FortiManager
thiago_FTNT
Staff
Article Id 191412

Description

 

This article provides the commands to configure FortiManager/FortiAnalyzer to send their own local logs (FMG/FAZ system events, not the logs of managed devices) to a syslog server. The command syntax changed with release 5.0.7.

From release 5.0.7 onwards this is a two-step process: the first step (defining the syslog server) can be done via GUI or CLI, the second step (enabling local-log forwarding to that server) is CLI only.
 
Scope
 
FortiManager 4.3.x, 5.0.x, 7.0.x, 7.2.x and 7.4.x.


Solution

 

FortiManager 4.3.x.

CLI commands are:

config fmsystem locallog syslogd setting
    set server <IP address>          (address of the remote syslog server)
    set severity <emergency | alert | critical | error | warning | notification | information | debug>
                                     (least severe level that is still logged)
    set status <enable | disable>
    set csv <enable | disable>       (send logs in CSV format)
    set facility <facility>          (syslog facility used for the remote syslog)
    set port <port>                  (port the server listens on)
end

 

FortiManager 5.0.x, up to 5.0.6.

 

CLI commands are:

config system locallog syslogd setting
    set server <IP address>          (address of the remote syslog server)
    set severity <emergency | alert | critical | error | warning | notification | information | debug>
                                     (least severe level that is still logged)
    set status <enable | disable>
    set csv <enable | disable>       (send logs in CSV format)
    set facility <facility>          (syslog facility used for the remote syslog)
    set port <port>                  (port the server listens on)
end

 

FortiManager 5.0.7 and above.

 

First, the syslog server is defined as a named object; then FortiManager is configured to send its local logs to that object.

 

Step 1: Define Syslog servers.

This can be done through GUI in System Settings -> Advanced -> Syslog Server.

 

[Screenshot: syslogd_GUI-509.jpg, Syslog Server settings in the GUI (System Settings -> Advanced -> Syslog Server)]


FortiManager 7.0.x and 7.2.x.

 

[Screenshot: Syslog Server settings in the FortiManager 7.0.x / 7.2.x GUI]

 

FortiManager 7.4.x and above.

 

[Screenshot: Syslog Server settings in the FortiManager 7.4.x GUI]

 

NOTE:

Reliable Connection
Enable or disable a reliable (TCP) connection with the syslog server. The default is disable (UDP).

Secure Connection
Enable or disable securing the connection with TLS/SSL. The default is disable.
This option is only available when Reliable Connection is enabled.

Local Certificate CN
Select the local certificate that FortiManager presents to the syslog server on the secure connection: Fortinet_Local or Fortinet_Local2. The default is Fortinet_Local.
This option is only available when Secure Connection is enabled.

Peer Certificate CN
Enter the common name (CN) of the syslog server's certificate. Leaving it empty (null) means no certificate CN is configured for the syslog server.
This option is only available when Secure Connection is enabled.

 

The server can also be defined with CLI commands:

config system syslog
    edit <server name>
        set ip <syslog server IP>
    next
end

 

Example:

config system syslog
    edit Syslog-serv1
        set ip 11.11.11.11
        set reliable enable
        set secure-connection enable
        set local-cert <Certificate Name>
        set peer-cert-cn <Peer Certificate CN>
    next
end

 

Note:

Reliable is disabled by default. Enabling it switches the transport to TCP/514. It must be enabled in both places, on the server object (config system syslog) and in the local-log setting (config system locallog syslogd setting, step 2), otherwise FortiManager falls back to UDP/514.

 

Step 2: Enable sending FortiManager local logs to the Syslog server.

This can only be configured via CLI:

config system locallog syslogd setting
    set syslog-name <remote syslog server name, as defined in step 1>
    set severity <emergency | alert | critical | error | warning | notification | information | debug>
                                     (least severe level that is still logged)
    set status <enable | disable>
    set reliable <enable | disable>  (TCP transport; see the note above, must match the server object)
    set csv <enable | disable>       (send logs in CSV format)
    set facility <facility>          (syslog facility used for the remote syslog)
    set port <port>                  (port the server listens on)
end

 

Example:

 

config system locallog syslogd setting
   set severity information
   set status enable
   set syslog-name "Syslog-serv1"
end

 

Verify the result with get. Sample output (note that reliable is still disabled here, so logs leave over UDP/514 even if the server object has reliable enabled):

(setting)# get
cert : (null)
csv : disable
facility : local7
reliable : disable
severity : notification
status : enable
syslog-name : Syslog-serv1
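On the collector side, the quickest check that the two steps above took effect is to watch what arrives on the configured port and decode the syslog priority of each message. The script below is an added example, not part of the Fortinet article and not Fortinet code: it is a throwaway receiver that listens on UDP (reliable disabled), TCP (reliable enabled) or TCP with TLS (secure-connection enabled, presenting a certificate whose CN is the value to put in peer-cert-cn), splits off the standard `<PRI>` field (facility * 8 + severity) and flags messages whose facility does not match the one configured with `set facility`. It also models the "least severity level to log" semantics of `set severity`. The file name, port 1514 and the certificate file names are assumptions for illustration; the FortiManager local-log body format is not described in the article, so the body is printed as received.

```python
"""Added example, not from the Fortinet article: a throwaway syslog collector
for checking that FortiManager local logs arrive over the expected transport
with the configured facility and severity. Only the leading <PRI> field is
interpreted (PRI = facility*8 + severity, RFC 5424 s.6.2.1); the body is
printed as received, since the article does not document its format.
Usage: python3 syslog_check.py --port 1514 [--tcp [--cert s.pem --key s.key]]
"""
import argparse
import re
import socket
import ssl

# Standard syslog facility names, index = facility number (RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
# The eight syslog severities using FortiManager's CLI keywords, index = number.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]

_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(msg: bytes):
    """Return (facility_name, severity_name, rest) for a raw syslog message,
    or None when it does not start with a valid <PRI> in the range 0..191."""
    m = _PRI_RE.match(msg)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], msg[m.end():]


def passes_threshold(severity_name: str, configured: str) -> bool:
    """Mirror 'set severity <level>': the configured level is the least severe
    one still sent, so a message passes if it is that severe or more severe
    (i.e. has a lower syslog severity number)."""
    return SEVERITIES.index(severity_name) <= SEVERITIES.index(configured)


def report(msg: bytes, src: str, expect_facility: str) -> None:
    """Print one received message with its decoded facility/severity."""
    decoded = decode_pri(msg)
    if decoded is None:
        print(f"{src}: no <PRI> header: {msg[:80]!r}")
        return
    facility, severity, rest = decoded
    flag = "" if facility == expect_facility else f"  <-- expected {expect_facility}"
    print(f"{src}: {facility}.{severity}{flag}: {rest.decode(errors='replace').rstrip()}")


def serve(port: int, use_tcp: bool = False, certfile: str = None,
          keyfile: str = None, expect_facility: str = "local7") -> None:
    """Receive forever: UDP datagrams, or newline-delimited messages on one
    TCP (optionally TLS-wrapped) connection, reporting each message."""
    if not use_tcp:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("0.0.0.0", port))
        print(f"listening on UDP/{port} (FortiManager 'reliable disable')")
        while True:
            data, peer = sock.recvfrom(65535)
            report(data, peer[0], expect_facility)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(1)
    if certfile:
        # Present the collector's certificate (assumed file names); FortiManager's
        # 'set peer-cert-cn' should be given the CN of this certificate.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        srv = ctx.wrap_socket(srv, server_side=True)
    print(f"listening on TCP/{port}" + (" with TLS" if certfile else "")
          + " (FortiManager 'reliable enable')")
    conn, peer = srv.accept()
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
        # Non-transparent TCP framing: one syslog message per line.
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            report(line, peer[0], expect_facility)


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--port", type=int, default=514)
    ap.add_argument("--tcp", action="store_true", help="accept TCP (reliable)")
    ap.add_argument("--cert", help="PEM certificate for TLS (secure-connection)")
    ap.add_argument("--key", help="PEM private key for --cert")
    ap.add_argument("--facility", default="local7", help="facility set on FortiManager")
    a = ap.parse_args()
    serve(a.port, a.tcp, a.cert, a.key, a.facility)
```

Run it on the syslog server host with the same port as `set port` (ports below 1024 need root, so a test port such as 1514 is convenient), then trigger an event on FortiManager such as an admin login. If nothing arrives in TCP mode but does in UDP mode, check that reliable is enabled in both places as described in the note above. With the default facility, every decoded line should read `local7.<severity>`; anything else means `set facility` on FortiManager and the collector's expectation disagree.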