FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
nmathur
Staff
Article Id 339484
Description

This article explains why FortiSOAR audit logs are not forwarded to FortiSIEM on some installations. The Gateway service writes audit logs to the following syslog socket:


/run/systemd/journal/syslog


This socket is absent on systems with a fresh installation of Rocky Linux, so the Gateway service has nowhere to write and log forwarding fails. Systems that were upgraded from CentOS to Rocky Linux still have the socket, so log forwarding works correctly on them.
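The following is an added example, not FortiSOAR or Fortinet code, that reproduces the failure mode described above on a throwaway path. It assumes the Gateway service behaves like an ordinary syslog client, sending each audit line as a datagram to a Unix socket path; a temporary directory stands in for /run/systemd/journal/syslog (which needs root to create), and the sample audit line is constructed for the example. It shows three states a troubleshooter will meet: the path does not exist (fresh Rocky Linux), a listener is bound to it (healthy), and the socket file is still on disk but nothing is behind it.

```python
"""Why a missing syslog socket breaks forwarding: added example, not FortiSOAR code.

Assumption: the Gateway service behaves like an ordinary syslog client, i.e. it
sends each audit line as a datagram to a Unix socket path. The real path,
/run/systemd/journal/syslog, needs root to create, so a temporary path stands
in for it here.
"""
import errno
import os
import socket
import stat
import tempfile

# Constructed sample audit line in RFC 3164 style (PRI 86 = authpriv.info);
# not captured from a real FortiSOAR system.
SAMPLE_AUDIT = ("<86>Sep 10 12:00:00 fortisoar gateway[1234]: "
                "user=admin action=login result=success")


def send_syslog_datagram(socket_path, line):
    """Send one syslog line the way a datagram syslog client does.

    Returns (True, None) when the kernel accepted the datagram, otherwise
    (False, <errno name>): ENOENT when the path is missing, ECONNREFUSED when
    the socket file exists but no process is bound to it.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as client:
        try:
            client.sendto(line.encode("utf-8"), socket_path)
        except OSError as exc:
            return False, errno.errorcode.get(exc.errno, str(exc.errno))
    return True, None


def socket_state(socket_path):
    """Classify a path the way an 'ls -l' style check does.

    Returns 'missing' (no file), 'not-a-socket', or 'socket'. Note that
    'socket' only proves the file exists; whether a listener is behind it
    can only be learned by sending (see the stale case below).
    """
    try:
        st = os.stat(socket_path)
    except FileNotFoundError:
        return "missing"
    return "socket" if stat.S_ISSOCK(st.st_mode) else "not-a-socket"


def demonstrate():
    """Exercise the three states on a throwaway path and return what happened."""
    results = {}
    with tempfile.TemporaryDirectory(prefix="kb339484-") as tmp:
        path = os.path.join(tmp, "syslog")  # stand-in for /run/systemd/journal/syslog

        # 1. Fresh Rocky Linux case: nothing has created the socket path.
        results["missing_state"] = socket_state(path)
        results["missing_send"] = send_syslog_datagram(path, SAMPLE_AUDIT)

        # 2. Healthy case: a listener is bound to the path (the role syslog.socket
        #    and rsyslog play on the appliance), so the datagram is delivered.
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        listener.bind(path)
        listener.settimeout(2.0)
        results["present_state"] = socket_state(path)
        results["present_send"] = send_syslog_datagram(path, SAMPLE_AUDIT)
        results["received"] = listener.recv(4096).decode("utf-8")

        # 3. Stale case: closing the listener leaves the socket file on disk.
        #    An existence check still passes, yet every send is refused.
        listener.close()
        results["stale_state"] = socket_state(path)
        results["stale_send"] = send_syslog_datagram(path, SAMPLE_AUDIT)
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key:14} {value}")
```

On the appliance the same three states correspond to: no file at /run/systemd/journal/syslog (fresh Rocky Linux), a socket file with syslog.socket active and rsyslog running (healthy), and a socket file left behind after the listener stopped. Confirming that the file exists is therefore necessary but not sufficient; also confirm that syslog.socket and rsyslog are active before concluding that forwarding is fixed.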

Scope

FortiSOAR v7.3.0 through v7.6.0.
Solution

To resolve the issue, create the missing socket on Rocky Linux or RHEL systems by running the following steps as root:

 

  • Reinstall systemd, make syslog.service an alias for rsyslog, and reload the unit files. If /etc/systemd/system/syslog.service already exists, ln reports that the file exists; check where the existing link points before replacing it.

 

yum reinstall systemd

ln -s /lib/systemd/system/rsyslog.service /etc/systemd/system/syslog.service

systemctl daemon-reload

 

  • Restart journald and stop rsyslog so that the socket unit can be started cleanly:

 

systemctl restart systemd-journald

systemctl stop rsyslog

 

  • Start the socket unit, which creates /run/systemd/journal/syslog:

 

systemctl start syslog.socket

 

  • Start rsyslog:

 

systemctl start rsyslog

 

Afterwards, confirm that /run/systemd/journal/syslog exists as a socket and that both syslog.socket and rsyslog are active; then verify in FortiSIEM that new FortiSOAR audit events arrive.