Fortinet Forum
ispcolohost
Contributor

Any way to get RFC-compliant syslog messages?

Does anyone know if there's a way to get FortiOS to output syslog messages per RFC 5424 / 3164?  The default format seems to be something proprietary, and doesn't even include the timezone.  What's worse is there doesn't seem to be consistency between FortiOS and FortiWeb; they spit out events with different field names for the same data, or have different fields the other doesn't, etc.

emnoc
Esteemed Contributor III

Yes, it's "proprietary", and no, I don't think they will ever meet RFC compliance. You have raw text or CSV for output selections.

Most modern syslog collectors can support one or the other, but not RFC 5424 from the FGT. So you're out of luck, and you could ask for a feature request, but I highly doubt FTNT will make the logging output compatible with RFC 5424.

PCNSE 

NSE 

StrongSwan  

ispcolohost

We're ingesting syslog data into Graylog, which someone has written a Fortinet-specific module for, but other log analysis tools are of course useless with it being proprietary.  Unfortunately the FortiWeb output is completely useless since it doesn't even match the normal FortiOS format, so I guess we'll have to go the custom route for that.

emnoc
Esteemed Contributor III

I thought FortiWeb had an option for RFC-enabled output? Have you double checked with support?

ispcolohost

FortiWeb has even fewer features than FortiOS.  You can enable or disable CSV format, set a server, set a port.  It doesn't support the TCP-based option (not that anyone uses that), and I don't even see a way to set the source IP, so I just got lucky that my FortiWebs decided to use the interface I was hoping they'd use when sending syslog.  Have been on 5.5 and am now on 5.6.

I have an open ticket I'm working, but it's not going well lol.

NeilG

So then holding my breath for a FortiGate to output in Common Event Format (CEF) would be pointless as well.

That's too bad. For a moment I thought that this brief (https://www.fortinet.com/content/dam/fortinet/assets/alliances/Fortinet-HPE-Logger-Solution-Brief.pd...) implied that the FortiGate could, but reading it again I think it means that HPE has a system which ingests proprietary FortiGate logs and converts them into CEF.

Note: I am trying to integrate the Fortigate on-prem and in Azure-Cloud with Microsoft's OMS system.

(see https://channel9.msdn.com/Events/Ignite/2016/BRK3328 at the 2:52 mark)

As more vendors provide this, hopefully that will push Fortinet to get on board or to provide a shim. (Of course then it's another thing to manage as FortiOS gets upgraded.)

ispcolohost

Hmm, yeah the integration with HPE Logger is probably going to make it even less likely that they solve the problem, since third parties are producing products that expect to see the non-standard format data lol.

Seems like many people have had the same frustrations as us though.  Here's a reddit thread about someone producing Graylog dashboards for fortigate logs and noticing the syslog format can change based on even enabling and disabling firewall features, same hardware, same firmware; it's crazy.  https://www.reddit.com/r/fortinet/comments/3pw4qz/some_graylog_dashboards_for_fortigates/

It would be nice if they'd publish the standard so at least we know which fields will show up based on which features.  We're using this Graylog content pack to get the logs in from our Fortigates (https://marketplace.graylog.org/addons/a91344aa-fced-4d1a-928d-f3ded6e5a2f8) but the FortiWeb syslog format is so broken I'm going to have to write something custom to deal with it.
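One way to build the kind of shim this thread keeps coming back to, as an added example (not code from Fortinet or from the Graylog content pack): it parses a constructed FortiOS-style key=value line, attaches an assumed timezone (the original carries none), and re-emits it as an RFC 5424 message with every field preserved as structured data. The enterprise number 32473 is the one RFC 5612 reserves for documentation and stands in for a real registered one.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample in the key=value style FortiGate uses (not a real device log;
# field names chosen to resemble FortiOS output). Note the naked date/time with no
# timezone, which is exactly what this thread complains about.
SAMPLE = ('date=2017-10-05 time=14:33:07 devname="FGT-EDGE" devid="FGT-PLACEHOLDER" '
          'logid="0000000013" type="traffic" subtype="forward" level="notice" '
          'vd="root" srcip=10.0.0.5 dstip=192.0.2.10 action="deny" msg="Denied by policy"')

# key=value pairs; values are either a double-quoted string (may contain spaces
# and backslash-escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# FortiOS level names mapped to RFC 5424 severity codes.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "information": 6, "debug": 7}

# Assumption: the device's own clock zone, since the log line does not say.
LOCAL_TZ = timezone(timedelta(hours=2))

def parse_kv(line):
    """Split a FortiOS-style key=value line into a dict, unquoting quoted values."""
    out = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        out[key] = val
    return out

def sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped in a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def to_rfc5424(line, facility=16, tz=LOCAL_TZ, sd_id="fortios@32473"):
    """Re-emit one FortiOS key=value line as an RFC 5424 message.
    facility 16 is local0; PRI = facility * 8 + severity."""
    f = parse_kv(line)
    sev = SEVERITY.get(f.get("level", "").lower(), 6)
    pri = facility * 8 + sev
    ts = datetime.strptime(f["date"] + " " + f["time"],
                           "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    host = f.get("devname", "-")
    msgid = f.get("logid", "-")
    # Everything except the timestamp parts and the free-text msg goes into SD.
    sd = " ".join(f'{k}="{sd_escape(v)}"' for k, v in f.items()
                  if k not in ("date", "time", "msg"))
    return f'<{pri}>1 {ts.isoformat()} {host} fortios - {msgid} [{sd_id} {sd}] {f.get("msg", "")}'
```

Point the collector at the converted stream and a generic RFC 5424 parser will see a proper timestamp with offset, a hostname, and per-field structured data instead of an opaque string.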

MikePruett
Valued Contributor

NeilG wrote:

So then holding my breath for a FortiGate to output in Common Event Format (CEF) would be pointless as well.

That's too bad. For a moment I thought that this brief (https://www.fortinet.com/content/dam/fortinet/assets/alliances/Fortinet-HPE-Logger-Solution-Brief.pd...) implied that the FortiGate could, but reading it again I think it means that HPE has a system which ingests proprietary FortiGate logs and converts them into CEF.

Note: I am trying to integrate the Fortigate on-prem and in Azure-Cloud with Microsoft's OMS system.

(see https://channel9.msdn.com/Events/Ignite/2016/BRK3328 at the 2:52 mark)

As more vendors provide this, hopefully that will push Fortinet to get on board or to provide a shim. (Of course then it's another thing to manage as FortiOS gets upgraded.)

5.6 will bring syslog CEF format into play.

ispcolohost

Is that FortiGate-specific?  I'm running 5.6 on FortiWeb and that is not an option.

MikePruett

FortiGate specific yes.