Does anyone know if there's a way to get FortiOS to output syslog messages per RFC 5424 / 3164? The default format seems to be something proprietary, and doesn't even include the timezone. What's worse is that there doesn't seem to be consistency between FortiOS and FortiWeb; they spit out events with different field names for the same data, or have fields the other doesn't, etc.
Yes, it is "proprietary", and no, I don't think they will ever meet RFC compliance. You have raw text or CSV for output selections.
Most modern syslog collectors can support one or the other, but not RFC 5424 from the FGT. So you're out of luck. You could ask for a feature request, but I highly doubt FTNT will make the logging output compatible with RFC 5424.
PCNSE
NSE
StrongSwan
We're ingesting syslog data into Graylog, which someone has written a Fortinet-specific module for, but other log analysis tools are of course useless with it being proprietary. Unfortunately the FortiWeb output is completely useless since it doesn't even match the normal FortiOS format, so I guess we'll have to go the custom route for that.
I thought FortiWeb had an option for RFC-enabled output? Have you double-checked with support?
PCNSE
NSE
StrongSwan
FortiWeb has even fewer features than FortiOS. You can enable or disable CSV format, set a server, set a port. It doesn't support the TCP-based option (not that anyone uses that) and I don't even see a way to set the source IP, so I just got lucky that my FortiWebs decided to use the interface I was hoping they'd use when sending syslog. Have been on 5.5 and am now on 5.6.
I have an open ticket I'm working, but it's not going well lol.
So then holding my breath for a FortiGate to output in Common Event Format (CEF) would be pointless as well.
That's too bad. For a moment I thought that this brief (https://www.fortinet.com/content/dam/fortinet/assets/alliances/Fortinet-HPE-Logger-Solution-Brief.pd...) implied that the FortiGate could, but reading it again I think it means that HPE has a system which ingests proprietary FortiGate logs and converts them into CEF.
Note: I am trying to integrate the FortiGate on-prem and in Azure Cloud with Microsoft's OMS system.
(see https://channel9.msdn.com/Events/Ignite/2016/BRK3328 at the 2:52 mark)
As more vendors provide this, hopefully that will push Fortinet to get on board or to provide a shim. (Of course then it's another thing to manage as FortiOS gets upgraded.)
Hmm, yeah, the integration with HPE Logger is probably going to make it even less likely that they solve the problem, since third parties are producing products that expect to see the non-standard format data lol.
Seems like many people have had the same frustrations as us though. Here's a Reddit thread about someone producing Graylog dashboards for FortiGate logs and noticing the syslog format can change based on even enabling and disabling firewall features, same hardware, same firmware; it's crazy. https://www.reddit.com/r/fortinet/comments/3pw4qz/some_graylog_dashboards_for_fortigates/
It would be nice if they'd publish the standard so at least we know which fields will show up based on which features. We're using this Graylog content pack to get the logs in from our FortiGates (https://marketplace.graylog.org/addons/a91344aa-fced-4d1a-928d-f3ded6e5a2f8), but the FortiWeb syslog format is so broken I'm going to have to write something custom to deal with it.
NeilG wrote: So then holding my breath for a FortiGate to output in Common Event Format (CEF) would be pointless as well.
That's too bad. For a moment I thought that this brief (https://www.fortinet.com/content/dam/fortinet/assets/alliances/Fortinet-HPE-Logger-Solution-Brief.pd...) implied that the FortiGate could, but reading it again I think it means that HPE has a system which ingests proprietary FortiGate logs and converts them into CEF.
Note: I am trying to integrate the FortiGate on-prem and in Azure Cloud with Microsoft's OMS system.
(see https://channel9.msdn.com/Events/Ignite/2016/BRK3328 at the 2:52 mark)
As more vendors provide this, hopefully that will push Fortinet to get on board or to provide a shim. (Of course then it's another thing to manage as FortiOS gets upgraded.)
5.6 will bring syslog CEF format into play.
Mike Pruett
Is that FortiGate-specific? I'm running 5.6 on FortiWeb and that is not an option.
FortiGate-specific, yes.
Mike Pruett
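Since the thread never gets a device-side fix for the three complaints above (no timezone in the default output, fields that come and go with feature toggles, and no RFC 5424 or CEF output before a later release), here is an added example of doing the normalisation on the collector instead. This is not code from the thread or from Fortinet; the key=value layout, the field names (date, time, tz, level, logid, srcip, ...), the Fortinet enterprise number 12356 used in the SD-ID, and the level-to-severity mappings are assumptions based on the common FortiGate traffic-log shape, and both sample payloads are constructed. The parser keeps whatever keys appear rather than demanding a fixed schema, the timestamp routine flags when tz= is missing instead of silently guessing, and the two emitters produce an RFC 5424 line and a CEF line from the same parsed event.

```python
"""Added example: parse FortiOS-style key=value syslog payloads and re-emit them
as RFC 5424 (with an explicit timezone) and as CEF.  Field names follow the common
FortiGate traffic-log layout as assumed here; the sample lines are constructed."""
import re
from datetime import datetime, timedelta, timezone

# One key=value token: the value is either double-quoted (spaces allowed) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

_SYSLOG_SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                    "warning": 4, "notice": 5, "information": 6, "debug": 7}
# CEF severity (0-10) per FortiOS level: an assumed mapping, not Fortinet's.
_CEF_SEVERITY = {"debug": 1, "information": 2, "notice": 4, "warning": 5,
                 "error": 7, "critical": 8, "alert": 9, "emergency": 10}
# FortiOS field -> CEF standard extension key; other fields pass through by name.
_CEF_KEYS = {"srcip": "src", "dstip": "dst", "srcport": "spt", "dstport": "dpt",
             "proto": "proto", "action": "act", "devname": "dvchost"}


def parse_kv(payload: str) -> dict:
    """Return the key=value pairs of a FortiOS-style message in order of appearance.
    No schema is enforced, so a field that appears or vanishes when a feature is
    toggled simply is or is not in the dict instead of breaking the parse."""
    fields = {}
    for key, raw in _KV_RE.findall(payload):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def event_timestamp(fields: dict, default_tz=timezone.utc):
    """Combine date=/time= (and tz=+HHMM when present) into an aware datetime.
    Returns (timestamp, tz_was_present).  Without tz= the real offset is unknown:
    the assumed default (UTC) is applied and the flag is False so callers can see it."""
    naive = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    tz = fields.get("tz")
    if not tz:
        return naive.replace(tzinfo=default_tz), False
    sign = -1 if tz[0] == "-" else 1
    offset = timedelta(hours=int(tz[-4:-2]), minutes=int(tz[-2:]))
    return naive.replace(tzinfo=timezone(sign * offset)), True


def to_rfc5424(fields: dict, hostname: str, facility: int = 16,
               sd_id: str = "fortios@12356") -> str:
    """Emit an RFC 5424 line carrying the event in STRUCTURED-DATA.
    12356 is assumed to be Fortinet's IANA enterprise number; facility 16 = local0."""
    ts, _ = event_timestamp(fields)
    pri = facility * 8 + _SYSLOG_SEVERITY.get(fields.get("level", "notice"), 5)

    def esc(v: str) -> str:  # PARAM-VALUE must escape backslash, quote and ']'
        return v.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

    params = " ".join(f'{k}="{esc(v)}"' for k, v in fields.items()
                      if k not in ("date", "time", "tz"))
    msgid = fields.get("logid", "-")
    return f"<{pri}>1 {ts.isoformat()} {hostname} fortios - {msgid} [{sd_id} {params}] -"


def to_cef(fields: dict, version: str = "-") -> str:
    """Emit a CEF:0 line.  Header fields escape '|' and '\\'; extension values
    escape '=' and '\\'.  rt= carries the event time as UTC epoch milliseconds."""
    ts, _ = event_timestamp(fields)

    def hdr(v: str) -> str:
        return v.replace("\\", "\\\\").replace("|", "\\|")

    def ext(v: str) -> str:
        return v.replace("\\", "\\\\").replace("=", "\\=")

    name = f"{fields.get('type', 'event')} {fields.get('subtype', '')}".strip()
    sev = _CEF_SEVERITY.get(fields.get("level", "notice"), 4)
    header = "|".join(["CEF:0", "Fortinet", "FortiGate", hdr(version),
                       hdr(fields.get("logid", "0")), hdr(name), str(sev)])
    exts = [f"rt={int(ts.timestamp() * 1000)}"]
    for k, v in fields.items():
        if k in ("date", "time", "tz", "logid", "type", "subtype", "level"):
            continue
        exts.append(f"{_CEF_KEYS.get(k, k)}={ext(v)}")
    return header + "|" + " ".join(exts)


# Constructed sample payloads (the part after the syslog header).  The first carries
# tz= and an app= field from application control; the second has neither.
SAMPLE_WITH_TZ = ('date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" '
                  'subtype="forward" level="notice" vd="root" tz="-0700" '
                  'srcip=10.1.100.11 srcport=58012 dstip=203.0.113.5 dstport=443 '
                  'proto=6 action="deny" app="SSL" msg="Connection Failed"')
SAMPLE_NO_TZ = ('date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" '
                'subtype="forward" level="notice" vd="root" srcip=10.1.100.11 '
                'dstip=203.0.113.5 dstport=443 proto=6 action="accept"')

if __name__ == "__main__":
    for line in (SAMPLE_WITH_TZ, SAMPLE_NO_TZ):
        f = parse_kv(line)
        ts, known = event_timestamp(f)
        print(f"{ts.isoformat()}  tz-in-log={known}")
        print(to_rfc5424(f, "fgt-edge-01"))
        print(to_cef(f, "6.0"))
```

The point of the tz_was_present flag is the thread's first complaint: when the device does not send an offset, the collector has to assume one, and an event whose time was assumed rather than stated should stay distinguishable from one that was not, for instance by tagging it before it lands in Graylog. The same parse feeds both emitters, so a collector can keep the original key names for the Graylog content pack and still hand a CEF copy to a tool like HPE Logger or OMS that expects that format.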