Fortinet Forum
sims
New Contributor III

Syslog configuration

Hi,

 

I am using one free syslog application. I want to forward these logs to the syslog server; how can I do that?

 

Thanks

  

1 Solution
AndreaSoliva
Contributor III

Hi

 

There is one point which is not noted here and which is important, especially for 5.2.x, because the behaviour changed in releases before 5.2.x. If you configure the syslog you have to:

 

       # config log syslogd setting
       # set status enable
       # set server [FQDN Syslog Server or IP]
       # set reliable [Activate TCP-514 or UDP-514 which means UDP is default]
       # set port [Standard 514]
       # set csv [enable | disable]
       # set facility [By Standard local7]
       # set source-ip [Source IP of FortiGate; By Standard 0.0.0.0]
       # end

 

The important point is the facility and severity, which means local7 means "warning" (not a lot of messages). If you look at the filter which is used on the FGT 5.2 you will recognize that this filter is also using "warning":

 

       # config log syslogd filter
       # get
       severity                 : warning
       forward traffic          : enable
       local-traffic            : enable
       multicast-traffic        : enable
       sniffer-traffic          : enable
       anomaly                  : enable
       netscan-discovery        : enable
       netscan-vulnerability    : enable
       voip                     : enable

 

To get really all logging information of the FGT on a syslog server, both must be set to "information", which means:

 

       # config log syslogd filter
       # set severity information
       # end

 

       # config log syslogd setting
       # set facility [Information means local0]
       # end

 

Now you can be sure that "all" logging goes to the syslog. You will find this behaviour also with other logging like "memory", because the filter of memory is also by standard on "warning". Keep this in mind!

 

hope this helps

 

have fun

 

Andrea

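The point of the accepted solution is that the default filter severity of "warning" silently drops the information-level traffic records most people expect to see on their collector. The following is an added example, not code from the thread or from Fortinet: it parses the `key : value` dump that `get` prints under `config log syslogd filter` (the constructed sample below mirrors the output shape shown above, with `forward-traffic` assumed to be the hyphenated key name) and reports whether the severity threshold and the per-category switches would let everything through.

```python
"""Audit a FortiGate 'config log syslogd filter' dump (added example, not from the thread)."""

# FortiOS syslog severity levels from most to least severe. A filter set to
# level X forwards X and everything more severe, so "warning" drops
# notification, information and debug records.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]

# Constructed sample in the shape of the 'get' output quoted in the thread,
# still on the factory default severity.
SAMPLE_FILTER_OUTPUT = """\
severity                 : warning
forward-traffic          : enable
local-traffic            : enable
multicast-traffic        : enable
sniffer-traffic          : enable
anomaly                  : enable
netscan-discovery        : enable
netscan-vulnerability    : enable
voip                     : enable
"""


def parse_get_output(text):
    """Turn 'key   : value' lines into a dict, ignoring anything else."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def audit_syslog_filter(text, required_severity="information"):
    """Return a list of findings; an empty list means the filter forwards
    every category at or above required_severity."""
    settings = parse_get_output(text)
    findings = []

    sev = settings.get("severity")
    if sev not in SEVERITY_ORDER:
        findings.append(f"unknown or missing severity: {sev!r}")
    elif SEVERITY_ORDER.index(sev) < SEVERITY_ORDER.index(required_severity):
        # Threshold is stricter than required: lower levels never leave the box.
        findings.append(f"severity is {sev!r}; events below it are not forwarded")

    # Every remaining key is a category switch that should read 'enable'.
    for key, value in settings.items():
        if key != "severity" and value != "enable":
            findings.append(f"category {key} is {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_syslog_filter(SAMPLE_FILTER_OUTPUT) or ["no findings"]:
        print(finding)
```

Run it against a copy of your own `get` output; a clean result is an empty list, and the one finding the constructed sample produces is exactly the default-severity trap the solution describes.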

7 Replies
FortiAdam
Contributor II

Depending on what OS and hardware you are running, it is pretty easy. You will need to access the CLI via the widget in the GUI or over SSH or telnet. Once in the CLI you can configure your syslog server by running the command "config log syslogd setting". Set status to enable and set server to the IP of your syslog server.

gilbile_nilesh
New Contributor

From the command line you can configure the below default setting:

       config log syslogd setting
       set status enable
       set source-ip "ip of interface of fortigate"
       set server "ip of server machine"
       end

If you are looking for more details on this then please refer to the below link: http://docs-legacy.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%205.0%20CLI/config_log...

agrammenos

Hi 

Can someone explain what

set csv [enable | disable]

stands for? (What does it do?)

 

Thanks

pcraponi

Hi,

 

CSV enabled will add a comma between the log fields in syslog:

 

Logs like:

itime=2017-09-28 11:59:47 vd=root rcvdbyte=98291 srccountry=Reserved app=HTTP.BROWSER_IE utmaction=allow...

 

Will be generated as:

 

itime=2017-09-28 11:59:47,vd=root,rcvdbyte=98291,srccountry=Reserved,app=HTTP.BROWSER_IE,utmaction=allow... 

 

Regards, Paulo Raponi
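Why the `csv` switch matters to whoever runs the collector: the default record uses spaces between fields while a value such as `itime=2017-09-28 11:59:47` itself contains a space, so a parser that simply splits on whitespace (or on commas, once CSV is enabled) breaks. The following is an added example, not code from the reply or from Fortinet. It parses both formats by locating `key=` boundaries rather than splitting on the separator, using constructed records shaped like the two quoted above plus a constructed one with a quoted `msg` value.

```python
"""Parse FortiGate syslog records in default and CSV layout (added example)."""
import re

# Constructed records shaped like the two quoted in the reply above.
DEFAULT_RECORD = ("itime=2017-09-28 11:59:47 vd=root rcvdbyte=98291 "
                  "srccountry=Reserved app=HTTP.BROWSER_IE utmaction=allow")
CSV_RECORD = ("itime=2017-09-28 11:59:47,vd=root,rcvdbyte=98291,"
              "srccountry=Reserved,app=HTTP.BROWSER_IE,utmaction=allow")
# Constructed record with a double-quoted value containing spaces.
QUOTED_RECORD = ('date=2017-09-28 time=11:59:47 srcip=10.0.0.1 '
                 'msg="traffic allowed by policy" action=accept')


def parse_record(record, csv=False):
    """Return the record's fields as a dict.

    A field starts at the beginning of the record or right after the
    separator (',' with csv=True, whitespace otherwise) and is introduced by
    'name='. The value runs up to the next such boundary, so a space inside
    an unquoted value like itime survives in default layout, and the
    surrounding quotes of a quoted value are removed.
    """
    delim = "," if csv else r"\s+"
    key_re = re.compile(rf"(?:^|{delim})([A-Za-z_][A-Za-z0-9_-]*)=")
    boundaries = list(key_re.finditer(record))
    fields = {}
    for i, m in enumerate(boundaries):
        end = boundaries[i + 1].start() if i + 1 < len(boundaries) else len(record)
        value = record[m.end():end]
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[m.group(1)] = value
    return fields


def layouts_agree(default_record, csv_record):
    """True when the same event parsed from each layout yields identical fields."""
    return parse_record(default_record) == parse_record(csv_record, csv=True)


if __name__ == "__main__":
    print(parse_record(DEFAULT_RECORD))
    print(parse_record(CSV_RECORD, csv=True))
    # Parsing a CSV record with the default rules collapses it into one field.
    print(parse_record(CSV_RECORD))
```

The last line of the main block shows the mismatch case: a CSV record fed to the whitespace rules yields a single `itime` field holding the rest of the line, which is what an ingest pipeline silently produces when the firewall's `csv` setting and the collector's parser disagree.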

KjetilT
New Contributor

If I understand you correctly, you have a free syslog server application (like Kiwi) and want to send logs from your FortiGate to it?

 

Quite easy: under log settings you switch on logging to syslog, enter the IP or name of the server where your syslog app is installed, and save the settings.

Then you make sure that your syslog app listens on port 514/UDP.

 

Now you should be home and, if not dry, at least towelling yourself off.

 

Good luck

 

/Kjetil

emnoc
Esteemed Contributor III

Besides the typical CSV and DEFAULT formats, you have other options: CEF and brief. All of these will make an impact on the size of the log record and throughput for large environments with a few firewalls and log rates over 1k per sec.

 

And fwiw, you can now log to IPv6 destinations in the later FortiOS versions.

 

Ken

 

PCNSE 

NSE 

StrongSwan