Hi all,
Some time back when running v4.3.something firmware, we sent all our syslog(514) data to our Fortianalyzer. My recollection is that the functionality was lost when we upgraded to v5.0 firmware. Couple of questions for those running v5.2 now:
(1) is the syslog functionality back? Can you use the Fortianalyzer as a syslog server again?
(2) if using this, how does the functionality look to you? Is it substantially different to what was available in v4.3 firmware?
(3) is it possible to filter the incoming syslog data in any way (so that not all data is logged)?
TIA for any information you can share,
Frosty
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
I can not say anything related to FortiManager 5.2 but I'm expecting that the same as for FortiManager 5.0 which means. You do not have to enable whatever to use the syslog function on FortiManager. This means if you have a device which can be configured to be sending syslog message to FortiManger do so. As soon as the request is coming to the FortiManager you will have a message regarding unregistered device and if yo accept you will have a new tree for syslog. You can not use this syslog devices within FortiFiew and Reporting. But for me it works perfect for:
Cisco Switch logs
Different Linux logs
APC UPS Botz etc. logs
What is not working (or could be a problem) is if you have a device syslog-ng like Sophos (common under ASTARO name). This device is using syslog-ng and I was not able to bring the logs to FAZ. The rest if it is pure sylsog works out of the box perfect.
hope this helps
have fun....
Andrea
from error, seems you did not enable ADOM function
by default, FAZ ADOM function is disabled, and can only manage FGT logs, and you can enable ADOM in System Settings dashboard and then you can promote syslog device to syslog ADOM.
thanks
Simon
In the meantime I downloaded the VM version of 5.2.1 ... and I can't see anywhere that its possible to set up a syslog server in the FAZ (there is only an option to forward syslog events off to another syslog server elsewhere).
So did I dream that you could run a syslog server with 5.2.x ?
Hi
I can not say anything related to FortiManager 5.2 but I'm expecting that the same as for FortiManager 5.0 which means. You do not have to enable whatever to use the syslog function on FortiManager. This means if you have a device which can be configured to be sending syslog message to FortiManger do so. As soon as the request is coming to the FortiManager you will have a message regarding unregistered device and if yo accept you will have a new tree for syslog. You can not use this syslog devices within FortiFiew and Reporting. But for me it works perfect for:
Cisco Switch logs
Different Linux logs
APC UPS Botz etc. logs
What is not working (or could be a problem) is if you have a device syslog-ng like Sophos (common under ASTARO name). This device is using syslog-ng and I was not able to bring the logs to FAZ. The rest if it is pure sylsog works out of the box perfect.
hope this helps
have fun....
Andrea
Thanks Andrea,
That's very helpful. I set up a test with my current v5.0 firmware on the FL100C. I put Snare syslog tools on my PC and set it for forward some Event Log data to the FL100C as syslog data on port 514. I can confirm that a new Unregistered Device showed up on the Fortianalyzer immediately. But I am unable to Promote this device; it throws an error saying "Device type not supported by the ADOM". So I will wait until its a suitable time, update the FL100C to v5.2 and then try again.
Cheers,
Steve
from error, seems you did not enable ADOM function
by default, FAZ ADOM function is disabled, and can only manage FGT logs, and you can enable ADOM in System Settings dashboard and then you can promote syslog device to syslog ADOM.
thanks
Simon
Thanks Simon,
I just tried enabling the ADOM functionality and, hey presto, its all looking good. I am now successfully shipping syslog data into the Fortianalyzer. I guess I will need to do some exploring and find out what's possible on the reporting side of things.
Cheers,
Steve
Have run into what seems like an insurmountable problem. I was wanting to use a command-line tool to generate syslog entries when a user logs in/out of their PC (via logon/logoff script). In testing I can see that as this runs on each PC, a new Device is flagged in the Fortianalyzer and its just not practical for me to have 150-odd syslog devices. What I really need the Fortianalyzer to do for me is allow me to set up one (1) syslog device and then allow me to direct all syslog(514) data into that device. Seems it won't let me do that? Does anyone have a suggestion as to how I might get around this constraint? I've considered ideas like setting up a virtual IP and redirecting all syslog traffic through that IP, but it all seems to complex; it really ought to be easier than that I think.
Hi, Stephen,
For your case, maybe you can create a virtual group (log array) for these syslog devices, and also maybe can create a different syslog ADOM for them.
Thanks
Simon
Thanks for the suggestions. I tried creating a new ADOM v5.2 syslog and then created a Log Array as well. But this doesn't seem to change the behaviour. PCs which send syslog data still show up as Unregistered devices and have to be manually added. It would be nice if it were possible to configure a default syslog and then set it so that new devices auto-add themselves to the default store. Or even if I could define rules to direct the syslog data, such as "any device matching 192.168.11.0/24 or 192.168.12.0/24" or something like that.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1516 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.