Support Forum
Frosty
Contributor

Anyone using their Fortianalyzer as a syslog store?

Hi all,

Some time back when running v4.3.something firmware, we sent all our syslog(514) data to our Fortianalyzer.  My recollection is that the functionality was lost when we upgraded to v5.0 firmware.  Couple of questions for those running v5.2 now:

(1) is the syslog functionality back?  Can you use the Fortianalyzer as a syslog server again?

(2) if using this, how does the functionality look to you?  Is it substantially different to what was available in v4.3 firmware?

(3) is it possible to filter the incoming syslog data in any way (so that not all data is logged)?

TIA for any information you can share,

Frosty

Frosty
Contributor

In the meantime I downloaded the VM version of 5.2.1 ... and I can't see anywhere that it's possible to set up a syslog server in the FAZ (there is only an option to forward syslog events off to another syslog server elsewhere).

So did I dream that you could run a syslog server with 5.2.x?

AndreaSoliva
Contributor III

Hi

I can not say anything related to FortiManager 5.2 but I'm expecting the same as for FortiManager 5.0, which means: you do not have to enable anything to use the syslog function on FortiManager. This means if you have a device which can be configured to send syslog messages to FortiManager, do so. As soon as the request comes to the FortiManager you will have a message regarding an unregistered device, and if you accept, you will have a new tree for syslog. You can not use these syslog devices within FortiView and Reporting. But for me it works perfect for:

Cisco Switch logs

Different Linux logs

APC UPS Botz etc. logs

What is not working (or could be a problem) is if you have a syslog-ng device like Sophos (common under the ASTARO name). This device is using syslog-ng and I was not able to bring the logs to FAZ. The rest, if it is pure syslog, works out of the box perfect.

hope this helps

have fun....

Andrea

Frosty
Contributor

Thanks Andrea,

That's very helpful.  I set up a test with my current v5.0 firmware on the FL100C.  I put Snare syslog tools on my PC and set it to forward some Event Log data to the FL100C as syslog data on port 514.  I can confirm that a new Unregistered Device showed up on the Fortianalyzer immediately.  But I am unable to Promote this device; it throws an error saying "Device type not supported by the ADOM".  So I will wait until it's a suitable time, update the FL100C to v5.2 and then try again.

Cheers,

Steve

scao_FTNT
Staff

From the error, it seems you did not enable the ADOM function.

By default, the FAZ ADOM function is disabled and can only manage FGT logs. You can enable ADOM in the System Settings dashboard, and then you can promote the syslog device to a syslog ADOM.

thanks

Simon

Frosty
Contributor

Thanks Simon,

I just tried enabling the ADOM functionality and, hey presto, it's all looking good.  I am now successfully shipping syslog data into the Fortianalyzer.  I guess I will need to do some exploring and find out what's possible on the reporting side of things.

Cheers,

Steve

Frosty
Contributor

Have run into what seems like an insurmountable problem.  I was wanting to use a command-line tool to generate syslog entries when a user logs in/out of their PC (via logon/logoff script).  In testing I can see that as this runs on each PC, a new Device is flagged in the Fortianalyzer, and it's just not practical for me to have 150-odd syslog devices.  What I really need the Fortianalyzer to do for me is allow me to set up one (1) syslog device and then allow me to direct all syslog(514) data into that device.  Seems it won't let me do that?  Does anyone have a suggestion as to how I might get around this constraint?  I've considered ideas like setting up a virtual IP and redirecting all syslog traffic through that IP, but it all seems too complex; it really ought to be easier than that I think.

scao_FTNT
Staff

Hi, Stephen,

For your case, maybe you can create a virtual group (log array) for these syslog devices, and also maybe can create a different syslog ADOM for them.

Thanks

Simon

Frosty
Contributor

Thanks for the suggestions.  I tried creating a new ADOM v5.2 syslog and then created a Log Array as well.  But this doesn't seem to change the behaviour.  PCs which send syslog data still show up as Unregistered devices and have to be manually added.  It would be nice if it were possible to configure a default syslog and then set it so that new devices auto-add themselves to the default store.  Or even if I could define rules to direct the syslog data, such as "any device matching 192.168.11.0/24 or 192.168.12.0/24" or something like that.
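The "one syslog device" idea Frosty describes (redirect all workstation syslog through a single IP, with rules such as "any device matching 192.168.11.0/24 or 192.168.12.0/24") can be done outside the FortiAnalyzer with a small relay. The following is an added example, not code from the thread or from Fortinet: a Python UDP relay that accepts RFC 3164 messages only from the two subnets named in the post, re-tags them with the relay's own hostname so the collector sees a single device, and keeps the original workstation address in the message body. It also builds the kind of logon/logoff line a logon script would emit. The collector address `faz.example.invalid`, the relay hostname `syslog-relay` and the `logonscript` tag are placeholders I chose; the subnets come from the post.

```python
"""Added example (not from the forum thread): a minimal syslog relay that
accepts RFC 3164 messages from workstations on allowed subnets and re-sends
them to one collector, so the collector registers a single source device.
Collector address and relay hostname are placeholders, not real hosts."""
import ipaddress
import re
import socket
from datetime import datetime

# Subnets named in the thread; collector/listen addresses are placeholders.
ALLOWED_SUBNETS = [ipaddress.ip_network("192.168.11.0/24"),
                   ipaddress.ip_network("192.168.12.0/24")]
COLLECTOR = ("faz.example.invalid", 514)   # placeholder for the FAZ address
LISTEN = ("0.0.0.0", 514)

# RFC 3164: PRI = facility * 8 + severity (auth = 4, informational = 6).
FACILITY_AUTH, SEV_INFO = 4, 6

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def build_logon_message(hostname, user, event, when=None):
    """Build the RFC 3164 line a logon/logoff script would send.
    This stands in for the command-line tool mentioned in the thread."""
    when = when or datetime.now()
    # RFC 3164 TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day.
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    pri = FACILITY_AUTH * 8 + SEV_INFO
    return f"<{pri}>{timestamp} {hostname} logonscript: user={user} event={event}"


def source_allowed(src_ip):
    """Rule from the post: accept only devices inside the listed subnets."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_SUBNETS)


def rewrite_for_collector(raw, src_ip, relay_host="syslog-relay"):
    """Re-tag a message so the collector sees one device (the relay) while
    the sending workstation's address and hostname stay in the body.
    Returns None for a disallowed source or a malformed message."""
    if not source_allowed(src_ip):
        return None
    m = _PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:     # PRI above 191 is invalid
        return None
    pri, rest = m.group(1), m.group(2)
    # HEADER = TIMESTAMP (15 chars) + space + HOSTNAME, then the MSG part.
    if len(rest) < 16 or rest[15] != " ":
        return None
    timestamp, body = rest[:15], rest[16:]
    orig_host, _, msg = body.partition(" ")
    if not orig_host or not msg:
        return None
    return f"<{pri}>{timestamp} {relay_host} relay[{src_ip}/{orig_host}]: {msg}"


def relay(listen=LISTEN, collector=COLLECTOR):
    """Receive on UDP/514 and forward accepted messages from this host,
    so the collector only ever sees the relay's address as the source."""
    inbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    inbound.bind(listen)
    outbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, (src_ip, _) = inbound.recvfrom(4096)
        msg = rewrite_for_collector(data.decode("utf-8", "replace"), src_ip)
        if msg is not None:
            outbound.sendto(msg.encode("utf-8"), collector)


if __name__ == "__main__":
    relay()
```

Run it on one host that the FortiAnalyzer already knows as a syslog device and point the workstations' logon scripts at that host instead of the FAZ; the subnet check drops anything from outside the two ranges before it is forwarded, and the `relay[src/host]` prefix keeps the per-PC origin searchable in the stored logs. Binding port 514 needs root on Unix-like systems.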
