Not applicable

Cannot forward log to syslog server?

Hi all, I want to forward Fortigate logs to the syslog-ng server. In Log & Report --> Log config --> Log setting, I configured it as follows:
IP: x.x.x.x
Port: 514
Minimum log level: Information
Facility: local7
(Enable CSV format)
I have opened UDP port 514 in iptables on the syslog-ng server. But 'tcpdump' on the syslog-ng server or 'diag sniffer packet' on the Fortigate CLI cannot see any packets arriving or departing:
 tcpdump -n -e -ttt -i eth0 udp port 514
 diag sniffer packet any 'dst host x.x.x.x and port 514' 1
How do I 'debug' this case?
PS: the setting in Alert E-mail works fine.
emnoc
Esteemed Contributor III

Are you generating any events that would generate syslog messages? Try some failed logins or other events and monitor the syslog-ng server

PCNSE NSE StrongSwan
Not applicable

Yes, of course. I generated some events such as: failed login, change the value of minimum log level... and I got the alert mail normally but cannot see any packets on syslog-ng server (with tcpdump).
Message meets Alert condition: date=2010-01-11 time=09:12:54 devname=x device_id=FG600B3908600180 log_id=0104041985 type=event subtype=admin pri=alert fwver=040000 vd=root user="quan.ta" ui=https(x) action=login status=failed reason="passwd_invalid" msg="Administrator quan.ta login failed from https(x) because of invalid password"
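Once these events do arrive at the collector, the receiving side still has to parse the key=value format shown in the message above. The following is an added example (not code from the thread or from Fortinet): a small parser for that format, run over constructed sample lines, that picks out failed administrator logins. It assumes the lines carry a standard syslog PRI prefix such as <187>; the second sample line is made up for illustration.

```python
import re
from typing import Dict, List

# One key=value token: the value is either a double-quoted string (which may
# contain spaces, e.g. msg="...") or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict.

    Quoted values are unquoted. Anything that is not a key=value token
    (such as the syslog PRI prefix) is skipped by the regex.
    """
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def failed_admin_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that are failed administrator logins."""
    hits = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if (ev.get("type") == "event" and ev.get("subtype") == "admin"
                and ev.get("action") == "login" and ev.get("status") == "failed"):
            hits.append(ev)
    return hits


# Constructed sample input. The first line is the message quoted in the thread
# with an assumed PRI prefix; the second is an invented successful login.
SAMPLE_LINES = [
    '<187>date=2010-01-11 time=09:12:54 devname=x device_id=FG600B3908600180 '
    'log_id=0104041985 type=event subtype=admin pri=alert fwver=040000 vd=root '
    'user="quan.ta" ui=https(x) action=login status=failed reason="passwd_invalid" '
    'msg="Administrator quan.ta login failed from https(x) because of invalid password"',
    '<190>date=2010-01-11 time=09:13:10 devname=x device_id=FG600B3908600180 '
    'type=event subtype=admin pri=information vd=root user="admin" ui=https(x) '
    'action=login status=success msg="Administrator admin login successfully from https(x)"',
]

if __name__ == "__main__":
    for ev in failed_admin_logins(SAMPLE_LINES):
        print(f'{ev["date"]} {ev["time"]} failed admin login: user={ev["user"]} via {ev["ui"]} ({ev["reason"]})')
```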
emnoc
Esteemed Contributor III

Did you configure your "eventlog" options?

PCNSE NSE StrongSwan
Not applicable

Yes, I enabled all of the event logs.
emnoc
Esteemed Contributor III

Let me go over some of the other obvious issues: can you reach the syslog server from the firewall? Is there no other firewall in between preventing udp/514? On my 400A, I once had to disable and re-enable the syslog settings to get it running. This was under mr6p1 iirc. So you might want to uncheck and recheck the box or change the local facility setting.

PCNSE NSE StrongSwan
g3rman
New Contributor

Double check to make sure you have the correct routing to reach your Syslog server. Try pinging it from your firewall.
A Real World Fortinet Guide: Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
Not applicable

Yes, I can reach the Syslog server:
 # execute ping 172.16.32.99
 PING 172.16.32.99 (172.16.32.99): 56 data bytes
 64 bytes from 172.16.32.99: icmp_seq=0 ttl=64 time=0.1 ms
 64 bytes from 172.16.32.99: icmp_seq=1 ttl=64 time=0.1 ms
 64 bytes from 172.16.32.99: icmp_seq=2 ttl=64 time=0.1 ms
 64 bytes from 172.16.32.99: icmp_seq=3 ttl=64 time=0.1 ms
 64 bytes from 172.16.32.99: icmp_seq=4 ttl=64 time=0.1 ms
 
 --- 172.16.32.99 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max = 0.1/0.1/0.1 ms
 
 # execute traceroute 172.16.32.99
 traceroute to 172.16.32.99 (172.16.32.99), 32 hops max, 72 byte packets
  1  172.16.32.99  0 ms  0 ms  0 ms
 
I also tried to uncheck and re-check the 'Remote logging' box or change the 'facility' setting to 'alert' or 'auth' ... but it's still not working.
Not applicable

The problem is: regardless of a firewall between the Fortigate and the Syslog server, why didn't I see any packets depart from the Fortigate with 'diag sniffer packet' while I was generating some events?