Markus_Albisser
New Contributor II

FortiAuthenticator Syslog

Hi all

 

I am trying to send all the log messages I get in Logging -> Log Access -> Logs to a syslog server. But none of them arrived.

I have the syslog server configured with the IP address, the level is Debug (but also tried with Informational, there is no change. Anyway Debug should include everything above it, therefore also informational). For the Facility I tried a couple of things, such as syslog, local0, auth etc. 

Is there documentation on how the FortiAuthenticator sends out these log messages, and with which Facility? Is it possible in the same syslog server setting to send everything I get in the log file?

 

Thank you

Markus

seadave
Contributor III

We send to our FAZ and then send those to Syslog/Splunk. This is how you would do it under 6.0.3.

 

So I assume you created the Syslog server first under Log Config/Syslog Servers.  Leaving set to Information/User should work.  Is your syslog server expecting TCP/UDP or either?  Then go to Log Config/Log Settings.  Enable Remote Syslog.  Select the Syslog server you configured and click the arrow to move it to the right under Chosen Syslog Servers.  Click OK.  I'd log on and off a few times to see if that sends data. You could also reboot your FAC for the heck of it.

 

You should confirm the interface that connects to the segment that routes to your Syslog server has Syslog enabled as an option also.  System/Network/Interface.  Select your Port that will send Syslog and make sure it is green under Services.

Markus_Albisser

Hi seadave

 

Many thanks for your reply. You did a perfect first catch, the enabling of Syslog on the interface. I was not aware of that one, so I enabled it. Unfortunately I still don't see any packets arriving on the syslog server. The server uses udp/514 as the standard port to receive the syslog messages. I also tried sending syslog to a client where Wireshark is running; no Syslog packets arrive from the FA source IP address.

 

Do you have any more good ideas what it could be? Or should I open a case with Fortinet for this topic?

 

Thank you

Markus
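A small UDP receiver to run on the Wireshark host in place of the syslog server, added here as an example for this thread (not Fortinet code and not posted by either participant): it decodes each datagram's facility and severity from the PRI field, which answers the facility question from the opening post directly from the wire, and reports whether a server-side level filter would keep or drop each message. The FAC address 192.0.2.10, the hostname placeholder in the sample datagram and UDP/514 are assumptions.

```python
import re
import socket
from typing import Optional, Tuple

# Facility and severity names by code, per the syslog PRI encoding (RFC 3164/5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message: str) -> Optional[Tuple[str, str]]:
    """Return (facility, severity) from the leading <PRI> field; None if missing or invalid."""
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def passes_level(severity: str, configured_level: str) -> bool:
    """A level setting admits that severity and everything more severe; 'debug' admits all."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(configured_level)


def classify(source_ip: str, payload: bytes, expected_source: str, level: str) -> str:
    """Explain, for one datagram, whether it is the traffic we are waiting for."""
    if source_ip != expected_source:
        return f"ignored: unexpected source {source_ip}"
    decoded = decode_pri(payload.decode("utf-8", errors="replace"))
    if decoded is None:
        return "received from FAC but PRI header missing or malformed"
    facility, severity = decoded
    verdict = "would pass" if passes_level(severity, level) else "would be dropped by"
    return f"received {facility}.{severity}; {verdict} a server filter set to {level}"


def listen(expected_source: str, level: str = "debug", bind: str = "0.0.0.0", port: int = 514) -> None:
    """Bind UDP/514 (needs root, or pick a port above 1024) and report each datagram until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            payload, (src, _) = sock.recvfrom(8192)
            print(classify(src, payload, expected_source, level))


if __name__ == "__main__":
    # Constructed sample datagram (assumed FAC address 192.0.2.10); 134 = local0 (16*8) + info (6).
    sample = b"<134>Jan  1 00:00:00 fac-hostname-placeholder auth: sample message"
    print(classify("192.0.2.10", sample, "192.0.2.10", "info"))
```

Call `listen("192.0.2.10")` with the real FAC address to watch live traffic; if nothing is ever classified, the packets are not leaving the appliance, which separates a transport problem from a server-side filter problem.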

seadave

Hmm, that is odd.  You might log into the console and make sure "exec ping syslogip" to see if that works.  If that works then not sure.  I know that the data we get out of the FAC via our FAZ isn't super detailed.  But it is basic auth operations which is useful.  Also I wonder if enabling Syslog on an interface is for SSO incoming and not outgoing data?  I bet that is the case.  If you go to https://fachostname/debug you can see all of the debug logs which are far more detailed and critical for figuring things out such as RADIUS issues.  I see Syslog SSO there so I think that relates to receiving syslog from an interface for SSO events.

 

I'd try a reboot and if still nothing, yes I'd open a case with the TAC.

Markus_Albisser

Hi seadave

 

Thank you for that one. I then tried the ping and it worked. In the end I reloaded the box as requested, and this finally brought back the syslog messages. So once more, a reboot is always a good option!

 

This hint together with enabling syslog on the interface did the trick, thanks a lot for your help.

 

Best regards

Markus

seadave

That kind of stuff drives me crazy, but such is our profession :)  Glad you got it working.  The FAC is a good appliance and it saves you $1000s of dollars vs a Duo subscription.

Markus_Albisser

That's true :-). Such simple things: either it is a bug, or it is solved after a reboot.

 

Indeed, this FA now works perfectly for us as a RADIUS proxy/LDAP authentication, forwarding all the requests to a Microsoft NPS server and from there to Azure for MFA. Nice solution!
