Hi all
I am trying to send all the log message I get in Logging -> Log Access -> Logs to a syslog server. But none of them arrived.
I have the syslog server configured with the IP address, the level is Debug (but also tried with Informational, there is no change. Anyway Debug should include everything above it, therefore also informational). For the Facility I tried a couple of things, such as syslog, local0, auth etc.
Is there a documentation how the FortiAuthenticator sends out these log messages, with which Facility? Is it possible in the same syslog server setting to send everything I get in the log file?
Thank you
Markus
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hmm, that is odd. You might log into the console and make sure "exec ping syslogip" to see if that works. If that works then not sure. I know that the data we get out of the FAC via our FAZ isn't super detailed. But it is basic auth operations which is useful. Also I wonder if enabling Syslog on an interface is for SSO incoming and not outgoing data? I bet that is the case. If you go to https://fachostname/debug you can see all of the debug logs which are far more detailed and critical for figuring things out such as RADIUS issues. I see Syslog SSO there so I think that relates to receiving syslog from an interface for SSO events.
I'd try a reboot and if still nothing, yes I'd open a case with the TAC.
That's true :-). Such simple things, either it is a bug or than it is solved after a reboot.
Indeed, this FA now works perfectly for us to act as Radius proxy/LDAP authentication which forwards now all the request to a Microsoft NPS server and from there to Azure for MFA. Nice solution!
We send to our FAZ and then send those to Syslog/Splunk. This is how you would do it under 6.0.3.
So I assume you created the Syslog server first under Log Config/Syslog Servers. Leaving set to Information/User should work. Is your syslog server expecting TCP/UDP or either? Then go to Log Config/Log Settings. Enable Remote Syslog. Select the Syslog server you configured and click the arrow to move it to the right under Chosen Syslog Servers. Click OK. I'd log on and off a few times to see if that sends data. You could also reboot your FAC for the heck of it.
You should confirm the interface that connects to the segment that routes to your Syslog server has Syslog enabled as an option also. System/Network/Interface. Select your Port that will send Syslog and make sure it is green under Services.
Hi seadave
Many thanks for your reply. You did a perfect first catch, the enabling of Syslog in the interface. I was not aware of that one, so I enabled it. Unfortunately I still don't see any packets arriving on the syslog server. The server uses udp/514 as a standard port to get the syslog messages. I also checked to send syslog to a client where Wireshark is running, no Syslog packets arrives from the FA source IP address.
Do you have any more good ideas what it could be? Or should I open a case with Fortinet for this topic?
Thank you
Markus
Hmm, that is odd. You might log into the console and make sure "exec ping syslogip" to see if that works. If that works then not sure. I know that the data we get out of the FAC via our FAZ isn't super detailed. But it is basic auth operations which is useful. Also I wonder if enabling Syslog on an interface is for SSO incoming and not outgoing data? I bet that is the case. If you go to https://fachostname/debug you can see all of the debug logs which are far more detailed and critical for figuring things out such as RADIUS issues. I see Syslog SSO there so I think that relates to receiving syslog from an interface for SSO events.
I'd try a reboot and if still nothing, yes I'd open a case with the TAC.
Hi seadave
Thank you for that one. I then tried the ping it worked. At the end I reloaded the box as requested, this now finally brougut back the syslog messages. So once more, a boot is always a good option!
This hint together with enabling syslog on the interface did the trick, thanks a lot for your help.
Best regards
Markus
That kind of stuff drives me crazy, but such is our profession :) Glad you got it working. The FAC is a good appliance and it saves you $1000s of dollars vs a Duo subscription.
That's true :-). Such simple things, either it is a bug or than it is solved after a reboot.
Indeed, this FA now works perfectly for us to act as Radius proxy/LDAP authentication which forwards now all the request to a Microsoft NPS server and from there to Azure for MFA. Nice solution!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.