I have a unique situation. I am trying to configure our environment to use Fortinet for webfiltering. This includes our 3600c's as well as FortiClients. I have this configured except for one item. We need to be able to collect all FortiClient logs while the machine is off net. I know that sending logs to FAZ was an option and with the newest FortiClient, sending to a syslog server is now an option. I configured the remote logging settings within the FortiClient XML to send logs to a syslog server and it is working, kinda. The issue is that our syslog server is only accessible while on net. However the FortiClient sends the logs in realtime to the syslog server while off net, into the ether of the Interwebz which will never be seen by the syslog server.
So some initial thoughts, stand up a public-facing syslog server. I am not really entertaining this option. However, is there an option to queue logging until the FortiClient is back on net? Or, is there a way for the FortiClient to send logs back to another device, than would then log them to a syslog server? We do not have a FAZ but we have FortiManager.
Thanks
This is the full section for logging settings in the FortiClient XML configuration:
<forticlient_configuration> <system> <log_settings> <onnet_local_logging>[0|1]</onnet_local_logging> <level>6</level> <log_events>ipsecvpn,sslvpn,scheduler,update,firewall,av,clie ntmanager,proxy,shield,webfilter,endpoint,fssoma,wanacc, configd,vuln</log_events> <remote_logging> <log_upload_enabled>0</log_upload_enabled> <log_upload_server>0.0.0.0</log_upload_server> <log_upload_ssl_enabled>1</log_upload_ssl_enabled> <log_upload_freq_minutes>90</log_upload_freq_minutes> <log_retention_days>90</log_retention_days> <log_upload_freq_hours>1</log_upload_freq_hours> <log_last_upload_date>0</log_last_upload_date> <log_protocol>syslog</log_protocol> <!-- faz | syslog --> <netlog_server></netlog_server> <!-- server IP address --> <netlog_categories>7</netlog_categories> </remote_logging> </log_settings> </system> </forticlient_configuration>
It doesn't look like you can make the distinction you're looking for.
Regards, Chris McMullan Fortinet Ottawa
There is an option to upload logs to FortiAnalyzer, but I have also seen where that could be to a FortiManager. Is that correct? If so, is there a way FortiManager could send those logs to a syslog server?
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.