Hi everyone, bear with me as I’m not a network admin, just a security analyst, and I’d like to ask for your help.
I’m receiving FG logs in the log management system we have (Graylog) through Syslog. I cannot configure any of this, I just want to make use of the logs for dashboards and alerts in the log management. The FortiGates that log into Graylog seem to send logs in batches (multiple logs in one message, usually about 65k chars long, last log that would reach the treshold would be incomplete and cut in a random spot). Both Graylog and Syslog don’t know how to deal with this sort of message or how to parse it into singular messages.
Is there a way to configure either FGs to send logs one by one or to make the receiving devices understand these logs? What are your general best practices or have you even encounter this behaviour before? Would sending logs one by one put a big load on the firewall and receivers and also on the network?
Thanks for your opinions and ideas in advance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Goudd
I guess you are sending via TCP, that's why such parsing issue.
I hope the below tech tip will help.
Hello,
Also you can use filter on FGT:
https://docs.fortinet.com/document/fortigate/7.4.3/cli-reference/437620/config-log-eventfilter
https://docs.fortinet.com/document/fortigate/7.4.3/cli-reference/450620/config-log-setting
BR
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1548 | |
1032 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.