I work at an MSSP and am trying to get my client's FortiGate 100D to send its logs to our syslog server. The server is listening on 514 TCP and UDP and is configured to receive the logs.
FortiOS Version: 5.4.3,build 1111
The Fortigate is configured in the CLI with the following settings:
get log syslogd setting
status : enable
server : 10.0.0.152
reliable : disable
port : 514
csv : disable
facility : local0
It is configured to log all events in the GUI (Local Traffic Log and Event Logging) and the log graph shows about 100MB of logs per day.
Logs are set to be stored on the Disk, Local Reports are disabled, logs are not sent to FortiAnalyzer, and logs are sent to my customer's FortiCloud account, but I cannot find any documentation that would say that sending them to FortiCloud would prevent them from being sent to a syslog server.
The syslog server, however, is not receiving the logs. Doing traffic dumps on a device with a SPAN/mirror port shows that the FortiGate is not even attempting to send the logs; there is no record of any traffic going from it to the syslog server.
Is there any reason that the FortiGate will not send them? The configuration appears correct.
Everything in the GUI for Local Traffic Log and Event Logging is enabled and this is the output of the syslogd filter:
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set filter ''
set filter-type include
How would I check whether logging is enabled on the firewall policy? I can see logs in the GUI for my account logging in and out and failed logins.
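Added example, not part of the original post and not Fortinet's own code: a receiver-side check for the setup described above. It decodes the RFC 3164 PRI header (facility * 8 + severity) so the syslog operator can confirm that whatever does arrive on 514/UDP from 10.0.0.152 carries facility local0 and nothing noisier than severity "information" (6), as the syslogd settings and filter above require. The sample lines are constructed FortiOS-style messages, not captures from the poster's device.

```python
"""Receiver-side sanity check for FortiGate syslog forwarding (added example).

The FortiGate above is set to facility local0 (code 16) and a severity floor of
'information' (6), so every datagram it emits should start with <134>."""
import re
import socket

PRI_RE = re.compile(r"^<(\d{1,3})>")


def facility_name(code):
    """Map a numeric syslog facility to its name (local0..local7 are 16..23)."""
    standard = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                10: "authpriv", 11: "ftp"}
    return f"local{code - 16}" if 16 <= code <= 23 else standard.get(code, f"facility{code}")


def parse_pri(line):
    """Return (facility, severity) from a raw syslog line, or None without a valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = local7 * 8 + debug, the maximum PRI
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def check_message(line, expected_facility="local0", max_severity=6):
    """Classify one received line against the configured syslogd settings."""
    parsed = parse_pri(line)
    if parsed is None:
        return "no-pri"
    facility, severity = parsed
    if facility_name(facility) != expected_facility:
        return "wrong-facility"
    if severity > max_severity:  # larger number = less severe; 7 is debug
        return "too-verbose"
    return "ok"


def listen(bind_addr="0.0.0.0", port=514, expected_source="10.0.0.152", count=5):
    """Receive `count` datagrams from the FortiGate and return their verdicts."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))  # binding to 514 needs elevated privileges
    verdicts = []
    while len(verdicts) < count:
        data, (src, _) = sock.recvfrom(8192)
        if src == expected_source:  # ignore every other device sharing the collector
            verdicts.append(check_message(data.decode("utf-8", "replace")))
    return verdicts


# Constructed FortiOS-style lines, not captured from the poster's device.
SAMPLES = [
    '<134>date=2017-01-01 time=00:00:00 devname=FGT100D type=event subtype=system level=information msg="constructed"',
    "<142>date=2017-01-01 time=00:00:01 devname=FGT100D type=traffic subtype=local level=information",
    "<135>date=2017-01-01 time=00:00:02 devname=FGT100D type=event subtype=system level=debug",
]
```

If `listen()` never returns while the SPAN capture also shows nothing, the fault is on the sending side (the FortiGate is not emitting), not in the collector's parsing or filtering.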