Support Forum
ksapeth
New Contributor

Fortigate 100D Not Sending Logs to Syslog Server

I work at an MSSP and am trying to get my client's FortiGate 100D to send its logs to our syslog server. The server is listening on 514 TCP and UDP and is configured to receive the logs.

 

FortiOS Version: 5.4.3, build 1111

 

The Fortigate is configured in the CLI with the following settings:

 

get log syslogd setting
status : enable
server : 10.0.0.152
reliable : disable
port : 514
csv : disable
facility : local0

 

It is configured to log all events in the GUI (Local Traffic Log and Event Logging) and the log graph shows about 100MB of logs per day. 

 

Logs are set to be stored on the disk, local reports are disabled, logs are not sent to FortiAnalyzer, and logs are sent to my customer's FortiCloud account, but I cannot find any documentation that would say that sending them to FortiCloud would prevent them from being sent to a syslog server.

 

The syslog server, however, is not receiving the logs. Doing traffic dumps on a device with a SPAN/mirror port shows that the FortiGate is not even attempting to send the logs; there is no record of any traffic going from it to the syslog server.

 

Is there any reason that the FortiGate will not send them? The configuration appears correct.

ksapeth
New Contributor

Everything in the GUI for Local Traffic Log and Event Logging is enabled and this is the output of the syslogd filter:

set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set filter ''
set filter-type include

How would I check for having logging enabled on a firewall policy? I can see logs in the GUI for my account logging in and out and for failed logins.

emnoc
Esteemed Contributor III

( cli )

 

show full firewall policy | grep -C 4 log

 

 

Also, I would check whether memory logging shows anything.

 

( cli )

 

execute log filter dev ?   (select memory, typically "0")

execute log filter cat 0

execute log display

execute log filter cat 1

execute log display

 

Ken

 

PCNSE 

NSE 

StrongSwan  

ksapeth
New Contributor

I ran "show full firewall policy | grep -c 4 log" and the output was just the word "log"

 

For the memory logging, both execute log display commands returned 0 logs found and 0 logs returned.

 

 

emnoc
Esteemed Contributor III

You have no firewall policy with logging on. Can you enable it on some high-traffic firewall policy?

 

See this blog post for the CLI command and a firewall policy with logging enabled, plus log-start if you want to log the start of the session.

 

This (log start) will display the session ID at the start and before the close action for the session.

 http://socpuppet.blogspot...ffic-start-enable.html

Ken

 

PCNSE 

NSE 

StrongSwan  

ksapeth
New Contributor

What exactly does this do? Does the lack of a firewall policy with logging mean that is what prevents the logs from being sent?

 

Since this is not my firewall I just want to be careful with what I am touching. Editing a firewall policy configuration seems like a change I would want to review with my customer first.

emnoc
Esteemed Contributor III

Your goal is to check logging via syslog, right? So you need some action that raises a log event.

 

e.g

 

fw.traffic

cfg-change

user authentication (web GUI/SSH)

 

So generate some activity and validate memory logging first, then syslog. To address your concerns: yes, a firewall policy change should be handled through a CRB setting, even though it's very low-impact/generic in nature.

 

So try  the following

 

1: make 3-6 login attempts and fail them

2: monitor the log MEMORY

3: if successful, repeat but monitor SYSLOG

 

PCNSE 

NSE 

StrongSwan  

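The procedure above (raise an event, confirm it in memory, then confirm it at the syslog server) still needs something on the receiving end that can tell "nothing arrived" from "events arrived but no traffic records did", which is exactly the distinction that pointed at the missing policy logging in this thread. The following is an added example, not code from the forum or from Fortinet: a small Python receiver/parser for the FortiOS default key=value syslog format. The sample records are constructed for illustration and the `<PRI>` values, device name and IPs are made up; the facility/severity split follows RFC 3164 and the policy-side hint refers to the real `set logtraffic` policy option.

```python
"""Sanity-check a FortiOS syslog feed: what is arriving, and which log types.

Added example for this thread, not the poster's or Fortinet's code. Assumes the
FortiOS default (key=value) syslog format and, for live use, a UDP listener.
"""
import re
import socket
from collections import Counter

# key=value pairs; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Optional RFC 3164 priority prefix, e.g. <133> = facility 16 (local0), severity 5.
_PRI = re.compile(r'^<(\d{1,3})>')


def parse_record(line):
    """Parse one FortiOS syslog record into a dict (PRI split into facility/severity)."""
    fields = {}
    m = _PRI.match(line)
    if m:
        pri = int(m.group(1))
        fields["pri"] = pri
        fields["facility"] = pri // 8
        fields["severity"] = pri % 8
        line = line[m.end():]
    for key, val in _KV.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def summarize(lines):
    """Count records by (type, subtype) and collect the distinct devnames seen."""
    counts = Counter()
    devices = set()
    for line in lines:
        rec = parse_record(line)
        if "type" not in rec:
            continue  # not a FortiOS key=value record (some other sender)
        counts[(rec["type"], rec.get("subtype", ""))] += 1
        if "devname" in rec:
            devices.add(rec["devname"])
    return counts, devices


def diagnose(lines):
    """Return findings mirroring the thread's checks.

    - nothing at all arriving: the FortiGate is not sending (or never reaches us)
    - event logs but no traffic logs: no firewall policy has logging enabled
    """
    counts, _ = summarize(lines)
    if not counts:
        return ["no FortiOS records received"]
    types = {t for t, _ in counts}
    findings = []
    findings.append("event logs present" if "event" in types
                    else "no event logs: generate failed logins / cfg changes")
    findings.append("traffic logs present" if "traffic" in types
                    else "no traffic logs: check 'set logtraffic' on firewall policies")
    return findings


def receive(port=514, max_records=50, timeout=30.0):
    """Collect up to max_records raw UDP syslog datagrams (binding 514 needs root)."""
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        s.settimeout(timeout)
        try:
            while len(lines) < max_records:
                data, _ = s.recvfrom(65535)
                lines.append(data.decode("utf-8", "replace").rstrip("\n"))
        except socket.timeout:
            pass
    return lines


# Constructed sample records (not real logs) in FortiOS 5.x default format,
# facility local0 as in the thread: <129> = local0.alert, <133> = local0.notice.
SAMPLE = [
    '<129>date=2018-03-01 time=10:15:02 devname=FGT100D-LAB devid=FG100D0000000000 '
    'logid=0100032002 type=event subtype=system level=alert vd=root '
    'logdesc="Admin login failed" user="admin" ui=https(10.0.0.9) '
    'action=login status=failed reason="passwd_invalid" '
    'msg="Administrator admin login failed from https(10.0.0.9) because of invalid password"',
    '<133>date=2018-03-01 time=10:15:40 devname=FGT100D-LAB devid=FG100D0000000000 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=root '
    'srcip=192.168.1.20 srcport=51522 dstip=93.184.216.34 dstport=443 proto=6 '
    'action=accept policyid=1 sentbyte=1400 rcvdbyte=5200',
]

if __name__ == "__main__":
    # Swap SAMPLE for receive() to check a live feed after the failed-login test.
    for finding in diagnose(SAMPLE):
        print(finding)
```

On a live box, run `diagnose(receive())` while repeating the failed-login test; seeing "event logs present" but "no traffic logs" reproduces the state of this thread, while an empty result with the `diag sniffer` showing packets leaving the FortiGate points at the path between the two hosts rather than at the firewall's logging configuration.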
ksapeth
New Contributor

Just want to update this for others with the problem. Upgrading the FortiGate from 5.4.3 build 1111 to 5.6.4 build 1575 fixed the problem, and syslog started sending once the update was completed.

Yuvi
New Contributor

Hi,

 

We have a 500E FGT which we recently upgraded from 6.0.2 to 6.0.4; since then it's not sending any events to the SolarWinds syslog server.

 

Below is the output of syslogd settings

status : enable
server : 10.0.0.4
mode : udp
port : 514
facility : local7
source-ip :
format : default

 

I also see n number of packets when I run the below command:

diag sniffer packet any 'dst 10.0.0.4' 4 0

 

When I look at the LEM console in SolarWinds it says it's not receiving logs from the firewall for 10 days (basically it stopped sending after the upgrade date).

 

Any help is appreciated!

 

Thanks

 
