Fortigate 200D - Log Forwarding Traffic to remote syslog server
Hi,
We are having some issues logging Forwarded Traffic (most important for us) to a remote syslog server (Splunk).
What we have done so far:
Log & Report -> Log Settings: (image attached)
IE-SV-For01-TC (setting) # show full-config
config log syslogd setting
    set status enable
    set server "192.168.1.160"
    set reliable disable
    set port 9998
    set csv disable
    set facility local0
    set source-ip 0.0.0.0
end
IE-SV-For01-TC (filter) # get
severity : information
forward-traffic : enable
local-traffic : enable
multicast-traffic : enable
sniffer-traffic : enable
anomaly : enable
netscan-discovery : enable
netscan-vulnerability: enable
voip : enable
Logging Options on the Policy & Objects -> Policy -> IPv4 is set to All sessions
I also installed the Fortigate app & add-on for Splunk and I can see only fgt_event logged to the remote syslog.
Jan 26 10:33:34 192.168.1.150 date=2017-01-26 time=10:33:34 devname=fortigate devid=FG200D4Q16809336 logid=0100040704 type=event subtype=system level=notice vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=15 totalsession=217 disk=1 bandwidth=10/88 setuprate=0 disklograte=0 fazlograte=0 msg="Performance statistics: average CPU: 0, memory: 15, concurrent sessions: 217, setup-rate: 0"
Can you please help us to log the traffic to remote syslog?
Regards,
Andrzej
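A quick way to check what the remote syslog server is actually receiving, as an added example (not the poster's code and not part of the Fortinet app or add-on): a small Python parser for FortiGate's key=value record format that tallies records by type/subtype and reports whether any forward-traffic records have arrived. The first sample line is the perf-stats record quoted above; the second is a constructed traffic record whose policy id, addresses, ports and byte counts are assumed values, not taken from the post.

```python
import re
from collections import Counter

# FortiGate syslog records are space-separated key=value pairs; values that
# contain spaces are double-quoted (e.g. logdesc="System performance statistics").
_KV_RE = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample input: the perf-stats line from the post above (real), plus a
# constructed traffic/forward record with assumed field values.
PERF_STATS_LINE = (
    'Jan 26 10:33:34 192.168.1.150 date=2017-01-26 time=10:33:34 devname=fortigate '
    'devid=FG200D4Q16809336 logid=0100040704 type=event subtype=system level=notice '
    'vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=15 '
    'totalsession=217 disk=1 bandwidth=10/88 setuprate=0 disklograte=0 fazlograte=0 '
    'msg="Performance statistics: average CPU: 0, memory: 15, concurrent sessions: 217, '
    'setup-rate: 0"'
)
TRAFFIC_LINE = (  # constructed example, not from the post
    'Jan 26 10:35:02 192.168.1.150 date=2017-01-26 time=10:35:02 devname=fortigate '
    'devid=FG200D4Q16809336 logid=0000000013 type=traffic subtype=forward level=notice '
    'vd="root" srcip=192.168.10.25 srcport=51234 srcintf="internal" dstip=203.0.113.10 '
    'dstport=443 dstintf="wan1" sessionid=1234567 proto=6 action=accept policyid=5 '
    'service="HTTPS" sentbyte=1832 rcvdbyte=9460 duration=12'
)
SAMPLE_LINES = [PERF_STATS_LINE, TRAFFIC_LINE]


def parse_fortigate_line(line: str) -> dict:
    """Parse one syslog line into a dict of FortiGate fields.

    The syslog header Splunk prepends ("Jan 26 10:33:34 192.168.1.150") contains
    no '=' so the regex skips it. Quoted values are returned without the quotes.
    """
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def count_by_type(lines) -> Counter:
    """Count records per (type, subtype) pair, e.g. ('traffic', 'forward')."""
    counts = Counter()
    for line in lines:
        rec = parse_fortigate_line(line)
        if "type" in rec:
            counts[(rec["type"], rec.get("subtype", ""))] += 1
    return counts


def forward_traffic_seen(lines) -> bool:
    """True if at least one forward-traffic record is present in the capture."""
    return count_by_type(lines)[("traffic", "forward")] > 0


if __name__ == "__main__":
    for (rtype, subtype), n in sorted(count_by_type(SAMPLE_LINES).items()):
        print(f"{rtype}/{subtype}: {n}")
    print("forward traffic seen:", forward_traffic_seen(SAMPLE_LINES))
```

Feed it a few minutes of lines from the syslog receiver (or from a packet capture on UDP port 9998, the port configured above); if only event/system records show up, the syslogd filter or the per-policy logging setting is the place to look, and if traffic records are simply late, the counts will fill in as sessions close.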
Sorry Guys,
All works fine with the above settings. There was a slight delay between the Fortigate and the Splunk server; that's why we didn't see any traffic packets coming.
Glad to hear it works
