Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Salas
New Contributor

IPS logs nots send to Syslog server

With firmware 5.2.1, 5.2.3, 5.2.4 IPS log are not sent to syslog device, also IPS alerts are not sending to email address.

Tested with Fortigate 60D, and 600C.

Also syslog filter became very limited:

 The example with 5.0.6, and 5.2.1

 

5.2.1

XX (filter) # set ? severity                 Lowest severity level to log. forward-traffic          Enable/disable log through traffic messages. local-traffic            Enable/disable log local in or out traffic messages. multicast-traffic        Enable/disable log multicast traffic messages. sniffer-traffic          Enable/disable log sniffer traffic messages. anomaly                  Enable/disable log anomaly messages. netscan-discovery        Enable/disable log netscan discovery events. netscan-vulnerability    Enable/disable log netscan vulnerability events. voip                     Enable/disable log VoIP messages. 5.0.6 (filter) # set ? analytics                         Enable/disable log analytics submitted messages. anomaly                           Enable/disable log attack anomaly messages. app-ctrl                          Enable/disable log application control. app-ctrl-all                      Enable/disable log application control (subcategory). attack                            Enable/disable log attack messages. blocked                           Enable/disable log filename blocked messages. discovery                         Enable/disable log netscan discovery events. dlp                               Enable/disable log DLP events. dlp-all                           Enable/disable log DLP match subcategories of DLP events. dlp-docsource                     Enable/disable log all document source scanning DLP events. email                             Enable/disable log email filter messages. email-log-google                  Enable/disable log Gmail email messages. email-log-imap                    Enable/disable log IMAP spam email detected messages. email-log-msn                     Enable/disable log MSN email messages. email-log-pop3                    Enable/disable log POP3 spam email detected messages. email-log-smtp                    Enable/disable log SMTP spam email detected messages. email-log-yahoo                   Enable/disable log Yahoo email messages. forward-traffic                   Enable/disable log through traffic messages. ftgd-wf-block                     Enable/disable log FortiGuard Web Filter block messages. ftgd-wf-errors                    Enable/disable log FortiGuard Web Filter error messages. infected                          Enable/disable log virus infected messages. local-traffic                     Enable/disable log local in or out traffic messages. multicast-traffic                 Enable/disable log multicast traffic messages. netscan                           Enable/disable log network vulnerability scanning events. oversized                         Enable/disable log file oversized messages. scanerror                         Enable/disable log virus scan error messages. severity                          Lowest severity level to log. signature                         Enable/disable log attack signature messages. suspicious                        Enable/disable log virus suspicious messages. switching-protocols               Enable/disable log file switching protocols messages. traffic                           Enable/disable log traffic messages. url-filter                        Enable/disable log URL filter messages. virus                             Enable/disable log virus messages. voip                              Enable/disable log VoIP messages. vulnerability                     Enable/disable log netscan vulnerability events. web                               Enable/disable log web filter messages. web-content                       Enable/disable log web content block messages. web-filter-activex                Enable/disable log ActiveX block messages. web-filter-applet                 Enable/disable log Java applet block messages. web-filter-command-block          Enable/disable log web filter command block messages. web-filter-cookie                 Enable/disable log cookie block messages. web-filter-ftgd-quota Enable/disable log daily FortiGuard web filter quota levels. web-filter-ftgd-quota-counting    Enable/disable log FortiGuard web filter quota counting messages. web-filter-ftgd-quota-expired     Enable/disable log FortiGuard web filter quota expired messages. web-filter-script-other           Enable/disable log other script filter messages.

 

6 REPLIES 6
jintrah_FTNT
Staff
Staff

Hi,

 

Are the IPS logs seen from FortiGate GUI? Did the issue occur after an upgrade to 5.2.x? or is this a new setup running 5.2.x?

 

Regards,

Salas
New Contributor

Yes, in GUI IPS logs are shown.

This occurs no matter upgrade or new setup.

 

Salas
New Contributor

After enabling "forward-traffic" in syslog filter, IPS messages are reaching syslog server, but IPS alert by e-mail still not working.

But now my syslog server is beeing flooded with traffic messages, which are useless for me.

In old firmwares everything was woking without enabling forward-traffic. I don't understand, why new firmwares came with reduced functionality ?

 

 

Salas
New Contributor

Yes anomaly is enabled, but it is not enought :(

Only when forward-traffic is enabled, IPS messages are being send to syslog server.

By the way, if i remmember correctly, after my  Fortigate 600C device was upgraded from 5.0.7 to 5.2.1 firmware, the forward-traffic was turned on automatically, and started flooding my syslog server with traffic messages, but i disabled it, because i don't need it.

 

Salas
New Contributor

Anomaly is enabled, but it'is not enough.

Fortigate support confirmed,  it's bug, and will be corrected in future firmware realseses.

 

AtiT
Valued Contributor

Hi,

Do you have anomaly enabled under the filter?

My understanding of the documentation it should be enough to log attacks:

http://help.fortinet.com/fgt/handbook/cli52_html/index.html#page/FortiOS%25205.2%2520CLI/config_log....

 

 

 

AtiT

AtiT
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors