solo1
New Contributor II

Syslog from Fortigate 40F to Syslog Server with TCP

I have purchased a Fortigate 40F that I have put at a small office.


I want to send syslogs to a Syslog Server with TCP. I managed to send syslog using UDP protocol, however when I switch to TCP protocol it stops working (with no error message).


The setup:

[image: fortilogs.png, diagram of the setup]

Config for syslogd settings:

config log syslogd setting
    set status enable
    set server "81.164.196.77"
    set mode reliable
    set facility syslog
end

Google Cloud Platform compute engine:

I have created a compute engine VM instance with Ubuntu 24.04.
I have tagged the compute engine with network tag "collector".

Google Cloud Platform firewall:
I have created a Firewall rule named "collector-allow-ingest" with

  • target tags=collector
  • source filters ip ranges=0.0.0.0/0
  • protocols and ports: tcp:514, udp:601

This rule applies to the compute engine "collector".


Log-receiving software on the Compute Engine instance
The compute engine runs LimaCharlie Adapter (https://downloads.limacharlie.io/adapter/linux/64) to receive syslog.


I start it with the following:

chmod +x ./lc_adapter
./lc_adapter syslog client_options.identity.installation_key=a-b-c-d-e client_options.identity.oid=f-g-h-i-j client_options.platform=text client_options.hostname=fortigate-40f client_options.sensor_seed_key=fortigate-40f port=514 iface=0.0.0.0 is_udp=false

Please help me debug this issue

I am a bit lost on how to debug this issue. Especially since it works with UDP. I have the same setup for a Palo Alto PA-440 firewall, and that works fine with TCP.

hbac
Staff

Hi @solo1,

You can run the packet sniffer to see if the FortiGate is communicating with the syslog server:

diagnose sniffer packet any 'port 514' 6 0 l

Regards,

solo1
New Contributor II

Thank you for the tip with packet sniffing. I did this, and to me it looks like the firewall is sending communication on protocol RSH (?) to the server. The server sends an ACK back on TCP?

I ran this command in Ubuntu:

sudo tcpdump -c 100 -w /opt/ladapter/514.pcap -i ens4 port 514

I downloaded the file from the server and opened it in Wireshark on my Windows computer:

[image: TC.png, Wireshark capture of the TCP session on port 514]

Client > Server Data

<45>date=2024-06-27 time=10:40:57 devname="my-fortigate" devid="FGT40FTK2209B06Q" eventtime=1719477657419235659 tz="+0200" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::c13:848b:a999:17b srcport=5353 srcintf="wan" srcintfrole="wan" dstip=ff02::fb dstport=5353 dstintf="unknown-0" dstintfrole="undefined" replysrcintf="root" sessionid=31439361 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" msg="Connection Failed"

514 > 31976 [ACK] Seq=1 Ack=1199 Win=1571 Len=0

PaulRoberts
New Contributor III

At first blush it looks like this is yet another case of the Fortinet maybe not picking the appropriate origin interface. Assuming you have a private network address assigned to an "internal" interface of your FTG, fix this by adding "set interface portn" to the config log syslogd setting stanza so that it will send using that interface and address.

smaruvala

Hi,

From this it looks like the firewall is sending the data but the syslog server is not able to display or parse it. So it could be an issue with the format, or you can try changing the mode as well, as @pminarik mentioned.

Regards,

Shiva

solo1
New Contributor II

Where should the set interface portn command be set?

I tried the following:

config log syslogd setting
show

Output:

config log syslogd setting
    set status enable
    set server "87.151.233.187"
    set mode reliable
    set facility syslog
end

Next I tried to set the interface:

set interface port1

and I got:

command parse error before 'port1'
Command fail. Return code -61


fdsantos

Hello,

You may try to set "interface-select-method" to "specify" and then kindly configure the interface afterwards.

config log syslogd setting
    set interface-select-method specify
    set interface port1
end

Thank you

solo1
New Contributor II

I did the following:

set interface-select-method specify

This gave:

show
config log syslogd setting
    set status enable
    set server "87.151.233.187"
    set mode reliable
    set facility syslog
    set interface-select-method specify
end

When I tried to set port1 it gave me an error:

set interface port1

Error:

entry not found in datasource
value parse error before 'port1'
Command fail. Return code -3


fdsantos

Hello,

Is port1 in the list of your system interfaces? You may want to check whether it is part of a hardware or software switch or of any logical interface; if so, kindly use that instead of port1.

Thank you.

pminarik
Staff

There are two ways of doing Syslog over TCP, RFC 3195 and RFC 6587. Do you know which one your Syslog server expects?

More info + how to switch between the two:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-change-port-and-protocol-for-Syslog...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-syslog-via-TCP-and-log-par...

[ corrections always welcome ]
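As an added example (not code from the thread, from Fortinet or from LimaCharlie), here is the receiver-side logic a TCP syslog collector needs for the framing question raised above: RFC 6587 allows either octet-counting or LF-terminated non-transparent framing, and a collector expecting one will not display records sent in the other even though the TCP session is established and ACKed. The sample record is a constructed, shortened version of the FortiGate line in the capture; the function and variable names are the example's own.

```python
import re

# RFC 6587 allows two framings for syslog on a TCP stream:
#   octet-counting:          b"<MSG-LEN> <PRI>..."   (length, a space, MSG-LEN bytes)
#   non-transparent framing: b"<PRI>...\n"           (terminated by LF or CRLF)
# A collector configured for one silently misreads the other: the TCP session
# is up and ACKed (as in the capture above) but no records are displayed.
_OCTET_COUNT = re.compile(rb"^(\d{1,6}) ")
_KV = re.compile(rb'(\w+)=("([^"]*)"|\S+)')

def split_frames(buf: bytes):
    """Split a TCP byte stream into complete syslog messages, detecting the
    framing per frame. Returns (messages, remainder); the remainder is an
    incomplete frame to keep until more bytes arrive on the socket."""
    messages = []
    while buf:
        m = _OCTET_COUNT.match(buf)
        if m and buf[m.end():m.end() + 1] == b"<":
            # Octet-counting: the header states exactly how many bytes follow.
            length, start = int(m.group(1)), m.end()
            if len(buf) < start + length:
                break  # partial frame, wait for more data
            messages.append(buf[start:start + length])
            buf = buf[start + length:]
        else:
            # Non-transparent framing: the message runs up to the next LF.
            nl = buf.find(b"\n")
            if nl < 0:
                break
            messages.append(buf[:nl].rstrip(b"\r"))
            buf = buf[nl + 1:]
    return messages, buf

def parse_fortigate(msg: bytes) -> dict:
    """Parse one FortiGate key=value record (like the one in the capture above)
    into a dict with the PRI value and every key=value / key="quoted" field."""
    pri_end = msg.index(b">") + 1 if msg.startswith(b"<") else 0
    fields = {"pri": int(msg[1:pri_end - 1]) if pri_end else None}
    for key, raw, quoted in _KV.findall(msg[pri_end:]):
        fields[key.decode()] = (quoted if raw.startswith(b'"') else raw).decode()
    return fields

# Constructed sample: a shortened FortiGate record sent twice in each framing,
# with each stream ending in a partial frame that must be buffered, not lost.
SAMPLE_MSG = (b'<45>date=2024-06-27 time=10:40:57 devname="my-fortigate" '
              b'logid="0001000014" type="traffic" action="deny" msg="Connection Failed"')
OCTET_STREAM = (b"%d %s" % (len(SAMPLE_MSG), SAMPLE_MSG)) * 2 + b"12 <45>part"
LF_STREAM = SAMPLE_MSG + b"\r\n" + SAMPLE_MSG + b"\n" + b"<45>partial"
```

split_frames(OCTET_STREAM) and split_frames(LF_STREAM) each return the two complete records plus the unfinished tail, so a collector built on this loop does not lose the partial frame at a segment boundary.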