I have purchased a Fortigate 40F that I have put at a small office.
I want to send syslogs to a Syslog Server with TCP. I managed to send syslog using UDP protocol, however when I switch to TCP protocol it stops working (with no error message).
The setup:
Config for syslogd settings:
config log syslogd setting
set status enable
set server "81.164.196.77"
set mode reliable
set facility syslog
end
Google Cloud Platform compute engine:
I have created a compute engine VM instance with Ubuntu 24.04.
I have tagged the compute engine with network tag "collector".
Google Cloud Platform firewall:
I have created a Firewall rule named "collector-allow-ingest" with
This rule applies to the compute engine "collector".
Log receiving software at Compute Engine Instance
The compute engine runs LimaCharlie Adapter (https://downloads.limacharlie.io/adapter/linux/64) to receive syslog.
I start it with the following:
chmod +x ./lc_adapter
./lc_adapter syslog client_options.identity.installation_key=a-b-c-d-e client_options.identity.oid=f-g-h-i-j client_options.platform=text client_options.hostname=fortigate-40f client_options.sensor_seed_key=fortigate-40f port=514 iface=0.0.0.0 is_udp=false
Please help me debug this issue
I am a bit lost on how to debug this issue. Especially since it works with UDP. I have the same setup for a Palo Alto PA-440 firewall, and that works fine with TCP.
Hi @solo1,
You can run packet sniffer to see if FortiGate is communicating with syslog server:
diagnose sniffer packet any 'port 514' 6 0 l
Regards,
Thank you for the tip with packet sniffing. I did this and for me it looks like the firewall is sending communication on protocol RSH (?) to the server. The server sends ACK back on TCP?
I ran this command in Ubuntu:
sudo tcpdump -c 100 -w /opt/ladapter/514.pcap -i ens4 port 514
I downloaded the file from the server and opened in Wireshark on my Windows computer:
Client > Server Data
<45>date=2024-06-27 time=10:40:57 devname="my-fortigate" devid="FGT40FTK2209B06Q" eventtime=1719477657419235659 tz="+0200" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::c13:848b:a999:17b srcport=5353 srcintf="wan" srcintfrole="wan" dstip=ff02::fb dstport=5353 dstintf="unknown-0" dstintfrole="undefined" replysrcintf="root" sessionid=31439361 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" msg="Connection Failed"
514 > 31976 [ACK] Seq=1 Ack=1199 Win=1571 Len=0
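An added example, not code from this thread: a receiver-side parser for the FortiGate record shown in the capture. Wireshark labels TCP/514 as RSH only because of its default port mapping; the payload is still a syslog message, and over TCP the receiver has to split the byte stream into messages itself (RFC 6587 octet-counting or LF framing; the code handles both, and which one the FortiGate uses in reliable mode can be confirmed in the capture). The sample record is a constructed, shortened copy of the one above.

```python
import re

# Constructed sample: the record from the capture above, shortened to a few fields
SAMPLE = ('<45>date=2024-06-27 time=10:40:57 devname="my-fortigate" devid="FGT40FTK2209B06Q" '
          'logid="0001000014" type="traffic" level="notice" srcip=fe80::c13:848b:a999:17b '
          'srcport=5353 action="deny" policyid=0 msg="Connection Failed"')

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; a value is either "quoted, may contain spaces" or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(line):
    """Split the <PRI> header into (facility, severity, rest) per RFC 5424."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid <PRI> header")
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]

def parse_fortigate(line):
    """Parse one FortiGate key=value record into facility, severity and fields."""
    facility, severity, body = parse_pri(line)
    fields = {}
    for key, value in KV_RE.findall(body):
        if value.startswith('"'):
            value = value[1:-1]  # strip the quotes, keep inner spaces
        fields[key] = value
    return {"facility": facility, "severity": SEVERITY[severity], "fields": fields}

def split_frames(buf):
    """Split a TCP byte buffer into complete messages (RFC 6587); returns (msgs, leftover)."""
    msgs = []
    while buf:
        m = re.match(rb"(\d+) ", buf)
        if m:  # octet-counting: decimal length, a space, then the message
            start, n = m.end(), int(m.group(1))
            if len(buf) < start + n:
                break  # message not fully received yet
            msgs.append(buf[start:start + n].decode())
            buf = buf[start + n:]
        else:  # non-transparent framing: the message ends at LF
            nl = buf.find(b"\n")
            if nl < 0:
                break  # partial message, keep it for the next read
            msgs.append(buf[:nl].decode())
            buf = buf[nl + 1:]
    return msgs, buf
```

The `<45>` header decodes to facility 5 (syslog) and severity notice, which matches `set facility syslog` in the config and level="notice" in the record.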
At first blush it looks like this is yet another case of the Fortinet maybe not picking the appropriate origin interface. Assuming you have a private network address assigned to an "internal" interface of your FTG, fix this by adding "set interface portn" to the config log syslogd setting stanza so that it will send using that interface and address.
Hi,
From this it looks like the firewall is sending the data but syslog is not able to display or parse it. So it could be an issue with format or you can try to change mode as well as @pminarik mentioned.
Regards,
Shiva
Where should the set interface portn command be set?
I tried the following:
config log syslogd setting
show
output:
config log syslogd setting
set status enable
set server "87.151.233.187"
set mode reliable
set facility syslog
end
set interface port1
command parse error before 'port1'
Command fail. Return code -61
Hello,
You may try to set the "interface-select-method" to "specify" then kindly configure the interface after.
config log syslogd setting
set interface-select-method specify
set interface port1
end
Thank you
I did the following:
set interface-select-method specify
This gave:
show
config log syslogd setting
set status enable
set server "87.151.233.187"
set mode reliable
set facility syslog
set interface-select-method specify
end
When I tried to set port1 it gave me an error:
set interface port1
Error:
entry not found in datasource
value parse error before 'port1'
Command fail. Return code -3
Hello,
Is port1 on the list of your system interface? You may want to check if it is a part of a hardware or software switch or part of any logical interface, kindly use it instead of port1.
Thank you.
I found out that "lan" was the correct port for me.