Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
solo1
New Contributor

Syslog from Fortigate 40F to Syslog Server with TCP

I have purchased a Fortigate 40F that I have put at a small office.


I want to send syslogs to a Syslog Server with TCP. I managed to send syslog using UDP protocol, however when I switch to TCP protocol it stops working (with no error message).


The setup:

(screenshot: fortilogs.png)

Config for syslogd settings:

config log syslogd setting
    set status enable
    set server "81.164.196.77"
    set mode reliable
    set facility syslog
end

Google Cloud Platform compute engine:

I have created a compute engine VM instance with Ubuntu 24.04.
I have tagged the compute engine with network tag "collector".

Google Cloud Platform firewall:
I have created a Firewall rule named "collector-allow-ingest" with

  • target tags=collector
  • source filters ip ranges=0.0.0.0/0
  • protocols and ports: tcp:514, udp:601

This rule applies to the compute engine "collector".


Log receiving software at Compute Engine Instance
The compute engine runs LimaCharlie Adapter (https://downloads.limacharlie.io/adapter/linux/64) to receive syslog.


I start it with the following:


chmod +x ./lc_adapter
./lc_adapter syslog client_options.identity.installation_key=a-b-c-d-e client_options.identity.oid=f-g-h-i-j client_options.platform=text client_options.hostname=fortigate-40f client_options.sensor_seed_key=fortigate-40f port=514 iface=0.0.00 is_udp=false


Please help me debug this issue

I am a bit lost on how to debug this issue. Especially since it works with UDP. I have the same setup for a Palo Alto PA-440 firewall, and that works fine with TCP.

3 Replies
hbac
Staff

Hi @solo1,


You can run the packet sniffer to see if the FortiGate is communicating with the syslog server:


diagnose sniffer packet any 'port 514' 6 0 l


Regards, 

solo1
New Contributor

Thank you for the tip with packet sniffing. I did this and for me it looks like the firewall is sending communication on protocol RSH (?) to the server. The server sends ACK back on TCP?


I ran this command in Ubuntu:

sudo tcpdump -c 100 -w /opt/ladapter/514.pcap -i ens4 port 514

I downloaded the file from the server and opened it in Wireshark on my Windows computer:


(screenshot: TC.png)


Client > Server Data

<45>date=2024-06-27 time=10:40:57 devname="my-fortigate" devid="FGT40FTK2209B06Q" eventtime=1719477657419235659 tz="+0200" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::c13:848b:a999:17b srcport=5353 srcintf="wan" srcintfrole="wan" dstip=ff02::fb dstport=5353 dstintf="unknown-0" dstintfrole="undefined" replysrcintf="root" sessionid=31439361 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" msg="Connection Failed"


514 > 31976 [ACK] Seq=1 Ack=1199 Win=1571 Len=0
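The capture above shows the FortiGate's TCP payload arriving and the listener ACKing it, so the network path is not the problem; the next thing to check is whether the receiving side actually frames and parses what arrives. The following stand-alone receiver is an added example (it is not from the thread, from Fortinet, or from LimaCharlie) that can be run on the collector on a spare port to confirm the TCP side independently of the adapter. It handles both RFC 6587 framings (newline-terminated and octet-counted), splits the `<PRI>` header into facility and severity, and parses the FortiGate `key=value` body. The sample line is a constructed, shortened copy of the capture; the port and interface used by `serve_tcp` are placeholders.

```python
import re
import socket

# Constructed sample: a shortened copy of the TCP payload seen in the capture.
SAMPLE_LINE = ('<45>date=2024-06-27 time=10:40:57 devname="my-fortigate" '
               'devid="FGT40FTK2209B06Q" logid="0001000014" type="traffic" '
               'subtype="local" level="notice" srcip=fe80::c13:848b:a999:17b '
               'dstport=5353 action="deny" msg="Connection Failed"')

# key=value pairs; values are either a double-quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_pri(msg):
    """Split off the <PRI> header. PRI = facility * 8 + severity."""
    m = re.match(r'<(\d{1,3})>', msg)
    if not m:
        return None, None, msg
    pri = int(m.group(1))
    return pri // 8, pri % 8, msg[m.end():]


def parse_fortigate(msg):
    """Return the FortiGate key=value body as a dict, plus _facility/_severity."""
    facility, severity, body = parse_pri(msg)
    fields = {}
    for key, val in KV_RE.findall(body):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    if facility is not None:
        fields['_facility'] = facility   # 5 = syslog (matches "set facility syslog")
        fields['_severity'] = severity   # 5 = notice (matches level="notice")
    return fields


def split_frames(buf):
    """Split a TCP byte stream into complete syslog messages.

    Supports both RFC 6587 framings: octet-counting ("LEN <PRI>...") and
    non-transparent (newline terminated). Returns (messages, remainder);
    the remainder is an incomplete trailing frame to be kept for the next recv.
    """
    msgs = []
    while buf:
        m = re.match(rb'(\d+) ', buf)
        if m:
            length = int(m.group(1))
            start = m.end()
            if len(buf) - start < length:
                break  # frame not complete yet
            msgs.append(buf[start:start + length].decode('utf-8', 'replace'))
            buf = buf[start + length:]
            continue
        nl = buf.find(b'\n')
        if nl < 0:
            break  # no terminator yet
        msgs.append(buf[:nl].rstrip(b'\r').decode('utf-8', 'replace'))
        buf = buf[nl + 1:]
    return msgs, buf


def serve_tcp(port=5514, host='0.0.0.0', handler=print, max_conns=1):
    """Accept TCP syslog connections and pass each parsed message to handler.

    Port 5514 is a placeholder; binding the real 514 requires root.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    for _ in range(max_conns):
        conn, peer = srv.accept()
        buf = b''
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                buf += data
                msgs, buf = split_frames(buf)
                for m in msgs:
                    handler(parse_fortigate(m))
    srv.close()


if __name__ == '__main__':
    # Run on the collector, then point the FortiGate at this port to watch raw messages.
    serve_tcp()
```

If this receiver prints parsed records while the adapter stays silent, the difference lies in how the adapter is configured or framed, not in the FortiGate or the cloud firewall; if neither sees anything, the sniffer from the earlier reply will show whether the device is even opening the connection.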

PaulRoberts
New Contributor III

At first blush it looks like this is yet another case of the Fortinet maybe not picking the appropriate origin interface. Assuming you have a private network address assigned to an "internal" interface of your FTG, fix this by adding "set interface portn" to the config log syslogd setting stanza so that it will send using that interface and address.
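For reference, this is what the original stanza from the question looks like once a source interface is pinned (an added illustration, not part of PaulRoberts's reply). On FortiOS, `set interface` is only accepted after `set interface-select-method specify`; the interface name "internal" here is a placeholder for whichever port holds the private address.

```text
config log syslogd setting
    set status enable
    set server "81.164.196.77"
    set mode reliable
    set facility syslog
    set interface-select-method specify
    set interface "internal"
end
```

After the change, re-running the sniffer from the earlier reply shows whether the SYN now leaves from the intended address; `set source-ip` is the alternative when a fixed address rather than an interface is wanted.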
