ORIGINAL: Matthew Mollenhauer , so why not just have syslog-ng tail the appropriate debug log file and forward that?Debug logs are for just that, debugging. We aim to remove the complexity and summarise the raft of log information down to the critical detail which is displayed in the system log (see image). This can then be shipped to your SIEM via Syslog.
I' m going to assume that the logs you' re showing are from users that are authenticated on the FAC, as either local or remote users.
That is not how are using the FAC, we are only sending Radius Accounting records to the unit and using those to send FSSO records to our Fortigates. In this setup nothing is logged for user activity and as such nothing goes to our SIEM.
The screenshot I' m providing is for our Brisbane FAC that has during Business Hours around 450 logged in users, and each switchport reauthenticates once per hour. So I should be seeing ~5000 logs per day, not the 9 that I am getting. If the FAC can start including the Accounting records in it' s GUI and send those to syslog that' d be a big step.
I guess an alternative logging destination that would be nice to see would be get the FAC able to log to the FAZ...
And while removing the complexity of the information that is presented to a user is nice it' s also why log viewers have filters.
Regards,
Matthew
