Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Matthew_Mollenhauer
New Contributor III

Created on ‎06-26-2014 04:03 PM

Syslogs

I know I can get access to the debug logs by using https://fac/debug/ but it would be really nice to be able to get those same debug logs sent to our SIEM. We use our FAC' s as a part of our Dot1X solution where they take the Radius Accounting from our switches and send user logons to the Fortigates. Right now we are able to send: Switch, NPS & Fortigate logs to our siem, but not the FAC' s. So when a user fails to get logged onto a Fortigate I have to dig through the debug logs on the FAC to see that the users groups don' t match. And that' s on the assumption that the logs are still there. I know the FAC is just a linux machine running FreeReadius, so why not just have syslog-ng tail the appropriate debug log file and forward that? Regards, Matthew
3175
0 Kudos
2 REPLIES 2
Carl_Windsor_FTNT
Staff
Staff

Created on ‎06-27-2014 01:10 AM

ORIGINAL: Matthew Mollenhauer , so why not just have syslog-ng tail the appropriate debug log file and forward that?
Debug logs are for just that, debugging. We aim to remove the complexity and summarise the raft of log information down to the critical detail which is displayed in the system log (see image). This can then be shipped to your SIEM via Syslog.

Dr. Carl Windsor Field Chief Technology Officer Fortinet

Preview file
197 KB
1167
0 Kudos
Matthew_Mollenhauer
New Contributor III

Created on ‎06-27-2014 03:56 AM

I' m going to assume that the logs you' re showing are from users that are authenticated on the FAC, as either local or remote users. That is not how are using the FAC, we are only sending Radius Accounting records to the unit and using those to send FSSO records to our Fortigates. In this setup nothing is logged for user activity and as such nothing goes to our SIEM. The screenshot I' m providing is for our Brisbane FAC that has during Business Hours around 450 logged in users, and each switchport reauthenticates once per hour. So I should be seeing ~5000 logs per day, not the 9 that I am getting. If the FAC can start including the Accounting records in it' s GUI and send those to syslog that' d be a big step. I guess an alternative logging destination that would be nice to see would be get the FAC able to log to the FAZ... And while removing the complexity of the information that is presented to a user is nice it' s also why log viewers have filters. Regards, Matthew
Preview file
154 KB
1167
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.