I know I can get access to the debug logs by using https://fac/debug/ but it would be really nice to be able to get those same debug logs sent to our SIEM.
We use our FAC' s as a part of our Dot1X solution where they take the Radius Accounting from our switches and send user logons to the Fortigates.
Right now we are able to send: Switch, NPS & Fortigate logs to our siem, but not the FAC' s. So when a user fails to get logged onto a Fortigate I have to dig through the debug logs on the FAC to see that the users groups don' t match. And that' s on the assumption that the logs are still there.
I know the FAC is just a linux machine running FreeReadius, so why not just have syslog-ng tail the appropriate debug log file and forward that?
ORIGINAL: Matthew Mollenhauer
, so why not just have syslog-ng tail the appropriate debug log file and forward that?
Debug logs are for just that, debugging. We aim to remove the complexity and summarise the raft of log information down to the critical detail which is displayed in the system log (see image). This can then be shipped to your SIEM via Syslog.
Dr. Carl Windsor
Field Chief Technology Officer
I' m going to assume that the logs you' re showing are from users that are authenticated on the FAC, as either local or remote users.
That is not how are using the FAC, we are only sending Radius Accounting records to the unit and using those to send FSSO records to our Fortigates. In this setup nothing is logged for user activity and as such nothing goes to our SIEM.
The screenshot I' m providing is for our Brisbane FAC that has during Business Hours around 450 logged in users, and each switchport reauthenticates once per hour. So I should be seeing ~5000 logs per day, not the 9 that I am getting. If the FAC can start including the Accounting records in it' s GUI and send those to syslog that' d be a big step.
I guess an alternative logging destination that would be nice to see would be get the FAC able to log to the FAZ...
And while removing the complexity of the information that is presented to a user is nice it' s also why log viewers have filters.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.