Trying to send Syslog from Fortinet to Ubuntu Rsyslog but I only get "RT_FLOW" and "RT_IDS"
I am working at a SOC where we receive traffic from Fortinet firewalls.
One of my contacts has configured syslog to my Ubuntu server, but I only see the following data:
<11>Dec 5 13:32:16 ti110211101x110 RT_IDS
<14>Dec 5 13:32:16 ti110211101x110 RT_FLOW
I would think that I should have this type of data:
<45>date=2024-07-03 time=09:29:01 devname="alpha-fortigate" devid="FGT40FTK2209B06Q" eventtime=1719991739997635239 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.110 srcport=55178 srcintf="lan" srcintfrole="lan" dstip=1.1.1.1 dstport=53 dstintf="wan" dstintfrole="wan" srcuuid="f8eef6a8-718a-51ee-c800-48fa677761f7" dstuuid="f8eef6a8-718a-51ee-c800-48fa677761f7" srccountry="Reserved" dstcountry="Australia" sessionid=79980663 proto=6 action="close" policyid=1 policytype="policy" poluuid="feafac0e-718a-51ee-3d8f-17868e4a5bab" policyname="Default test" service="DNS" trandisp="snat" transip=192.168.94.242 transport=55178 duration=2 sentbyte=311 rcvdbyte=363 sentpkt=5 rcvdpkt=5 appcat="unscanned"
Is there anyone who can see what is wrong?
Labels: FortiGate
2 REPLIES
Hi,
Can you please show your syslog settings on the FortiGate
chameleon-kvm99 # config log syslogd setting
chameleon-kvm99 (setting) # show
Let us know if this helps.
Salon Raj Joshi
The client could not provide the config because it was a Juniper firewall, and not a FortiGate. So if someone gets the same problem, then they know that this is not FortiGate :p
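The two record shapes seen in this thread are easy to tell apart programmatically, which is a quicker check than asking the device owner for a config. The following is an added example for readers of the thread, not code from the original posts or from Fortinet or Juniper. It parses the `<PRI>` header, then classifies a line as FortiGate if it carries the default FortiGate key=value body (assumed here to be recognisable by the presence of `devname=` and `logid=`), or as Junos if it carries a classic BSD header whose program tag is `RT_FLOW` or `RT_IDS` (the tags the thread ended up attributing to a Juniper firewall). The sample lines are the ones quoted in the question above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the lines quoted in the original question (copied, not captured here).
FORTIGATE_LINE = (
    '<45>date=2024-07-03 time=09:29:01 devname="alpha-fortigate" devid="FGT40FTK2209B06Q" '
    'eventtime=1719991739997635239 tz="+0200" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.168.1.110 srcport=55178 '
    'srcintf="lan" dstip=1.1.1.1 dstport=53 dstintf="wan" sessionid=79980663 proto=6 '
    'action="close" policyid=1 policyname="Default test" service="DNS" sentbyte=311 rcvdbyte=363'
)
JUNOS_LINES = [
    "<11>Dec 5 13:32:16 ti110211101x110 RT_IDS",
    "<14>Dec 5 13:32:16 ti110211101x110 RT_FLOW",
]

# RFC 3164 / 5424 severity codes (PRI = facility * 8 + severity).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Classic BSD header: "Mon  d HH:MM:SS host TAG[: ...]" (single or double space before the day).
BSD_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[A-Za-z_][\w.\-]*)(?=[:\s]|$)"
)
# FortiGate key=value pairs; values are bare or double-quoted (quoted values may contain spaces).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Program tags from the thread; treated here as Junos security-log markers (assumption).
JUNOS_SECURITY_TAGS = {"RT_FLOW", "RT_IDS"}


@dataclass
class SyslogRecord:
    raw: str
    vendor: str                      # "fortigate", "junos" or "unknown"
    facility: int
    severity: int
    host: Optional[str] = None
    tag: Optional[str] = None        # BSD program tag, or FortiGate "type" field
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> SyslogRecord:
    """Split off <PRI>, then decide which vendor format the body is in."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line)
    facility, severity = divmod(int(m.group(1)), 8)
    rest = line[m.end():]

    # Junos (and most BSD-style senders) put a timestamp/host/tag header first.
    hdr = BSD_HEADER_RE.match(rest)
    if hdr:
        tag = hdr.group("tag")
        vendor = "junos" if tag in JUNOS_SECURITY_TAGS else "unknown"
        return SyslogRecord(line, vendor, facility, severity, hdr.group("host"), tag)

    # Default FortiGate syslog starts the body directly with key=value pairs.
    pairs = KV_RE.findall(rest)
    fields = {k: (v[1:-1] if v.startswith('"') and v.endswith('"') else v) for k, v in pairs}
    if "devname" in fields and "logid" in fields:  # heuristic, assumed here
        return SyslogRecord(line, "fortigate", facility, severity,
                            fields.get("devname"), fields.get("type"), fields)
    return SyslogRecord(line, "unknown", facility, severity, fields=fields)


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count records per detected vendor: a quick way to see whether the feed
    rsyslog is receiving is really the FortiGate feed you expected."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        counts[rec.vendor] = counts.get(rec.vendor, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in [FORTIGATE_LINE] + JUNOS_LINES:
        r = parse_line(sample)
        print(r.vendor, r.severity_name, r.host, r.tag, r.fields.get("action"))
    print(summarize(JUNOS_LINES))
```

Run against the lines from the question, `summarize` reports only Junos records, which is exactly the symptom in the thread: the collector is fine, the sender is just not a FortiGate. Note that the FortiGate detection assumes the default syslog format shown in the question; a FortiGate configured for RFC 5424 or CEF output would need a different branch.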
