Support Forum
mtcook01
New Contributor

syslogd settings in FortiOS-5 not saving using cli

Hello all, I have a Fortigate 110c, firmware version 5 build 228, and cannot get the syslogd settings to save. I have used the following CLI commands:

    config log syslogd setting
        set status enable
        set facility local7
        set csv disable
        set server 192.168.2.100    (not real IP)
        set reliable disable
    end
    config log syslogd filter
        set severity debug
        set traffic enable
        set web enable
        set virus enable
        set attack enable
    end

When I run a "show" on either command I only see this:

    config log syslogd setting
    show
    config log syslogd setting
        set status enable
        set server "192.168.2.100"
    end

    config log syslogd filter
    show
    config log syslogd filter
        set severity debug
    end

I even downloaded the config and cracked it open in WordPad. None of the other settings show there either. I had the same problem in the version 5 build 208 firmware as well. Is this a bug or am I missing something?

Mike Cook Fortigate 100E Firmware v5.6.2 build1486 (GA
18 replies
Dave_Hall
Honored Contributor

Is this a bug or am I missing something?
The FGT doesn't show the factory default values for settings -- if you want to see those default values, use "show full-configuration". Edit: at least I am assuming that's what your issue is (i.e. setting default values to their default equates to no change at all). If that's not your issue, then you could try adding those missing lines via WordPad, then load that edited config into the FGT.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
mtcook01
New Contributor

That command, show full-configuration, does work, although it does not solve my original problem. My settings are indeed saved, but apparently the syslog format has changed and my Cyberoam iView no longer understands it. I contacted their support and, after an exhausting 2 hours of remote work, they concluded the problem lies with my update to FortiOS 5, which overall has been a buggy nightmare. Does anyone know or understand the changes to the syslog stream from version 4 to 5?

Mike Cook Fortigate 100E Firmware v5.6.2 build1486 (GA
mtcook01
New Contributor

I have tried this with Kiwi Syslog as well and no dice. I can't seem to get any syslog servers to work. Any help would be much appreciated.

Mike Cook Fortigate 100E Firmware v5.6.2 build1486 (GA
rwpatterson
Valued Contributor III

Have you run a sniffer trace from the FGT filtering on the destination IP address?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Dave_Hall
Honored Contributor

Does anyone know or understand the changes to the syslog stream from version 4 to 5?
Actually researched this for a bit -- the only real change I can see, from both the 4.3 MR3 and 5.0 handbooks, is that 4.3 MR3 wants you to set the server address while 5.0 wants you to set the source-ip address.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
mtcook01
New Contributor

I will try both of those. Let me run a Wireshark sniff and see if I can see the data.

Mike Cook Fortigate 100E Firmware v5.6.2 build1486 (GA
mtcook01
New Contributor

David, I did see that excerpt from a previous poster when researching this as well. I have put about 20 hours into this between researching and combing through documentation. I appreciate you all taking the time to help out. I did put a Wireshark sniffer on the host machine and see no traffic going to UDP 514, which probably explains the problem. I do however see other UDP traffic moving to the host fine. All firewalls are off and SNMP traps are being received. Here is my config; the IPs have been changed for security.

    config log syslogd setting
        set status enable
        set server "192.1.10.45"    (host running syslog)
        set reliable disable
        set port 514
        set csv disable
        set facility local7
        set source-ip 192.1.10.1    (this is the fortigate interface)
    end
    config log syslogd filter
        set app-ctrl enable
        set attack enable
        set dlp enable
        set email enable
        set forward-traffic enable
        set local-traffic enable
        set netscan enable
        set severity debug
        set traffic enable
        set virus enable
        set voip enable
        set web enable
        set analytics enable
        set anomaly enable
        set app-ctrl-all enable
        set blocked enable
        set discovery enable
        set dlp-all enable
        set dlp-docsource enable
        set email-log-google enable
        set email-log-imap enable
        set email-log-msn enable
        set email-log-pop3 enable
        set email-log-smtp enable
        set email-log-yahoo enable
        set ftgd-wf-block enable
        set ftgd-wf-errors enable
        set infected enable
        set multicast-traffic enable
        set oversized enable
        set scanerror enable
        set signature enable
        set suspicious enable
        set switching-protocols enable
        set url-filter enable
        set vulnerability enable
        set web-content enable
        set web-filter-activex enable
        set web-filter-applet enable
        set web-filter-command-block enable
        set web-filter-cookie enable
        set web-filter-ftgd-quota enable
        set web-filter-ftgd-quota-counting enable
        set web-filter-ftgd-quota-expired enable
        set web-filter-script-other enable
    end

Really, any help would be a lifesaver.

Update: I installed Wireshark on another machine with Kiwi Syslog Server, configured the "server ip" on the Fortigate, and still see no UDP 514 traffic at all in the logs. Thanks again.

Mike Cook Fortigate 100E Firmware v5.6.2 build1486 (GA
rwpatterson
Valued Contributor III

What traffic does the FGT say is going to the host? This may give you your answer.
    diagnose sniffer packet <interface> 'host x.x.x.x'

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
mtcook01
New Contributor

Well, I take that back. Now that I am actually on the computer (not remotely logged in) I can work with Wireshark a bit more. I do see that syslog messages are being sent to the host. Neither iView nor Kiwi seem to be able to decipher them. I changed the serial and IPs below, but here is the stream:

    142 8.775821000 10.1.10.1 10.1.10.45 Syslog 526 LOCAL7.NOTICE: date=2013-08-13 time=12:04:25 devname=ESC-Primary devid=FG100C3G09690876 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=1921.2.109 srcport=62133 srcintf="ESCMain" dstip=173.194.74.120 dstport=80 dstintf="wan1" sessionid=6413 status=close policyid=3 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=23.31.163.177 transport=62133 service=HTTP proto=6 applist="block-p2p" duration=301 sentbyte=2713 rcvdbyte=1598 sentpkt=10 rcvdpkt=14

Mike Cook Fortigate 100E Firmware v5.6.2 build1486 (GA
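The capture above shows what a FortiOS 5 syslog record actually looks like: a standard syslog priority (Wireshark decodes it as LOCAL7.NOTICE, matching "set facility local7" and level=notice) followed by a flat list of key=value pairs, some of them quoted because the value contains spaces (dstcountry="United States"). A collector that expects a classic "hostname program: message" body will not split that into fields. The following parser is an added example written for this thread, not code from the original posts or from Fortinet; it decodes the RFC 3164 <PRI> header into facility and severity, also accepts Wireshark's decoded LOCAL7.NOTICE: prefix, splits the key=value body including quoted values, and mimics the "set severity" filter from the syslogd filter config. The sample lines are constructed from the capture in the thread (the raw <189> form is what the wire would carry for local7.notice; the IPs are placeholders), and the FortiOS severity keyword table is an assumption about that CLI option, not something shown on this page.

```python
"""Parse FortiOS 5.x key=value syslog records (added example, not from the thread)."""
import re
from typing import Dict, Tuple

# RFC 3164 facility and severity names, indexed by code (PRI = facility*8 + severity)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed mapping of the FortiOS `set severity <keyword>` choices onto syslog severity codes
FORTIOS_SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                    "warning": 4, "notification": 5, "information": 6, "debug": 7}

# Either the on-wire PRI (<189>) or Wireshark's decoded rendering (LOCAL7.NOTICE:)
_PRI_RE = re.compile(r"^(?:<(?P<pri>\d{1,3})>|(?P<fac>[A-Z]+\d*)\.(?P<sev>[A-Z]+):)\s*")
# key=value where value is either "quoted" (backslash escapes allowed) or a bare token
_KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_.-]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))')

# Constructed samples, derived from the capture posted above (frame prefix removed, IPs replaced)
SAMPLE_WIRESHARK = (
    'LOCAL7.NOTICE: date=2013-08-13 time=12:04:25 devname=ESC-Primary devid=FG100C3G09690876 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=10.1.10.109 '
    'srcport=62133 srcintf="ESCMain" dstip=173.194.74.120 dstport=80 dstintf="wan1" '
    'sessionid=6413 status=close policyid=3 dstcountry="United States" srccountry="Reserved" '
    'trandisp=snat transip=23.31.163.177 transport=62133 service=HTTP proto=6 '
    'applist="block-p2p" duration=301 sentbyte=2713 rcvdbyte=1598 sentpkt=10 rcvdpkt=14'
)
# 189 = 23*8 + 5 = local7.notice; this is how the same record would appear on the wire
SAMPLE_WIRE = "<189>" + SAMPLE_WIRESHARK.split(": ", 1)[1]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a syslog PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_fortigate_syslog(line: str) -> Dict[str, str]:
    """Return the record's fields; _facility/_severity come from the PRI header when present."""
    fields: Dict[str, str] = {}
    body = line
    m = _PRI_RE.match(line)
    if m:
        body = line[m.end():]
        if m.group("pri") is not None:
            fac, sev = decode_pri(int(m.group("pri")))
        else:
            fac, sev = m.group("fac").lower(), m.group("sev").lower()
        fields["_facility"], fields["_severity"] = fac, sev
    for kv in _KV_RE.finditer(body):
        val = kv.group("quoted")
        if val is not None:
            # Undo the two escapes a quoted value may carry
            val = val.replace('\\"', '"').replace("\\\\", "\\")
        else:
            val = kv.group("bare")
        fields[kv.group("key")] = val
    return fields


def passes_severity_filter(record: Dict[str, str], threshold: str = "debug") -> bool:
    """Mimic `config log syslogd filter / set severity <threshold>`: a record is forwarded
    only if it is at least as severe as the threshold (lower syslog code = more severe)."""
    sev = record.get("_severity")
    if sev is None:
        raise ValueError("record has no PRI-derived severity")
    return SEVERITIES.index(sev) <= FORTIOS_SEVERITY[threshold]


if __name__ == "__main__":
    for sample in (SAMPLE_WIRE, SAMPLE_WIRESHARK):
        rec = parse_fortigate_syslog(sample)
        print(rec["_facility"], rec["_severity"], rec["srcintf"], "->", rec["dstcountry"])
        print("  kept at severity=warning:", passes_severity_filter(rec, "warning"))
```

Run it and the record from the thread comes out as local7/notice with srcintf "ESCMain" and dstcountry "United States" intact; with the filter at "warning" the notice-level traffic record would not be forwarded, which is the knob to turn if the collector is being flooded rather than confused.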