Fortigate 100D Not Sending Logs to Syslog Server
I work at an MSSP and am trying to get my client's Fortigate 100D to send its logs to our syslog server. The server is listening on 514 TCP and UDP and is configured to receive the logs.
FortiOS Version: 5.4.3, build 1111
The Fortigate is configured in the CLI with the following settings:
get log syslogd setting
status   : enable
server   : 10.0.0.152
reliable : disable
port     : 514
csv      : disable
facility : local0
It is configured to log all events in the GUI (Local Traffic Log and Event Logging) and the log graph shows about 100MB of logs per day.
Logs are set to be stored on the Disk, Local Reports are disabled, logs are not sent to FortiAnalyzer, and logs are sent to my customer's FortiCloud account, but I cannot find any documentation that would say that sending them to FortiCloud would prevent them from being sent to a syslog server.
The syslog server, however, is not receiving the logs. Doing traffic dumps on a device with a SPAN/mirror port shows that the fortigate is not even attempting to send the logs; there is no record of any traffic going from it to the syslog server.
Is there any reason that the FortiGate will not send them? The configuration appears correct.
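When the receiving side is in doubt, it helps to test the syslog listener on its own, independent of the FortiGate. The following script is an added example (not from this thread or from Fortinet): it builds an RFC 3164 datagram with the same facility the FortiGate is configured for (local0), sends it over UDP to a listener on 127.0.0.1, and parses the PRI field the listener receives. The hostname "fw-test", the message text and the loopback/ephemeral-port addressing are constructed for the demo; to check a real collector you would point the sender at its address and port 514 and watch for the message on that side.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility codes; the FortiGate in the thread is set to facility local0.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_pri(facility: str, severity: int) -> int:
    """PRI value as defined in RFC 3164: facility * 8 + severity."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return FACILITY_CODES[facility] * 8 + severity


def parse_pri(message: bytes) -> tuple:
    """Return (facility name, severity name) from the leading <PRI> of a datagram."""
    m = re.match(rb"<(\d{1,3})>", message)
    if m is None:
        raise ValueError("datagram does not start with a <PRI> field")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def build_message(facility: str, severity: int, hostname: str, text: str) -> bytes:
    """Minimal RFC 3164 line: <PRI>TIMESTAMP HOSTNAME MSG."""
    timestamp = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{build_pri(facility, severity)}>{timestamp} {hostname} {text}".encode()


def loopback_roundtrip(facility: str = "local0", severity: int = 6) -> tuple:
    """Start a UDP listener on 127.0.0.1 (OS-chosen port), send one constructed
    message to it, and return what the listener parsed from the received datagram."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        payload = build_message(facility, severity, "fw-test",
                                "logtest: constructed test message")
        sender.sendto(payload, ("127.0.0.1", port))
        data, _ = listener.recvfrom(4096)
        return parse_pri(data)
    finally:
        listener.close()
        sender.close()


if __name__ == "__main__":
    print(loopback_roundtrip())  # → ('local0', 'info')
```

A collector that filters on facility will silently drop messages whose PRI does not match what it expects, so confirming that local0 arrives as PRI 134 (informational) on the wire is a quick way to rule out the receiving side before digging further into the firewall.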
There was no traffic going from the fortigate to the syslog server after running diag sniffer packet any 'dst 10.0.0.152' 4 0
Here is the output of the other command:
FG100D3G16837025 (setting) # show full-configuration
config log syslogd setting
    set status enable
    set server "10.0.0.152"
    set reliable disable
    set port 514
    set csv disable
    set facility local0
    set source-ip "10.10.10.2"
end
Is 10.10.10.2 up?
Does the route table show a route for 10.0.0.152?
e.g
get router info routing all | grep 10.
NOTE: if all looks good, disable and re-enable the syslogd cfg. Since v5.2.3, I've seen strange things with fortiOS syslog-configurations that need a kick in the pants ;)
config log syslogd setting
    set status disable
end
config log syslogd setting
    set status enable
end
PCNSE
NSE
StrongSwan
Here are the routes:
S* 0.0.0.0/0 [10/0] via x.x.x.x, wan1
C  10.0.0.0/8 is directly connected, lan
I enabled and disabled the syslogd config and still nothing is sending.
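The route check Ken asked for can be scripted against saved `get router info routing-table` output. The following is an added example, not from this thread or from Fortinet: it parses FortiOS-style route lines (a static/default route with `via` and an interface, or a directly connected prefix), then does a longest-prefix lookup for a destination. The sample table reproduces the two routes the poster shared, with the masked default gateway `x.x.x.x` replaced by the documentation address 192.0.2.1 and a constructed "Routing table for VRF=0" header line; for 10.0.0.152 the lookup lands on the connected 10.0.0.0/8 on lan.

```python
import ipaddress
import re

# One route line of FortiOS "get router info routing-table all" output, e.g.
#   S*      0.0.0.0/0 [10/0] via 192.0.2.1, wan1
#   C       10.0.0.0/8 is directly connected, lan
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\S+),\s+(?P<via_if>\S+)"
    r"|is directly connected,\s+(?P<conn_if>\S+))"
)

# Constructed sample: the poster's two routes, gateway replaced by 192.0.2.1.
SAMPLE_TABLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.0.2.1, wan1
C       10.0.0.0/8 is directly connected, lan
"""


def parse_routes(text: str) -> list:
    """Turn route lines into dicts; header/blank/unrelated lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(m["prefix"], strict=False),
            "nexthop": m["nexthop"],  # None for directly connected routes
            "interface": m["via_if"] or m["conn_if"],
        })
    return routes


def lookup_route(routes: list, destination: str):
    """Longest-prefix match: the most specific route containing the destination."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["network"].prefixlen)


def egress_for(destination: str, table: str = SAMPLE_TABLE) -> str:
    """Human-readable answer to 'which interface will packets to X leave on?'."""
    route = lookup_route(parse_routes(table), destination)
    if route is None:
        return "no route"
    if route["nexthop"] is None:
        return f"{route['interface']} (directly connected)"
    return f"{route['interface']} via {route['nexthop']}"


if __name__ == "__main__":
    print(egress_for("10.0.0.152"))  # → lan (directly connected)
```

Because 10.0.0.0/8 is connected on lan, a sniffer filter on that interface (or `any`, as in the thread) is the right place to expect syslog packets; a destination that only matched the default route would instead leave via wan1, which is the case the lookup distinguishes.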
Is 10.10.10.2 up? Try to remove it, disable and re-enable. Does it work now?
Ken
PCNSE
NSE
StrongSwan
10.10.10.2 is the fortigate, shouldn't that be the source IP since it's sending the logs to the syslog server?
unset that object
set disable
set enable
monitor
e.g
config log syslogd setting
    set status disable
    unset source-ip
end
config log syslogd setting
    set status enable
end
PCNSE
NSE
StrongSwan
I ran those commands, so the source IP is now unset and syslog has been restarted; still no logs are being sent.
Do you have logging enabled on any fw.policy? You should have login messages for webgui/ssh access by default. I would ensure logging is set for traffic, and review any log-filters.
Ken
PCNSE
NSE
StrongSwan
