Work environment
- FortiGate 60E
- version 7.0.2
Syslog server settings
When setting in the GUI, set in the Log & Report> Log Settings screen. Enable Remote Logging and Archiving> Send logs to syslog. Enter IP address or FQDN of the Syslog server in the IP Address/FQDN field.
When set in the GUI, you cannot specify parameters other than the IP address for the Syslog server.
When setting with CLI, set in config log syslogd setting, config log syslogd2 setting, config log syslogd3 setting, or config log syslogd4 setting. That is, you can specify up to four Syslog servers.
The default config is as follows.
FortiGate-60E # show full-configuration log syslogd setting
config log syslogd setting
set status disable
endFirst set status to enable.
config log syslogd setting
set status enable
endAfter that, you need to set at least server.
config log syslogd setting
set server "10.10.10.2"
endThe config at this point is as follows.
FortiGate-60E (setting) # show full-configuration
config log syslogd setting
set status enable
set server "10.10.10.2"
set mode udp
set port 514
set facility local7
set source-ip ''
set format default
set priority default
set max-log-rate 0
set interface-select-method auto
endChange the option items as necessary.
FortiGate-60E (setting) # set
status Enable/disable remote syslog logging.
*server Address of remote syslog server.
mode Remote syslog logging over UDP/Reliable TCP.
port Server listen port.
facility Remote syslog facility.
source-ip Source IP address of syslog.
format Log format.
priority Set log transmission priority.
max-log-rate Syslog maximum log rate in MBps (0 = unlimited).
interface-select-method Specify how to select outgoing interface to reach server.Syslog severity setting
The Syslog severity setting filters the logs that are forwarded to the Syslog server.
This setting is done with the CLI config log syslogd filter.
The default config is as follows.
FortiGate-60E (filter) # show full-configuration
config log syslogd filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
endAs you can see from the config above, the default severity is information.
The choices for the severity value are:
FortiGate-60E (filter) # set severity
emergency Emergency level.
alert Alert level.
critical Critical level.
error Error level.
warning Warning level.
notification Notification level.
information Information level.
debug Debug level.Traffic log settings
In order to forward the traffic log to the Syslog server, you need to configure the log settings in the firewall policy settings.
If set in the GUI, enable Logging Options> Log Allowed Traffic on the policy settings screen and specify All Sessions. The default is Security Events.
When setting with CLI, set with config firewall policy. Set the logtraffic value of the target policy to all.
config firewall policy
edit 1
set logtraffic all
next
end#For edit number, specify the number of the target policy.
The setting values of logtraffic are as follows.
FortiGate-60E (1) # set logtraffic
all Log all sessions accepted or denied by this policy.
utm Log traffic that has a security profile applied to it.
disable Disable all logging for this policy.Event log settings
When setting with the GUI, set with Log Settings> Event Logging on the Log & Report> Log Settings screen. By default all events are enabled.
When setting with CLI, set with config log eventfilter.
FortiGate-60E # show full-configuration log eventfilter
config log eventfilter
set event enable
set system enable
set vpn enable
set user enable
set router enable
set wireless-activity enable
set wan-opt enable
set endpoint enable
set ha enable
set security-rating enable
set fortiextender enable
set connector enable
set sdwan enable
set cifs enable
set switch-controller enable
end
Comments