[FortiGate] Setting to transfer logs to syslog server


Work environment

  • FortiGate 60E
    • version 7.0.2

Syslog server settings

In the GUI, go to Log & Report > Log Settings, enable Remote Logging and Archiving > Send logs to syslog, and enter the IP address or FQDN of the syslog server in the IP Address/FQDN field.

The GUI only lets you specify the server address; every other parameter (transport mode, port, facility, source IP, format) keeps its default value, so use the CLI for anything beyond a basic setup.

In the CLI, the settings live in config log syslogd setting, config log syslogd2 setting, config log syslogd3 setting and config log syslogd4 setting. In other words, up to four syslog servers can be configured, each with its own setting block and its own filter.

The default config is as follows.

FortiGate-60E # show full-configuration log syslogd setting
config log syslogd setting
    set status disable
end

First, set status to enable.

config log syslogd setting
    set status enable
end

After that, you must set at least server (the address of the syslog server); nothing is sent until it is set.

config log syslogd setting
    set server "10.10.10.2"
end

The config at this point is as follows (show full-configuration also prints the defaults that were not set explicitly).

FortiGate-60E (setting) # show full-configuration
config log syslogd setting
    set status enable
    set server "10.10.10.2"
    set mode udp
    set port 514
    set facility local7
    set source-ip ''
    set format default
    set priority default
    set max-log-rate 0
    set interface-select-method auto
end

Change the optional items as necessary. Note what the defaults mean: logs leave over UDP to port 514 in cleartext, with no authentication of either end, so anyone on the path can read them and a record can be spoofed, altered or dropped without the FortiGate or the collector noticing. If the logs are meant to serve as evidence, set mode to reliable (TCP) so that loss is at least detected, pin source-ip to the address of a dedicated management interface so the collector can restrict by source, and consider a non-zero max-log-rate so a burst on the firewall cannot flood the collector.

FortiGate-60E (setting) # set
status                     Enable/disable remote syslog logging.
*server                     Address of remote syslog server.
mode                       Remote syslog logging over UDP/Reliable TCP.
port                       Server listen port.
facility                   Remote syslog facility.
source-ip                  Source IP address of syslog.
format                     Log format.
priority                   Set log transmission priority.
max-log-rate               Syslog maximum log rate in MBps (0 = unlimited).
interface-select-method    Specify how to select outgoing interface to reach server.

Syslog severity setting

The syslog severity setting is the minimum severity that is forwarded to the syslog server: a record is forwarded only when its level is at least as severe as the configured value.

This setting is done in the CLI with config log syslogd filter (the per-category switches that follow severity enable or disable whole log types regardless of severity).

The default config is as follows.

FortiGate-60E (filter) # show full-configuration
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
end

As the config above shows, the default severity is information, so everything except debug is forwarded. Lowering it to warning or error cuts the volume considerably, but it also drops the notice-level traffic logs that an investigation usually relies on; to trim volume, prefer the per-category switches in the filter and the logging settings of the individual firewall policies over raising the threshold.

The choices for the severity value, from most to least severe, are:

FortiGate-60E (filter) # set severity
emergency       Emergency level.
alert           Alert level.
critical        Critical level.
error           Error level.
warning         Warning level.
notification    Notification level.
information     Information level.
debug           Debug level.
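The following Python script is an added example, not code from the original page or from Fortinet. It shows what the settings above produce on the receiving side: with facility local7 and format default, every record arrives as <PRI> followed by space-separated key=value fields, where PRI is facility*8 + severity (so an information-level log from local7 is <190>), and the severity filter keeps a record only when it is at least as severe as the configured threshold. The sample log lines are constructed for the example, not captured from a device, and the function and variable names are my own.

```python
"""Receiver-side check for FortiGate syslog output (added example).

Mirrors two settings from the page: 'set facility local7' in
'config log syslogd setting' and 'set severity <level>' in
'config log syslogd filter'. The sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Syslog facility codes (RFC 3164 / RFC 5424); local7 = 23 is the FortiGate default.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}

# Severity keywords in the order 'set severity' lists them (most severe first).
# The CLI keyword is "notification", but the level= field inside the log body
# reads "notice"; both are syslog severity 5.
SEVERITY_KEYWORDS = ["emergency", "alert", "critical", "error",
                     "warning", "notification", "information", "debug"]
SEVERITIES = {name: code for code, name in enumerate(SEVERITY_KEYWORDS)}
SEVERITIES["notice"] = SEVERITIES["notification"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# A value is either a double-quoted string (backslash escapes allowed) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Record:
    facility: int
    severity: int
    fields: Dict[str, str]


def syslog_pri(facility: str, severity: str) -> int:
    """PRI value the FortiGate puts in front of a record: facility*8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_pri(line: str) -> Tuple[int, int, str]:
    """Split '<PRI>body' into (facility code, severity code, body)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def parse_body(body: str) -> Dict[str, str]:
    """Turn the key=value part of a 'format default' record into a dict."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(body):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        fields[key] = raw
    return fields


def parse_record(line: str) -> Record:
    facility, severity, body = parse_pri(line)
    return Record(facility, severity, parse_body(body))


def passes_filter(rec: Record, threshold: str) -> bool:
    """Same rule as 'set severity <threshold>': keep records at least that severe."""
    return rec.severity <= SEVERITIES[threshold]


def filter_records(lines: List[str], threshold: str) -> List[Record]:
    return [r for r in map(parse_record, lines) if passes_filter(r, threshold)]


def check_facility(lines: List[str], expected: str = "local7") -> List[Record]:
    """Records whose facility is not the one configured on the FortiGate."""
    return [r for r in map(parse_record, lines) if r.facility != FACILITIES[expected]]


# Constructed sample lines in the shape a FortiGate sends with 'format default'.
SAMPLE_LINES = [
    # traffic logs are notice (5): local7.notice = 23*8 + 5 = 189
    '<189>date=2021-12-01 time=09:00:01 devname="FortiGate-60E" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.10 srcport=51234 dstip=203.0.113.5 dstport=443 proto=6 action="accept" policyid=1',
    # a denied session: only generated when the policy has 'set logtraffic all'
    '<189>date=2021-12-01 time=09:00:02 devname="FortiGate-60E" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.10 srcport=51235 dstip=203.0.113.5 dstport=23 proto=6 action="deny" policyid=1',
    # event log at information (6) = 190, with a quoted value containing spaces
    '<190>date=2021-12-01 time=09:05:00 devname="FortiGate-60E" type="event" subtype="system" level="information" vd="root" user="admin" msg="Administrator admin logged in successfully from https(192.168.1.10)"',
    '<188>date=2021-12-01 time=09:10:00 devname="FortiGate-60E" type="event" subtype="system" level="warning" vd="root" msg="Log disk usage is high"',
    '<186>date=2021-12-01 time=09:15:00 devname="FortiGate-60E" type="event" subtype="system" level="critical" vd="root" msg="Conserve mode entered"',
    # a line from some other host using user.info (1*8 + 6 = 14): flagged by check_facility
    '<14>date=2021-12-01 time=09:16:00 devname="other-host" type="event" level="information" msg="not from the FortiGate"',
]

if __name__ == "__main__":
    for threshold in ("information", "warning", "error"):
        kept = filter_records(SAMPLE_LINES, threshold)
        print(threshold, [r.fields.get("level") for r in kept])
    for r in check_facility(SAMPLE_LINES):
        print("unexpected facility", r.facility, r.fields.get("devname"))
```

Feed it the raw lines captured on the collector (from the syslog daemon's raw file or a packet capture) to confirm that the facility matches what the FortiGate is set to and that the records you depend on survive the severity you chose. Traffic logs are notice level, so a threshold of warning silently drops every session record even when the policy has logtraffic all.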

Traffic log settings

To forward traffic logs to the syslog server, logging must also be enabled in the firewall policy itself; the syslog filter only passes on what the policies actually generate.

In the GUI, enable Logging Options > Log Allowed Traffic on the policy's settings screen and choose All Sessions. The default is Security Events.

In the CLI, use config firewall policy and set logtraffic of the target policy to all.

config firewall policy
    edit 1
        set logtraffic all
    next
end

# For the edit number, specify the ID of the target policy.

The possible values of logtraffic are as follows. With utm (Security Events in the GUI) only sessions that hit a security profile are logged, so ordinary allowed and denied sessions leave no record at all; all is the setting you want when the syslog server feeds a SIEM or is kept for forensics, at the cost of log volume. The setting is per policy, so check every policy, including deny policies, and remember that the implicit deny policy has its own Log Violation Traffic switch.

FortiGate-60E (1) # set logtraffic
all        Log all sessions accepted or denied by this policy.
utm        Log traffic that has a security profile applied to it.
disable    Disable all logging for this policy.

Event log settings

In the GUI, set Event Logging under Log & Report > Log Settings. By default, all event categories are enabled.

In the CLI, use config log eventfilter. The defaults are as follows; do not disable system or user, since those are the categories that record configuration changes and administrator logins.

FortiGate-60E # show full-configuration log eventfilter
config log eventfilter
    set event enable
    set system enable
    set vpn enable
    set user enable
    set router enable
    set wireless-activity enable
    set wan-opt enable
    set endpoint enable
    set ha enable
    set security-rating enable
    set fortiextender enable
    set connector enable
    set sdwan enable
    set cifs enable
    set switch-controller enable
end
