How do I configure remote syslog logging for a Fortinet Firewall?

This article describes the steps to configure Fortinet Firewalls to send syslog data to the RocketCyber Firewall Analyzer.

 

Configure your FortiGate firewall settings 

Configure the FortiGate firewall settings for your specific FortiOS operating system.

Firewalls running FortiOS 4.x 

  1. Open the FortiGate Management Console.
  2. Navigate to Log & Report > Log Config > Log Settings.
  3. Select the Syslog check box.
  4. Expand the Options section and complete all fields. 
    1. In the Name/IP field, enter the IP address of the RocketAgent Syslog Server.
    2. In the Port field, enter 514.
    3. In the Level field, select the logging level at which FortiGate should generate log messages.

      We recommend Level 6 - Information. 

    4. In the Facility field, enter a specific syslog facility for the RocketAgent syslog server or use the default.
    5. Make sure Enable CSV Format is unchecked.  
  5. Click Apply.

Firewalls running FortiOS 5.x or FortiOS 6.x 

In FortiOS 5.x and higher, syslog servers should be configured from the command line.

FortiOS allows up to 3 syslog servers on FortiOS 5.x and 4 syslog servers on FortiOS 6.x:

    • syslogd 
    • syslogd2
    • syslogd3
    • syslogd4

1. To configure your firewall running FortiOS 5.x or 6.x, open a command line on the device.

2. Before configuring one of the available syslog servers, find the first one that is not already in use by running the following commands:

config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting
show
end

3. Enter the following commands to configure the chosen syslog server entry {syslogd | syslogd2 | syslogd3 | syslogd4}. In the example below, we are using syslogd, and our RocketAgent syslog IP address is 192.168.3.15.

config global
config log syslogd setting 
set status enable
set csv disable
set server 192.168.3.15
set source-ip 10.2.2.2
end

For the server parameter, enter the IP address of the RocketAgent syslog server.

For the source-ip, enter the IP address of the firewall that will be sending the syslog messages to the RocketAgent syslog server.
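To confirm on the syslog server side that these settings took effect, the following added example (not part of the original article and not RocketCyber or Fortinet code) checks a received datagram against what the configuration should produce: the sender matches source-ip, the severity is no more verbose than level 6, and the body is space-separated key=value text. The function names and sample datagrams are constructed for illustration, and the check assumes the FortiOS log fields date, time and type are present in every message.

```python
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")  # syslog PRI header: facility*8 + severity
# key=value or key="quoted value with spaces"
KV_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_datagram(data: bytes):
    """Return (facility, severity, fields) for one syslog datagram."""
    text = data.decode("utf-8", errors="replace").strip()
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid syslog PRI header")
    pri = int(m.group(1))
    fields = {k: v.strip('"') for k, v in KV_RE.findall(text[m.end():])}
    return pri >> 3, pri & 7, fields

def check_datagram(data, sender_ip, expected_source_ip, max_severity=6):
    """List the ways a datagram differs from what the configuration should produce."""
    problems = []
    if sender_ip != expected_source_ip:
        problems.append(f"sender {sender_ip} is not the configured source-ip {expected_source_ip}")
    try:
        _, severity, fields = parse_datagram(data)
    except ValueError as exc:
        return problems + [str(exc)]
    if severity > max_severity:
        problems.append(f"severity {severity} is more verbose than level {max_severity}")
    missing = [k for k in ("date", "time", "type") if k not in fields]
    if missing:
        problems.append(f"not key=value format, missing fields: {', '.join(missing)}")
    return problems

# Constructed sample datagrams (not captured from a real device).
GOOD = (b'<190>date=2024-01-15 time=10:00:00 devname="FGT-LAB" logid="0000000013" '
        b'type="traffic" subtype="forward" level="information" srcip=10.2.2.50 action="accept"')
DEBUG = b'<191>date=2024-01-15 time=10:00:01 type="event" level="debug" msg="constructed sample"'
NOT_KV = b'<190>2024-01-15,10:00:02,traffic,forward,accept'  # not key=value text

if __name__ == "__main__":
    for name, pkt, sender in (("GOOD", GOOD, "10.2.2.2"), ("DEBUG", DEBUG, "10.2.2.2"),
                              ("NOT_KV", NOT_KV, "10.2.2.9")):
        print(name, check_datagram(pkt, sender, "10.2.2.2") or "ok")
```
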

Additional details can be found in the FortiGate FortiOS CLI Reference Guides:

https://help.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/config_log.17.15.html

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/260508/log-syslogd-syslogd2-syslogd3-syslogd4-setting