6 Replies Latest reply on Jul 1, 2015 7:25 PM by l.gatbonton

    Fortinet 1000c as analyzer

    l.gatbonton

      Hi Team,

      We have a FortiGate 1000C firewall and want to send syslog to our LEM, but the FortiGate sends logs to a FortiAnalyzer 300D only.

      After that configuration setup, we cannot see any logs coming from this scenario in LEM.

      Please advise if there is any additional config needed on LEM or the FortiGate.

      Thank you.

        • Re: Fortinet 1000c as analyzer
          curtisi

          I ran into this when I was in Support.  In the Web GUI, FortiGate only presents the options for sending data to their analyzer.  You can't put the LEM in there and have it work, since the Analyzers are a little different.

          However, there are a number of CLI commands that will enable logging to the LEM.

          The CLI reference for FortiGate is available online, but the commands I've had luck with are below.  These start on page 300 of the command reference.

          First, check that you don't have an existing config.  Stuff in the curly brackets indicates a decision needs to be made.


          config log {syslogd | syslogd2 | syslogd3} setting
              show
          end


          Then, configure syslog to go to the LEM.  I've added some notes where I can on what to set:

          config log {syslogd | syslogd2 | syslogd3} setting
              set status {enable | disable}           <--- Set to ENABLE
              set csv {enable | disable}              <--- This needs to be null (skip it) or DISABLE for the LEM to read the logs
              set facility {local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
              set port <port_integer>                 <--- Defaults to 514, no value needed (you can skip this command)
              set reliable {enable | disable}         <--- Skip!
              set server <address_ipv4 | FQDN>        <--- This is where you specify the LEM
              set source-ip <address_ipv4>            <--- If the device is sending from multiple IPs, set this to override them all to the same IP
              set severity {alert | critical | debug | emergency | error | information | notification | warning}
          end


          I tested these commands on FortiOS 5.2.2 on a C110 and they worked, your mileage may vary with other versions and devices, but hopefully this is someplace to start.

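As an added example (not from this thread, Fortinet or SolarWinds), a small Python check a LEM admin could run over lines captured at the collector to confirm the FortiGate is sending the key=value format rather than CSV, which the reply above says the LEM cannot read. The sample log lines, device name and device id are constructed placeholders, and the facility/severity decode follows standard syslog <PRI> arithmetic.

```python
import re

# Constructed sample lines (not captured from a real device). The first is the
# key=value format a FortiGate emits when "set csv" is left disabled; the second
# is the same record as "set csv enable" would render it.
KV_LINE = ('<189>date=2015-07-01 time=19:25:01 devname=FGT1000C-EXAMPLE '
           'devid=FG1K0C-PLACEHOLDER logid=0000000013 type=traffic '
           'subtype=forward level=notice vd=root srcip=10.0.0.5 srcport=51234 '
           'dstip=10.0.1.20 dstport=514 action=accept '
           'msg="Traffic allowed by policy"')
CSV_LINE = ('<189>2015-07-01,19:25:01,FGT1000C-EXAMPLE,FG1K0C-PLACEHOLDER,'
            '0000000013,traffic,forward,notice,root,10.0.0.5,51234,10.0.1.20,'
            '514,accept,"Traffic allowed by policy"')

# key=value pairs: the value is either a double-quoted string (spaces allowed)
# or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PRI_RE = re.compile(r'^<(\d{1,3})>')

def strip_priority(line):
    """Split off the syslog <PRI> header; returns (facility, severity, body)."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]   # 189 -> local7 (23), notice (5)

def parse_fortios_kv(line):
    """Parse a FortiOS key=value record into a dict; None if not in that format."""
    _, _, body = strip_priority(line)
    pairs = KV_RE.findall(body)
    # A CSV line has no '=' before its first comma and yields no pairs.
    if len(pairs) < 3 or "=" not in body.split(",", 1)[0]:
        return None
    return {k: v.strip('"') for k, v in pairs}

def check_lem_compatible(line):
    """Classify a line as 'kv' (readable by LEM), 'csv' (set csv enable) or 'unknown'."""
    if parse_fortios_kv(line) is not None:
        return "kv"
    _, _, body = strip_priority(line)
    if body.count(",") >= 5 and "=" not in body.split(",", 1)[0]:
        return "csv"
    return "unknown"

if __name__ == "__main__":
    for sample in (KV_LINE, CSV_LINE):
        print(check_lem_compatible(sample), parse_fortios_kv(sample))
```

If a captured line classifies as "csv", the fix is on the FortiGate side: re-enter the syslogd setting block and leave "set csv" disabled, then confirm the next lines classify as "kv".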