
Fortinet 1000c as analyzer

FormerMember

Hi Team,

We have a FortiGate 1000C firewall and we want to send syslog to our LEM, but the FortiGate sends logs to the FortiAnalyzer 300D only.

After that configuration setup, we cannot see any log coming from this scenario in LEM.

Please advise if there is any additional config for LEM or the FortiGate.

Thank you.

  • I ran into this when I was in Support. In the Web GUI, Fortigate only presents the options for sending data to their analyzer. You can't put the LEM in there and have it work, since the Analyzers are a little different.

    However, there are a number of CLI commands that will enable logging to the LEM.

    The CLI reference for Fortigate is available online, but the commands I've had luck with are below. These start on page 300 of the command reference.

    First, check that you don't have an existing config.  Stuff in the curly brackets indicates a decision needs to be made.

    config log {syslogd | syslogd2 | syslogd3} setting

    show

    end

    Then, configure syslog to go to the LEM. I've added some notes where I can on what to set:

    config log {syslogd | syslogd2 | syslogd3} setting

    set status {enable | disable} <--- Set to ENABLE

    set csv {enable | disable} <--- This needs to be null (skip it) or DISABLE for the LEM to read the logs

    set facility {local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}

    set port <port_integer> <--- Defaults to 514, no value needed (you can skip this command)

    set reliable {enable | disable} <--- Skip!

    set server <address_ipv4 | FQDN> <--- This is where you specify the LEM

    set source-ip <address_ipv4> <--- If the device is sending from multiple IPs, set this to override them all to the same IP

    set severity {alert | critical | debug | emergency | error | information | notification | warning}

    end

    I tested these commands on FortiOS 5.2.2 on a C110 and they worked; your mileage may vary with other versions and devices, but hopefully this is someplace to start.
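To check what actually arrives on the collector side, an added example (not from this thread, SolarWinds or Fortinet): a small Python parser for the key=value FortiOS syslog format that decodes the <PRI> header into the facility and severity names the CLI above uses, and rejects a CSV-formatted body the way a collector that expects key=value would. The sample lines, device name and device id are constructed, and the CSV line is an assumption about what `set csv enable` produces.

```python
import re

# Names in RFC 3164 numbering order; local0..local7 and the severity list match
# the values accepted by 'set facility' / 'set severity' on the FortiGate
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>")
_KV = re.compile(r'([A-Za-z_][\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortios_syslog(line):
    """Return the fields of one key=value FortiOS syslog line.
    Raises ValueError when the body is not key=value, which is what a
    collector sees when 'set csv enable' was left on."""
    fields = {}
    m = _PRI.match(line)
    if m:  # optional <PRI> header carried in the UDP datagram
        pri = int(m.group(1))
        if pri > 191:
            raise ValueError("invalid PRI %d" % pri)
        fields["_facility"] = FACILITIES[pri >> 3]
        fields["_severity"] = SEVERITIES[pri & 7]
        line = line[m.end():]
    body = line.strip()
    first = body.split(None, 1)[0] if body else ""
    if "=" not in first:  # a key=value body starts with a key; CSV starts with a bare value
        raise ValueError("body is not key=value (csv still enabled?): %r" % body[:40])
    for key, value in _KV.findall(body):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def triage(lines):
    """Count accepted vs rejected lines and the facilities seen, for a received batch."""
    result = {"parsed": 0, "rejected": 0, "facilities": set()}
    for line in lines:
        try:
            fields = parse_fortios_syslog(line)
        except ValueError:
            result["rejected"] += 1
            continue
        result["parsed"] += 1
        result["facilities"].add(fields.get("_facility", "none"))
    return result


SAMPLE_LINES = [  # constructed: two key=value lines (local7/notification, local0/information)
    '<189>date=2015-03-10 time=10:00:05 devname="FGT1000C" devid="FG1K0C-PLACEHOLDER" '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=root '
    'srcip=10.0.0.5 srcport=51234 dstip=198.51.100.20 dstport=443 action=accept',
    '<134>date=2015-03-10 time=10:00:06 devname="FGT1000C" logid=0100032001 '
    'type=event subtype=system level=information msg="Admin login successful"',
    # constructed CSV-style body (assumed shape of 'set csv enable' output)
    '<189>2015-03-10,10:00:07,FGT1000C,FG1K0C-PLACEHOLDER,0000000013,traffic,forward,notice',
]
```

Run `triage(SAMPLE_LINES)` against lines captured from the collector to see how many would be rejected and which facility the device is really sending on.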

  • FormerMember
    0 FormerMember in reply to curtisi

    Hi Curtisi,

    Thank you for your suggestion.

    Another question, can fortigate send syslog simultaneously in FortiAnalyzer and LEM?

  • You'd need to ask Fortigate that for a real answer, but I have seen people with the Analyzer and Syslog options set at the same time.

  • FormerMember
    0 FormerMember in reply to curtisi

    Hi Curtisi,

    Thank you for your help, this is now working well.

    Big help!

  • No problem!  Don't forget to mark the correct answer so future searches know this thread can solve their problem!

  • FormerMember
    0 FormerMember in reply to curtisi

    Hi Curtisi,

    Fortinet and SonicWall have not sent any syslog to LEM for the last 4 days; see the error below: "Error processing log message".

    Any advice?

    Thank you.