- You can configure a Fortinet firewall to send its logs to a remote syslog server, specifying the destination port and syslog facility.
- Since the logs cannot be sent via TCP or tagged at the source, you must send them to an In-house Relay, which tags them as firewall.fortinet.type.subtype and forwards them to Devo.
- The elements type and subtype are fixed and identify the type and format of the event.
- These elements can have one of the following values (corresponding to the different log types):
For more information on how tags work, check the Introduction to tags article.
In-house Relay configuration
The first step is to install an In-house Relay for the correct tagging of these logs.
Then define a new rule so that all events arriving on the relay port (e.g. port 13003/UDP) are tagged as firewall.fortinet.type.subtype.
- The rule must also append the correct type.subtype to firewall.fortinet according to the nature of each event.
- This information is extracted from the message with a regular expression; the captured values build the final tag for each event.
You must consider the following fields when creating the new rule:
- Source Port → 13003
- Source Data → ,type=([^,]+),subtype=([^,]+)(,|$)
- Target Tag → firewall.fortinet.\D1.\D2
- Target Message → \D0
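The following Python script is an added example, not part of this article or of the Devo relay itself. It emulates what the rule above does to a batch of Fortinet CSV syslog lines: it runs the Source Data regular expression over each message, builds the tag from the two captured groups, and forwards the message unchanged. The sample log lines are constructed for the example, the reading of \D0 as "the whole original message" and \D1, \D2 as the capture groups is an assumption about the relay's placeholder syntax, and the fallback tag for lines that do not match the expression is the script's own choice, not documented relay behaviour.

```python
import re

# Relay rule fields exactly as given on the page.
SOURCE_DATA = re.compile(r",type=([^,]+),subtype=([^,]+)(,|$)")
TARGET_TAG = r"firewall.fortinet.\D1.\D2"
TARGET_MESSAGE = r"\D0"

# Assumption: lines the regex does not match get this tag so they are not lost silently.
FALLBACK_TAG = "firewall.fortinet.unknown"

# Constructed Fortinet CSV syslog lines (not real device output).
SAMPLE_LINES = [
    "date=2024-01-01,time=12:00:00,devname=FGT-1,devid=FGT-LAB,logid=0000000013,"
    "type=traffic,subtype=forward,level=notice,vd=root,srcip=10.0.0.5,dstip=10.0.0.9,action=accept",
    "date=2024-01-01,time=12:00:01,devname=FGT-1,devid=FGT-LAB,logid=0100032001,"
    "type=event,subtype=system,level=information,vd=root,logdesc=\"Admin login successful\"",
    # subtype is the last field: exercises the (,|$) alternative of the expression.
    "date=2024-01-01,time=12:00:02,devname=FGT-1,devid=FGT-LAB,type=utm,subtype=virus",
    # No type/subtype at all: the rule cannot classify this line.
    "date=2024-01-01,time=12:00:03,devname=FGT-1,devid=FGT-LAB,level=notice",
]


def expand(template, captures):
    """Replace \\Dn placeholders in a relay template with captured values.

    Assumption: \\D0 is the entire original message, \\D1.. are regex groups.
    """
    return re.sub(r"\\D(\d+)", lambda m: captures[int(m.group(1))], template)


def apply_rule(message):
    """Return (tag, forwarded_message) for one syslog line, emulating the relay rule."""
    message = message.rstrip("\r\n")  # syslog transport may leave a trailing newline
    match = SOURCE_DATA.search(message)
    if match is None:
        return FALLBACK_TAG, message
    captures = [message, match.group(1), match.group(2)]
    return expand(TARGET_TAG, captures), expand(TARGET_MESSAGE, captures)


def tag_batch(lines):
    """Tag a list of lines; returns a list of (tag, message) tuples in input order."""
    return [apply_rule(line) for line in lines]


if __name__ == "__main__":
    for tag, msg in tag_batch(SAMPLE_LINES):
        print(f"{tag:40s} {msg[:60]}...")
```

Run it as a script to see the tag each sample line receives; the third line shows that the expression still matches when subtype is the final CSV field, and the fourth shows why a rule for unmatched events is worth having so that malformed or unexpected lines are visible rather than dropped.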
To configure syslog forwarding from the Fortinet web interface, follow these steps:
- Go to the Logs&Report → Logs settings area.
- Check the Syslog box in Logging & Remote Storage.
- Enter your relay IP address in the IP field.
- In the Port field, enter the In-house Relay port that you have configured for the Fortinet logs.
- In the Minimum log level field, select Information. In this specific case, the value in the Facility field is irrelevant.
- Check the Enable CSV format box.
- Click Apply.
In the section Logs&Report → Logs settings → Event types you can select the event types you want to register:
To configure the Fortinet firewall log settings for logging to a remote syslog server via the CLI, run the following commands:
config log syslog settings
set status enable
set csv enable
set reliable disable
set facility local7
set server xx.xx.xx.xx (In-House Relay IP)
set port 13003
end