The tag used to label the logs from a Fortinet firewall is firewall.fortinet.type.subtype.
  • You can configure a Fortinet firewall to report its logs to a remote syslog server, specifying the destination port and syslog facility.
  • Since the firewall cannot send the logs via TCP or tag them at the source, the logs must be reported to an In-house Relay, which tags them as firewall.fortinet.type.subtype and forwards them to Devo.

Tag structure

  • The elements type and subtype are fixed, and together they identify the type and format of the event.
  • Depending on the log type, the tag takes one of the following values:
    • firewall.fortinet.anomaly.anomaly
    • firewall.fortinet.event.admin
    • firewall.fortinet.event.config
    • firewall.fortinet.event.dhcp
    • firewall.fortinet.event.dns
    • firewall.fortinet.event.ha
    • firewall.fortinet.event.hisPerformance
    • firewall.fortinet.event.ipsec
    • firewall.fortinet.event.pattern
    • firewall.fortinet.event.perf.historical
    • firewall.fortinet.event.sslvpnSession
    • firewall.fortinet.event.sslvpnUser
    • firewall.fortinet.event.system
    • firewall.fortinet.event.user
    • firewall.fortinet.event.vpn
    • firewall.fortinet.event.wireless
    • firewall.fortinet.ips.anomaly
    • firewall.fortinet.traffic.allowed
    • firewall.fortinet.traffic.forward
    • firewall.fortinet.traffic.local
    • firewall.fortinet.traffic.multicast
    • firewall.fortinet.traffic.other
    • firewall.fortinet.traffic.violation
    • firewall.fortinet.utm.appCtrl
    • firewall.fortinet.utm.emailfilter
    • firewall.fortinet.utm.ips
    • firewall.fortinet.utm.virus
    • firewall.fortinet.utm.webfilter

For more information on how tags work, check the Introduction to tags article.

In-house Relay configuration

The first step is to install an In-house Relay so that these logs can be tagged correctly.

Then define a new rule so that all events arriving on the chosen port (e.g., port 13003/UDP) are tagged as firewall.fortinet.type.subtype.

  • This rule must also append the appropriate type.subtype to the firewall.fortinet prefix, depending on the nature of each event.
  • That information is extracted from the message with a regular expression, and the captured values are used to build the final tag for each event.

Set the following fields when creating the new rule:

  • Source Port: 13003
  • Source Data: ,type=([^,]+),subtype=([^,]+)(,|$)
  • Target Tag: firewall.fortinet.\D1.\D2
  • Target Message: \D0
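The following Python snippet is an added example (not part of the Devo documentation or the relay itself) that reproduces what the rule above does: it applies the Source Data regular expression to each incoming event and builds the tag from the two captures, which correspond to \D1 and \D2 in the relay rule, while \D0 (the Target Message) is the unchanged event. The sample CSV-format lines are constructed for illustration; a line without type/subtype fields does not match and is reported separately rather than silently dropped.

```python
import re

# Same regular expression as the relay rule's Source Data field.
SOURCE_DATA = re.compile(r",type=([^,]+),subtype=([^,]+)(,|$)")
TAG_PREFIX = "firewall.fortinet"

# Constructed sample events in the CSV key=value format enabled on the FortiGate
# (device names, IPs and log IDs are invented for this example).
SAMPLE_LINES = [
    "date=2024-01-15,time=10:22:31,devname=fg-edge,logid=0000000013,"
    "type=traffic,subtype=forward,level=notice,srcip=10.0.0.5,action=accept",
    "date=2024-01-15,time=10:22:32,devname=fg-edge,logid=0316013056,"
    "type=utm,subtype=webfilter,level=warning,action=blocked",
    # subtype is the last field: the (,|$) alternative matches end of line
    "date=2024-01-15,time=10:22:33,devname=fg-edge,type=event,subtype=system",
    # no type/subtype fields at all: the rule must not match this one
    "date=2024-01-15,time=10:22:34,devname=fg-edge,level=notice,msg=no type field",
]


def tag_for_line(line):
    """Return (tag, message) as the relay rule would emit them, or None if the rule does not match."""
    match = SOURCE_DATA.search(line)
    if match is None:
        return None
    # Group 1 -> \D1 (type), group 2 -> \D2 (subtype); the message (\D0) is passed through unchanged.
    tag = "%s.%s.%s" % (TAG_PREFIX, match.group(1), match.group(2))
    return tag, line


def tag_lines(lines):
    """Tag every event; collect unmatched events so a misconfigured source is visible."""
    tagged, unmatched = [], []
    for line in lines:
        result = tag_for_line(line)
        if result is None:
            unmatched.append(line)
        else:
            tagged.append(result)
    return tagged, unmatched


if __name__ == "__main__":
    ok, bad = tag_lines(SAMPLE_LINES)
    for tag, _ in ok:
        print("tagged as", tag)
    print("unmatched events:", len(bad))
```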

Fortinet configuration

To configure sending via syslog through the Fortinet graphical interface, follow these steps:

  1. Go to the Logs&Report → Logs settings area.
  2. Check the Syslog box in Logging & Remote Storage.
  3. Introduce your relay IP address in the IP field.
  4. In the Port field, enter the In-house Relay port that you have configured for the Fortinet logs.
  5. In the Minimum log level field, select Information. In this specific case, the value in the Facility field is irrelevant.
  6. Check the Enable CSV format box.
  7. Click Apply.

In the section Logs&Report → Logs settings → Event types you can select the event types you want to register.

To configure the Fortinet firewall log settings for logging to a remote syslog server via the CLI, execute the following commands:

config log syslogd setting
    set status enable
    set csv enable
    set reliable disable
    set facility local7
    # replace xx.xx.xx.xx with the In-house Relay IP address
    set server xx.xx.xx.xx
    set port 13003
end
