Advanced logging – FortiOS 6

Configuring logging to multiple Syslog servers

A single remote Syslog server can be configured in the GUI, in Log & Report > Log Settings. To send logs to more than one Syslog server, as a larger network usually requires, you must configure the additional servers in the CLI, which supports up to four Syslog servers (syslogd through syslogd4).

When configuring one or more Syslog servers, you can also enable reliable delivery of log messages to the Syslog server (the messages are sent over TCP instead of UDP, so they are not silently lost under load). Reliable delivery can only be configured in the CLI. Note that reliable delivery only protects against message loss; plain syslog is still sent in cleartext and unauthenticated, so the path to the collector should be a trusted or tunnelled network.

If VDOMs are enabled, each VDOM can override the global setting and send its logs to its own FortiAnalyzer unit or Syslog server.


To enable logging to multiple Syslog servers:

  1. Log in to the CLI.
  2. Enter the following commands to configure the first Syslog server:

     config log syslogd setting
         set csv {disable | enable}
         set facility <facility_name>
         set port <port_integer>
         set reliable {disable | enable}
         set server <ip_address>
         set status {disable | enable}
     end

  3. Enter the following commands to configure the second Syslog server:

     config log syslogd2 setting
         set csv {disable | enable}
         set facility <facility_name>
         set port <port_integer>
         set reliable {disable | enable}
         set server <ip_address>
         set status {disable | enable}
     end

  4. Enter the following commands to configure the third Syslog server:

     config log syslogd3 setting
         set csv {disable | enable}
         set facility <facility_name>
         set port <port_integer>
         set reliable {disable | enable}
         set server <ip_address>
         set status {disable | enable}
     end

  5. Enter the following commands to configure the fourth Syslog server:

     config log syslogd4 setting
         set csv {disable | enable}
         set facility <facility_name>
         set port <port_integer>
         set reliable {disable | enable}
         set server <ip_address>
         set status {disable | enable}
     end

In each block, status must be set to enable before any logs are sent; port defaults to the standard syslog port 514; reliable enable switches delivery to TCP; and csv enable switches the message body from the default key=value format to CSV, so make sure the collector's parser matches the format you choose. The keywords shown are the ones this page documents. On recent 6.x builds the same options appear under different names (set mode {udp | legacy-reliable | reliable} in place of reliable, and set format {default | csv | cef} in place of csv), so type set ? inside the setting block to confirm what your firmware accepts.

Most FortiGate features are, by default, enabled for logging. You can disable individual log categories you do not want the Syslog server to record, and set the minimum severity that is forwarded, as in this example for the first server (use config log syslogd2 filter, and so on, for the others):

     config log syslogd filter
         set local-traffic {enable | disable}
         set severity {alert | critical | debug | emergency | error | information | notification | warning}
     end

The severity value is a floor: messages at that level and any more severe level are forwarded, less severe ones are dropped. Be careful about filtering aggressively on a server that feeds a SIEM, since information-level event logs (for example admin logins and configuration changes) are often exactly what an investigation needs.
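As an added worked example (not taken from the original page or from Fortinet's documentation), the following script configures a FortiGate to send logs to two collectors with different roles: a primary SIEM collector with reliable (TCP) delivery and the default key=value format, and a secondary collector over plain UDP in CSV format that receives only warning-level and higher, with the third and fourth slots left disabled. It also shows a per-VDOM override for a VDOM named dmz. It uses the keywords this page documents; the addresses (192.0.2.x, from the documentation range), ports, facilities and the VDOM name are placeholder assumptions, and the config global / config vdom wrappers assume VDOMs are enabled (drop the global wrapper on a non-VDOM unit). Comment lines are for the reader and should be removed before pasting into a CLI session.

```text
# Added example, not from the original page. Addresses, ports and the
# VDOM name are assumed placeholders.

config global
    # Primary collector (SIEM): reliable TCP delivery, default key=value format
    config log syslogd setting
        set status enable
        set server 192.0.2.10
        set port 514
        set facility local7
        set reliable enable
        set csv disable
    end
    # Forward notification level and above; drop the noisy local-traffic
    # category (sessions to and from the FortiGate itself)
    config log syslogd filter
        set severity notification
        set local-traffic disable
    end

    # Secondary collector: plain UDP on a non-standard port, CSV format,
    # warning level and above only
    config log syslogd2 setting
        set status enable
        set server 192.0.2.20
        set port 1514
        set facility local6
        set reliable disable
        set csv enable
    end
    config log syslogd2 filter
        set severity warning
    end

    # Third and fourth slots explicitly left disabled until needed
    config log syslogd3 setting
        set status disable
    end
    config log syslogd4 setting
        set status disable
    end
end

# Per-VDOM override: the "dmz" VDOM sends its logs to its own collector
# instead of the global primary server
config vdom
    edit dmz
        config log syslogd override-setting
            set override enable
            set status enable
            set server 192.0.2.30
            set port 514
            set facility local5
            set reliable enable
        end
    next
end
```

After applying the script, diagnose log test generates sample log messages of each type, and diagnose sniffer packet any 'port 514' 4 lets you confirm that they actually leave the unit toward the collector (switch the port filter to 1514 to check the second server). If the override block is rejected, list the available objects with config log syslogd ? inside the VDOM to find the override entry for your build.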

Using Automatic Discovery to connect to a FortiAnalyzer unit


Automatic Discovery can be used if the FortiAnalyzer unit is on the same network as the FortiGate unit, because discovery relies on the Fortinet Discovery Protocol (FDP) rather than on a routed connection to a configured address.

To connect using automatic discovery:

  1. Log in to the CLI.
  2. Enter the following command syntax:

     config log fortianalyzer setting
         set status enable
         set server <ip_address>
         set gui-display enable
         set address-mode auto-discovery
     end

If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. For more information about how to enable the interface to also carry traffic when using the automatic discovery feature, see the Fortinet Knowledge Base article, Fortinet Discovery Protocol in Transparent mode.

