Overview
This article explains how to add a FortiGate firewall as a source in EventsManager, and what to check when a source has been created but no logs are retrieved from it.
Solution
For logs to reach the Syslog server (EventsManager), the client (FortiGate) must be configured to send them to the Syslog server on port 514. Follow the steps below:
- Make sure that the client and the Syslog server can reach each other: run the ping command from the EventsManager server to the FortiGate and vice versa.
- Additionally, make sure that the FortiGate unit can open a TCP connection to the EventsManager server on port 514 (from the FortiGate CLI this is the execute telnet command):
    telnet <syslog_server_ip> 514
  Note that this only proves the TCP listener is reachable; UDP delivery cannot be tested with telnet, so a firewall rule that drops 514/UDP will still go unnoticed here.
- Add FortiGate as a source to EventsManager.
- Configure Logon Credentials for the event source (FortiGate).
- Ensure that EventsManager is listening on port 514: from the Status tab, hover over Syslog to display the configured ports. To change the ports, click Syslog and enter port 514 for both UDP and TCP. By default FortiGate sends syslog over UDP, which gives no delivery guarantee; it can also be configured to send over TCP. It is best to have EventsManager listen on both 514/UDP and 514/TCP so either mode works.
- Configure Syslog reporting on the FortiGate device. From the FortiGate GUI, go to Log & Report > Log Settings, or in the CLI run the following commands:
    config log syslogd setting
        set status enable
        set server <IP address or FQDN of the EventsManager server>
    end
The above Fortinet configuration is a very basic one: the FortiGate unit forwards its default logs to the Syslog server (EventsManager). All of the available options in the FortiOS CLI are described in the article Fortinet log/syslogd settings.
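The following is an added, more complete FortiOS CLI example; it is not part of the original article or of Fortinet's documentation. It assumes EventsManager is at 192.0.2.10 (a placeholder address), uses the set mode syntax of recent FortiOS releases (older releases use set reliable enable/disable instead; check the CLI reference for your firmware), and the lines beginning with # are annotations for the reader, not CLI input. It shows the default UDP setup, the TCP (reliable) alternative that needs the 514/TCP listener in EventsManager, and the FortiGate-side checks to run before looking at EventsManager.

```fortios
# Added example, not from the original article. 192.0.2.10 is a placeholder for the EventsManager server.
# 1. Default transport: UDP. The port is set explicitly so it matches the EventsManager listener.
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set mode udp
    set port 514
    set facility local7
end

# 2. Alternative: send over TCP instead. Only the mode line changes; EventsManager must be listening on 514/TCP.
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set mode reliable
    set port 514
    set facility local7
end

# 3. Forward everything from severity information upwards, so the source is not silently filtered to errors only.
config log syslogd filter
    set severity information
end

# 4. Checks on the FortiGate before looking at EventsManager:
#    show the active syslogd settings
get log syslogd setting
#    generate sample log entries of every type
diagnose log test
#    confirm the datagrams or TCP segments actually leave the FortiGate towards the server
diagnose sniffer packet any 'host 192.0.2.10 and port 514' 4 10
```

If diagnose sniffer shows packets leaving after diagnose log test but EventsManager shows nothing, the problem is on the path or on the EventsManager host (firewall rule, wrong listener port or protocol), not in the FortiGate configuration.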
Testing
- From EventsManager, open Events Browser tab, right-click All Events and select Find Events.
- Select Monitored Machine from the In Column drop-down.
- Select the newly added FortiGate source from the Look for drop-down.
- Click Find - events received from FortiGate should be displayed.
Additionally, if there are a lot of unclassified events in the logs, you can mark them as Noise as described in the article Avoiding to Archive the Unnecessary Events.