You may want to add a FortiGate firewall as a source in EventsManager and are not sure how to do it, or you have created the source but no logs are retrieved.
In order for the logs to reach the Syslog server (EventsManager), you need to configure the client (FortiGate) to send its log messages to the Syslog server on port 514. Follow the detailed steps below:
- Make sure that the client and the Syslog server can ping each other: run the ping command from the EventsManager server to the FortiGate and vice versa.
- Additionally, make sure that the FortiGate unit can establish a connection to the EventsManager server on port 514 by running the following command with the EventsManager server IP (telnet exercises the TCP listener only):
telnet <syslog_server_ip> 514
- Add FortiGate as a source to EventsManager.
- Configure Logon Credentials for the event source (FortiGate).
- Ensure that EventsManager is listening on port 514: from the Status tab, hover over Syslog and the configured ports are displayed. To change the ports, click on Syslog and enter port 514 for both UDP and TCP.
Configure Syslog reporting on the FortiGate device:
From the FortiGate GUI, go to Log & Report > Log Settings; in the CLI, run the following commands (the final end commits the settings):
config log syslogd setting
    set status enable
    set server <IP address or FQDN of Syslog EventsManager server>
end
The above Fortinet configuration is a very basic one: the FortiGate unit will forward the default logs to the Syslog server (EventsManager). You can find more information about syslog configuration in the article Fortinet log/syslogd settings.
- From EventsManager, open the Events Browser tab, right-click All Events and select Find Events.
- Select Monitored Machine from the In Column drop-down.
- Select the newly added FortiGate source from the Look for drop-down.
- Click Find - events received from FortiGate should be displayed.
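If Find Events still returns nothing, it helps to confirm that the FortiGate is actually delivering syslog to the EventsManager host before revisiting the source configuration. The script below is an added example (not GFI or Fortinet code): it parses the key=value format FortiOS uses in syslog messages and can also act as a throwaway UDP/514 receiver on the EventsManager host while the EventsManager syslog listener is stopped. The sample line, device name and addresses are constructed.

```python
"""Minimal UDP syslog receiver and FortiGate key=value parser (added example)."""
import re
import socket
import sys

# FortiOS syslog payload: optional <PRI> header followed by key=value pairs,
# where values are either bare tokens or double-quoted strings.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample (not a real device or real addresses).
SAMPLE_LINE = ('<189>date=2024-01-02 time=10:11:12 devname="fw-example" '
               'logid="0000000013" type="traffic" subtype="forward" level="notice" '
               'vd="root" srcip=10.0.1.25 dstip=192.0.2.10 action="accept"')


def parse_fortigate_syslog(line: str) -> dict:
    """Return the fields of one FortiGate syslog message as a dict.

    When a <PRI> prefix is present, facility and severity are decoded as
    PRI // 8 and PRI % 8 (RFC 3164/5424) into the _facility/_severity keys.
    """
    fields = {}
    m = _PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields["_facility"], fields["_severity"] = pri // 8, pri % 8
        line = line[m.end():]
    for key, value in _KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def listen_udp(port: int = 514, count: int = 5) -> None:
    """Print the source and key fields of the first `count` datagrams on `port`.

    Stop the EventsManager syslog listener first (it owns the port); binding
    to 514 requires administrator/root privileges.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(count):
            data, (src, _) = sock.recvfrom(65535)
            f = parse_fortigate_syslog(data.decode("utf-8", "replace"))
            print(src, f.get("devname"), f.get("type"), f.get("subtype"), f.get("logid"))


if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g.  python fgt_syslog_check.py 514
        listen_udp(int(sys.argv[1]))
    else:                          # offline demo on the constructed sample
        print(parse_fortigate_syslog(SAMPLE_LINE))
```

If datagrams arrive here but not in EventsManager, the problem is on the EventsManager side (listener port or source definition); if nothing arrives, revisit the FortiGate syslogd settings and the path between the two hosts.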
Additionally, if there are a lot of unclassified events in the logs, you can mark them as Noise as described in the article Avoiding to Archive the Unnecessary Events.