Fortigate Firewalls
Overview
Fortigate logs are collected via syslog in CEF format. The configurations below should apply to any system running FortiOS version 6.X, which allows up to 4 syslog servers to be configured.
Configuring as the only syslog server
These are the configuration steps to follow when the remote sensor is the only syslog destination for syslogs from the Fortigate.
- In the Administration UI, select Log & Report > Log Settings from the left channel.
- Enable the "Send logs to syslog" option.
- Enter the remote sensor IP.
- Click the "Apply" button at the bottom of the page.
- Open the "CLI Console" via the ">_" image in the upper right.
- Run the following to enter configuration mode: config log syslogd setting
- Run the following to set the CEF format: set format cef
- Run the following to check the configuration, which should look similar to the output below: show full-configuration
firewall1 (setting) # show full-configuration
config log syslogd setting
    set status enable
    set server "<IP from step 3>"
    set mode udp
    set port 514
    set facility local7
    set source-ip ''
    set format cef
    set priority default
    set max-log-rate 0
end
- Run the following to save the configuration and exit configuration mode: end
- Setup is complete
Configuring as an additional syslog server
These are the configuration steps to follow when the remote sensor is being added as an additional syslog destination for syslogs from the Fortigate. The configuration below assumes it is the second syslog server (syslogd2); another number can be used in the first command to configure a different server (e.g. syslogd3).
- Open the "CLI Console" via the ">_" image in the upper right of the Administration UI.
- Run the following to enter configuration mode: config log syslogd2 setting
- Run the following commands to enable the server, set its address and select the CEF format:
    set status enable
    set server "<IP of remote sensor>"
    set format cef
- Run the following to check the configuration, which should look similar to the output below: show full-configuration
firewall1 (setting) # show full-configuration
config log syslogd2 setting
    set status enable
    set server "<IP of remote sensor>"
    set mode udp
    set port 514
    set facility local7
    set source-ip ''
    set format cef
    set priority default
    set max-log-rate 0
end
- Run the following to save the configuration and exit configuration mode: end
- Setup is complete
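Both procedures above end once the Fortigate is configured, but the page gives no way to confirm that the remote sensor actually receives the logs in CEF format over UDP port 514 with facility local7. The following Python script is an added example (not part of this page and not Fortinet's or the sensor vendor's code) that does that check on the sensor side: it parses a syslog line as produced by "set format cef" (decoding the facility and severity from the <PRI> prefix, then the seven CEF header fields and the extension key/value pairs) and can also wait for one real datagram on UDP 514. The sample line, the device id FGTEXAMPLE0001 and the addresses in it are constructed for the example; the exact header Fortigate emits may differ by firmware.

```python
import re
import socket
from typing import Dict, Optional

# Syslog facility numbers (RFC 5424); local7 = 23 is the value shown in the page's config.
FACILITY_NAMES = {16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}

# The seven fixed CEF header fields, in order: CEF:Version|Vendor|Product|Version|SigID|Name|Severity|ext
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Constructed sample of a CEF-formatted Fortigate syslog line (not a real capture).
SAMPLE_LINE = ("<189>CEF:0|Fortinet|Fortigate|v6.4.0|0000000013|traffic:forward accept|3|"
               "deviceExternalId=FGTEXAMPLE0001 src=10.1.1.5 spt=51111 dst=203.0.113.9 dpt=443 "
               "proto=6 act=accept msg=Example traffic log")


def _split_header(body: str):
    """Split the text after 'CEF:' on the first 7 unescaped '|' characters.
    Returns (seven header fields, remaining extension string)."""
    fields, cur, i, n = [], [], 0, len(body)
    while i < n and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < n:      # '\|' and '\\' are escapes inside header fields
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, body[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value two' pairs. Values may contain spaces,
    so each value runs until the next ' key=' token."""
    out: Dict[str, str] = {}
    matches = list(_EXT_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        value = ext[start:end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_fortigate_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line as the sensor receives it after 'set format cef'.
    Decodes facility/severity from the <PRI> prefix (if present), then the
    CEF header fields and the extension key/value pairs."""
    result: Dict[str, object] = {"facility": None, "facility_name": None, "syslog_severity": None}
    rest = line
    m = _PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        result["facility"] = pri >> 3          # PRI = facility * 8 + severity
        result["facility_name"] = FACILITY_NAMES.get(pri >> 3, str(pri >> 3))
        result["syslog_severity"] = pri & 7
        rest = line[m.end():]
    marker = rest.find("CEF:")
    if marker < 0:
        raise ValueError("not a CEF message (no 'CEF:' marker); check 'set format cef' on the Fortigate")
    fields, ext = _split_header(rest[marker + len("CEF:"):])
    result.update(zip(CEF_HEADER_FIELDS, fields))
    result["extension"] = _parse_extension(ext)
    return result


def receive_one_cef(bind_ip: str = "0.0.0.0", port: int = 514,
                    timeout: float = 30.0) -> Optional[Dict[str, object]]:
    """Wait for one datagram on the page's default UDP port 514 and parse it.
    Binding to port 514 needs root or CAP_NET_BIND_SERVICE. Returns None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_ip, port))
        try:
            data, (src, _) = sock.recvfrom(65535)
        except socket.timeout:
            return None
    parsed = parse_fortigate_cef(data.decode("utf-8", errors="replace"))
    parsed["sender"] = src
    return parsed


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; run receive_one_cef() on the sensor
    # (before the real collector is bound to 514) to check a live Fortigate instead.
    for key, value in parse_fortigate_cef(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

On the constructed sample, the parser reports facility local7 and syslog severity 5, vendor Fortinet, signature id 0000000013 and a CEF severity of 3, which is what the configuration on this page should yield. Because the page uses "set mode udp", delivery is unacknowledged, so a listener like receive_one_cef() (or the sensor's own packet capture) is the only way to confirm that the Fortigate's logs are arriving and that "set format cef" took effect; a line without the "CEF:" marker means the format was left at the default.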