Syslog server on fortigate

  • 1.  Syslog server on fortigate

    Posted May 07, 2021 12:54 AM
    Hi,

    When configuring the syslog server on a fortigate, do we need to specify the source-ip from where the traffic will be generated? In my case, we have a fortigate with lots of vlans and networks and we need to be able to generate the logs from all these networks. If we don't specify the source-ip, does this mean that we will be able to generate the traffic toward the syslog server from all the networks that are present on the fortigate?

    BR


  • 2.  RE: Syslog server on fortigate

    Posted May 07, 2021 05:35 AM
    I'm almost 100% sure if source-ip is not set it will use whatever the egress port ip that is used to get to the syslog server. Any logs that are related to other interfaces should still be logged appropriately regardless of the source-ip since the log data will contain that.


  • 3.  RE: Syslog server on fortigate

    Posted May 11, 2021 07:17 AM
    Hi Shane, 

    We are still not able to send the logs to the kiwi syslog server.

    This is what our setting on the fortigate looks like:

    config log syslogd setting
    set status enable
    set server "192.168.121.5"
    set mode udp
    set port 514
    set facility local7
    set source-ip ''
    set format default
    set priority default
    set max-log-rate 0
    set interface-select-method auto
    end

    The kiwi server is reachable through an IPsec tunnel and it resides on azure. We can ping this server from the fortigate. On the other hand, behind our fortigate there are at least 20 vlans which we want to be able to send logs from to the syslog server. We have not defined anything on the phase-2 parameter regarding local-remote subnets but we are controlling the traffic through policies.

    Do I need to create a policy for every vlan in order to send traffic to the syslog server, or is it sufficient to only have the ipsec up and running? This is a little bit confusing since I have tested this with another firewall (meraki MX) and we did not have to create rules or specify a source ip.


  • 4.  RE: Syslog server on fortigate

    Posted May 12, 2021 10:37 AM
    Hello Fisnik,
    your problem is the outgoing IP address.
    When your VPN Tunnel doesn't have an IP address, the Fortigate uses the nearest IP to the target.
    And this is your outgoing IP for the VPN Tunnel.
    When this is a Tunnel over Public, then the wan ip.

    You need a source IP from the Fortigate, like LAN IP or any other local IP.
    Set the source-ip in syslogd to this local IP.
    Then you need a policy from this network (local IP) to the Network 192.168.121.x.
    Incoming interface local network and outgoing interface vpn.

    For all other traffic you need policies from incoming interface to the vpn interface.

    Best Regards
    Andreas
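
A collector-side check for the source address discussed above, as an added example that is not part of the original thread: it decodes the syslog PRI field and reports whether each datagram arrives from the address configured as source-ip with the facility the posted config sets (local7). The addresses 192.0.2.10 and 198.51.100.7, the sample log line and all function names are assumptions made up for illustration.

```python
import socket

LOCAL7 = 23  # numeric facility code for "set facility local7"

# Constructed sample datagram (PRI 189 = local7 * 8 + severity 5 "notice").
SAMPLE = b'<189>date=2021-05-11 time=07:17:00 devname="FGT-LAB" type="event"'

def parse_pri(datagram: bytes):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)      # PRI is 1 to 3 digits, so '>' is at index 2..4
    if end == -1:
        return None
    digits = datagram[1:end]
    if not digits.isdigit():
        return None
    pri = int(digits)
    if pri > 191:                        # highest valid value: facility 23, severity 7
        return None
    return divmod(pri, 8)

def classify(sender_ip, datagram, expected_source_ip, expected_facility=LOCAL7):
    """Say why a datagram does or does not match the expected firewall sender."""
    pri = parse_pri(datagram)
    if pri is None:
        return "not-syslog"
    if sender_ip != expected_source_ip:
        # e.g. the firewall used its egress/WAN address instead of source-ip
        return "unexpected-source"
    if pri[0] != expected_facility:
        return "unexpected-facility"
    return "ok"

def listen(bind_ip, port, expected_source_ip, count=10):
    """Print the sender address and verdict for the next `count` datagrams."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        for _ in range(count):
            data, (ip, _src_port) = sock.recvfrom(8192)
            print(ip, classify(ip, data, expected_source_ip), data[:80])

if __name__ == "__main__":
    # 192.0.2.10 stands in for the local IP chosen as source-ip (assumption).
    # Binding UDP 514 usually needs elevated privileges on the collector.
    listen("0.0.0.0", 514, "192.0.2.10")
```

If nothing is printed at all, the datagrams are not reaching the collector; "unexpected-source" shows which address the firewall is actually sending from.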



  • 5.  RE: Syslog server on fortigate

    Posted May 14, 2021 02:16 AM
    Hi Andreas,

    I see now, so the source IP can be whatever IP that I already have behind the fortigate and this source IP should be matched to the one we configure on the syslog server. I just need to clarify something else, so through the firewall the one that is sending logs will be this source IP. This source IP collects all the logs and sends these toward the syslog server through the IPSec tunnel. If my assumption is correct then we only need one policy that allows traffic to be sent from the source-ip to the syslog server. Is this correct or am I thinking wrong?


  • 6.  RE: Syslog server on fortigate

    Posted May 14, 2021 03:15 AM
    Hello Fisnik,
    sorry no.

    The Source-ip is one of the Fortigate IPs.
    And this is only for the syslog from the fortigate itself.
    Fortigate is no syslog proxy.

    When you want to send syslog from other devices to a syslog server through the Fortigate, then you need policies for this.

    From incoming interface (syslog sending device network) to outgoing interface (syslog server network). Service Syslog.

    best regards
    Andreas


  • 7.  RE: Syslog server on fortigate

    Posted May 14, 2021 06:44 AM

    I'm hiring someone today from within but will most likely be looking for another in the very near future like within the next month.... I will be in touch with andre

  • 8.  RE: Syslog server on fortigate

    Posted May 14, 2021 06:44 AM

    Sorry this was not meant for here.