Fortinet

Forward Fortinet firewall logs to the log collector using GUI

Follow the steps below to configure the FortiGate firewall:

  1. Log in to the FortiGate web interface

  2. Select Log & Report > Log Setting or Log & Report > Log Config > Log Setting (depending on the version of FortiGate)

  3. To export logs in the syslog format (or export logs to a different configured port):

  • Select the Log to Remote Host option or Syslog checkbox (depending on the version of FortiGate) Syslog format is preferred over WELF, in order to support vdom in Fortigate firewalls.

  • Enter the IP address and port of the “Log Collector”

  • In the Port field, enter the port the server uses for syslog messages. Please check Appendix A for default port list.

  • Select the logging level as Information or select the Log All Events checkbox (depending on the version of FortiGate)

  • Select the facility as local7

  1. Click Apply

CAUTION: Do not select CSV format for exporting the logs.

Configuring RuleSets for Logging Traffic

Follow the steps below to configure rulesets for logging all traffic from or to the FortiGate firewall:

  1. Select Firewall > Policy

  2. Choose a rule for which you want to log traffic and click Edit. You can configure any traffic to be logged separately if it is acted upon by a specific rule.

  3. Select the Log Traffic checkbox

  4. Click OK and then click Apply

Repeat the above steps for all rules for which you want to log traffic.

If “Log Collector” is unable to receive the logs from the Fortigate after configuring from UI, please carryout the steps to configure it through command prompt.

(For the models like Fortigate 60, Fortigate 200, etc.) Please follow the steps to enable the device to send the logs to “Log Collector”.

  • Start CLI on the Fortigate firewall.

  • Execute the following commands to enable Syslog:

Enable syslog:

config log syslogd2 setting set status enable set server <IP> set csv disable set facility local7 set port 1514 set reliable disable end <cr>

Execute the following commands to enable Traffic:

Enable traffic:

config log syslogd filter<cr> set severity information<cr> set traffic enable<cr> set web enable<cr> set email enable<cr> set attack enable<cr> set im enable<cr> set virus enable<cr> end <cr>

Note: Type "show log syslogd filter" to list all available traffic.

Note: In Fortigate OS v5.0, there is an option to send syslog using TCP.

Note: If BluSapphire “Log Collector“ is not getting logs from Fortigate, please check Fortigate OS version. If it is v5.0 or above, ensure option 'reliable' is disabled in syslog config. Then it will use UDP.

Syslog setting can only be done through CLI mode. There is no option in UI.

PreviousFortimanagerNextCisco ASA with FirePOWER services

Last updated