Configuring a Fortinet Firewall to Send Syslogs

This topic is intended for TOS Administrators.

Overview

To get rule and object usage reporting, your Fortinet devices must send syslogs to TOS. To do this, define TOS as a syslog server on each monitored Fortinet device.

The firewalls in the organization must be configured to allow relevant traffic.

Syslog traffic must be configured to arrive at the TOS cluster that monitors the device - see Sending Additional Information via Syslog.

Syslog proxy is supported only for specific devices. For the list of devices that support it, see Configuring Devices to Send Logs.

Only rules that are marked for logging in the device are included in the syslogs.

Define TOS as a Syslog Server

Run the following commands on a FortiOS 5.x (and later) device. The config global / end wrapper applies only when the device runs in VDOM mode; on a device without VDOMs, start at config log syslogd setting. Replace <Fortinet_Ip> with the source address the FortiGate should send from and <st_ip_address> with the address of the TOS server:

config global
  config log syslogd setting
    set status enable
    set csv disable
    set facility local7
    set source-ip <Fortinet_Ip>
    set port 514
    set server <st_ip_address>
  end
  config log syslogd filter
    set severity information
    set forward-traffic enable
  end
end

The line set csv disable applies to FortiOS 5.x only; omit it on later versions.

Make sure the filter commands cover all of the traffic you want sent to syslog. The filter lines are optional in the sense that you choose which traffic types to include; set forward-traffic enable, shown above, is one example. Only traffic types you enable in the filter are sent, so check that every type you need for reporting is included.
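Once the FortiGate is sending, it is worth checking what actually arrives on the TOS side and which rules will show up in usage reporting. The following is an added Python example, not part of this page and not TOS's own code: it parses FortiGate key=value syslog lines, keeps only forward-traffic records, and counts hits per policyid and VDOM. The sample log lines are constructed for the example (the field names follow the FortiGate traffic log format, and the <189>/<190> prefixes correspond to facility local7 at severity notice/information, matching the configuration above); how TOS itself processes the logs internally is not shown here.

```python
"""Parse FortiGate syslog lines and count forward-traffic hits per firewall policy.

Added example: the log lines below are constructed, not captured from a real device.
"""
import re
from collections import Counter

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> dict:
    """Return the key=value fields of one FortiGate log line as a dict.

    Anything before the first 'date=' (the syslog PRI and any relay-added
    header) is ignored; quotes around values are stripped.
    """
    start = line.find("date=")
    body = line[start:] if start >= 0 else line
    fields = {}
    for key, value in _KV_RE.findall(body):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_forward_traffic(fields: dict) -> bool:
    """True for records produced by the 'forward-traffic' log filter."""
    return fields.get("type") == "traffic" and fields.get("subtype") == "forward"


def rule_hits(lines):
    """Count forward-traffic records per (vdom, policyid).

    Returns (Counter, skipped). Records that are not forward traffic or carry no
    policyid are counted as skipped: they cannot be attributed to a rule, so a
    high skipped count usually means the syslogd filter is not what you intended.
    """
    hits = Counter()
    skipped = 0
    for line in lines:
        f = parse_fortigate_line(line)
        if not is_forward_traffic(f) or "policyid" not in f:
            skipped += 1
            continue
        hits[(f.get("vd", "root"), f["policyid"])] += 1
    return hits, skipped


# Constructed sample lines (hypothetical device FGT-EDGE, hypothetical addresses).
SAMPLE_LINES = [
    '<189>date=2024-05-01 time=10:15:02 devname="FGT-EDGE" devid="FGT60FTK00000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.10.1.25 srcport=51234 srcintf="port2" dstip=93.184.216.34 dstport=443 '
    'dstintf="port1" proto=6 action="accept" policyid=12 policytype="policy" '
    'service="HTTPS" sentbyte=1432 rcvdbyte=9870',
    '<189>date=2024-05-01 time=10:15:03 devname="FGT-EDGE" devid="FGT60FTK00000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.10.1.26 srcport=51240 srcintf="port2" dstip=93.184.216.34 dstport=443 '
    'dstintf="port1" proto=6 action="accept" policyid=12 policytype="policy" '
    'service="HTTPS" sentbyte=900 rcvdbyte=4100',
    '<189>date=2024-05-01 time=10:15:04 devname="FGT-EDGE" devid="FGT60FTK00000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.10.2.7 srcport=40000 srcintf="port3" dstip=10.20.0.5 dstport=22 '
    'dstintf="port4" proto=6 action="deny" policyid=40 policytype="policy" service="SSH"',
    # Local (to-the-firewall) traffic: not covered by forward-traffic, so skipped.
    '<189>date=2024-05-01 time=10:15:05 devname="FGT-EDGE" devid="FGT60FTK00000000" '
    'logid="0000000020" type="traffic" subtype="local" level="notice" vd="root" '
    'srcip=10.10.1.25 dstip=10.10.1.1 dstport=443 proto=6 action="accept" policyid=0 '
    'service="HTTPS"',
    # Event log with a quoted value containing spaces: parsed, but not a rule hit.
    '<190>date=2024-05-01 time=10:15:06 devname="FGT-EDGE" devid="FGT60FTK00000000" '
    'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" '
    'msg="Administrator admin logged in successfully from https(10.10.1.2)"',
]


if __name__ == "__main__":
    counts, skipped_count = rule_hits(SAMPLE_LINES)
    for (vdom, policy), n in sorted(counts.items()):
        print(f"vdom={vdom} policyid={policy} hits={n}")
    print(f"skipped (not forward traffic / no policyid): {skipped_count}")
```

Feed it real lines captured on the TOS host (for example, a file written by a syslog listener on UDP 514) to confirm that forward-traffic records with a policyid are arriving; a rule that never appears here is either not marked for logging on the FortiGate or not matched by the syslogd filter.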

FortiGate supports multiple active syslog server destinations.

We recommend that you verify how many syslog servers your FortiGate device version supports, and then use syslogd, syslogd2, syslogd3, … syslogd<n> to configure each additional syslog server setting.