Fortigate syslog forwarding

Fortigate syslog forwarding DEFAULT

Configuring log forwarding

Forwarding mode only requires configuration on the client side. No configuration is needed on the server side. In aggregation mode, accepting the logs must be enabled on the FortiAnalyzer that is acting as the server.

Forwarding mode

Forwarding mode can be configured in the GUI. No configuration is required on the server side.

To configure the client:
  1. Go to System Settings > Log Forwarding.
  2. Click Create New in the toolbar. The Create New Log Forwarding pane opens.

  3. Fill in the information as per the below table, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.


    Enter a name for the remote server.


    Set to On to enable log forwarding. Set to Off to disable log forwarding.

    Remote Server Type

    Select the type of remote server to which you are forwarding logs: FortiAnalyzer, Syslog, or Common Event Format (CEF).

    Server IP

    Enter the IP address of the remote server.

    Server Port

    Enter the server port number. Default:

    This option is only available when the server type in not FortiAnalyzer.

    Reliable Connection

    Turn on to use TCP connection. Turn off to use UDP connection.

    If you are forwarding logs to a Syslog or CEF server, ensure this option is supported before turning it on.

    Sending Frequency

    Select when logs will be sent to the server: Real-time, Every 1 Minute, or Every 5 Minutes (default).

    This option is only available when the server type is FortiAnalyzer.

    Log Forwarding Filters



    Device Filters

    Click Select Device, then select the devices whose logs will be forwarded.


    Log Filters

    Turn on to configure filter on the logs that are forwarded.

    Select All or Any of the Following Conditions in the Log messages that match field to control how the filters are applied to the logs.

    Add filters to the table by selecting the Log Field, Match Criteria, and Value for each filter.


    Enable Exclusions

    This option is only available when the remove server is a Syslog or CEF server.

    Turn on to configure filter on the logs that are forwarded.

    Add exclusions to the table by selecting the Device Type and Log Type. Then, add Log Fields to the Exclusion List by clicking Fields and specifying the excluded log fields in the Select Log Field pane.

Devices whose logs are being forwarded to another FortiAnalyzer device are added to the server as unregistered devices. To register devices, see Adding devices manually.

Aggregation mode

Aggregation mode can only be configured using the CLI. Aggregation mode configurations are not listed in the GUI table, but still use a log forwarding ID number.

Use the following CLI command to see what log forwarding IDs have been used:

get system log-forward

To configure the server:
  1. If required, create a new administrator with the Super_User profile. See Creating administrators.
  2. Enable log aggregation and, if necessary, configure the disk quota, with the following CLI commands:

    config system log-forward-service

    set accept-aggregation enable

    set aggregation-disk-quota <quota>


To configure the client:
  1. Open the log forwarding command shell:

    config system log-forward

  2. Create a new, or edit an existing, log forwarding entry:

    edit <log forwarding ID>

  3. Set the log forwarding mode to :

    set mode aggregation

  4. Set the server display name and IP address:

    set server-name <string>

    set server-ip <>

  5. Enter the user name and password of the super user administrator on the server:

    set agg-user <string>

    set agg-password <string>

  6. If required, set the aggregation time from 0 to 23 hours (default: 0, or midnight):

    set agg-time <integer>

  7. Enter the following to apply the configuration and create the log aggregation:


    The following line will be displayed to confirm the creation of the log aggregation:

    check for cfg[<log forwarding ID>] svr_disp_name=<server-name>


Configure Fortinet Firewalls

Firewall Analyzer supports the following versions of FortiGate:

  • FortiOS - v, , , , and or later
  • Fortinet - 50,, , , ,
  • Fortigate - , series 


 Firmware v or later is required

Prerequisite to get Application report

Information about Applications like Skype, FaceBook, YouTube and application categories accessed by users will be available in this report. This report is available for Fortigate only. Ensure Application Control service in their Fortigate firewall is enabled to generate the Application report.

Virtual Firewall (Virtual Domain) logs

There is no separate configuration required in Firewall Analyzer for receving logs from Virtual Firewalls of the Fortinet physical device. For configuring High Availablity for FortiGate Firewall with vdoms, refer the procedure given below.

Prerequisite to support vdom

In order to get the vdom support for Fortigate Firewall, ensure that the log format selected is Syslog instead of WELF. 

If Firewall Analyzer is unable to receive the logs from the Fortigate after configuring from UI, please carryout the steps to configure it through command prompt

To determine the version number of the Fortigate that you are running, use the command: get system status

Configuring the FortiGate Firewall

Follow the steps below to configure the FortiGate firewall:

  1. Log in to the FortiGate web interface
  2. Select Log & Report > Log Setting or Log & Report > Log Config > Log Setting (depending on the version of FortiGate)
  3. If you want to export logs in WELF format:
    • Select the Log in WebTrends Enhanced Log Format or the WebTrends checkbox (depending on the version of FortiGate)
    • Enter the IP address of the syslog server
    • Choose the logging level as Information or select the Log All Events checkbox (depending on the version of FortiGate)
  4. If you want to export logs in the syslog format (or export logs to a different configured port):
    • Select the Log to Remote Host option or Syslog checkbox (depending on the version of FortiGate) Syslog format is preffered over WELF, in order to support vdom in Fortigate firewalls.
    • Enter the IP address and port of the syslog server
    • Select the logging level as Information or select the Log All Events checkbox (depending on the version of FortiGate)
    • Select the facility as local7
  5. Click Apply


 Do not select CSV format for exporting the logs.

Configuring RuleSets for Logging Traffic

Follow the steps below to configure rulesets for logging all traffic from or to the FortiGate firewall:

  1. Select Firewall > Policy
  2. Choose a rule for which you want to log traffic and click Edit. You can configure any traffic to be logged separately if it is acted upon by a specific rule.
  3. Select the Log Traffic checkbox
  4. Click OK and then click Apply

Repeat the above steps for all rules for which you want to log traffic.

For more information, refer the Fortinet documentation.

If Firewall Analyzer is unable to receive the logs from the Fortigate after configuring from UI, please carryout the steps to configure it through command prompt

(For the models like Fortigate 60, Fortigate , etc.)
Please follow the steps to enable the device to send the logs to Firewall Analyzer.

  • Start CLI on the Fortigate firewall.
  • Execute the following commands to enable Syslog:

Enable syslog:
config log syslogd2 setting
set status enable
set server <IP>
set csv disable
set facility local7
set port
set reliable disable
end <cr>

  • Execute the following commands to enable Traffic:

Enable traffic:
config log syslogd filter<cr>
set severity information<cr>
set traffic enable<cr>
set web enable<cr>
set email enable<cr>
set attack enable<cr>
set im enable<cr>
set virus enable<cr>
end <cr>


 Type "show log syslogd filter" to list all available traffic.

Stop and start the Firewall Analyzer application/service and check if you are able to receive the Fortigate Firewall packets in Firewall Analyzer.


 In Fortigate OS v, there is an option to send syslog using TCP. If FirewallAnalyzer is not getting logs from Fortigate, please check Fortigate OS version. If it is v or above, ensure option 'reliable' is disabled in syslog config. Then it will use UDP.
Syslog setting can only be done through CLI mode. There is no option in UI.

Memory and logging optimizations

If further memory reduction or increase of logging rate are required, there are several optimization possibilities.

Disable extended traffic logging

config log fortianalyzer set extended-traffic-log {disable | enable} end

This feature is for ICSA compliance and is enabled by default.

When enabled, traffic logging volume is doubled because a log is generated when the sessions starts and stops.

When disabled, a log is only generated upon a session stop.

The extended-traffic-log enable command would also cause traffic hitting a deny policy (or the implicit deny policy) to be logged regardless if logging is enable or not on the deny policy.

Configure/Enable SNMP Protocol for Fortigate Firewall device

Using CLI Console:

Ensure SNMP is enabled in Fortigate box by using the below command: 

If it is disabled, enable it by using the below commands:

config system snmp sysinfo
set status enable

To enable the SNMP Manager running in Firewall Analyzer to make queries to SNMP Agent running in the firewall: 

config system snmp
edit <SNMP Community ID>
config hosts
edit <SNMP Community ID>
set interface <Interface through which Firewall Analyzer is connected to Firewall>
set ip <Firewall Analyzer machine IP address>

To ensure the source interface that connects Firewall Analyzer to Firewall device allows SNMP traffic, execute the below command: 

get system interface <interface name>

To allow SNMP traffic through the source interface use the below command:

config system interface internal
set allowaccess <proto1 proto2 SNMP>

Using Web UI:

  • Log in to the FortiGate web interface
  • Go to System > Config > SNMP v1/v2c
  • Select Enable for the SNMP Agent
  • Enter Description, Location and Contact information.
  • Click Apply


  • If you already have a SNMP community, edit it to provide Firewall Analyzer (SNMP Manager) IP address. Also specify the source interface through which Firewall Analyzer connects to Firewall.

  • If you want to add a new SNMP community, click 'Create New' button and enter Community Name. Provide Firewall Analyzer (SNMP Manager) IP address and the source interface through which Firewall Analyzer connects to Firewall.

To activate SNMP traffic in the source interface:

  • Go to System > Network > Interface.
  • For the interface allowing SNMP traffic, select Edit.
  • Select SNMP for Administrative Access.
  • Select OK

Configure Fortigate in High Availability Mode:

In case of Fortigate Firewalls , device_id is considered as resource name in Firewall Analyzer. In the High Availability mode, eventhough both active and standby Firewalls have the same name, the device_id will be different. So, Firewall Analyzer displays them as two devices. To avoid this, you can configure the device name (devname) of standby Firewall as device_id of active Firewall. Syslogs from the FortiGate Firewall will transmit the serial number of the device as the value of device_id field and the host name as the value of the device name (devname) field.


Active Firewall log: <>date= time= devname=DSACZ4 device_id=FGT80G log_id=
Standby Firewall log: <>date= time= devname=FGT80G device_id=FGT80G log_id=


For more details about FortiGate firewall monitoring features refer the below pages:

  1. Treasure x youtube
  2. Effect photoshop
  3. Transmission shop aurora
StatusSelect to enable the configuration.AddressIP address of the syslog server.PortListening port number of the syslog server. Usually this is UDP port Log LevelSelect the lowest severity to log from the following choices:
  • Emergency—The system has become unstable.
  • Alert—Immediate action is required.
  • Critical—Functionality is affected.
  • Error—An error condition exists and functionality could be affected.
  • Warning—Functionality might be affected.
  • Notification—Information about normal events.
  • Information—General information about system operations.
  • Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior.

For example, if you select Error, the system sends the syslog server logs with level Error, Critical, Alert, and Emergency. If you select Alert, the system collects logs with level Alert and Emergency.CSVSend logs in CSV format. Do not use with FortiAnalyzer.FacilityIdentifier that is not used by any other device on your network when sending logs to FortiAnalyzer/syslog.EventSelect to enable logging for events.Event CategorySelect the types of events to send to the syslog server:

  • Configuration—Configuration changes.
  • Admin—Administrator actions.
  • System—System operations, warnings, and errors.
  • User—Authentication results logs.
  • Health Check—Health check results and client certificate validation check results.
  • SLB—Notifications, such as connection limit reached.
  • LLB—Notifications, such as bandwidth thresholds reached.
  • GLB—Notifications, such as the status of associated local SLB and virtual servers.
  • Firewall—Notifications for the "firewall"&#;module, such as SNAT source IP pool is using all of its addresses.
TrafficSelect to enable logging for traffic processed by the load balancing modules.Traffic Category
  • SLB—Server Load Balancing traffic logs related to sessions and throughput.
  • GLB—Global Load Balancing traffic logs related to DNS requests.
Attack LoggingSelect to enable logging for traffic processed by the security modules.Security Category
  • DoS—SYN flood protection logs.
  • IP Reputation—IP Reputation logs.
  • WAF—WAF logs.
  • Geo—Geo IP blocking logs.
Config Log Forwarding

Log Forwarding

You can forward logs from a FortiAnalyzer unit to another FortiAnalyzer unit, a syslog server, or a Common Event Format (CEF) server when you use the default forwarding mode in log forwarding.

The client is the FortiAnalyzer unit that forwards logs to another device. The server is the FortiAnalyzer unit, syslog server, or CEF server that receives the logs.

In addition to forwarding logs to another unit or server, the client retains a local copy of the logs. The local copy of the logs is subject to the data policy settings for archived logs.

To see a graphical view of the log forwarding configuration, and to see details of the devices involved, go to System Settings > Logging Topology. For more information, see Logging Topology.


Forwarding fortigate syslog

Configuring a Fortinet Firewall to Send Syslogs

To monitor with full accountability and get rule and object usage reporting, your Fortinet devices must send syslogs to TOS&#;Classic. To do this, define TOS&#;Classic as a syslog server for each monitored Fortinet devices.

The firewalls in the organization must be configured to allow relevant traffic.

Syslog traffic must be configured to arrive to the SecureTrack server that monitors the device (Central Server, Distribution Server or Remote Collector Server) from the IP and/or host name of the device.

For more information see Sending Additional Information via Syslog.

Syslog proxy is supported for specific devices. For more information on syslog proxy support for supported devices, see Configuring Devices to Send Logs.

Only rules that are marked for logging in the device are included in the syslogs.

To define TOS&#;Classic as a syslog server on a FortiOS 5.x device:

Run the following commands:

Config global config log syslogd setting set csv disable set facility local7 set source-ip <Fortinet_Ip> set port set server <st_ip_address> set status enable end config log syslogd filter set severity information end end

FortiGate supports multiple active syslog server destinations.

We recommend that you verify how many firewalls your FortiGate device version supports, and then use syslogd, syslogd2,syslog3,…syslog<n> to configure the desired syslog server setting.

To define TOS&#;Classic as a syslog server on a FortiOS 4.x device:

  1. Log into the device's web interface. Under Log & Report, click Log Config:

    log config

  2. In the Log Setting tab, select Syslog:

    fortinet syslog

  3. Configure the following settings:

    • Name/IP: A resolvable hostname or the IP address of the TOS&#;Classic server, remote collector or distribution server that is managing the device
    • Port:
    • Minimum log level: Information or higher
    • Facility: local7

      If you need to use a lower facility, configure TOS&#;Classic as described in this tech note.

    • Enable CSV Format: Not selected
FortiGate Syslog Configuration - Fortigate without VDOM Syslog Configuration - Syslog configuration

I do this, what is the problem. Or have you suddenly woken up jealousy. Yul, well, this is really not for correspondence. Let's discuss everything in private. Artem, what kind of kindergarten.

Now discussing:

In a house on the banks of the ancient Tiber not far from Rome itself. He was in a hurry. I was in a hurry to leave my little child here. Own son.

53 54 55 56 57