jodros
New Contributor

FortiClient Logging to Syslog Server

I have a unique situation. I am trying to configure our environment to use Fortinet for web filtering. This includes our 3600c's as well as FortiClients. I have this configured except for one item. We need to be able to collect all FortiClient logs while the machine is off net. I know that sending logs to FAZ was an option and with the newest FortiClient, sending to a syslog server is now an option. I configured the remote logging settings within the FortiClient XML to send logs to a syslog server and it is working, kinda. The issue is that our syslog server is only accessible while on net. However, the FortiClient sends the logs in real time to the syslog server while off net, into the ether of the Interwebz which will never be seen by the syslog server.

So some initial thoughts, stand up a public-facing syslog server. I am not really entertaining this option. However, is there an option to queue logging until the FortiClient is back on net? Or, is there a way for the FortiClient to send logs back to another device, that would then log them to a syslog server? We do not have a FAZ but we have FortiManager.

Thanks

Christopher_McMullan

This is the full section for logging settings in the FortiClient XML configuration:

 

<forticlient_configuration>
  <system>
    <log_settings>
      <onnet_local_logging>[0|1]</onnet_local_logging>
      <level>6</level>
      <log_events>ipsecvpn,sslvpn,scheduler,update,firewall,av,clientmanager,proxy,shield,webfilter,endpoint,fssoma,wanacc,configd,vuln</log_events>
      <remote_logging>
        <log_upload_enabled>0</log_upload_enabled>
        <log_upload_server>0.0.0.0</log_upload_server>
        <log_upload_ssl_enabled>1</log_upload_ssl_enabled>
        <log_upload_freq_minutes>90</log_upload_freq_minutes>
        <log_retention_days>90</log_retention_days>
        <log_upload_freq_hours>1</log_upload_freq_hours>
        <log_last_upload_date>0</log_last_upload_date>
        <log_protocol>syslog</log_protocol> <!-- faz | syslog -->
        <netlog_server></netlog_server> <!-- server IP address -->
        <netlog_categories>7</netlog_categories>
      </remote_logging>
    </log_settings>
  </system>
</forticlient_configuration>

 

It doesn't look like you can make the distinction you're looking for.

Regards, Chris McMullan Fortinet Ottawa

jodros
New Contributor

There is an option to upload logs to FortiAnalyzer, but I have also seen where that could be to a FortiManager. Is that correct? If so, is there a way FortiManager could send those logs to a syslog server?

Thanks
