Support Forum
Mumphy
New Contributor

Fortigate and rsyslog. Problem with facility

Hi everyone!

 

I have a problem: the FortiGate sends its logs to my rsyslog server, and they end up in the regular /var/log/messages as well as in my specified log /syslog/network.log. I only want the logs in /syslog/network.log.

The server is running CentOS.

 

Thanks for any help I can get.

 

Here are my settings in the FortiGate:

set status enable

set server "x.x.x.x"

set port 514

 

Configuration from rsyslog.conf:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####


local7.* /syslog/amafw01/network.log
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
#local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

 

2 REPLIES
AndreaSoliva
Contributor III

Hi

 

I think you have to set the correct facility, which means fully configuring the following on the FortiGate:

 

       # config log syslogd setting
       # set status enable
       # set server [FQDN Syslog Server]
       # set reliable [Activate TCP-514 or UDP-514]
       # set port [Standard 514]
       # set csv [enable | disable]
       # set facility [By Standard local0]
       # set source-ip [If you need Source IP of FortiGate; Standard 0.0.0.0]
       # end

 

Keep in mind that on a 5.2 installation the corresponding filter is on "warning", which does not log everything at all. This means set the filter to "information" and enable everything, or disable what you do not need:

 

       # config log syslogd filter
       # get
       severity                 : information
       forward traffic          : enable
       local-traffic            : enable
       multicast-traffic        : enable
       sniffer-traffic          : enable
       anomaly                  : enable
       netscan-discovery        : enable
       netscan-vulnerability    : enable
       voip                     : enable

 

On a Linux server based on CentOS 5.x do the following:

 

         # vi /etc/sysconfig/syslogd

         --------------- /etc/sysconfig/syslogd ---------------
         # Options to syslogd
         # -m 0 disables 'MARK' messages.
         # -r enables logging from remote machines
         # -x disables DNS lookups on messages received with -r
         # See syslogd(8) for more details
         SYSLOGD_OPTIONS="-m 0 -r"
         # Options to klogd
         # -2 prints all kernel oops messages twice; once for klogd to decode, and
         #    once for processing with 'ksymoops'
         # -x disables all klogd processing of oops messages entirely
         # See klogd(8) for more details
         KLOGD_OPTIONS="-x"
         #
         SYSLOG_UMASK=077
         # set this to a umask value to use for all log files as in umask(1).
         # By default, all permissions are removed for "group" and "other".
         --------------- /etc/sysconfig/syslogd ---------------

 

The important option is "-r", which means "remote". After that, configure syslog.conf:

 

         # vi /etc/syslog.conf

         --------------- /etc/syslog.conf ---------------
         # Save Fortigate log messages to fortigate.log
         local0.*                                                /var/log/fortigate.log
         --------------- /etc/syslog.conf ---------------

 

Restart service:

 

         # service syslog stop
         # service syslog start

Now you should have a lot of traffic based on "information", which means everything, as long as you have set the filter on the FGT to information. To test whether syslog messages are reaching the syslog server do:

 

         # tcpdump -nnp -i eth0 ip dst [Syslog Server IP] and port 514

 

If you need logrotate do:

 

         # vi /etc/logrotate.d/fortigate

         --------------- /etc/logrotate.d/fortigate ---------------
         /var/log/fortigate.log {
                rotate 30
                daily
                nomail
                sharedscripts
                postrotate
                        /usr/bin/killall -HUP syslogd
                endscript
         }
         --------------- /etc/logrotate.d/fortigate ---------------

 

To test logrotate do the following:

 

        # logrotate --force /etc/logrotate.d/fortigate
        # tail -f /var/log/fortigate.log

 

hope this helps

 

have fun

 

Andrea

emnoc
Esteemed Contributor III

That's not how I do it (rsyslog). I log by local.X using the following (see bottom); just set the facility in the syslog settings.

 

You can use tshark/Wireshark to validate the syslog facility

 

e.g

 

tshark -Y 'syslog && ip.src==1.1.1.1' -T fields -e syslog.facility

(1.1.1.1 would be your device)

 

 

config file:

 

 

kfelix@syslog1:/etc$ ls rsyslog.conf
rsyslog.conf
kfelix@syslog1:/etc$ cat rsyslog.conf
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#            For more information see
#            /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

local7.*                                                /var/log/routers
local6.*                                                /var/log/switchs
local5.*                                                /var/log/firewalls
local4.*                                                /var/log/servers
local3.*                                                /var/log/fortimail

PCNSE 

NSE 

StrongSwan  

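Both the original question (FortiGate lines landing in /var/log/messages as well as in network.log) and emnoc's tshark check (confirming which facility the device actually sends) come down to the syslog PRI value and how rsyslog's legacy selector lines evaluate it. The following Python model is an added example, not code from this thread, from rsyslog or from Fortinet: it decodes the PRI header of a few constructed sample datagrams, replays the rule lines from the question over them, and shows two standard rsyslog ways to keep the firewall's lines out of /var/log/messages: a `& stop` line directly after the local7 action (older spelling `& ~`), or a `local7.none` term on the catch-all `*.info` line. The sample datagrams and device name are constructed here, the file paths come from the question, and the FortiGate facility is assumed to be local7, as the question's `local7.*` rule implies.

```python
import re
from collections import Counter

# Syslog PRI encoding (RFC 3164/5424): PRI = facility * 8 + severity,
# carried as "<PRI>" at the front of every datagram. Names 12-15 follow RFC 5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram):
    """Return (facility_name, severity_name) for a raw syslog datagram,
    or None when it carries no valid <PRI> header (max legal PRI is 191)."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def selector_matches(selector, facility, severity):
    """Evaluate a legacy selector field such as '*.info;mail.none;local7.none'.
    Sub-selectors apply left to right and a later one overrides an earlier
    one for the facilities it names; that is how 'local7.none' carves one
    facility out of '*.info'. Handles '*', 'none' and '=level'; the '!level'
    form is not modelled here."""
    matched = False
    for part in selector.split(";"):
        fac_spec, _, pri_spec = part.strip().rpartition(".")
        facs = [f.strip() for f in fac_spec.split(",")]
        if "*" not in facs and facility not in facs:
            continue
        if pri_spec == "none":
            matched = False
        elif pri_spec == "*":
            matched = True
        elif pri_spec.startswith("="):
            matched = severity == pri_spec[1:]
        else:
            # 'info' means info and anything more severe (a lower index)
            matched = SEVERITIES.index(severity) <= SEVERITIES.index(pri_spec)
    return matched


def route(rules, facility, severity):
    """Walk (selector, action) rules top to bottom as rsyslog does and return
    the actions that fire. '&' reuses the previous selector; the action 'stop'
    (older spelling '~') discards the message so no later rule sees it."""
    fired = []
    last_selector = None
    for selector, action in rules:
        if selector == "&":
            selector = last_selector
        last_selector = selector
        if selector_matches(selector, facility, severity):
            if action in ("stop", "~"):
                break
            fired.append(action)
    return fired


# The rule lines from the question that matter for a firewall message.
ORIGINAL_RULES = [
    ("local7.*", "/syslog/amafw01/network.log"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
]
# Fix 1: discard the message right after it has been written to network.log.
STOP_RULES = [ORIGINAL_RULES[0], ("&", "stop")] + ORIGINAL_RULES[1:]
# Fix 2: exclude the facility from the catch-all line instead.
NONE_RULES = [ORIGINAL_RULES[0],
              ("*.info;mail.none;authpriv.none;cron.none;local7.none", "/var/log/messages"),
              ] + ORIGINAL_RULES[2:]

# Constructed sample datagrams, not real FortiGate output:
# PRI 190 = local7.info, 191 = local7.debug, 86 = authpriv.info.
SAMPLE_DATAGRAMS = [
    b"<190>date=2024-01-01 time=12:00:00 devname=amafw01 type=traffic subtype=forward action=accept",
    b"<190>date=2024-01-01 time=12:00:01 devname=amafw01 type=event subtype=system action=login",
    b"<191>date=2024-01-01 time=12:00:02 devname=amafw01 type=event subtype=system msg=debug",
    b"<86>sshd[1234]: Accepted publickey for ops from 10.0.0.5",
    b"not a syslog datagram",
]


def tally_facilities(datagrams):
    """Count the facilities seen in captured datagrams: the same question that
    'tshark -T fields -e syslog.facility' answers from a packet capture."""
    counts = Counter()
    for d in datagrams:
        parsed = parse_pri(d)
        if parsed:
            counts[parsed[0]] += 1
    return counts


if __name__ == "__main__":
    print("facilities seen:", dict(tally_facilities(SAMPLE_DATAGRAMS)))
    for name, rules in [("original", ORIGINAL_RULES), ("& stop", STOP_RULES), ("local7.none", NONE_RULES)]:
        for d in SAMPLE_DATAGRAMS:
            parsed = parse_pri(d)
            if parsed:
                print(f"{name:12} {parsed[0]}.{parsed[1]:8} -> {route(rules, *parsed)}")
```

Rule order matters for the first fix: the `& stop` line has to sit directly under the `local7.*` action and before the `*.info` line, otherwise rsyslog has already written the message to /var/log/messages by the time it is discarded, and the stop also hides the firewall's emerg messages from a later `*.emerg :omusrmsg:*` rule. The `local7.none` form is order-independent and leaves every other rule untouched, at the cost of repeating the exclusion on each catch-all line. Before changing either, a quick tally of facilities in a capture from the device's address, as the function above does, confirms that the device really sends local7 and that no other source shares that facility.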