Fortigate 100D Not Sending Logs to Syslog Server

Author: ksapeth (New Member, joined 2018/04/06)
Posted: 2018/04/06 07:48:51


I work at an MSSP and am trying to get my client's FortiGate 100D to send its logs to our syslog server. The server is listening on 514 TCP and UDP and is configured to receive the logs.
 
FortiOS Version: 5.4.3,build 1111
 
The Fortigate is configured in the CLI with the following settings:
 
get log syslogd setting
status : enable
server : 10.0.0.152
reliable : disable
port : 514
csv : disable
facility : local0
 
It is configured to log all events in the GUI (Local Traffic Log and Event Logging) and the log graph shows about 100MB of logs per day. 
 
Logs are set to be stored on the disk, Local Reports are disabled, logs are not sent to FortiAnalyzer, and logs are sent to my customer's FortiCloud account, but I cannot find any documentation that would say that sending them to FortiCloud would prevent them from being sent to a syslog server.
 
The syslog server, however, is not receiving the logs. Doing traffic dumps on a device with a SPAN/mirror port shows that the FortiGate is not even attempting to send the logs; there is no record of any traffic going from it to the syslog server.
 
Is there any reason that the FortiGate will not send them? The configuration appears correct.
#1


    mahesh secure (Silver Member)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/07 03:04:39
    Hi

    Share the output of the command below (connect with PuTTY):

    diagnose sniffer packet any 'dst 10.0.0.152' 4 0

    Also share the output of:

    config log syslogd setting
    show full-configuration

    Regards
    Mahesh
    #2
    ksapeth (New Member)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 08:06:18
    There was no traffic going from the FortiGate to the syslog server after running diag sniffer packet any 'dst 10.0.0.152' 4 0.
     
    Here is the output of the other command:
     
    FG100D3G16837025 (setting) # show full-configuration
    config log syslogd setting
    set status enable
    set server "10.0.0.152"
    set reliable disable
    set port 514
    set csv disable
    set facility local0
    set source-ip "10.10.10.2"
    end
    #3
    emnoc (Expert Member, Austin TX area)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 08:34:02
    Is 10.10.10.2 up?
     
    Does the route table show a route for 10.0.0.152?
     
    e.g.
    get router info routing-table all | grep 10.
     
    NOTE: if all looks good, disable and re-enable the syslogd cfg. Since v5.2.3, I've seen strange things with FortiOS syslog configurations that need a kick in the pants ;)
     
    config log syslogd setting
    set status disable
    end
    config log syslogd setting
    set status enable
    end
     

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #4
    ksapeth (New Member)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 08:57:02
    Here are the routes:
     
    S* 0.0.0.0/0 [10/0] via x.x.x.x, wan1
    C 10.0.0.0/8 is directly connected, lan
     
    I enabled and disabled the syslogd config and still nothing is sending.
    #5
    emnoc (Expert Member, Austin TX area)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 09:46:07
    Is 10.10.10.2 up? Try to remove it, disable and re-enable. Does it work now?
     
    Ken
    #6
    ksapeth (New Member)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 10:00:22
    10.10.10.2 is the FortiGate; shouldn't that be the source IP, since it's sending the logs to the syslog server?
    #7
    emnoc (Expert Member, Austin TX area)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 10:03:07
    Unset that object, then:
     
    set disable
    set enable
    monitor
     
    e.g.
     
    config log syslogd setting
    set status disable
    unset source-ip 
    end
    config log syslogd setting
    set status enable
    end
    #8
    ksapeth (New Member)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 10:10:56
    I ran those commands, so the source IP is now unset and syslog has been restarted; still no logs are being sent.
    #9
    emnoc (Expert Member, Austin TX area)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 10:20:07
    Do you have logging enabled on any fw.policy? You should have login messages for webgui/ssh access by default. I would ensure logging is set for traffic, and review any log filters.
     
    Ken
    #10
    ksapeth (New Member)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 10:28:11
    Everything in the GUI for Local Traffic Log and Event Logging is enabled and this is the output of the syslogd filter:

    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter ''
    set filter-type include


    How would I check whether logging is enabled on a fw policy? I can see logs in the GUI for my account logging in and out and for failed logins.
    #11
    emnoc (Expert Member, Austin TX area)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 10:43:04
    (CLI)
     
    show full-configuration firewall policy | grep -C 4 log
     
    Also, I would check whether memory logging shows anything.
     
    (CLI)
     
    execute log filter device ?   (lists the log devices; memory is typically "0")
    execute log filter device 0
    execute log filter category 0
    execute log display
    execute log filter category 1
    execute log display
     
    Ken
    #12
    ksapeth (New Member)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 10:53:18
    I ran "show full firewall policy | grep -c 4 log" and the output was just the word "log"
     
    For the memory logging, both "execute log display" runs returned 0 logs found and 0 logs returned.
     
    #13
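The checks emnoc walks the poster through by hand in this thread (is there a route to the server, is the source-ip an address the unit actually owns, does any firewall policy log traffic at all) can be scripted against pasted CLI output. The following is an added example, not code from the thread or from Fortinet. The sample output is constructed to match the syslogd settings and routing table posted above; the policy names, the policy IDs and the WAN next hop (203.0.113.1) are assumptions.

```python
"""Offline sanity checks for a FortiGate syslog export (added example).

Feed it the text of `show full-configuration` for `config log syslogd
setting`, `get router info routing-table all` and `show full-configuration
firewall policy`; the checks mirror what the thread does by hand.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the settings posted in the thread.
SYSLOGD_SETTING = """\
config log syslogd setting
    set status enable
    set server "10.0.0.152"
    set reliable disable
    set port 514
    set csv disable
    set facility local0
    set source-ip "10.10.10.2"
end
"""
# Constructed: 203.0.113.1 stands in for the real WAN next hop.
ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C       10.0.0.0/8 is directly connected, lan
"""
# Constructed: policy 1 logs nothing, policy 2 logs all traffic.
FIREWALL_POLICY = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set action accept
        set logtraffic disable
    next
    edit 2
        set name "lan-to-wan-logged"
        set action accept
        set logtraffic all
    next
end
"""

SET_RE = re.compile(r'^\s*set (\S+) "?([^"]*?)"?\s*$', re.M)
ROUTE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\b.*?,\s*(\S+)\s*$", re.M)
Route = Tuple[str, ipaddress.IPv4Network, str]  # (kind, prefix, egress interface)

def parse_setting_block(text: str) -> Dict[str, str]:
    """Turn `set key value` lines into a dict, stripping the quotes."""
    return dict(SET_RE.findall(text))

def parse_routes(text: str) -> List[Route]:
    """One (kind, prefix, interface) tuple per routing-table line."""
    return [(kind, ipaddress.ip_network(prefix), iface)
            for kind, prefix, iface in ROUTE_RE.findall(text)]

def parse_policies(text: str) -> List[Dict[str, str]]:
    """Split `edit N ... next` blocks into dicts that keep the policy ID."""
    policies = []
    for pid, body in re.findall(r"edit (\d+)\n(.*?)\n\s*next", text, re.S):
        entry = parse_setting_block(body)
        entry["id"] = pid
        policies.append(entry)
    return policies

def route_for(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, which is how the unit picks the egress interface."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen, default=None)

def audit(setting: Dict[str, str], routes: List[Route],
          policies: List[Dict[str, str]]) -> List[str]:
    """Human-readable findings; transport and egress are always reported."""
    findings = []
    if setting.get("status") != "enable":
        findings.append("syslogd is disabled: nothing will be sent")
    transport = "TCP" if setting.get("reliable") == "enable" else "UDP"  # reliable = TCP
    findings.append(f"transport is {transport} to port {setting.get('port', '514')}; "
                    "the collector must listen on that protocol")
    server = setting["server"]
    route = route_for(routes, server)
    if route is None:
        findings.append(f"no route to {server}: packets cannot leave the unit")
    else:
        findings.append(f"{server} egresses via {route[2]} ({route[0]} {route[1]})")
    src = setting.get("source-ip")
    if src and not any(k.startswith("C") and ipaddress.ip_address(src) in net
                       for k, net, _ in routes):
        findings.append(f"source-ip {src} is not in any connected network; it must be "
                        "an address configured on one of the unit's interfaces")
    logged = [p["id"] for p in policies if p.get("logtraffic") in ("all", "utm")]
    if logged:
        findings.append(f"policies with traffic logging: {', '.join(logged)}")
    else:
        findings.append("no firewall policy has logtraffic enabled: the syslogd "
                        "forward-traffic filter has nothing to forward")
    return findings

def audit_sample() -> List[str]:
    return audit(parse_setting_block(SYSLOGD_SETTING),
                 parse_routes(ROUTING_TABLE), parse_policies(FIREWALL_POLICY))

if __name__ == "__main__":
    for finding in audit_sample():
        print("-", finding)
```

Run against the thread's own data it reports UDP/514, egress via lan for 10.0.0.152, and a policy with logtraffic enabled only if one exists; the last finding is the one that matched the poster's situation, where the grep found no logging policies and memory logging was empty as well.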
    emnoc (Expert Member, Austin TX area)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 11:29:54
    You have no firewall policy with logging on. Can you enable it on some high-traffic fw.policy?
     
    See this blog post for the CLI command and a firewall policy with logging enabled, plus log-start if you want to log the start of the session.
     
    This (log-start) will display the session ID at the start and before the close action for the session.
     http://socpuppet.blogspot...ffic-start-enable.html
    Ken
    #14
    ksapeth (New Member)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 11:58:10
    What exactly does this do? Is the lack of a firewall policy with logging what prevents the logs from being sent?
     
    Since this is not my firewall I just want to be careful with what I am touching. Editing a firewall policy configuration seems like a change I would want to review with my customer first.
    #15
    emnoc (Expert Member, Austin TX area)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/04/10 12:05:51
    Your goal is to check logging via syslog, right? So you need some action that raises a log event.
     
    e.g.
     
    fw.traffic
    cfg-change
    user authen (webgui/ssh)
     
    So generate some activity, validate memory and then syslog. To address your concerns: yes, a fw.policy change should be handled in a CRB setting, even though it's very low/generic in nature.
     
    So try the following:
     
    1: make 3-6 login attempts and fail them
    2: monitor the log MEMORY
    3: if success, repeat but monitor SYSLOG
     
    #16
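On the collector side, the test emnoc proposes (fail a few logins, then watch for the events) is easiest to judge if you can see exactly what arrives. The following added example, which is not from the thread or from Fortinet, is a small UDP receiver plus a parser for the FortiOS key=value syslog format; it decodes the RFC 3164 PRI so you can confirm the unit is really sending with the configured facility local0, and counts the failed admin logins and per-policy traffic records. The two sample datagrams are constructed: the device name, serial and addresses are invented, and the field names follow the shape of FortiOS 5.4 event and traffic logs.

```python
"""Receiver-side check for FortiGate syslog (added example)."""
import re
import socket
import time
from collections import Counter
from typing import Dict, List

FACILITIES = {16 + i: f"local{i}" for i in range(8)}  # RFC 3164 local0..local7
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # value may be quoted with spaces

# Constructed datagrams in FortiOS 5.4 style; device name, serial and hosts are invented.
# <129> = local0 (16) * 8 + alert (1); <133> = local0 * 8 + notice (5).
SAMPLE_DATAGRAMS = [
    '<129>date=2018-04-10 time=10:31:02 devname=FG100D-lab devid=FG100D0000000000 '
    'logid=0100032002 type=event subtype=system level=alert vd="root" '
    'logdesc="Admin login failed" user="admin" ui=https(10.10.10.50) method=https '
    'srcip=10.10.10.50 dstip=10.10.10.2 action=login status=failed '
    'reason="passwd_invalid" msg="Administrator admin login failed from '
    'https(10.10.10.50) because of invalid password"',
    '<133>date=2018-04-10 time=10:31:05 devname=FG100D-lab devid=FG100D0000000000 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd="root" '
    'srcip=10.10.10.50 srcport=51712 srcintf="lan" dstip=198.51.100.10 dstport=443 '
    'dstintf="wan1" proto=6 action=accept policyid=2 service="HTTPS" '
    'sentbyte=1250 rcvdbyte=8400',
]

def parse_fortios_syslog(datagram: str) -> Dict[str, str]:
    """Decode <PRI> and split the key=value body into a dict."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["_facility"] = FACILITIES.get(pri // 8, str(pri // 8))
    fields["_severity"] = SEVERITIES[pri % 8]
    return fields

def summarize(datagrams: List[str], expected_facility: str = "local0") -> Dict[str, object]:
    """Did anything arrive, from which facility, and did the provoked events show up."""
    parsed = [parse_fortios_syslog(d) for d in datagrams]
    return {
        "count": len(parsed),
        "by_type": dict(Counter(f"{p.get('type')}/{p.get('subtype')}" for p in parsed)),
        "facility_mismatch": sorted({p["_facility"] for p in parsed
                                     if p["_facility"] != expected_facility}),
        "failed_logins": sum(1 for p in parsed
                             if p.get("action") == "login" and p.get("status") == "failed"),
        "traffic_policies": sorted({p.get("policyid", "?") for p in parsed
                                    if p.get("type") == "traffic"}),
    }

def receive(port: int = 514, seconds: float = 30.0, bind: str = "0.0.0.0") -> List[str]:
    """Collect raw datagrams for `seconds`; binding 514 needs root or CAP_NET_BIND_SERVICE."""
    out: List[str] = []
    deadline = time.monotonic() + seconds
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            s.settimeout(remaining)
            try:
                data, _peer = s.recvfrom(65535)
            except socket.timeout:
                break
            out.append(data.decode("utf-8", "replace"))
    return out

if __name__ == "__main__":
    import sys
    # `--listen` captures live traffic for 30 s; otherwise the constructed samples are used.
    lines = receive() if "--listen" in sys.argv else SAMPLE_DATAGRAMS
    for key, value in summarize(lines).items():
        print(f"{key}: {value}")
```

Stop the real collector before running it with `--listen`, since only one process can bind 514/udp. A facility other than local0 in the summary means the unit's syslogd setting is not the one you think is active; zero failed logins after deliberately failing them means the events are not leaving the unit at all, which is what the memory-log check in the thread is meant to rule out first.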
    ksapeth (New Member)
    Re: Fortigate 100D Not Sending Logs to Syslog Server 2018/05/15 07:31:16
    Just want to update this for others with the problem. Upgrading the FortiGate from 5.4.3 build 1111 to 5.6.4 build 1575 fixed the problem, and syslog started sending once the update was completed.
    #17