Support Forum
michalg
New Contributor

Log to rsyslog over TCP

Have anybody had any success with setting up reliable logging to rsyslog?
RT1
New Contributor

Yes, had it running for several months now, currently using FortiOS 5.0.3. Solid as a rock.
RT1
New Contributor

I skipped over the word "reliable" there, which is key - I'm actually using UDP not TCP, which I guess was really the point of your question, sorry.
michalg
New Contributor

OK, no problem. Yes, both reliable and TCP are the key words. I'm having some difficulties setting it all up. Maybe someone has already done it and could share the rsyslog config.
RT1
New Contributor

I recall I had problems when I tried reliable originally, so I've just tried it again, absolutely no luck at all. Seems to switch to port 601, but even after ensuring the syslog server is listening on TCP 601 and firewalls open, etc, the FortiGate appears to send no log entries at all. So, I don't have a solution but I can confirm this is a generic issue and not one just affecting you.
michalg
New Contributor

I've tried with a different distro - still no go. Same results. Now using Debian 7 (wheezy) and rsyslog 7.4.3. Syslog over UDP works (RELIABLE=Disable). I've checked that my rsyslog configuration is OK by sending logs from one rsyslog server to the other with RELP input/output modules. If I send logs from the FortiGate with reliable=enable to the port number of the rsyslog TCP input module (TCP:601) I get this in the log file:
 2013-08-02T15:36:01.080919+02:00 RPY 0 0 . 0 52#015
 2013-08-02T15:36:01.080919+02:00 <FGIP> Content-type: application/beep+xml#015
 2013-08-02T15:36:01.080919+02:00 <FGIP> #015 
 2013-08-02T15:36:01.080919+02:00 greeting />#015 
 2013-08-02T15:36:01.080919+02:00 <FGIP> END#015
 
Current rsyslog config:
 # provides UDP syslog reception
 $ModLoad imudp
 $UDPServerRun 514
 # provides TCP syslog reception
 $ModLoad imtcp
 $InputTCPServerRun 601
 # provides RELP syslog reception
 $ModLoad imrelp
 $InputRELPServerRun 602
 #disabled:
 #$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
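As an added example (not code from the thread or from rsyslog), here is a small Python check that reads the rsyslog file lines shown above, undoes rsyslog's #ooo control-character escaping (#015 is a carriage return), and recognizes the RFC 3195 BEEP greeting that a FortiGate with reliable=enable sends to port 601, so that a protocol mismatch can be told apart from a connectivity problem. The plain FortiGate traffic line is constructed, and <FGIP> is kept as the thread's placeholder for the FortiGate address.

```python
import re

# Constructed sample: the lines the thread shows in the rsyslog file when a FortiGate
# with reliable=enable talks to the plain imtcp listener on TCP/601 (<FGIP> kept as
# the thread's placeholder for the FortiGate address).
BEEP_LINES = [
    "2013-08-02T15:36:01.080919+02:00 RPY 0 0 . 0 52#015",
    "2013-08-02T15:36:01.080919+02:00 <FGIP> Content-type: application/beep+xml#015",
    "2013-08-02T15:36:01.080919+02:00 <FGIP> #015",
    "2013-08-02T15:36:01.080919+02:00 greeting />#015",
    "2013-08-02T15:36:01.080919+02:00 <FGIP> END#015",
]
# Constructed (hypothetical) plain FortiGate line as it arrives over UDP/514.
PLAIN_LINE = ("2013-08-02T15:36:05.000000+02:00 <FGIP> date=2013-08-02 "
              "time=15:36:05 type=traffic action=accept")

TS_REST = re.compile(r"^(\S+)\s+(.*)$")   # RSYSLOG_FileFormat: timestamp, then the rest
OCTAL_ESC = re.compile(r"#([0-7]{3})")    # rsyslog writes control characters as #ooo
# RFC 3195 carries syslog over BEEP (RFC 3080): "RPY chan msgno more seqno size"
# frame headers, a MIME-typed XML payload and an END trailer; none of it is syslog.
BEEP_MARKERS = [
    re.compile(r"(?:^|\s)RPY \d+ \d+ [.*] \d+ \d+$"),
    re.compile(r"Content-type:\s*application/beep\+xml", re.I),
    re.compile(r"<?greeting\s*/>"),
    re.compile(r"(?:^|\s)END$"),
]

def unescape(text: str) -> str:
    """Undo rsyslog's #ooo octal escaping, e.g. '#015' becomes a carriage return."""
    return OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), text)

def classify(line: str) -> str:
    """'beep' for BEEP framing, 'empty' for a bare host (MIME blank line), else 'syslog'."""
    m = TS_REST.match(line.strip())
    if not m:
        return "unparsed"
    rest = unescape(m.group(2)).strip()
    if any(p.search(rest) for p in BEEP_MARKERS):
        return "beep"
    return "empty" if len(rest.split()) <= 1 else "syslog"

def diagnose(lines):
    """Count line classes and say whether the sender is speaking RFC 3195/BEEP."""
    counts = {"beep": 0, "empty": 0, "syslog": 0, "unparsed": 0}
    for line in lines:
        counts[classify(line)] += 1
    mismatch = counts["beep"] >= 2   # at least an RPY header plus a greeting element
    counts["verdict"] = "RFC 3195/BEEP handshake on a plain TCP listener" if mismatch else "plain syslog"
    return counts
```

Run diagnose() over a tail of the receiving file: a BEEP verdict means the sender and the listener are speaking different protocols, not that packets are being lost.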
 
michalg
New Contributor

Only RFC3195 (input module: im3195)? rsyslog has dropped RFC3195 support? Is there a different way for FortiOS to send logs to syslog (other than UDP and RFC3195)?
emnoc
Esteemed Contributor III

I'm pretty sure the FortiAnalyzer is TCP based.
PCNSE NSE StrongSwan
michalg
New Contributor

Yes, it's obvious that FA is the best solution. I'm looking for an alternative for systems having only one FG. Buying FA for only one or two FGs is overkill.
emnoc
Esteemed Contributor III

Do you need TCP for syslog? Just how unreliable is your UDP/514 syslog? FWIW, I work with a service provider that seems to log over 27 devices across 4 syslog servers, with no problems using nothing but UDP. And I'm talking core ASR9K to NetScaler and firewall, security event driven network. I think you're overestimating syslogging reliability. You can check out this link for more information on syslogging support: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32787&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=52217616&stateId=0%200%2052219101

sh-3.2$ cat /etc/services | grep syslog
syslog 514/udp #
syslog-conn 601/udp # Reliable Syslog Service
syslog-conn 601/tcp # Reliable Syslog Service

You could deploy syslog-ng or rsyslogd and then you have reliable syslog via TCP. YMMV
PCNSE NSE StrongSwan