Again, Fortigate's documentation falls down at the simplest of things, this time syslogging. To get your Fortigate to send its logs to a syslog server (Kiwi, Splunk or similar) you will need to do it from the CLI, as the option was removed from the GUI as of FortiOS v5.0.
Log in via the CLI (SSH or console) and enter the following:
config log syslogd setting
set status enable
set server [ip.or.dns-name.here]
end
I have seen people claim that you also need to explicitly run:
set port 514
or
set facility local7
but 514/UDP and local7 are the defaults, so they are implied unless you need something different (for example a non-standard port on the collector).
You can set up additional syslog destinations by changing the first line to config log syslogd2 setting (or syslogd3 for a third server)
and filling in the same details for the other syslog servers.
Why not follow @mylesagray on Twitter for more like this!
FortiOS v5.0, but the command used is very effective... the GUI form is user friendly... what is the new version of FortiOS?
Does Splunk with the Fortinet app support FortiOS 5.0.5? I'm trying to run this and not having great success; searching online, no other sites believe Splunk works with v5.0.x either?
Splunk does work with v5.0.4 at least (it works as a syslog server and the reporting works to SOME extent). Not sure about 5.0.5; we haven't worked on this much since 5.0.4 as we've had more important projects.
I will check this out though. If it doesn't work it shouldn't take too much effort to work out what's broken in the Fortinet app (likely column name changes etc.).
Dear Myles Gray,
I have a Fortigate 100D with FortiOS 5.06 , this is my setting
config log syslogd setting
set status enable
set server “192.168.7.4”
set reliable disable
set port 515
set csv disable
set facility alert
set source-ip 192.168.9.2
end
I have a Splunk server on 192.168.7.4 listening on port 515 TCP. My switches can forward logs to it normally, but I cannot get the Fortigate to work. The Splunk server doesn't receive any logs from the Fortigate.
Jack, we have actually moved on from Splunk to trialling a Logstash/ElasticSearch/Kibana stack, as it is:
a) free
b) easy to configure to get the data we want
I’ll be putting a post up about this soon.
You’re sure you’ve enabled 515 TCP on your iptables? Did you check the output of `netstat -tlp` on your Splunk box to see if the port is listed?
Dear Myles, do you have any tutorial, or can you help me set up Logstash/ElasticSearch/Kibana to store and display my Fortigate logs?
Can you share the Logstash config file for Fortigate?
I'll put this info up soon once we have it operating how we expect, and I'll do a full guide.
I’d be very interested as well.
We’re currently working on a logstash+elasticsearch+kibana setup, but not getting really anywhere yet.
Hi Myles, have you posted this guide yet?
It never happened, Vedat, unfortunately.
Sounds all wonderful but the information is SO scarce. I just stopped at logstash+elasticsearch+Kibana and I'm in a loop trying to figure it out. I'm very interested in the setup too!!
To set the minimum severity of messages that get forwarded (warning and anything more severe, in this case):
config log syslogd filter
set severity warning
end
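To check that the device is actually sending what the syslogd setting block above says it should, and to see how the default facility and the severity filter play out on the wire, here is an added example of a small UDP syslog receiver and parser for FortiGate key=value log lines. It is my own code, not from the post or from Fortinet; it assumes plain UDP (which is what FortiOS sends unless `set reliable enable` is configured), and the sample lines, device name and log IDs in it are constructed for the example rather than captured from a real unit.

```python
"""Minimal UDP syslog receiver and parser for FortiGate key=value log lines.

Added example, not part of the original post. The sample lines below are
constructed for illustration; no real device data.
"""
import re
import socket
from dataclasses import dataclass

# FortiOS CLI severity keywords, in RFC 5424 numeric order (0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]

# Facility names by RFC 5424 code; FortiOS defaults to local7 (code 23).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
              18: "local2", 19: "local3", 20: "local4", 21: "local5",
              22: "local6", 23: "local7"}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; values may be double-quoted and then contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class FortiLog:
    facility: str
    severity: str
    fields: dict


def parse_forti_syslog(line: str) -> FortiLog:
    """Decode the <PRI> header and the FortiOS key=value body."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no syslog PRI header: %r" % line[:40])
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    if severity >= len(SEVERITIES) or facility not in FACILITIES:
        raise ValueError("invalid PRI %d" % pri)
    fields = {}
    for key, value in KV_RE.findall(line[m.end():]):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return FortiLog(FACILITIES[facility], SEVERITIES[severity], fields)


def passes_filter(entry: FortiLog, minimum: str = "warning") -> bool:
    """Mirror `config log syslogd filter / set severity <minimum>`:
    a message is forwarded when it is at least that severe."""
    return SEVERITIES.index(entry.severity) <= SEVERITIES.index(minimum)


def listen(port: int = 514, count: int = 1, bind: str = "0.0.0.0") -> list:
    """Receive `count` datagrams on UDP and parse them. FortiOS sends plain
    UDP unless `set reliable enable` is used (TCP), in which case this
    listener sees nothing. Binding to 514 normally requires root."""
    out = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while len(out) < count:
            data, _ = sock.recvfrom(65535)
            out.append(parse_forti_syslog(data.decode("utf-8", "replace")))
    return out


# Constructed sample lines (not captured from a real device). PRI 189 and 188
# both decode to facility local7; 189 is severity 5 (notification), 188 is 4.
SAMPLE_LINES = [
    '<189>date=2014-01-21 time=10:15:32 devname=FGT100D logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.0.0.5 dstip=8.8.8.8 '
    'dstport=53 action=accept msg="traffic allowed"',
    '<188>date=2014-01-21 time=10:16:01 devname=FGT100D logid=0100032002 '
    'type=event subtype=system level=warning user="admin" '
    'msg="Administrator admin login failed from ssh"',
]


def demo() -> list:
    """Parse the constructed samples through the same path listen() uses."""
    return [parse_forti_syslog(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for entry in demo():
        print(entry.facility, entry.severity,
              "forwarded" if passes_filter(entry) else "dropped by filter",
              entry.fields.get("msg"))
```

Run it as root (or bind a high port and point `set port` at that) and call `listen()` while generating some traffic through the firewall; if the PRI decodes to anything other than local7 you know the facility was changed from the default, and if nothing arrives at all, check whether `reliable` is enabled on the device, since that switches the transport to TCP and a UDP listener will never see it.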