Administration Guide

Configuring log forwarding

Forwarding mode only requires configuration on the client side. No configuration is needed on the server side. In aggregation mode, accepting the logs must be enabled on the FortiAnalyzer that is acting as the server.

Forwarding mode

Forwarding mode can be configured in the GUI. No configuration is required on the server side.

To configure the client:
  1. Go to System Settings > Advanced > Log Forwarding > Settings.
  2. Click Create New in the toolbar. The Create New Log Forwarding pane opens.

  3. Fill in the information as per the below table, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.

    Name

    Enter a name for the remote server.

    Status

    Set to On to enable log forwarding. Set to Off to disable log forwarding.

    Remote Server Type

    Select the type of remote server to which you are forwarding logs:

    • FortiAnalyzer

    • Syslog (this option can be used to forward logs to FortiSIEM and FortiSOAR)

    • Syslog Pack

    • Common Event Format (CEF)

    • Forward via Output Plugin

    Output Profile

    Select the output profile. You must configure output profiles to appear in the dropdown. For more information, see Output profiles.

    This option is only available when the server type is Forward via Output Plugin.

    Server FQDN/IP

    Enter the fully qualified domain name or IP for the remote server.

    This option is not available when the server type is Forward via Output Plugin.

    Server Port

    Enter the server port number. Default: 514.

    This option is only available when the server type is Syslog, Syslog Pack, or Common Event Format (CEF).

    Compression

    Turn on to enable log message compression when the remote FortiAnalyzer also supports this format. If the remote FortiAnalyzer does not support compression, log messages will remain uncompressed.

    This option is only available when the server type is FortiAnalyzer.

    Reliable Connection

    Turn on to use a TCP connection. Turn off to use a UDP connection.

    If you want to forward logs to a Syslog or CEF server, ensure this option is supported. RELP is not supported.

    If the connection goes down, logs are buffered and automatically forwarded when the connection is restored. The buffer limit is 12GB.

    This option is not available when the server type is Forward via Output Plugin.

    Sending Frequency

    Select when logs will be sent to the server: Real-time, Every 1 Minute, or Every 5 Minutes (default).

    This option is only available when the server type is FortiAnalyzer.

    Log Forwarding Filters

    Device Filters

    Click Select Device, then select the devices whose logs will be forwarded.

    Log Filters

    Turn on to configure filters on the logs that are forwarded.

    Select All or Any of the Following Conditions in the Log messages that match field to control how the filters are applied to the logs.

    Add filters to the table by selecting the Log Field, Match Criteria, and Value for each filter.

    Enable Exclusions

    Turn on to configure filters on the logs that are forwarded.

    Add exclusions to the table by selecting the Device Type and Log Type. Then, add Log Fields to the Exclusion List by clicking Fields and specifying the excluded log fields in the Select Log Field pane.

    Enable Masking

    Turn on to enable log field masking.

    In the Masking Data Fields, select any data fields that should be masked during log forwarding. The remote server will receive logs with the selected field values masked. Configure a Data Mask Key.

Note

When configuring Log Forwarding Filters, FortiAnalyzer does not support wildcard or subnet values for IP log field filters when using the Equal to and Not equal to operators.

If wildcards or subnets are required, use Contain or Not contain operators with the regex filter. For example, the following text filter excludes logs forwarded from the 172.10.0.0/16 subnet:

srcip !~ "172\.10\.[0-9]+\.[0-9]+"
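As an added example that is not part of the Fortinet guide, the following Python script generates a text filter of the same shape as the pattern above for any IPv4 CIDR block, models the `srcip !~` Not contain exclusion over constructed sample log lines, and cross-checks the generated regex against real subnet membership. It assumes the filter engine understands escaped dots, `[0-9]+`, `(a|b)` alternation and, for the anchored variant only, `^` and `$`.

```python
import ipaddress
import re

def cidr_to_regex(cidr: str, anchor: bool = False) -> str:
    """Regex in the shape of the guide's example matching every dotted-quad address in an
    IPv4 block. Assumed engine syntax: escaped dots, [0-9]+, (a|b) and, if anchor, ^ and $."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    octets = str(net.network_address).split(".")
    full, bits = divmod(net.prefixlen, 8)  # whole octets fixed, bits of the partial one
    parts = []
    for i in range(4):
        if i < full:
            parts.append(octets[i])                        # fixed by the prefix
        elif i == full and bits:
            lo = int(octets[i])
            hi = lo + (1 << (8 - bits)) - 1                # enumerate the partial octet
            parts.append("(" + "|".join(str(v) for v in range(lo, hi + 1)) + ")")
        else:
            parts.append("[0-9]+")                         # host octet, any value
    pattern = r"\.".join(parts)
    return f"^{pattern}$" if anchor else pattern

SRCIP = re.compile(r"\bsrcip=(\S+)")

def forward_logs(logs, cidr, anchor=False):
    """Model 'srcip !~ <regex>' (Not contain): drop a line when its srcip
    field contains a match for the block's regex, keep everything else."""
    pat = re.compile(cidr_to_regex(cidr, anchor))
    return [ln for ln in logs
            if not ((m := SRCIP.search(ln)) and pat.search(m.group(1)))]

def regex_agrees_with_cidr(cidr, ips, anchor=False):
    """Cross-check the regex against ipaddress membership for each sample IP."""
    net = ipaddress.ip_network(cidr)
    pat = re.compile(cidr_to_regex(cidr, anchor))
    return all((pat.search(ip) is not None) == (ipaddress.ip_address(ip) in net)
               for ip in ips)

# Constructed sample log lines, not real FortiAnalyzer output.
SAMPLE_LOGS = [
    "date=2024-05-01 srcip=172.10.5.9 dstip=10.0.0.1 action=accept",
    "date=2024-05-01 srcip=172.100.5.9 dstip=10.0.0.2 action=accept",
    "date=2024-05-01 srcip=192.168.1.20 dstip=10.0.0.3 action=deny",
]

if __name__ == "__main__":
    print(cidr_to_regex("172.10.0.0/16"))  # the guide's pattern: 172\.10\.[0-9]+\.[0-9]+
    print(forward_logs(SAMPLE_LOGS, "172.10.0.0/16"))
```

The unanchored form is safe for the guide's 172.10.0.0/16 because no valid address contains "172.10." other than at its start, but a block such as 10.0.0.0/20 under Contain semantics also matches 110.0.x.x or 210.0.x.x, so the cross-check fails unless the pattern is anchored.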

Devices whose logs are being forwarded to another FortiAnalyzer device are added to the server as unauthorized devices. To authorize devices, see Authorizing devices.

Aggregation mode

Aggregation mode can only be configured using the CLI. Aggregation mode configurations are not listed in the GUI table, but still use a log forwarding ID number.

Use the following CLI command to see what log forwarding IDs have been used:

get system log-forward

To configure the server:
  1. If required, create a new administrator with the Super_User profile. See Creating administrators.
  2. Enable log aggregation and, if necessary, configure the disk quota, with the following CLI commands:

    config system log-forward-service

    set accept-aggregation enable

    set aggregation-disk-quota <quota>

    end

To configure the client:
  1. Open the log forwarding command shell:

    config system log-forward

  2. Create a new, or edit an existing, log forwarding entry:

    edit <log forwarding ID>

  3. Set the log forwarding mode to aggregation:

    set mode aggregation

  4. Set the server display name and IP address:

    set server-name <string>

    set server-ip <xxx.xxx.xxx.xxx>

  5. Enter the user name and password of the super user administrator on the server:

    set agg-user <string>

    set agg-password <string>

  6. If required, set the aggregation time from 0 to 23 hours (default: 0, or midnight):

    set agg-time <integer>

  7. Enter the following to apply the configuration and create the log aggregation:

    end

    The following line will be displayed to confirm the creation of the log aggregation:

    check for cfg[<log forwarding ID>] svr_disp_name=<server-name>

For more information, see the FortiAnalyzer CLI Reference.
