Fortinet white logo
Fortinet white logo

Administration Guide

Syslog sources

Syslog sources

The FortiAuthenticator can parse username and IP address information from a syslog feed from a third-party device, and inject this information into FSSO so it can be used in FortiGate identity based policies.

Syslog objects include sources and matching rules. Sources identify the entities sending the syslog messages, and matching rules extract the events from the syslog messages. Messages coming from non-configured sources will be dropped.

note icon Injection of IPv6 addresses using Syslog-to-FSSO and API-to-FSSO is supported. IPv6 addresses are accepted by the backend parsing engine.

To configure syslog objects, go to Fortinet SSO Methods > SSO > Syslog Sources.

Syslog SSO must be enabled to configure syslog objects. Go to Fortinet SSO Methods > SSO > General to enable Syslog SSO. See General settings.

The following options and information are available:

Create New

Create a new syslog source or matching rule.

Delete

Select to delete the selected object or objects.

Edit

Select to edit the selected object.

View

Select Syslog Sources or Matching Rules from the dropdown menu.

Name

The name of the source or rule.

Client name/IP

The IP address or the client.

Syslog sources

Each syslog source must be defined for the syslog daemon to accept traffic. Each source must also be configured with a matching rule (either pre-defined or custom built; see below), and syslog service must be enabled on the network interface(s) that will listen to remote syslog traffic.

To add a new syslog source:
  1. In the syslog list, select Syslog Sources from the View dropdown menu.
  2. Select Create New. The Create New Syslog Source page ones.
  3. Enter the following information:
    NameEnter a name for the source.
    IP addressEnter the IP address of the source.

    TLS encryption

    Enable to specify if TLS encryption is required.

    Note: This option is only available when Allow TLS encryption under Enable Syslog SSO is enabled in Fortinet SSO Methods > SSO > General.

    Matching ruleSelect the requisite matching rule from the dropdown menu. A matching must already be created for the source.
    SSO user type

    Select the SSO user type:

    • External: Users are not defined on the FortiAuthenticator and user groups come from the source.
    • Local users: Users are defined on the FortiAuthenticator as local users, and user groups are retrieved from the local groups. Any group from the syslog messages are ignored.
    • Remote users: Users are defined on a remote LDAP server and user groups are retrieved from the LDAP server. Any group from the syslog messages are ignored.
    Strip off prefix or suffix from username if anyEnable to strip prefixes and suffixes from the SSO usernames.

    Use a different attribute when searching user in the remote LDAP server (other than the username attribute in the remote LDAP server config)

    Enable and in Remote LDAP user attribute, enter a remote LDAP user attribute to use when searching a user in the remote LDAP server.

    Note: The option is only available when SSO user type is set to Remote users.

    Use prefix or suffix in username as domain (other than the remote LDAP server domain)

    Enable to use prefix or suffix in username as the domain.

    Once enabled, in Default domain if not specified, enter a default domain.

    Note: The option is only available when SSO user type is set to Remote users.

  4. Select Save to add the source.

Matching rules

A matching rule is a query, or policy, that is applied to a syslog message in order to determine required information, such as the username and IP address. Rules are required for every syslog source.

Predefined rules are available for FortiNAC appliances, and Aruba and Cisco wireless controllers (see Predefined rules). For other systems, custom policies can be created to parse message files in various formats.

Predefined rules

Predefined matching rules are included for FortiNAC appliances, and Aruba and Cisco ACS or ISE wireless controllers.

Note

Each field containing a variable (e.g. Client IPv4 and Client IPv6 fields) needs one or more characters after the {{:variable}} to let FortiAuthenticator know where to stop the parsing. Any combination of characters will work. The examples below use ",".

FortiNAC

Trigger

FSSO

Auth Type Indicators

Logon: login

Logoff: logout

Username field

username={{:username}},

Client IPv4 field

IP={{:client_ip}},

Client IPv6 field

e.g. Framed-IPv6-Address={{:client_ipv6}},

Group field

tags="{{:group}}"

Group list separator

SSO syslog feed can parse multiple groups if the names are separated by a plus (+) symbol or a comma (,).

Aruba

Trigger

None; any logs are accepted.

Auth Type Indicators

Logon:User Authentication Successful (exact match required; no delimiter or value)

Username field

username={{:username}},

Client IPv4 field

IP={{:client_ip}},

Client IPv6 field

e.g. Framed-IPv6-Address={{:client_ipv6}},

Group field

AAA profile={{:group}}

Group list separator

SSO syslog feed can parse multiple groups if the names are separated by a plus (+) symbol or a comma (,).

Cisco

Trigger

NOTICE Radius-Accounting

Auth Type Indicators

Logon: Acct-Status-Type=Start

Update: Acct-Status-Type=Interim

Logoff: Acct-Status-Type=Stop

Username field

User-Name={{:username}},

Client IPv4 field

Framed-IP-Address={{:client_ip}},

Client IPv6 field

e.g. Framed-IPv6-Address={{:client_ipv6}},

Group field

e.g. profile={{:group}}

Group list separator

SSO syslog feed can parse multiple groups if the names are separated by a plus (+) symbol or a comma (,).

To create a new matching rule:
  1. In the syslog list, select Matching Rules from the View dropdown menu.
  2. Select Create New. The Create New Syslog Matching Rule page opens.
  3. Enter the following information:
    NameEnter a name for the source.
    DescriptionOptionally enter a description of the rule.

    Mode

    Select from the following two options:

    • Key-value pairs: parses syslog messages with key/value pairs.

    • List of values: parses syslog messages with a list of values.

    Fields to ExtractConfigure the fields to extract from the message.

    Field separator

    The field separator (default = ,).

    Note: The option is only available when the Mode is List of values.

    Trigger

    Optionally, enter a string that must be present in all syslog messages. This will act as a pre-filter (default = NOTICE Radius-Accounting).

    Note: The option is only available when the Mode is Key-value pairs.

    Field position

    Enter the position of the trigger field (default = 4).

    Note: The option is only available when the Mode is List of values.

    Field value

    Enter the value for the trigger field, e.g., USERID.

    Note: The option is only available when the Mode is List of values.

    Auth Type Indicators

    Enter strings to differentiate between the types of user activities: Logon (default = Acct-Status-Type=Start), Update (default = Acct-Status-Type=Interim) (optional), and Logoff (default = Acct-Status-Type=Stop) (optional).

    Note: The option is only available when the Mode is Key-value pairs.

    Logon field position

    Enter the Logon field position (default = 5).

    Note: The option is only available when the Mode is List of values.

    Logon field value

    Enter the Logon field value, e.g., login.

    Note: The option is only available when the Mode is List of values.

    Update field position

    Enter the Update field position (default = 0).

    Note: The option is only available when the Mode is List of values.

    Update field value

    Enter the Update field value.

    Note: The option is only available when the Mode is List of values.

    Logoff field position

    Enter the Logoff field position (default = 0).

    Note: The option is only available when the Mode is List of values.

    Logoff field value

    Enter the Logoff field value.

    Note: The option is only available when the Mode is List of values.

    Username fieldDefine the semantics of the username field. For example: User-Name={{:username}},

    where {{:username}} indicates where the username is extracted from.

    Note: The option is only available when the Mode is Key-value pairs.

    Username field position

    Enter the username field position (default = 10).

    Note: The option is only available when the Mode is List of values.

    Client IPv4 field

    Define the semantics of the client IPv4 address (default = Framed-IP-Address={{:client_ip}},).

    Note: The option is only available when the Mode is Key-value pairs.

    Client IPv4 field position

    Enter the client IPv4 field position (default = 9).

    Note: The option is only available when the Mode is List of values.

    Client IPv6 field

    Define the semantics of the client IPv6 address (default = Framed-IPv6-Address={{:client_ipv6}},).

    Note: The option is only available when the Mode is Key-value pairs.

    Client IPv6 field position

    Enter the client IPv6 field position (default = 0).

    Note: The option is only available when the Mode is List of values.

    Group field

    Optionally, define the semantics of the group. The group may not always be included in the syslog message, and may need to be retrieved from a remote LDAP server, e.g., profile = {{:group}}.

    Note: The option is only available when the Mode is Key-value pairs.

    Group field position

    Enter the group field position (default = 0).

    Note: The option is only available when the Mode is List of values.

    Group list separator

    Specify the separator (default = ,).

    Test RulePaste a sample log message into the text box, then select Test to test that the desired fields are correctly extracted.
  4. Select Save to add the new matching rule.

Syslog sources

Syslog sources

The FortiAuthenticator can parse username and IP address information from a syslog feed from a third-party device, and inject this information into FSSO so it can be used in FortiGate identity based policies.

Syslog objects include sources and matching rules. Sources identify the entities sending the syslog messages, and matching rules extract the events from the syslog messages. Messages coming from non-configured sources will be dropped.

note icon Injection of IPv6 addresses using Syslog-to-FSSO and API-to-FSSO is supported. IPv6 addresses are accepted by the backend parsing engine.

To configure syslog objects, go to Fortinet SSO Methods > SSO > Syslog Sources.

Syslog SSO must be enabled to configure syslog objects. Go to Fortinet SSO Methods > SSO > General to enable Syslog SSO. See General settings.

The following options and information are available:

Create New

Create a new syslog source or matching rule.

Delete

Select to delete the selected object or objects.

Edit

Select to edit the selected object.

View

Select Syslog Sources or Matching Rules from the dropdown menu.

Name

The name of the source or rule.

Client name/IP

The IP address or the client.

Syslog sources

Each syslog source must be defined for the syslog daemon to accept traffic. Each source must also be configured with a matching rule (either pre-defined or custom built; see below), and syslog service must be enabled on the network interface(s) that will listen to remote syslog traffic.

To add a new syslog source:
  1. In the syslog list, select Syslog Sources from the View dropdown menu.
  2. Select Create New. The Create New Syslog Source page ones.
  3. Enter the following information:
    NameEnter a name for the source.
    IP addressEnter the IP address of the source.

    TLS encryption

    Enable to specify if TLS encryption is required.

    Note: This option is only available when Allow TLS encryption under Enable Syslog SSO is enabled in Fortinet SSO Methods > SSO > General.

    Matching ruleSelect the requisite matching rule from the dropdown menu. A matching must already be created for the source.
    SSO user type

    Select the SSO user type:

    • External: Users are not defined on the FortiAuthenticator and user groups come from the source.
    • Local users: Users are defined on the FortiAuthenticator as local users, and user groups are retrieved from the local groups. Any group from the syslog messages are ignored.
    • Remote users: Users are defined on a remote LDAP server and user groups are retrieved from the LDAP server. Any group from the syslog messages are ignored.
    Strip off prefix or suffix from username if anyEnable to strip prefixes and suffixes from the SSO usernames.

    Use a different attribute when searching user in the remote LDAP server (other than the username attribute in the remote LDAP server config)

    Enable and in Remote LDAP user attribute, enter a remote LDAP user attribute to use when searching a user in the remote LDAP server.

    Note: The option is only available when SSO user type is set to Remote users.

    Use prefix or suffix in username as domain (other than the remote LDAP server domain)

    Enable to use prefix or suffix in username as the domain.

    Once enabled, in Default domain if not specified, enter a default domain.

    Note: The option is only available when SSO user type is set to Remote users.

  4. Select Save to add the source.

Matching rules

A matching rule is a query, or policy, that is applied to a syslog message in order to determine required information, such as the username and IP address. Rules are required for every syslog source.

Predefined rules are available for FortiNAC appliances, and Aruba and Cisco wireless controllers (see Predefined rules). For other systems, custom policies can be created to parse message files in various formats.

Predefined rules

Predefined matching rules are included for FortiNAC appliances, and Aruba and Cisco ACS or ISE wireless controllers.

Note

Each field containing a variable (e.g. Client IPv4 and Client IPv6 fields) needs one or more characters after the {{:variable}} to let FortiAuthenticator know where to stop the parsing. Any combination of characters will work. The examples below use ",".

FortiNAC

Trigger

FSSO

Auth Type Indicators

Logon: login

Logoff: logout

Username field

username={{:username}},

Client IPv4 field

IP={{:client_ip}},

Client IPv6 field

e.g. Framed-IPv6-Address={{:client_ipv6}},

Group field

tags="{{:group}}"

Group list separator

SSO syslog feed can parse multiple groups if the names are separated by a plus (+) symbol or a comma (,).

Aruba

Trigger

None; any logs are accepted.

Auth Type Indicators

Logon:User Authentication Successful (exact match required; no delimiter or value)

Username field

username={{:username}},

Client IPv4 field

IP={{:client_ip}},

Client IPv6 field

e.g. Framed-IPv6-Address={{:client_ipv6}},

Group field

AAA profile={{:group}}

Group list separator

SSO syslog feed can parse multiple groups if the names are separated by a plus (+) symbol or a comma (,).

Cisco

Trigger

NOTICE Radius-Accounting

Auth Type Indicators

Logon: Acct-Status-Type=Start

Update: Acct-Status-Type=Interim

Logoff: Acct-Status-Type=Stop

Username field

User-Name={{:username}},

Client IPv4 field

Framed-IP-Address={{:client_ip}},

Client IPv6 field

e.g. Framed-IPv6-Address={{:client_ipv6}},

Group field

e.g. profile={{:group}}

Group list separator

SSO syslog feed can parse multiple groups if the names are separated by a plus (+) symbol or a comma (,).

To create a new matching rule:
  1. In the syslog list, select Matching Rules from the View dropdown menu.
  2. Select Create New. The Create New Syslog Matching Rule page opens.
  3. Enter the following information:
    NameEnter a name for the source.
    DescriptionOptionally enter a description of the rule.

    Mode

    Select from the following two options:

    • Key-value pairs: parses syslog messages with key/value pairs.

    • List of values: parses syslog messages with a list of values.

    Fields to ExtractConfigure the fields to extract from the message.

    Field separator

    The field separator (default = ,).

    Note: The option is only available when the Mode is List of values.

    Trigger

    Optionally, enter a string that must be present in all syslog messages. This will act as a pre-filter (default = NOTICE Radius-Accounting).

    Note: The option is only available when the Mode is Key-value pairs.

    Field position

    Enter the position of the trigger field (default = 4).

    Note: The option is only available when the Mode is List of values.

    Field value

    Enter the value for the trigger field, e.g., USERID.

    Note: The option is only available when the Mode is List of values.

    Auth Type Indicators

    Enter strings to differentiate between the types of user activities: Logon (default = Acct-Status-Type=Start), Update (default = Acct-Status-Type=Interim) (optional), and Logoff (default = Acct-Status-Type=Stop) (optional).

    Note: The option is only available when the Mode is Key-value pairs.

    Logon field position

    Enter the Logon field position (default = 5).

    Note: The option is only available when the Mode is List of values.

    Logon field value

    Enter the Logon field value, e.g., login.

    Note: The option is only available when the Mode is List of values.

    Update field position

    Enter the Update field position (default = 0).

    Note: The option is only available when the Mode is List of values.

    Update field value

    Enter the Update field value.

    Note: The option is only available when the Mode is List of values.

    Logoff field position

    Enter the Logoff field position (default = 0).

    Note: The option is only available when the Mode is List of values.

    Logoff field value

    Enter the Logoff field value.

    Note: The option is only available when the Mode is List of values.

    Username fieldDefine the semantics of the username field. For example: User-Name={{:username}},

    where {{:username}} indicates where the username is extracted from.

    Note: The option is only available when the Mode is Key-value pairs.

    Username field position

    Enter the username field position (default = 10).

    Note: The option is only available when the Mode is List of values.

    Client IPv4 field

    Define the semantics of the client IPv4 address (default = Framed-IP-Address={{:client_ip}},).

    Note: The option is only available when the Mode is Key-value pairs.

    Client IPv4 field position

    Enter the client IPv4 field position (default = 9).

    Note: The option is only available when the Mode is List of values.

    Client IPv6 field

    Define the semantics of the client IPv6 address (default = Framed-IPv6-Address={{:client_ipv6}},).

    Note: The option is only available when the Mode is Key-value pairs.

    Client IPv6 field position

    Enter the client IPv6 field position (default = 0).

    Note: The option is only available when the Mode is List of values.

    Group field

    Optionally, define the semantics of the group. The group may not always be included in the syslog message, and may need to be retrieved from a remote LDAP server, e.g., profile = {{:group}}.

    Note: The option is only available when the Mode is Key-value pairs.

    Group field position

    Enter the group field position (default = 0).

    Note: The option is only available when the Mode is List of values.

    Group list separator

    Specify the separator (default = ,).

    Test RulePaste a sample log message into the text box, then select Test to test that the desired fields are correctly extracted.
  4. Select Save to add the new matching rule.