Handbook

Event Log remote logging configuration page

A remote log server is a system provisioned specifically to collect logs for long-term storage and analysis with your preferred analytic tools. We recommend FortiAnalyzer.

The system has two separate configurations for sending logs to remote log servers: one for system event logs and one for DDoS attack logs.

The system event log configuration applies to system-wide data, such as system health indicators and system administrator activities.

For remote attack (DDoS) syslog servers, see the Attack Log remote logging configuration page.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.

See also: Attack Log remote logging configuration page.

To configure remote event log settings:
  1. Go to Log & Report > Log Configuration > Event Log Remote.
  2. Click Add.
  3. Complete the configuration as described in the table below.
  4. Save the configuration.
Remote log server settings

Remote log configuration guidelines

Status: Enable or disable this configuration.
  Note 1: The configuration must be enabled before it can be completed in the GUI or CLI. Once configured, it can be disabled if needed and its settings are retained.
  Note 2: A disabled configuration still counts towards the maximum of three remote event log servers.

Address: IP address of the FortiAnalyzer, FortiManager, or other syslog server.

Port: Listening port of the FortiAnalyzer/syslog server. Usually this is UDP port 514.

Log Level: Select the minimum severity to send. The selected level and all more severe levels are sent; less severe levels are not:

  • Emergency—The system has become unstable.
  • Alert—Immediate action is required.
  • Critical—Functionality is affected.
  • Error—An error condition exists and functionality could be affected.
  • Warning—Functionality might be affected.
  • Notification—Information about normal events.
  • Information—General information about system operations.
  • Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior.

Format:

  • Default – Standard syslog format for most syslog servers, modified by the protocol, framing and encryption options shown in the CLI commands below.
  • CSV – Send logs in CSV format. Most syslog servers do not accept this format.
  • CEF – Send logs in Common Event Format. CEF is sent over UDP and is not encrypted.

Facility: Syslog facility value placed in the message header. FortiDDoS does not use it, but the receiving syslog server can key routing or filtering on it.

Event Logging: Select to enable event logging to this server.

Event Category: Select the Event Categories to include in the event syslogs.
  Note: All Event Categories are disabled by default. It is safe to enable all of them.

Event syslog formats

The following is an example of an event syslog message (shown as one line; the syslog header is followed by the event record carried in the msg="..." value):

device_id=SYSLOG-AC1E997F type=generic pri=information itime=1431633173 msg="date=2015-05-13,time=13:25:13,tz=PDT,devid=FI800B3913000032,log_id=0000002168,type=event,subtype=config,level=information,msg_id=426204,user=admin,ui=ssh(172.30.153.9),action=none,status=none,reason=none,msg='changed settings for 'ddos spp setting' on domain 'SPP-1''"

Event syslog fields

Field: Example

Syslog device ID: device_id=SYSLOG-AC1E997F (the handbook describes this as the FortiDDoS serial number; in the example above the serial number itself appears in devid)
Syslog type: type=generic
Syslog log level: pri=information
Syslog time: itime=1431633173
Log datestamp: date=2015-05-13
Log timestamp: time=13:25:13
Log time zone: tz=PDT
Device ID: devid=FI800B3913000032
Log ID: log_id=0000002168
Log type: type=event
Log subtype: subtype=config
Log level: level=information
Message ID: msg_id=426204
Admin user: user=admin
Admin UI: ui=ssh(172.30.153.9) (access method and source address of the administrator session)
Action: action=none
Status: status=none
Reason string: reason=none
Log message: msg='changed settings for 'ddos spp setting' on domain 'SPP-1'' (free text; may contain commas and nested single quotes)
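The two-layer layout above (a syslog header whose msg="..." value carries a comma-separated event record ending in a free-text msg='...' field) and the Log Level filter from the settings table can be exercised with the parser below. This is an added example written for this page; it is not FortiDDoS or FortiAnalyzer code. The first sample line is the handbook's own example; the other two are constructed with placeholder log_id/msg_id values and assumed subtypes, and the trusted management address used to flag configuration changes is an assumption.

```python
"""Parse FortiDDoS event syslog lines and mirror the Log Level filter.

Layout (from the handbook): a header of space-separated key=value pairs whose
msg="..." value carries the event record as comma-separated key=value fields;
the record's final msg='...' is free text that may hold commas and nested
single quotes, so it is taken verbatim rather than split.
Added example, not FortiDDoS/FortiAnalyzer code; sample input is constructed.
"""
import re
from dataclasses import dataclass

# Severities as named by the Log Level setting, most severe first.
SEVERITY_ORDER = ("emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug")
# ui=ssh(172.30.153.9) -> access method and source address of the admin session.
UI_RE = re.compile(r"^(?P<method>[\w-]+)\((?P<source>[^)]*)\)$")

# Constructed sample lines. The first is the handbook's example; the other two
# are made up (placeholder log_id/msg_id, assumed subtypes) to exercise the code.
SAMPLE_LINES = [
    'device_id=SYSLOG-AC1E997F type=generic pri=information itime=1431633173 '
    'msg="date=2015-05-13,time=13:25:13,tz=PDT,devid=FI800B3913000032,log_id=0000002168,'
    'type=event,subtype=config,level=information,msg_id=426204,user=admin,ui=ssh(172.30.153.9),'
    'action=none,status=none,reason=none,'
    'msg=\'changed settings for \'ddos spp setting\' on domain \'SPP-1\'\'"',
    'device_id=SYSLOG-AC1E997F type=generic pri=warning itime=1431633300 '
    'msg="date=2015-05-13,time=13:27:20,tz=PDT,devid=FI800B3913000032,log_id=0000000000,'
    'type=event,subtype=config,level=warning,msg_id=000000,user=admin,ui=https(203.0.113.7),'
    'action=none,status=none,reason=none,'
    'msg=\'changed settings for \'log setting remote\', entry 2\'"',
    'device_id=SYSLOG-AC1E997F type=generic pri=debug itime=1431633400 '
    'msg="date=2015-05-13,time=13:29:00,tz=PDT,devid=FI800B3913000032,log_id=0000000000,'
    'type=event,subtype=system,level=debug,msg_id=000000,user=none,ui=none,'
    'action=none,status=none,reason=none,msg=\'health check tick\'"',
]


@dataclass
class EventRecord:
    header: dict  # device_id, type=generic, pri, itime
    body: dict    # date, time, tz, devid, log_id, type=event, subtype, level, ..., msg

    @property
    def level(self) -> str:
        """The record's own level, falling back to the syslog header's pri."""
        return self.body.get("level", self.header.get("pri", "debug")).lower()

    def ui_source(self):
        """Split ui=ssh(172.30.153.9) into ('ssh', '172.30.153.9')."""
        m = UI_RE.match(self.body.get("ui", ""))
        return (m["method"], m["source"]) if m else (self.body.get("ui", ""), "")


def _pairs(items):
    """key=value strings -> dict; tokens without '=' are ignored."""
    return dict(kv.split("=", 1) for kv in items if "=" in kv)


def parse_event(line: str) -> EventRecord:
    """Parse one FortiDDoS event syslog line into header and body dicts."""
    head, sep, tail = line.strip().partition(' msg="')
    if not sep or not tail.endswith('"'):
        raise ValueError('line lacks a msg="..." payload: %r' % line)
    header = _pairs(head.split())
    record = tail[:-1]  # drop the closing double quote
    # Fields before ",msg='" are plain key=value; the remainder is the free-text
    # message, kept as-is apart from its surrounding single quotes.
    fields_part, marker, text = record.partition(",msg='")
    body = _pairs(fields_part.split(","))
    if marker:
        body["msg"] = text[:-1] if text.endswith("'") else text
    return EventRecord(header=header, body=body)


def severity_rank(level: str) -> int:
    """0 = Emergency ... 7 = Debug; unknown names rank as least severe."""
    try:
        return SEVERITY_ORDER.index(level.lower())
    except ValueError:
        return len(SEVERITY_ORDER)


def filter_by_level(records, selected: str):
    """Mirror the Log Level setting: keep records at or above the selected severity."""
    threshold = severity_rank(selected)
    return [r for r in records if severity_rank(r.level) <= threshold]


def admin_config_changes(records, trusted_sources=frozenset()):
    """Configuration-change events with the admin session's method and source.
    trusted_sources is an assumed allow-list of management addresses."""
    out = []
    for r in records:
        if r.body.get("type") == "event" and r.body.get("subtype") == "config":
            method, source = r.ui_source()
            out.append({"user": r.body.get("user", ""), "method": method, "source": source,
                        "msg": r.body.get("msg", ""), "trusted": source in trusted_sources})
    return out


if __name__ == "__main__":
    recs = filter_by_level([parse_event(l) for l in SAMPLE_LINES], "information")
    for c in admin_config_changes(recs, trusted_sources={"172.30.153.9"}):  # assumed allow-list
        flag = "" if c["trusted"] else "  <-- not from the management allow-list"
        print(f"{c['user']} via {c['method']} from {c['source']}: {c['msg']}{flag}")
```

The header and record are kept as separate dicts because both carry a type field (type=generic versus type=event) and both carry a msg field; flattening them into one dict would silently drop one of each. Splitting the record only up to ",msg='" is what keeps the second sample's message, which contains a comma, intact.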

CLI commands:

Note: Before configuring, consult the format settings table in the handbook. The CLI accepts combinations of format, protocol and framing that some syslog servers will not parse.

#config log setting remote

(remote)# edit {1 | 2 | 3}    Three event log remote servers are allowed; a disabled entry still occupies one of the three.

(1)# set status {enable | disable}    Must be enabled to continue configuration.

(1)# set ip-address <172.30.153.105>

(1)# set port <514>

(1)# set format {default | CSV | CEF}    Choose default for FortiAnalyzer and most other syslog servers. CEF is sent unencrypted over UDP.

(1)# set facility {kern | mail | daemon | auth | lpr | news | cron | auth-priv | ftp | ntp | audit | alert | clock | syslog | user | uucp | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}

(1)# set event-log-status {enable | disable}

(1)# set loglevel {Emergency | Alert | Critical | Error | Warning | Notification | Information | Debug}

(1)# set event-log-category {admin configuration default_gateway ha health_check spp_switching system update user}    Select all required categories.

(1)# set fortianalyzer {enable | disable}

When fortianalyzer is enabled:

(1)# set encrypt-traffic-to-fortianalyzer    Sends logs to FortiAnalyzer over encrypted OFTP. Without this setting, logs go to FortiAnalyzer as standard RFC 3164 syslog over UDP.

When fortianalyzer is disabled:

(1)# set proto {udp | tcp}

For UDP, the default is RFC 3164 formatting. To send RFC 5424 messages instead:

(1)# set rfc-5424

For TCP, messages are framed as described in RFC 6587. Which framing the server expects is server-dependent:

(1)# set tcp-framing {traditional | octet_counted}

end

Syslog over UDP, whether RFC 3164 or RFC 5424, is neither authenticated nor encrypted, and the event log records administrator logins and configuration changes. Where the collector is FortiAnalyzer, enable encrypt-traffic-to-fortianalyzer. For any other syslog server, keep the path between FortiDDoS and the collector on a trusted management network, and prefer TCP: UDP delivery is fire-and-forget, so lost messages go unnoticed, whereas TCP at least gives the sender a transport-level acknowledgment.