Override FortiAnalyzer and syslog server settings

In an HA cluster, secondary devices can be configured to use different FortiAnalyzer devices and syslog servers than the primary device. VDOMs can also override global syslog server settings.

Configure a different syslog server on a secondary HA device

To configure the primary HA device:
  1. Configure a global syslog server:
    config global
        config log syslogd setting
            set status enable
            set server 172.16.200.44
            set facility local6
            set format default
        end
    end
  2. Set up a VDOM exception to enable setting the global syslog server on the secondary HA device:
    config global
        config system vdom-exception
            edit 1
                set object log.syslogd.setting
            next
        end
    end
To configure the secondary HA device:
  1. Configure a global syslog server:
    config global
        config log syslogd setting
            set status enable
            set server 172.16.200.55
            set facility local5
        end
    end
  2. After the primary and secondary device synchronize, generate logs on the secondary device.
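Once the secondary device is generating logs, the override can be checked from captured syslog datagrams by comparing each one's destination and facility with the settings above. The following is an added example, not part of the original documentation. It assumes the payload starts with a `<PRI>` header and carries a `devname` field; the device names and sample payloads are constructed.

```python
import re

# Expected syslogd settings per HA member, taken from the CLI on this page.
EXPECTED = {
    "primary": ("172.16.200.44", "local6"),
    "secondary": ("172.16.200.55", "local5"),
}
# Assumption: hostnames of the two cluster members (hypothetical names).
ROLE_BY_DEVNAME = {"FGT-A": "primary", "FGT-B": "secondary"}

HEADER_RE = re.compile(r'^<(\d{1,3})>.*?\bdevname="([^"]+)"')

def decode(message):
    """Return (facility_name, severity, devname) parsed from one syslog payload."""
    m = HEADER_RE.match(message)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a syslog message with PRI and devname")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    # local0..local7 are facility codes 16..23
    name = f"local{facility - 16}" if 16 <= facility <= 23 else str(facility)
    return name, severity, m.group(2)

def check(dst_ip, message):
    """Return a list of mismatches between one captured datagram and EXPECTED."""
    facility, _, devname = decode(message)
    role = ROLE_BY_DEVNAME.get(devname)
    if role is None:
        return [f"unknown device {devname}"]
    server, want_facility = EXPECTED[role]
    problems = []
    if dst_ip != server:
        problems.append(f"{role} logged to {dst_ip}, expected {server}")
    if facility != want_facility:
        problems.append(f"{role} used {facility}, expected {want_facility}")
    return problems

# Constructed samples: (destination IP seen in the capture, syslog payload).
SAMPLES = [
    ("172.16.200.44", '<182>date=2024-01-01 time=10:00:00 devname="FGT-A" type="event"'),
    ("172.16.200.55", '<174>date=2024-01-01 time=10:00:01 devname="FGT-B" type="event"'),
    # Secondary still using the primary's synchronized settings.
    ("172.16.200.44", '<182>date=2024-01-01 time=10:00:02 devname="FGT-B" type="event"'),
]

if __name__ == "__main__":
    for dst, msg in SAMPLES:
        print(dst, decode(msg), check(dst, msg) or "OK")
```

A secondary device that reports both mismatches is still running the settings synchronized from the primary, which points at a missing `log.syslogd.setting` VDOM exception.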
To confirm that logs are being sent to the syslog server configured on the secondary device:
  1. On the primary device, retrieve the following packet capture from