Fortinet white logo
Fortinet white logo

Administration Guide

Override FortiAnalyzer and syslog server settings

Override FortiAnalyzer and syslog server settings

In an HA cluster, secondary devices can be configured to use different FortiAnalyzer devices and syslog servers than the primary device. VDOMs can also override global syslog server settings.

Configure a different syslog server on a secondary HA device

To configure the primary HA device:
  1. Configure a global syslog server:

    config global
        config log syslog setting
            set status enable
            set server 172.16.200.44
            set facility local6
            set format default
        end
    end
  2. Set up a VDOM exception to enable setting the global syslog server on the secondary HA device:

    config global
        config system vdom-exception
            edit 1
                set object log.syslogd.setting
            next
        end
    end
To configure the secondary HA device:
  1. Configure a global syslog server:

    config global
        config log syslogd setting
            set status enable
            set server 172.16.200.55
            set facility local5
        end
    end
  2. After the primary and secondary device synchronize, generate logs on the secondary device.

To confirm that logs are been sent to the syslog server configured on the secondary device:
  1. On the primary device, retrieve the following packet capture from the secondary device's syslog server:

    # diagnose sniffer packet any "host 172.16.200.55" 6
    interfaces=[any]
    filters=[host 172.16.200.55]
    
    ​​​​​​​266.859494 port2 out 172.16.200.2.7434 -> 172.16.200.55.514: udp 278
    0x0000   0000 0000 0000 0009 0f09 0004 0800 4500        ..............E.
    0x0010   0132 f3c7 0000 4011 9d98 ac10 c802 ac10        .2....@.........
    0x0020   c837 1d0a 0202 011e 4b05 3c31 3734 3e64        .7......K.<174>d
    0x0030   6174 653d 3230 3230 2d30 332d 3134 2074        ate=2020-03-14.t
    0x0040   696d 653d 3132 3a30 303a 3035 2064 6576        ime=12:00:05.dev
    0x0050   6e61 6d65 3d22 466f 7274 6947 6174 652d        name="FGT-81E-Sl
    0x0060   3831 455f 4122 2064 6576 6964 3d22 4647        ave-A".devid="FG
    0x0070   5438 3145 3451 3136 3030 3030 3438 2220        T81E4Q16000048".
    0x0080   6c6f 6769 643d 2230 3130 3030 3230 3032        logid="010002002
    0x0090   3722 2074 7970 653d 2265 7665 6e74 2220        7".type="event".
    0x00a0   7375 6274 7970 653d 2273 7973 7465 6d22        subtype="system"
    0x00b0   206c 6576 656c 3d22 696e 666f 726d 6174        .level="informat
    0x00c0   696f 6e22 2076 643d 2276 646f 6d31 2220        ion".vd="vdom1".
    0x00d0   6576 656e 7474 696d 653d 3135 3834 3231        eventtime=158421
    0x00e0   3234 3035 3835 3938 3335 3639 3120 747a        2405859835691.tz
    0x00f0   3d22 2d30 3730 3022 206c 6f67 6465 7363        ="-0700".logdesc
    0x0100   3d22 4f75 7464 6174 6564 2072 6570 6f72        ="Outdated.repor
    0x0110   7420 6669 6c65 7320 6465 6c65 7465 6422        t.files.deleted"
    0x0120   206d 7367 3d22 4465 6c65 7465 2031 206f        .msg="Delete.1.o
    0x0130   6c64 2072 6570 6f72 7420 6669 6c65 7322        ld.report.files"

Configure a different syslog server in the root VDOM on a secondary HA device

To configure the primary HA device:
  1. Configure a global syslog server:

    config global
        config log syslog setting
            set status enable
            set server 172.16.200.44
            set facility local6
            set format default
        end
    end
  2. Set up a VDOM exception to enable syslog-override in the secondary HA device root VDOM:

    config global
        config system vdom-exception
            edit 1
                set object log.syslogd.override-setting
                set scope inclusive
                set vdom root
            next
        end
    end
    
  3. In the VDOM, enable syslog-override in the log settings, and set up the override syslog server:

    config root
        config log setting
            set syslog-override enable
        end
        config log syslog override-setting
            set status enable
            set server 172.16.200.44
            set facility local6
            set format default
        end
    end

After syslog-override is enabled, an override syslog server must be configured, as logs will not be sent to the global syslog server.

To configure the secondary HA device:
  1. Configure an override syslog server in the root VDOM:

    config root
        config log syslogd override-setting
            set status enable
            set server 172.16.200.55         
            set facility local5
            set format default
        end
    end
  2. After the primary and secondary device synchronize, generate logs in the root VDOM on the secondary device.

To confirm that logs are been sent to the syslog server configured for the root VDOM on the secondary device:
  1. On the primary device, retrieve the following packet capture from the syslog server configured in the root VDOM on the secondary device:

    # diagnose sniffer packet any "host 172.16.200.55" 6
    interfaces=[any]
    filters=[host 172.16.200.55]
    
    156.759696 port2 out 172.16.200.2.1165 -> 172.16.200.55.514: udp 277
    0x0000   0000 0000 0000 0009 0f09 0004 0800 4500        ..............E.
    0x0010   0131 f398 0000 4011 9dc8 ac10 c802 ac10        .1....@.........
    0x0020   c837 048d 0202 011d af5f 3c31 3734 3e64        .7......._<174>d
    0x0030   6174 653d 3230 3230 2d30 332d 3134 2074        ate=2020-03-14.t
    0x0040   696d 653d 3131 3a33 353a 3035 2064 6576        ime=11:35:05.dev
    0x0050   6e61 6d65 3d22 466f 7274 6947 6174 652d        name="FGT-81E-Sl
    0x0060   3831 455f 4122 2064 6576 6964 3d22 4647        ave-A".devid="FG
    0x0070   5438 3145 3451 3136 3030 3030 3438 2220        T81E4Q16000048".
    0x0080   6c6f 6769 643d 2230 3130 3030 3230 3032        logid="010002002
    0x0090   3722 2074 7970 653d 2265 7665 6e74 2220        7".type="event".
    0x00a0   7375 6274 7970 653d 2273 7973 7465 6d22        subtype="system"
    0x00b0   206c 6576 656c 3d22 696e 666f 726d 6174        .level="informat
    0x00c0   696f 6e22 2076 643d 2272 6f6f 7422 2065        ion".vd="root".e
    0x00d0   7665 6e74 7469 6d65 3d31 3538 3432 3130        venttime=1584210
    0x00e0   3930 3537 3539 3334 3132 3632 2074 7a3d        905759341262.tz=
    0x00f0   222d 3037 3030 2220 6c6f 6764 6573 633d        "-0700".logdesc=
    0x0100   224f 7574 6461 7465 6420 7265 706f 7274        "Outdated.report
    0x0110   2066 696c 6573 2064 656c 6574 6564 2220        .files.deleted".
    0x0120   6d73 673d 2244 656c 6574 6520 3220 6f6c        msg="Delete.2.ol
    0x0130   6420 7265 706f 7274 2066 696c 6573 22          d.report.files"
    

Override FortiAnalyzer and syslog server settings

Override FortiAnalyzer and syslog server settings

In an HA cluster, secondary devices can be configured to use different FortiAnalyzer devices and syslog servers than the primary device. VDOMs can also override global syslog server settings.

Configure a different syslog server on a secondary HA device

To configure the primary HA device:
  1. Configure a global syslog server:

    config global
        config log syslog setting
            set status enable
            set server 172.16.200.44
            set facility local6
            set format default
        end
    end
  2. Set up a VDOM exception to enable setting the global syslog server on the secondary HA device:

    config global
        config system vdom-exception
            edit 1
                set object log.syslogd.setting
            next
        end
    end
To configure the secondary HA device:
  1. Configure a global syslog server:

    config global
        config log syslogd setting
            set status enable
            set server 172.16.200.55
            set facility local5
        end
    end
  2. After the primary and secondary device synchronize, generate logs on the secondary device.

To confirm that logs are been sent to the syslog server configured on the secondary device:
  1. On the primary device, retrieve the following packet capture from the secondary device's syslog server:

    # diagnose sniffer packet any "host 172.16.200.55" 6
    interfaces=[any]
    filters=[host 172.16.200.55]
    
    ​​​​​​​266.859494 port2 out 172.16.200.2.7434 -> 172.16.200.55.514: udp 278
    0x0000   0000 0000 0000 0009 0f09 0004 0800 4500        ..............E.
    0x0010   0132 f3c7 0000 4011 9d98 ac10 c802 ac10        .2....@.........
    0x0020   c837 1d0a 0202 011e 4b05 3c31 3734 3e64        .7......K.<174>d
    0x0030   6174 653d 3230 3230 2d30 332d 3134 2074        ate=2020-03-14.t
    0x0040   696d 653d 3132 3a30 303a 3035 2064 6576        ime=12:00:05.dev
    0x0050   6e61 6d65 3d22 466f 7274 6947 6174 652d        name="FGT-81E-Sl
    0x0060   3831 455f 4122 2064 6576 6964 3d22 4647        ave-A".devid="FG
    0x0070   5438 3145 3451 3136 3030 3030 3438 2220        T81E4Q16000048".
    0x0080   6c6f 6769 643d 2230 3130 3030 3230 3032        logid="010002002
    0x0090   3722 2074 7970 653d 2265 7665 6e74 2220        7".type="event".
    0x00a0   7375 6274 7970 653d 2273 7973 7465 6d22        subtype="system"
    0x00b0   206c 6576 656c 3d22 696e 666f 726d 6174        .level="informat
    0x00c0   696f 6e22 2076 643d 2276 646f 6d31 2220        ion".vd="vdom1".
    0x00d0   6576 656e 7474 696d 653d 3135 3834 3231        eventtime=158421
    0x00e0   3234 3035 3835 3938 3335 3639 3120 747a        2405859835691.tz
    0x00f0   3d22 2d30 3730 3022 206c 6f67 6465 7363        ="-0700".logdesc
    0x0100   3d22 4f75 7464 6174 6564 2072 6570 6f72        ="Outdated.repor
    0x0110   7420 6669 6c65 7320 6465 6c65 7465 6422        t.files.deleted"
    0x0120   206d 7367 3d22 4465 6c65 7465 2031 206f        .msg="Delete.1.o
    0x0130   6c64 2072 6570 6f72 7420 6669 6c65 7322        ld.report.files"

Configure a different syslog server in the root VDOM on a secondary HA device

To configure the primary HA device:
  1. Configure a global syslog server:

    config global
        config log syslog setting
            set status enable
            set server 172.16.200.44
            set facility local6
            set format default
        end
    end
  2. Set up a VDOM exception to enable syslog-override in the secondary HA device root VDOM:

    config global
        config system vdom-exception
            edit 1
                set object log.syslogd.override-setting
                set scope inclusive
                set vdom root
            next
        end
    end
    
  3. In the VDOM, enable syslog-override in the log settings, and set up the override syslog server:

    config root
        config log setting
            set syslog-override enable
        end
        config log syslog override-setting
            set status enable
            set server 172.16.200.44
            set facility local6
            set format default
        end
    end

After syslog-override is enabled, an override syslog server must be configured, as logs will not be sent to the global syslog server.

To configure the secondary HA device:
  1. Configure an override syslog server in the root VDOM:

    config root
        config log syslogd override-setting
            set status enable
            set server 172.16.200.55         
            set facility local5
            set format default
        end
    end
  2. After the primary and secondary device synchronize, generate logs in the root VDOM on the secondary device.

To confirm that logs are been sent to the syslog server configured for the root VDOM on the secondary device:
  1. On the primary device, retrieve the following packet capture from the syslog server configured in the root VDOM on the secondary device:

    # diagnose sniffer packet any "host 172.16.200.55" 6
    interfaces=[any]
    filters=[host 172.16.200.55]
    
    156.759696 port2 out 172.16.200.2.1165 -> 172.16.200.55.514: udp 277
    0x0000   0000 0000 0000 0009 0f09 0004 0800 4500        ..............E.
    0x0010   0131 f398 0000 4011 9dc8 ac10 c802 ac10        .1....@.........
    0x0020   c837 048d 0202 011d af5f 3c31 3734 3e64        .7......._<174>d
    0x0030   6174 653d 3230 3230 2d30 332d 3134 2074        ate=2020-03-14.t
    0x0040   696d 653d 3131 3a33 353a 3035 2064 6576        ime=11:35:05.dev
    0x0050   6e61 6d65 3d22 466f 7274 6947 6174 652d        name="FGT-81E-Sl
    0x0060   3831 455f 4122 2064 6576 6964 3d22 4647        ave-A".devid="FG
    0x0070   5438 3145 3451 3136 3030 3030 3438 2220        T81E4Q16000048".
    0x0080   6c6f 6769 643d 2230 3130 3030 3230 3032        logid="010002002
    0x0090   3722 2074 7970 653d 2265 7665 6e74 2220        7".type="event".
    0x00a0   7375 6274 7970 653d 2273 7973 7465 6d22        subtype="system"
    0x00b0   206c 6576 656c 3d22 696e 666f 726d 6174        .level="informat
    0x00c0   696f 6e22 2076 643d 2272 6f6f 7422 2065        ion".vd="root".e
    0x00d0   7665 6e74 7469 6d65 3d31 3538 3432 3130        venttime=1584210
    0x00e0   3930 3537 3539 3334 3132 3632 2074 7a3d        905759341262.tz=
    0x00f0   222d 3037 3030 2220 6c6f 6764 6573 633d        "-0700".logdesc=
    0x0100   224f 7574 6461 7465 6420 7265 706f 7274        "Outdated.report
    0x0110   2066 696c 6573 2064 656c 6574 6564 2220        .files.deleted".
    0x0120   6d73 673d 2244 656c 6574 6520 3220 6f6c        msg="Delete.2.ol
    0x0130   6420 7265 706f 7274 2066 696c 6573 22          d.report.files"