Log events to an external log host
To log events on an external log host, you must first add the log host to the Log Receivers View. Once you have added the log host server, configure the events to be logged externally on the Event Management View. The events will be sent as Syslog messages or SNMP Traps.
Add a server
- Click System > Settings.
- In the tree on the left select System Communication > Log Receivers.
- Click Add to add a log host.
- Select the type of server.
- Enter the IP address of the server.
- Enter the configuration parameters for the type of log host. The standard port information for each host type is automatically entered. See the table below for detailed information on each type of server.
- Click OK.
Settings
Field |
Definition |
Type |
Type of server that will receive Event and Alarm messages. Options include: Syslog CSV, SNMP Trap, and Syslog Command Event Format (CEF). |
IP address |
IP address of the server that will receive Event and Alarm messages. |
Port |
Connection port on the server. For Syslog CSV and Syslog CEF servers, the default = 514. For SNMP Trap servers the default =162 |
Facility |
Displays only when Syslog is selected as the Type. Allows you to configure the message type. The default is 4. Options include:
|
Security String |
Displays only when SNMP is selected as the Type. The security string sent with the Event and Alarm message. |
Configure events to log externally
- Click Logs > Events & Alarms > Management.
- Use the filters to locate the appropriate event. Refer to Event management for filter settings.
- For each event that should be logged externally, select one or more events and click Options. Select one of the following:
- External: Logs only to an external host.
- Internal & External: Logs both to an internal events database and an external host.
Syslog format
The following is an example of a syslog message:
<37>Apr 10 11:42:16 : 2009/04/10 11:42:16 EDT,3,2587,Probe - MAP IP To MAC Success,0,1127,,BuildingB-3750,192.168.10.1,,Successfully read IP address mappings from device BuildingB-3750
Format
Column |
Data From Example |
Definition |
---|---|---|
1 |
<37> |
Syslog category: This is the defined facility and the severity Default Facility = 4 Security message Severity = 5 Notice |
2 |
Apr 10 11:42:16 : |
Time of the syslog generation. |
3 |
2009/04/10 11:42:16 EDT |
Log time. |
4 |
3 |
Log type:
|
5 |
2587 |
Database ID AlarmID or ElementID |
6 |
Probe - MAP IP To MAC Success |
Name of the event that generated the syslog message. |
7 |
0 |
Severity:
|
8 |
1127 |
Entity ID |
9 |
|
Unique Identifier (user ID) |
10 |
BuildingB-3750 |
Entity Name |
11 |
192.168.10.1 |
Entity IP address |
12 |
|
Entity physical address |
13 |
Successfully read IP address mappings from device |
Log Message |
SNMP trap format
The following is an example of an SNMP message:
1.3.6.1.4.1.16856.1.1.5="2009/04/10 11:37:02 EDT", 1.3.6.1.4.1.16856.1.1.6=1, 1.3.6.1.4.1.16856.1.1.7=2585, 1.3.6.1.4.1.16856.1.1.8="Probe - MAP IP To MAC Success", 1.3.6.1.4.1.16856.1.1.9=0, 1.3.6.1.4.1.16856.1.1.10=1127, 1.3.6.1.4.1.16856.1.1.15=, 1.3.6.1.4.1.16856.1.1.11=BuildingB-3750, 1.3.6.1.4.1.16856.1.1.12=192.168.10.1, 1.3.6.1.4.1.16856.1.1.13=, 1.3.6.1.4.1.16856.1.1.14="Successfully read IP address mappings from device BuildingB-3750."
Format
MIB Object |
Data From Example |
Definition |
---|---|---|
1.3.6.1.4.1.16856.1.1.5 |
"2009/04/10 11:37:02 EDT" |
The log time stamp in the format YYYY/MM/DD hh:mm:ss z |
1.3.6.1.4.1.16856.1.1.6 |
1 |
The type of log message 1 - Event message 2 - Alarm Message |
1.3.6.1.4.1.16856.1.1.7 |
2585 |
The database identifier of the log message |
1.3.6.1.4.1.16856.1.1.8 |
"Probe - MAP IP To MAC Success" |
Name of the event that generated the syslog message. |
1.3.6.1.4.1.16856.1.1.9 |
0 |
The log severity 0 - Normal 1 - Minor 2 - Major 3 - Critical |
1.3.6.1.4.1.16856.1.1.10 |
1127 |
The database identifier of the log entity |
1.3.6.1.4.1.16856.1.1.15 |
|
The unique identifier of the log entity "User ID" |
1.3.6.1.4.1.16856.1.1.11 |
BuildingB-3750 |
The textual name of the log entity |
1.3.6.1.4.1.16856.1.1.12 |
192.168.10.1 |
The IP address of the log entity. The format is 0.0.0.0" |
1.3.6.1.4.1.16856.1.1.13 |
|
The Physical address of the log entity. The format is 00:00:00:00:00:00" |
1.3.6.1.4.1.16856.1.1.14 |
"Successfully read IP address mappings from device BuildingB-3750." |
The textual log message |
Common event format (CEF)
Fields contained within a CEF syslog message include:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Example:
<37>Jul 22 11:24:20 : CEF:0|Fortinet|NAC Control Server|4.1.1.219.P9|6111|Login Failure|1|rt=Jul 22 11:24:20 602 EDT cat=Network shost=NAC Director msg=User qa failed to log in.
Format
Column Title |
Data From Example |
Definition |
---|---|---|
Facility |
<37> |
Syslog category: This is the defined facility and the severity Default Facility = 4 Security message Severity = 5 Notice This is not part of the CEF format, but is contained within the syslog message. |
Date/Time |
Jul 22 11:24:20 |
Date and time the syslog message was generated. This is not part of the CEF format but is contained within the syslog message. |
CEF: Version |
CEF:0 |
Version number defines the fields that are expected to follow this field. |
Device Vendor |
Fortinet |
These fields uniquely identify the type of device sending the syslog message. In this case, the sending entity is FortiNAC. |
Device Product |
NAC Control Server |
|
Device Version |
4.1.1.219.P9 |
|
Signature ID |
6111 |
Unique identifier per event type. This can be a string or an integer. |
Name |
Login Failure |
Name of the event that generated the syslog message. |
Severity |
1 |
Severity: 0 Normal 1 Minor 2 Major 3 Critical |
Extension |
rt=Jul 22 11:24:20 602 EDT cat=Network shost=NAC Director msg=User qa failed to log in. |
Extension is a place holder for additional data. The extensions contained in this message include: rt - receiptTime - Time stamp that indicates when the event was generated. cat-category-Type of device sending the syslog message. msg - message- Message giving more details about the event. |