Fortinet white logo
Fortinet white logo

Administration Guide

7.4.0

Log events to an external log host

Log events to an external log host

To log events on an external log host, you must first add the log host to the Log Receivers View. Once you have added the log host server, configure the events to be logged externally on the Event Management View. The events will be sent as Syslog messages or SNMP Traps.

Add a server

  1. Click System > Settings.
  2. In the tree on the left select System Communication > Log Receivers.
  3. Click Add to add a log host.
  4. Select the type of server.
  5. Enter the IP address of the server.
  6. Enter the configuration parameters for the type of log host. The standard port information for each host type is automatically entered. See the table below for detailed information on each type of server.
  7. Click OK.
Settings

Field

Definition

Type

Type of server that will receive Event and Alarm messages. Options include: Syslog CSV, SNMP Trap, and Syslog Command Event Format (CEF).

IP address

IP address of the server that will receive Event and Alarm messages.

Port

Connection port on the server. For Syslog CSV and Syslog CEF servers, the default = 514. For SNMP Trap servers the default =162

Facility

Displays only when Syslog is selected as the Type. Allows you to configure the message type. The default is 4. Options include:

  • 0 kernel messages
  • 1 user-level messages
  • 2 mail system
  • 3 system daemons
  • 4 security/authorization messages
  • 5 messages generated internally by syslogd
  • 6 line printer subsystem
  • 7 network news subsystem
  • 8 UUCP subsystem
  • 9 clock daemon
  • 10 security/authorization messages
  • 11 FTP daemon
  • 12 NTP subsystem
  • 13 log audit
  • 14 log alert
  • 15 clock daemon
  • 16 local use 0 (local0)
  • 17 local use 1 (local1)
  • 18 local use 2 (local2)
  • 19 local use 3 (local3)
  • 20 local use 4 (local4)
  • 21 local use 5 (local5)
  • 22 local use 6 (local6)
  • 23 local use 7 (local7)

Security String

Displays only when SNMP is selected as the Type. The security string sent with the Event and Alarm message.

Configure events to log externally

  1. Click Logs > Events & Alarms > Management.
  2. Use the filters to locate the appropriate event. Refer to Event management for filter settings.
  3. For each event that should be logged externally, select one or more events and click Options. Select one of the following:
    • External: Logs only to an external host.
    • Internal & External: Logs both to an internal events database and an external host.

Syslog format

The following is an example of a syslog message:

<37>Apr 10 11:42:16 : 2009/04/10 11:42:16 EDT,3,2587,Probe - MAP IP To MAC Success,0,1127,,BuildingB-3750,192.168.10.1,,Successfully read IP address mappings from device BuildingB-3750

Format

Column

Data From Example

Definition

1

<37>

Syslog category: This is the defined facility and the severity

Default Facility = 4 Security message

Severity = 5 Notice

2

Apr 10 11:42:16 :

Time of the syslog generation.

3

2009/04/10 11:42:16 EDT

Log time.

4

3

Log type:

  • 1 Event
  • 2 Alarm
  • 3 Security Alarm

5

2587

Database ID AlarmID or ElementID

6

Probe - MAP IP To MAC Success

Name of the event that generated the syslog message.

7

0

Severity:

  • 0 Normal
  • 1 Minor
  • 2 Major
  • 3 Critical

8

1127

Entity ID

9

Unique Identifier (user ID)

10

BuildingB-3750

Entity Name

11

192.168.10.1

Entity IP address

12

Entity physical address

13

Successfully read IP address mappings from device
BuildingB-3750

Log Message

SNMP trap format

The following is an example of an SNMP message:

1.3.6.1.4.1.16856.1.1.5="2009/04/10 11:37:02 EDT", 1.3.6.1.4.1.16856.1.1.6=1, 1.3.6.1.4.1.16856.1.1.7=2585, 1.3.6.1.4.1.16856.1.1.8="Probe - MAP IP To MAC Success", 1.3.6.1.4.1.16856.1.1.9=0, 1.3.6.1.4.1.16856.1.1.10=1127, 1.3.6.1.4.1.16856.1.1.15=, 1.3.6.1.4.1.16856.1.1.11=BuildingB-3750, 1.3.6.1.4.1.16856.1.1.12=192.168.10.1, 1.3.6.1.4.1.16856.1.1.13=, 1.3.6.1.4.1.16856.1.1.14="Successfully read IP address mappings from device BuildingB-3750."

Format

MIB Object

Data From Example

Definition

1.3.6.1.4.1.16856.1.1.5

"2009/04/10 11:37:02 EDT"

The log time stamp in the format YYYY/MM/DD hh:mm:ss z

1.3.6.1.4.1.16856.1.1.6

1

The type of log message

1 - Event message

2 - Alarm Message

1.3.6.1.4.1.16856.1.1.7

2585

The database identifier of the log message

1.3.6.1.4.1.16856.1.1.8

"Probe - MAP IP To MAC Success"

Name of the event that generated the syslog message.

1.3.6.1.4.1.16856.1.1.9

0

The log severity

0 - Normal

1 - Minor

2 - Major

3 - Critical

1.3.6.1.4.1.16856.1.1.10

1127

The database identifier of the log entity

1.3.6.1.4.1.16856.1.1.15

The unique identifier of the log entity "User ID"

1.3.6.1.4.1.16856.1.1.11

BuildingB-3750

The textual name of the log entity

1.3.6.1.4.1.16856.1.1.12

192.168.10.1

The IP address of the log entity. The format is 0.0.0.0"

1.3.6.1.4.1.16856.1.1.13

The Physical address of the log entity. The format is 00:00:00:00:00:00"

1.3.6.1.4.1.16856.1.1.14

"Successfully read IP address mappings from device BuildingB-3750."

The textual log message

Common event format (CEF)

Fields contained within a CEF syslog message include:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Example:

<37>Jul 22 11:24:20 : CEF:0|Fortinet|NAC Control Server|4.1.1.219.P9|6111|Login Failure|1|rt=Jul 22 11:24:20 602 EDT cat=Network shost=NAC Director msg=User qa failed to log in.

Format

Column Title

Data From Example

Definition

Facility

<37>

Syslog category: This is the defined facility and the severity

Default Facility = 4 Security message

Severity = 5 Notice

This is not part of the CEF format, but is contained within the syslog message.

Date/Time

Jul 22 11:24:20

Date and time the syslog message was generated.

This is not part of the CEF format but is contained within the syslog message.

CEF: Version

CEF:0

Version number defines the fields that are expected to follow this field.

Device Vendor

Fortinet

These fields uniquely identify the type of device sending the syslog message. In this case, the sending entity is FortiNAC.

Device Product

NAC Control Server

Device Version

4.1.1.219.P9

Signature ID

6111

Unique identifier per event type. This can be a string or an integer.

Name

Login Failure

Name of the event that generated the syslog message.

Severity

1

Severity:

0 Normal

1 Minor

2 Major

3 Critical

Extension

rt=Jul 22 11:24:20 602 EDT cat=Network shost=NAC Director msg=User qa failed to log in.

Extension is a place holder for additional data. The extensions contained in this message include:

rt - receiptTime - Time stamp that indicates when the event was generated.

cat-category-Type of device sending the syslog message.

msg - message- Message giving more details about the event.

Log events to an external log host

Log events to an external log host

To log events on an external log host, you must first add the log host to the Log Receivers View. Once you have added the log host server, configure the events to be logged externally on the Event Management View. The events will be sent as Syslog messages or SNMP Traps.

Add a server

  1. Click System > Settings.
  2. In the tree on the left select System Communication > Log Receivers.
  3. Click Add to add a log host.
  4. Select the type of server.
  5. Enter the IP address of the server.
  6. Enter the configuration parameters for the type of log host. The standard port information for each host type is automatically entered. See the table below for detailed information on each type of server.
  7. Click OK.
Settings

Field

Definition

Type

Type of server that will receive Event and Alarm messages. Options include: Syslog CSV, SNMP Trap, and Syslog Command Event Format (CEF).

IP address

IP address of the server that will receive Event and Alarm messages.

Port

Connection port on the server. For Syslog CSV and Syslog CEF servers, the default = 514. For SNMP Trap servers the default =162

Facility

Displays only when Syslog is selected as the Type. Allows you to configure the message type. The default is 4. Options include:

  • 0 kernel messages
  • 1 user-level messages
  • 2 mail system
  • 3 system daemons
  • 4 security/authorization messages
  • 5 messages generated internally by syslogd
  • 6 line printer subsystem
  • 7 network news subsystem
  • 8 UUCP subsystem
  • 9 clock daemon
  • 10 security/authorization messages
  • 11 FTP daemon
  • 12 NTP subsystem
  • 13 log audit
  • 14 log alert
  • 15 clock daemon
  • 16 local use 0 (local0)
  • 17 local use 1 (local1)
  • 18 local use 2 (local2)
  • 19 local use 3 (local3)
  • 20 local use 4 (local4)
  • 21 local use 5 (local5)
  • 22 local use 6 (local6)
  • 23 local use 7 (local7)

Security String

Displays only when SNMP is selected as the Type. The security string sent with the Event and Alarm message.

Configure events to log externally

  1. Click Logs > Events & Alarms > Management.
  2. Use the filters to locate the appropriate event. Refer to Event management for filter settings.
  3. For each event that should be logged externally, select one or more events and click Options. Select one of the following:
    • External: Logs only to an external host.
    • Internal & External: Logs both to an internal events database and an external host.

Syslog format

The following is an example of a syslog message:

<37>Apr 10 11:42:16 : 2009/04/10 11:42:16 EDT,3,2587,Probe - MAP IP To MAC Success,0,1127,,BuildingB-3750,192.168.10.1,,Successfully read IP address mappings from device BuildingB-3750

Format

Column

Data From Example

Definition

1

<37>

Syslog category: This is the defined facility and the severity

Default Facility = 4 Security message

Severity = 5 Notice

2

Apr 10 11:42:16 :

Time of the syslog generation.

3

2009/04/10 11:42:16 EDT

Log time.

4

3

Log type:

  • 1 Event
  • 2 Alarm
  • 3 Security Alarm

5

2587

Database ID AlarmID or ElementID

6

Probe - MAP IP To MAC Success

Name of the event that generated the syslog message.

7

0

Severity:

  • 0 Normal
  • 1 Minor
  • 2 Major
  • 3 Critical

8

1127

Entity ID

9

Unique Identifier (user ID)

10

BuildingB-3750

Entity Name

11

192.168.10.1

Entity IP address

12

Entity physical address

13

Successfully read IP address mappings from device
BuildingB-3750

Log Message

SNMP trap format

The following is an example of an SNMP message:

1.3.6.1.4.1.16856.1.1.5="2009/04/10 11:37:02 EDT", 1.3.6.1.4.1.16856.1.1.6=1, 1.3.6.1.4.1.16856.1.1.7=2585, 1.3.6.1.4.1.16856.1.1.8="Probe - MAP IP To MAC Success", 1.3.6.1.4.1.16856.1.1.9=0, 1.3.6.1.4.1.16856.1.1.10=1127, 1.3.6.1.4.1.16856.1.1.15=, 1.3.6.1.4.1.16856.1.1.11=BuildingB-3750, 1.3.6.1.4.1.16856.1.1.12=192.168.10.1, 1.3.6.1.4.1.16856.1.1.13=, 1.3.6.1.4.1.16856.1.1.14="Successfully read IP address mappings from device BuildingB-3750."

Format

MIB Object

Data From Example

Definition

1.3.6.1.4.1.16856.1.1.5

"2009/04/10 11:37:02 EDT"

The log time stamp in the format YYYY/MM/DD hh:mm:ss z

1.3.6.1.4.1.16856.1.1.6

1

The type of log message

1 - Event message

2 - Alarm Message

1.3.6.1.4.1.16856.1.1.7

2585

The database identifier of the log message

1.3.6.1.4.1.16856.1.1.8

"Probe - MAP IP To MAC Success"

Name of the event that generated the syslog message.

1.3.6.1.4.1.16856.1.1.9

0

The log severity

0 - Normal

1 - Minor

2 - Major

3 - Critical

1.3.6.1.4.1.16856.1.1.10

1127

The database identifier of the log entity

1.3.6.1.4.1.16856.1.1.15

The unique identifier of the log entity "User ID"

1.3.6.1.4.1.16856.1.1.11

BuildingB-3750

The textual name of the log entity

1.3.6.1.4.1.16856.1.1.12

192.168.10.1

The IP address of the log entity. The format is 0.0.0.0"

1.3.6.1.4.1.16856.1.1.13

The Physical address of the log entity. The format is 00:00:00:00:00:00"

1.3.6.1.4.1.16856.1.1.14

"Successfully read IP address mappings from device BuildingB-3750."

The textual log message

Common event format (CEF)

Fields contained within a CEF syslog message include:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Example:

<37>Jul 22 11:24:20 : CEF:0|Fortinet|NAC Control Server|4.1.1.219.P9|6111|Login Failure|1|rt=Jul 22 11:24:20 602 EDT cat=Network shost=NAC Director msg=User qa failed to log in.

Format

Column Title

Data From Example

Definition

Facility

<37>

Syslog category: This is the defined facility and the severity

Default Facility = 4 Security message

Severity = 5 Notice

This is not part of the CEF format, but is contained within the syslog message.

Date/Time

Jul 22 11:24:20

Date and time the syslog message was generated.

This is not part of the CEF format but is contained within the syslog message.

CEF: Version

CEF:0

Version number defines the fields that are expected to follow this field.

Device Vendor

Fortinet

These fields uniquely identify the type of device sending the syslog message. In this case, the sending entity is FortiNAC.

Device Product

NAC Control Server

Device Version

4.1.1.219.P9

Signature ID

6111

Unique identifier per event type. This can be a string or an integer.

Name

Login Failure

Name of the event that generated the syslog message.

Severity

1

Severity:

0 Normal

1 Minor

2 Major

3 Critical

Extension

rt=Jul 22 11:24:20 602 EDT cat=Network shost=NAC Director msg=User qa failed to log in.

Extension is a place holder for additional data. The extensions contained in this message include:

rt - receiptTime - Time stamp that indicates when the event was generated.

cat-category-Type of device sending the syslog message.

msg - message- Message giving more details about the event.