simonz_FTNT
Article Id 193577

Description

This article describes how to configure the FortiAnalyzer to forward local logs to a Syslog server.


Scope

FortiAnalyzer.


Solution


Step 1: Log in to the FortiAnalyzer Web UI and browse to System Settings -> Advanced -> Syslog Server. Select the 'Create New' button as shown in the screenshot below.

[Screenshot: System Settings -> Advanced -> Syslog Server page with the 'Create New' button]

Provide the name for the syslog profile along with the IP address. The port number may be changed if the syslog server is running on a different port than the default.

[Screenshot: Syslog Server profile form with the name, IP address and port fields]

Step 2: Log in to the CLI with PuTTY or any terminal client and run the following commands, replacing <syslog profile name> with the name given to the profile in Step 1:

config system locallog syslogd setting
    set status enable
    set syslog-name <syslog profile name>
end

For example:

config system locallog syslogd setting
    set status enable
    set syslog-name "kiwi_syslog"
end

Verify by attempting to log in to the Web UI admin page with an unauthorized user. The resulting failed-login event is forwarded to the syslog server and appears as shown below:

03-25-2016          11:59:38               Local7.Alert        192.168.146.76  date=2016-03-25 time=11:59:57 devname=FAZ2000B device_id=FL-2KB3R10600008 log_id=0001010019 type=event subtype=system pri=alert user="adda" userfrom="GUI(192.168.242.88)" msg="User 'adda' login failed from GUI(192.168.242.88), reason:Authentication failure. Please try again..." adminprof=""
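The forwarded line above is a syslog header followed by FortiAnalyzer's key=value event fields, where quoted values (msg, userfrom) may contain spaces, commas and parentheses. The following is an added example, not part of the article or Fortinet's own tooling: it parses that format and counts failed admin logins per user and origin IP, which is the kind of check a syslog collector would run on these events. The sample lines are constructed (the first is the article's own line; the placeholder log_id 0000000000 is not a real FortiAnalyzer log ID), and the failed-login log_id 0001010019 is taken from the article.

```python
import re
from collections import Counter

# Constructed sample input in the format the syslog server receives from
# FortiAnalyzer. The first entry is the article's own line; the rest are
# constructed variations (log_id 0000000000 is a placeholder, not a real ID).
SAMPLE_LINES = [
    '03-25-2016 11:59:38 Local7.Alert 192.168.146.76 date=2016-03-25 time=11:59:57 devname=FAZ2000B '
    'device_id=FL-2KB3R10600008 log_id=0001010019 type=event subtype=system pri=alert user="adda" '
    'userfrom="GUI(192.168.242.88)" msg="User \'adda\' login failed from GUI(192.168.242.88), '
    'reason:Authentication failure. Please try again..." adminprof=""',
    '03-25-2016 11:59:41 Local7.Alert 192.168.146.76 date=2016-03-25 time=12:00:00 devname=FAZ2000B '
    'device_id=FL-2KB3R10600008 log_id=0001010019 type=event subtype=system pri=alert user="adda" '
    'userfrom="GUI(192.168.242.88)" msg="User \'adda\' login failed from GUI(192.168.242.88), '
    'reason:Authentication failure. Please try again..." adminprof=""',
    '03-25-2016 11:59:50 Local7.Alert 192.168.146.76 date=2016-03-25 time=12:00:09 devname=FAZ2000B '
    'device_id=FL-2KB3R10600008 log_id=0001010019 type=event subtype=system pri=alert user="root" '
    'userfrom="GUI(10.0.0.5)" msg="User \'root\' login failed from GUI(10.0.0.5), '
    'reason:Authentication failure. Please try again..." adminprof=""',
    '03-25-2016 12:01:05 Local7.Info 192.168.146.76 date=2016-03-25 time=12:01:24 devname=FAZ2000B '
    'device_id=FL-2KB3R10600008 log_id=0000000000 type=event subtype=system pri=information '
    'user="admin" userfrom="GUI(192.168.242.90)" msg="User \'admin\' login successful from '
    'GUI(192.168.242.90)" adminprof="Super_User"',
]

# One key=value pair; a quoted value is consumed whole so its inner spaces survive.
KV_RE = re.compile(r'([A-Za-z_][\w-]*)=("[^"]*"|\S*)')

def parse_event(line):
    """Split one forwarded line into the syslog header and its key=value fields."""
    first_kv = re.search(r'\b[A-Za-z_][\w-]*=', line)
    if first_kv is None:
        raise ValueError("no key=value section in: %r" % line)
    header = line[:first_kv.start()].split()   # received date, time, facility.severity, source IP
    fields = {"_source": header[-1] if header else ""}
    for key, raw in KV_RE.findall(line[first_kv.start():]):
        fields[key] = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    return fields

FAILED_LOGIN_LOG_ID = "0001010019"  # log_id of the failed-login event shown in the article

def failed_login_sources(lines, threshold=2):
    """Count failed admin logins per (user, origin IP) and return those at or over threshold."""
    counts = Counter()
    for ev in map(parse_event, lines):
        if ev.get("log_id") != FAILED_LOGIN_LOG_ID and "login failed" not in ev.get("msg", ""):
            continue
        origin = re.search(r"\((.*?)\)", ev.get("userfrom", ""))   # "GUI(1.2.3.4)" -> "1.2.3.4"
        counts[(ev.get("user", ""), origin.group(1) if origin else ev.get("userfrom", ""))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}
```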