Created on 09-28-2018 01:21 AM
Edited on 07-14-2023 03:02 AM
By Stephen_G
Description
This article describes the configuration needed to send syslog messages for security events and incidents from FortiNAC to an external syslog server or SIEM, and the troubleshooting steps to follow when the messages do not arrive.
Scope
Version: All.
FortiNAC, Syslog.
Solution
Configuration steps:
1. Add the external syslog server/SIEM to FortiNAC.
Go to System -> Settings -> System Communication -> Log Receivers.
Add a new entry with the IP address of the syslog server. The type, port and facility of the entry must match what the receiver expects; in the capture further below the appliance sends CEF-formatted messages to port 514 with the authpriv facility. For the meaning of each field, refer to:
- FortiNAC administration guide: Log receivers.
- FortiSIEM configuration guide: FortiNAC.
- FortiNAC administration guide: Log events to an external log host.
2. Create an Event-Alarm mapping.
Go to Logs -> Events & Alarms -> Mappings.
Create a new mapping for the Admin User Login Failure and Admin User Login Success events and enable the option that sends the resulting alarm to the external log hosts.
3. Test the configuration:
- Log out of the admin account.
- Enter a wrong password to generate an Admin User Login Failure event.
- Log in correctly with the admin account to generate an Admin User Login Success event.
Both events should then reach the log receiver. The following capture, taken with tcpdump on the FortiNAC appliance (see the troubleshooting section below), shows the two CEF messages on the wire:
naclab1.lab.local.syslog > DESKTOP-box.syslog: SYSLOG, length: 182
Facility authpriv (10), Severity notice (5)
Msg: Jun 28 18:03:31 : CEF:0|Fortinet|FortiNAC-VM-CA|7.2.2.0062|12484|Admin User Login Failure|1|rt=Jun 28 18:03:31.437 CEST cat=User suid=admin msg=Admin user admin failed to log in.
naclab1.lab.local.syslog > DESKTOP-box.syslog: SYSLOG, length: 175
Facility authpriv (10), Severity notice (5)
Msg: Jun 28 18:03:38 : CEF:0|Fortinet|FortiNAC-VM-CA|7.2.2.0062|12485|Admin User Login Success|1|rt=Jun 28 18:03:38.490 CEST cat=User suid=admin msg=Admin user admin logged in.
In the CEF header, 12484 and 12485 are the FortiNAC event IDs for the login failure and login success; the extension field suid carries the admin account name and rt the event time as recorded by the appliance.
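As an added example, not part of the original article and not FortiNAC or Fortinet code, the script below does on the receiving side what a SIEM parser has to do with messages like the two captured above: strip the syslog prefix, split the CEF header and extension fields (honouring the CEF escape characters), and then apply a simple detection, flagging an admin account whose successful login follows failed attempts within a time window. The two sample messages are constructed from the capture; the event IDs 12484/12485 and the rt timestamp format are taken from it and assumed to be stable.

```python
"""Parse FortiNAC CEF syslog messages and flag failed-then-successful admin logins.

Added example for this article, not FortiNAC or Fortinet code. The sample input
is constructed from the two Msg payloads shown in the tcpdump capture above.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample input: the Msg payloads of the two captured datagrams.
SAMPLE_MESSAGES = [
    "Jun 28 18:03:31 : CEF:0|Fortinet|FortiNAC-VM-CA|7.2.2.0062|12484|Admin User Login Failure|1|"
    "rt=Jun 28 18:03:31.437 CEST cat=User suid=admin msg=Admin user admin failed to log in.",
    "Jun 28 18:03:38 : CEF:0|Fortinet|FortiNAC-VM-CA|7.2.2.0062|12485|Admin User Login Success|1|"
    "rt=Jun 28 18:03:38.490 CEST cat=User suid=admin msg=Admin user admin logged in.",
]

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")
# Event IDs as they appear in the capture (assumption: stable across FortiNAC releases).
LOGIN_FAILURE_ID, LOGIN_SUCCESS_ID = "12484", "12485"

# One 'key=value' pair; the value runs until the next ' key=' boundary or end of line.
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")
_UNESCAPE = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}


def parse_cef(line: str) -> Dict[str, str]:
    r"""Return the header and extension fields of one CEF message as a flat dict.

    The syslog timestamp FortiNAC prepends before 'CEF:' is dropped, the seven
    header fields are split on unescaped '|', and extension values are split on
    unescaped ' key=' boundaries with the CEF escapes \=, \\, \n and \r undone.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    s = line[start + len("CEF:"):]
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(s) and len(fields) < len(HEADER_FIELDS):
        c = s[i]
        if c == "\\" and i + 1 < len(s):   # '\|' or '\\' inside a header field
            buf.append(s[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than 7 fields")
    event = dict(zip(HEADER_FIELDS, fields))
    for m in _EXT_PAIR.finditer(s[i:]):
        event[m.group(1)] = re.sub(
            r"\\(.)", lambda e: _UNESCAPE.get(e.group(1), e.group(0)), m.group(2))
    return event


def rt_seconds(rt: str) -> float:
    """Convert FortiNAC's rt value ('Jun 28 18:03:31.437 CEST') to seconds.

    The zone token is ignored (all messages come from one appliance) and the
    year is absent, so only differences between two values are meaningful."""
    stamp = " ".join(rt.split()[:3])
    dt = datetime.strptime(stamp, "%b %d %H:%M:%S.%f")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def admin_login_alerts(events: List[Dict[str, str]], min_failures: int = 3,
                       window_s: float = 300.0) -> List[Tuple[str, int]]:
    """Flag each admin account whose successful login follows at least
    min_failures failures within window_s seconds (guess-then-succeed pattern).

    Returns [(suid, failure_count), ...] in the order the successes were seen;
    messages from other CEF sources sharing the collector are ignored."""
    failures: Dict[str, List[float]] = {}
    alerts: List[Tuple[str, int]] = []
    for ev in sorted(events, key=lambda e: rt_seconds(e["rt"])):
        if ev.get("vendor") != "Fortinet" or not ev.get("product", "").startswith("FortiNAC"):
            continue
        user, t = ev.get("suid", "?"), rt_seconds(ev["rt"])
        if ev["signature_id"] == LOGIN_FAILURE_ID:
            failures.setdefault(user, []).append(t)
        elif ev["signature_id"] == LOGIN_SUCCESS_ID:
            recent = [f for f in failures.pop(user, []) if t - f <= window_s]
            if len(recent) >= min_failures:
                alerts.append((user, len(recent)))
    return alerts


if __name__ == "__main__":
    parsed = [parse_cef(m) for m in SAMPLE_MESSAGES]
    for ev in parsed:
        print(ev["signature_id"], ev["name"], "suid=" + ev["suid"], ev["rt"])
    print("alerts, min_failures=1:", admin_login_alerts(parsed, min_failures=1))
    print("alerts, min_failures=3:", admin_login_alerts(parsed))
```

With the two captured messages, a threshold of one failure produces the alert ("admin", 1), while the default threshold of three produces none; tune min_failures and window_s to the environment. The header parser is written by hand rather than with str.split("|") because CEF allows an escaped pipe inside header fields, which a naive split would corrupt.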
Troubleshooting:
If the messages do not reach the syslog server, first confirm the following:
- The IP address of the syslog server is configured in the appliance (System -> Settings -> System Communication -> Log Receivers). For instructions, refer to the Log Receivers section of the Administration Guide.
- The desired events are configured to be logged externally under Logs -> Event Management. For instructions, refer to the Configure events to log externally section of the Administration Guide.
Then check on the wire whether the appliance sends the message at all:
- Start tcpdump on the appliance CLI to capture syslog traffic towards the log receiver, saving the output to a text file:
tcpdump -nnl -vvv -i eth0 host <log receiver IP> and port 514 | tee tcpdumpSyslog.txt
(-l makes the output line-buffered so that it reaches the file while the capture is still running; adjust the interface if the log receiver is reached through a port other than eth0, and the port if the receiver does not listen on 514.)
- Perform an action to trigger the desired event.
- Verify the event was triggered. Navigate to Logs -> Events & Alarms and search for the event and the generated alarm.
- If the event and the alarm were generated, the tcpdump output should show the syslog message. If the event is present in FortiNAC but no packet is captured, the problem lies in the event or log receiver configuration on the appliance; if the packet is captured but the SIEM does not show it, check the network path and the SIEM's listener and parser instead.
- Press Ctrl-C at any time to stop tcpdump.
If the issue persists, collect the following to take the investigation further (for example when opening a support ticket):
- A description of the issue.
- The IP address of the server to receive the syslog.
- A screen capture of Logs -> Event Management showing the desired event's configuration.
- A screen capture of System Communication -> Log Receivers.
- A screen capture of Logs -> Events showing the event generated (if generated).
- A screen capture of Help -> About.
- tcpdumpSyslog.txt.