
Fortinet FortiGate 6.x: how to get logs via syslog TCP and parse them in the Sentinel collector

Hi

I have a Fortinet FortiGate 6.x and Sentinel 8.6.

How can I connect a Fortinet FortiGate 6.x via the Fortinet collector? Only version 5.x is officially supported, and another problem is that Fortinet by default uses octet-counting delivery of syslog per RFC 6587.

I do not get any messages from the syslog connector. It looks like the problem is that the FortiGate sends data in this format:

<189>date=2022-06-28 time=15:16:11 devname="node1" devid="FG100FTK21020555" eventtime=1656422170966525520 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="v-public" srcip=10.26.129.113 srcport=29804 srcintf="V_LB_AGW" srcintfrole="dmz" dstip=10.26.135.17 dstport=443 dstintf="V_FAS" dstintfrole="dmz" srccountry="Reserved" dstcountry="Reserved" ..

It looks like the problem is that it is not compatible with RFC 5424: the HEADER is missing the

TIMESTAMP, HOSTNAME and APP-NAME (so it is impossible to route this message).
Perhaps setting this could help, but I do not know:
Switch to legacy TCP logging (according to RFC 3195):

config log syslogd setting
    set mode legacy-reliable
end

Is there somebody who has experience configuring FortiGate 6.x to connect to the Sentinel Fortinet collector?

Thank you, Jiri

  • 0  

    The message you quoted does not look like it is using octet-counting. It starts with "<", which is the PRI element of the syslog header. If octet-counting were used, the syslog frame would start with a digit.

    You could try using a dedicated syslog connector and event source server (port) in simple mode for Fortinet.

  • 0

    Hi

       I do not know whether FortiGate could use TCP to send logs ...

    This screenshot is what I set on my FortiGate lab.

    The 227 is my Sentinel... 1514 is the UDP 1514 port.

    Wencheng