Fortinet Fortigate 6.x: how to get logs by syslog TCP and parse them in the Sentinel collector

Hi

I have Fortinet Fortigate 6.x and Sentinel 8.6.

How can I connect Fortinet Fortigate 6.x using the Fortinet collector? Officially only version 5.x is supported, and another problem is that Fortinet by default uses Octet Counting delivery of syslog per RFC 6587.

I do not get any messages from the syslog connector. It looks like the problem is that Fortinet sends data in this format:

<189>date=2022-06-28 time=15:16:11 devname="node1" devid="FG100FTK21020555" eventtime=1656422170966525520 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="v-public" srcip=10.26.129.113 srcport=29804 srcintf="V_LB_AGW" srcintfrole="dmz" dstip=10.26.135.17 dstport=443 dstintf="V_FAS" dstintfrole="dmz" srccountry="Reserved" dstcountry="Reserved" ..

It looks like the problem is that it is not compatible with RFC 5424: in the HEADER, Timestamp, HOSTNAME and APP-NAME are missing (it is impossible to route this message).
Probably setting this could help, but I do not know.
Switch to legacy TCP logging (according to RFC 3195):
#config log syslogd setting
    set mode <udp|legacy-reliable>
end

Is there somebody who has some experience with configuring Fortinet 6.x to connect to the Sentinel Fortinet collector?

Thank you, Jiri
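
The framing and message format described in the post above, as an added example that is not part of the original post and not code from Fortinet or Sentinel: a receiver for RFC 6587 octet counting (MSG-LEN SP SYSLOG-MSG) that reassembles messages across TCP reads, then splits the `<PRI>key=value` body into fields. The names `OctetCountingDecoder`, `frame`, `parse_fortigate` and the `MAX_FRAME` limit are assumptions, and the sample is a shortened copy of the log line quoted in the post.

```python
import re

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')  # key="quoted value" or key=bare
MAX_FRAME = 64 * 1024  # assumed sanity limit on MSG-LEN, not from the post
# Constructed sample: a shortened form of the log line quoted in the post.
SAMPLE = (b'<189>date=2022-06-28 time=15:16:11 devname="node1" type="traffic" '
          b'level="notice" srcip=10.26.129.113 dstport=443 srccountry="Reserved"')


def frame(msg):
    """Sender side of RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG."""
    return str(len(msg)).encode() + b" " + msg


class OctetCountingDecoder:
    """Receiver side: reassembles messages from arbitrary TCP read boundaries."""
    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        out = []
        while self.buf:
            prefix, sep, rest = self.buf.partition(b" ")
            if not prefix.isdigit() or len(prefix) > 6:
                raise ValueError("stream is not octet-counted")
            if not sep:
                break  # the length prefix itself is still incomplete
            n = int(prefix)
            if n == 0 or n > MAX_FRAME:
                raise ValueError("implausible MSG-LEN")
            if len(rest) < n:
                break  # the message continues in the next read
            out.append(rest[:n])
            self.buf = rest[n:]
        return out


def parse_fortigate(msg):
    """Return (facility, severity, fields) for a '<PRI>key=value ...' message."""
    text = msg.decode("utf-8", "replace")
    m = re.match(r"<(\d{1,3})>", text)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group(1))
    fields = {k.group(1): k.group(2) if k.group(2) is not None else k.group(3)
              for k in KV_RE.finditer(text, m.end())}
    return pri >> 3, pri & 7, fields
```

A listener that expects one message per line or per read sees the leading length digits as part of the message, and a decoder like this one rejects a stream that starts directly with `<PRI>`, so both ends must agree on the framing.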
