Logmanager documentation

FortiGate

You can configure FortiGate to send logs to Logmanager through GUI or CLI configuration.

Configuring via GUI

LOGmanager_IP is the IP address of your Logmanager server.

Configuring via CLI

To collect logs from a FortiGate device, follow these steps.

Log in to the FortiGate device via the CLI and enter the following commands:

FortiGate # conf log syslogd setting

FortiGate (setting) # set status enable

FortiGate (setting) # set server "<Logmanager_IP_address>"

FortiGate (setting) # show
config log syslogd setting
set status enable
set server "<Logmanager_IP_address>"
set source-ip "<FortiGate_IP_address>"
end

FortiGate (setting) # end
Logmanager_IP_address is the IP address of your Logmanager server.
FortiGate_IP_address is the IP address of your FortiGate device (the source address the syslog messages are sent from).

FortiOS version 6.x

With its default settings, FortiOS version 6.x sends interim updates for every open firewall session that has logging enabled. This can cause a huge increase in the number of messages sent by FortiGate: instead of one log message at the end of each session, every session is logged multiple times with increasing counters of transmitted data (e.g. a 30-minute web session to a web server can produce 30 logs instead of 1).

To disable this behaviour, use this configuration:

config log syslogd filter
   set filter "logid(20)"
   set filter-type exclude
end

Log collection optimization

The default logging scheme for sending logs to syslog is not optimal. By default, FortiOS logs the following:

  1. Start of the session,
  2. Session progress every few minutes,
  3. End of the session.

This means that a long-running session (for example, one that survives cluster restarts) generates a large volume of log traffic, which can distort the traffic dashboards.

Example log:

<189>date=2023-03-30 time=15:10:32 devname="fortigate" devid="FGTXXXXXXXXXX" eventtime=1680181831275545540 tz="+0200" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="logmanager" srcip=192.0.0.20 srcport=5800 srcintf="interface" srcintfrole="lan" dstip=192.0.0.112 dstport=51100 dstintf="interface" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=89863 proto=17 action="accept" policyid=1 policytype="policy" poluuid="921f6344-c8e9-51ed-6b51-36e37acbdaf5" policyname="policy_name" service="udp/51100" trandisp="noop" duration=264373 sentbyte=46193641625 rcvdbyte=0 sentpkt=61293266 rcvdpkt=0 appcat="unscanned" sentdelta=25083758 rcvddelta=0 devtype="Router" mastersrcmac="00:00:00:00:00:00" srcmac="00:00:00:00:00:00" srcserver=0

If you choose to drop these interim records, you can save 10 to 80% (depending on the traffic) of the log events sent by FortiGate.

Configuring the optimization from the CLI:

  config log syslogd filter
    config free-style
      edit 1
        set category traffic
        set filter "(logid 0000000020)"
        set filter-type exclude
      next
    end
  end
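To see what the exclude filter above (and the logid(20) filter for FortiOS 6.x) actually removes, the following added example parses FortiGate key=value syslog lines and emulates the filter on a constructed session. This is illustrative code written for this page, not part of Logmanager or FortiOS; the sample lines are constructed, and only logid 0000000020 is taken from the page.

```python
import re
from collections import Counter

# FortiOS syslog body is space-separated key=value pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_PRI_RE = re.compile(r'^<(\d+)>')
INTERIM_LOGID = "0000000020"  # interim session-statistics record dropped by the page's filter

def parse_fortigate_line(line):
    """Parse one FortiGate syslog line into a dict (syslog PRI kept under 'pri')."""
    fields = {}
    m = _PRI_RE.match(line)
    if m:
        fields["pri"] = int(m.group(1))
        line = line[m.end():]
    for key, value in _KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields

def is_interim_update(fields):
    """True for the interim traffic update that the `(logid 0000000020)` filter matches."""
    return fields.get("type") == "traffic" and fields.get("logid") == INTERIM_LOGID

def apply_exclude_filter(lines):
    """Emulate `set filter "(logid 0000000020)"` with `set filter-type exclude`.
    Returns the kept lines and a stats dict with the percentage of events saved."""
    kept, stats = [], Counter()
    for line in lines:
        if is_interim_update(parse_fortigate_line(line)):
            stats["dropped"] += 1
        else:
            stats["kept"] += 1
            kept.append(line)
    total = stats["kept"] + stats["dropped"]
    stats["saving_pct"] = round(100.0 * stats["dropped"] / total, 1) if total else 0.0
    return kept, dict(stats)

# Constructed sample: five interim updates for one UDP session (fields trimmed from the
# page's example), a session-close record and one event log. Only logid 0000000020 is
# taken from the page; the other two logid values are illustrative placeholders.
_TRAFFIC = ('<189>date=2023-03-30 time=15:{m:02d}:32 devname="fortigate" logid="{logid}" '
            'type="traffic" subtype="forward" sessionid=89863 proto=17 action="{action}" '
            'service="udp/51100" sentbyte={sent} sentdelta=25083758')
SAMPLE_LINES = [_TRAFFIC.format(m=10 + 5 * i, logid=INTERIM_LOGID, action="accept",
                                sent=25083758 * (i + 1)) for i in range(5)]
SAMPLE_LINES.append(_TRAFFIC.format(m=35, logid="0000000013", action="close", sent=25083758 * 6))
SAMPLE_LINES.append('<190>date=2023-03-30 time=15:36:00 devname="fortigate" logid="0100032001" '
                    'type="event" subtype="system" level="information" action="login"')
```

Running `apply_exclude_filter(SAMPLE_LINES)` drops the five interim records and keeps the close record and the event log, a 71.4% reduction for this constructed session.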