Logmanager documentation

FortiGate

You can configure FortiGate to send logs to Logmanager through GUI or CLI configuration.

Configuring via GUI


Logmanager_IP_address is the IP address of your Logmanager server.

Configuring via CLI

To collect logs from a FortiGate device, follow these steps.

Log in to the FortiGate device via the CLI and enter the following commands:

FortiGate # conf log syslogd setting

FortiGate (setting) # set status enable

FortiGate (setting) # set server "<Logmanager_IP_address>"

FortiGate (setting) # show
config log syslogd setting
set status enable
set server "<Logmanager_IP_address>"
set source-ip "<FortiGate_IP_address>"
end

FortiGate (setting) # end
Logmanager_IP_address is the IP address of your Logmanager server.
FortiGate_IP_address is the IP address of your FortiGate device.

FortiOS version 6.x

By default, FortiOS version 6.x sends interim updates for every open firewall session that is set to logging. This can cause a huge increase in the number of messages sent by FortiGate, because instead of one log message at the end of each session, every session is logged multiple times with increasing counters of transmitted data (for example, a 30-minute web session to a web server can produce 30 logs instead of 1).

To disable this behaviour, use this configuration:

config log syslogd filter
   set filter "logid(20)"
   set filter-type exclude
end

Log collection optimization

The default logging scheme, with logs sent to syslog, is not quite optimal. By default, FortiOS logs the following:

  1. Start of session
  2. Session progress, every few minutes
  3. End of session

This means that, for example, a long-running session (one that survives cluster restarts) generates a large volume of traffic logs, which can break the appearance of the Traffic dashboards.

Example log:

<189>date=2023-03-30 time=15:10:32 devname="fortigate" devid="FGTXXXXXXXXXX" eventtime=1680181831275545540 tz="+0200" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="logmanager" srcip=192.0.0.20 srcport=5800 srcintf="interface" srcintfrole="lan" dstip=192.0.0.112 dstport=51100 dstintf="interface" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=89863 proto=17 action="accept" policyid=1 policytype="policy" poluuid="921f6344-c8e9-51ed-6b51-36e37acbdaf5" policyname="policy_name" service="udp/51100" trandisp="noop" duration=264373 sentbyte=46193641625 rcvdbyte=0 sentpkt=61293266 rcvdpkt=0 appcat="unscanned" sentdelta=25083758 rcvddelta=0 devtype="Router" mastersrcmac="00:00:00:00:00:00" srcmac="00:00:00:00:00:00" srcserver=0

If you choose to drop this information, you can save 10 to 80% (depending on traffic) of the log events from FortiGate.

Configuring optimization from the CLI:

config log syslogd filter
    config free-style
        edit 1
            set category traffic
            set filter "(logid 0000000020)"
            set filter-type exclude
        next
    end
end
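The following added example (not part of the Logmanager documentation or FortiOS) shows what the two exclude filters above do to the message stream: it parses FortiGate key=value syslog records like the example log, mirrors the `logid(20)` / `(logid 0000000020)` exclude rule on the traffic category, and measures how much of a constructed sample it drops. The sample records are constructed, modelled on the page's example, and are not taken from a live device.

```python
import re
from typing import Dict, Iterable, List

# FortiGate emits "key=value" pairs; values are either double-quoted (and may
# contain spaces) or a bare token. The leading "<PRI>" syslog priority field
# is matched separately.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample, modelled on the page's example record: three interim
# updates (logid 20) for one long-running session followed by one
# end-of-session record (a logid other than 20). Not from a real device.
SAMPLE_LINES = [
    '<189>date=2023-03-30 time=15:10:32 devname="fortigate" logid="0000000020" '
    'type="traffic" subtype="forward" srcip=192.0.0.20 dstip=192.0.0.112 '
    'sessionid=89863 duration=264373 sentdelta=25083758 policyname="lan to dmz"',
    '<189>date=2023-03-30 time=15:12:32 devname="fortigate" logid="0000000020" '
    'type="traffic" subtype="forward" sessionid=89863 duration=264493 sentdelta=24990001',
    '<189>date=2023-03-30 time=15:14:32 devname="fortigate" logid="0000000020" '
    'type="traffic" subtype="forward" sessionid=89863 duration=264613 sentdelta=25100123',
    '<189>date=2023-03-30 time=15:15:01 devname="fortigate" logid="0000000013" '
    'type="traffic" subtype="forward" sessionid=89863 duration=264642 sentbyte=46243641625',
]

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate syslog line into a dict; the PRI value is stored as 'pri'."""
    fields: Dict[str, str] = {}
    pri = _PRI_RE.match(line)
    if pri:
        fields["pri"] = pri.group(1)
        line = line[pri.end():]
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def is_interim_traffic_update(fields: Dict[str, str]) -> bool:
    """Mirror the FortiOS exclude filter: category traffic, logid(20)."""
    # FortiOS compares the numeric ID, so "0000000020" and "20" both match.
    logid = fields.get("logid", "")
    return fields.get("type") == "traffic" and logid.isdigit() and int(logid) == 20

def apply_exclude_filter(lines: Iterable[str]) -> List[str]:
    """Return only the records the exclude filter would still forward to Logmanager."""
    return [ln for ln in lines if not is_interim_traffic_update(parse_fortigate_log(ln))]

def reduction_percent(lines: Iterable[str]) -> float:
    """Share of records the filter removes, as a percentage."""
    lines = list(lines)
    return 100.0 * (len(lines) - len(apply_exclude_filter(lines))) / len(lines)
```

Running `reduction_percent(SAMPLE_LINES)` on the constructed sample yields 75.0, since only the session-close record survives; on real traffic the saving falls in the 10 to 80% range the text gives, depending on how many long sessions there are.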