By Manny Fernandez

April 27, 2020

Syslog Filtering on FortiGate Firewall & Syslog-NG

We recommend sending FortiGate logs to a FortiAnalyzer, as it produces great reports and great, usable information. However, sometimes you need to send logs to other platforms such as SIEMs. When sending to a SIEM, you are usually charged by EPS (Events Per Second), although some vendors have moved to charging by total volume of data. You may therefore want to filter some logs from being sent to a particular syslog server. Here is a quick How-To for setting up syslog-ng and FortiGate syslog filters.

I am going to install syslog-ng on a CentOS 7 in my lab.  I always deploy the minimum install.

Installing Syslog-NG

This will be a brief install without a lot of customization. Syslog-NG has a corporate edition with support. Syslog-NG (paid and community versions) allows you to create a distributed syslog environment. In another life, I owned an MSSP and we had an instance of syslog-ng running on our Linux firewalls; they would collect locally and forward to our SOC for processing and archival.

Note: Although this article contains a syslog-ng install, you can obviously use any syslog solution.

After you have a vanilla CentOS box up and running, you will need to install the repository and then the packages.

yum install wget
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh epel-release-latest-7.noarch.rpm

cd /etc/yum.repos.d/
wget https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng324/repo/epel-7/czanik-syslog-ng325-epel-7.repo
yum install syslog-ng
#Ensure you answer yes when prompted

Remove the default syslog package
yum erase rsyslog

Enable auto start and manually start syslog-ng
systemctl enable syslog-ng
systemctl start syslog-ng


After you install syslog-ng you will need to configure the /etc/syslog-ng/syslog-ng.conf file.

Look for the line that is commented out with a # and remove the #. The config should look like the one below.

Note: You will need to sudo or su; otherwise the file will be read-only. If you are using vi as I do, the command that lets you edit the file is i, and once you are done you need to hit esc then x.

[Screenshot: the edited /etc/syslog-ng/syslog-ng.conf]

You will also need to either disable the firewall or create a rule allowing UDP 514 (or whatever port you defined in /etc/syslog-ng/syslog-ng.conf).

 

Configuring the FortiGate

The FortiGate allows you to configure multiple FortiAnalyzers (FAZ) and multiple syslog servers.  I will not cover FAZ in this article but will cover syslog.

LAB-FW-01 # config log syslogd
syslogd Configure first syslog device.
syslogd2 Configure second syslog device.
syslogd3 Configure third syslog device.
syslogd4 Configure fourth syslog device.

When configuring syslog servers on the FortiGate, you can see in the snippet above that there are 4 syslog servers you can create. In this example I will use syslogd, the first one available to me.

config log syslogd setting
    set status enable
    set server "10.1.106.218"
    set source-ip "10.1.106.1"
end

In my example, I am enabling this syslog instance with set status enable, then I set the IP address of the server using set server "10.1.106.218" and the source IP with set source-ip "10.1.106.1".

There are other configurations you can add such as format (default, csv, or cef), etc.

config log syslogd setting
       set status enable
       set server "10.1.106.218"
       set mode udp
       set port 514
       set facility local7
       set source-ip "10.1.106.1"
       set format default
       set priority default
       set max-log-rate 0
end

Configuring Filters

By replacing setting with filter in the syslog configuration command, you can define filters for that syslog instance's configuration. Remember that each filter is tied to the syslog instance number. That is, if you want to create a filter for your syslogd2 instance, you would need to enter config log syslogd2 filter, and so on for the others.

config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter "logid(0100032002)"
    set filter-type include
end

As you can see in my filter, I ONLY want authentication messages with the message ID 0100032002.

The other important command above is filter-type. With this command, you can make the message IDs matched by the previous line either include or exclude, meaning either I want everything except 0100032002, or I ONLY want 0100032002.
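To verify on the syslog-ng side that the FortiGate filter is doing what you expect, here is a small added example (my own code, not from the article or from Fortinet) that parses FortiGate default-format key=value syslog lines, applies the same include/exclude semantics to the logid field, and reports any log IDs that arrived but should not have. The sample lines and the device ID are constructed; only logid 0100032002 comes from the article.

```python
import re

# Constructed sample lines in the FortiGate "default" key=value syslog format.
# The devid and the log IDs other than 0100032002 are placeholders for this example.
SAMPLE_LINES = [
    'date=2020-04-27 time=18:20:45 devname="LAB-FW-01" devid="FGXXXXXXXXXXXXXX" '
    'logid="0100032002" type="event" subtype="system" level="information" '
    'vd="root" msg="Constructed sample: authentication event"',
    'date=2020-04-27 time=18:20:46 devname="LAB-FW-01" devid="FGXXXXXXXXXXXXXX" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'vd="root" srcip=10.1.106.50 dstip=10.1.200.10 action="accept"',
    'date=2020-04-27 time=18:20:47 devname="LAB-FW-01" devid="FGXXXXXXXXXXXXXX" '
    'logid="0100032003" type="event" subtype="system" level="information" '
    'vd="root" msg="Constructed sample: another system event"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value syslog line into a dict, stripping quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def passes_filter(record, logids, filter_type):
    """Mirror the FortiGate filter-type: include keeps only matching log IDs,
    exclude drops them and keeps everything else."""
    if filter_type not in ("include", "exclude"):
        raise ValueError("filter_type must be 'include' or 'exclude'")
    matched = record.get("logid") in logids
    return matched if filter_type == "include" else not matched


def filter_lines(lines, logids, filter_type):
    """Return the raw lines a syslog server would receive under the given filter."""
    wanted = set(logids)
    return [ln for ln in lines if passes_filter(parse_fortigate_log(ln), wanted, filter_type)]


def unexpected_logids(received_lines, allowed_logids):
    """Audit helper: log IDs present in the received stream that an include
    filter for allowed_logids should have suppressed."""
    seen = {parse_fortigate_log(ln).get("logid") for ln in received_lines}
    return seen - set(allowed_logids)
```

Run unexpected_logids over the file syslog-ng writes for the FortiGate; an empty set means the include filter on the firewall is behaving as configured.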

To find the message IDs, you should go to the Fortinet Docs repository. The link provided is specifically for FortiOS 6.4, but you can look for your own FortiOS version. Look for the Log Message Reference section of the doc page.

[Screenshot: FortiOS Log Message Reference page]
