Does this information look incorrect or out-of-date? Please contact us at firstname.lastname@example.org.
You can forward logs from a FortiAnalyzer unit to another FortiAnalyzer unit, a syslog server, or a Common Event Format (CEF) server.
The client is the FortiAnalyzer unit that forwards logs to another device. The server is the FortiAnalyzer unit, syslog server, or CEF server that receives the logs.
In addition to forwarding logs to another unit or server, the client retains a local copy of the logs. The local copy of the logs is subject to the data policy settings for archived logs. See Log storage for more information.
Forwarding mode only requires configuration on the client side. No configuration is needed on the server side. In aggregation mode, accepting the logs must be enabled on the FortiAnalyzer that is acting as the server.
Forwarding mode can be configured in the GUI. No configuration is required on the server side.
To configure the client:
- Go to System Settings > Log Forwarding.
- Click Create New in the toolbar. The Create New Log Forwarding pane opens.
- Fill in the information as per below, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.
- Name: Enter a name for the remote server.
- Status: Set to On to enable log forwarding. Set to Off to disable log forwarding.
- Remote Server Type: Select the type of remote server to which you are forwarding logs: FortiAnalyzer, Syslog, or Common Event Format (CEF).
- Server IP: Enter the IP address of the remote server.
- Server Port: Enter the server port number. Default: 2514. This option is only available when the server type in not FortiAnalyzer.
- Reliable Connection: Turn on to use TCP connection. Turn off to use UDP connection. If you are forwarding logs to a Syslog or CEF server, ensure this option is supported before turning it on.
- Sending Frequency: Select when logs will be sent to the server: Real-time, Every 1 Minute, or Every 5 Minutes (default). This option is only available when the server type is FortiAnalyzer.
- Log Forwarding Filters:
- Device Filters: Click Select Device, then select the devices whose logs will be forwarded.
- Log Filters: Turn on to configure filter on the logs that are forwarded.
- Select All or Any of the Following Conditions in the Log messages that match field to control how the filters are applied to the logs.
- Add filters to the table by selecting the Log Field, Match Criteria, and Value for each filter.
- Enable Exclusions: This option is only available when the remove server is a Syslog or CEF server.
- Turn on to configure filter on the logs that are forwarded.
- Add exclusions to the table by selecting the Device Type and Log Type. Then, add Log Fields to the Exclusion List by clicking Fields and specifying the excluded log fields in the Select Log Field pane.
Devices whose logs are being forwarded to another FortiAnalyzer device are added to the server as unregistered devices. To register devices, see Adding devices manually.
Aggregation mode can only be configured using the CLI. Aggregation mode configurations are not listed in the GUI table, but still use a log forwarding ID number.
Use the following CLI command to see what log forwarding IDs have been used:
get system log-forward
To configure the server:
- If required, create a new administrator with the Super_User profile. See Creating administrators.
- Enable log aggregation and, if necessary, configure the disk quota, with the following CLI commands:
config system log-forward-service
set accept-aggregation enable
set aggregation-disk-quota <quota>
To configure the client:
- Open the log forwarding command shell:
config system log-forward
- Create a new, or edit an existing, log forwarding entry:
edit <log forwarding ID>
- Set the log forwarding mode to
set mode aggregation
- Set the server display name and IP address:
set server-name <string>
set server-ip <xxx.xxx.xxx.xxx>
- Enter the user name and password of the super user administrator on the server:
set agg-user <string>
set agg-password <string>
- If required, set the aggregation time from 0 to 23 hours (default: 0, or midnight):
set agg-time <integer>
- Enter the following to apply the configuration and create the log aggregation:
- The following line will be displayed to confirm the creation of the log aggregation:
check for cfg[<log forwarding ID>] svr_disp_name=<server-name>