Fortigate syslog port reddit.
Fortigate - Overview.
Fortigate is set up: config log syslogd3 setting set status enable set server "10. Wondering the best way to have a Fortigate firewall log DNS requests to the level where DNS requests will be sent in Syslog into Azure Sentinel via Syslog CEF forwarder VMs - if at all possible. Product. -There should be an option there to point to syslog server. You gotta make configuration on firewall for forwarding logs via syslog. 2 Graylog does many many things the Faz doesn't - like putting firewalls not made by Fortinet on the same dashboard. We are getting far too many logs and want to trim that down. Getting Logstash to bind on 514 is a pain because it's a "privileged" port. Then gave up and sent logs directly to filebeat! I can get the logs into elastic no problem from syslog-NG, but same problem, message field was all in a block and not parsed. di sniffer packet portx 'host x. 6 #FGT2 has log on syslog server #10. When I changed it to set format csv, and saved it, all syslog traffic ceased. :D If you wanna do something with Python, networking, Forti-stuff, and dissecting protocols, maybe try to parse some IPsec traffic, or process Syslog sent from the FortiGate, or generate a RADIUS accounting packet so that FortiGate can ingest it as RSSO, etc. I have noticed a user talking about getting his Fortigate syslogs to filter in his (or her) ELK stack with GROK filters. 60" set port 11556 set format cef end. Syslog cannot. However, as soon as changes are made to the firewall rules for example, the Syslog settings are removed again. Network Access: Ensure that the network allows communication between the Fortigate device and your Syslog server (typically UDP port 514). I would like to send log in TCP from fortigate 800-C v5. If I disable logging to syslog, CPU drops to 1% Syslog-config is quite basic: config log syslogd setting set status enable set server "10. 255 /broadcast addresses, also all blocked.
Azure Monitor Agent (AMA): The agent parses the logs and then sends them to your Microsoft Sentinel (Log Analytics) workspace via HTTPS 443. This way the indexers and syslog don't have to figure out the type of log it is. We have a syslog server that is setup on our local fortigate. I found, syslog over TCP was implemented in RFC6587 on fortigate v6. How do I go about sending the FortiGate logs to a syslog server from the FortiManager? I've defined a syslog-server on the FortiManager under System Settings > Advanced. In this case, 903 logs were sent to the configured Syslog server in the past Like Switch port 1 connects to internal on the Fortigate. What is even stranger is that even if I create a new physical port (e. I can see that the probe is receiving the syslog packets because if I choose "Log Data to Disk" I am able to see the syslog entries in the local log on the probe. It's easy to configure on the Fortigate, getting Zabbix to process it will probably be a bit more difficult but just play with it and read the documentation on Zabbix for SNMP Traps. Then the devices connecting to the switch would be untagged. This will create various test log entries on the unit's hard drive, to a configured Syslog server, to a FortiAnalyzer device, to a WebTrends device, or to the unit's System Dashboard (System -> Status). Hi Everyone; I'm trying to only forward IPS events to a Aug 22, 2024 · FortiGate. 1 ( BO segment is 192. 90. Here's a small sample of one of my dashboards: Imgur Hey, I get some weird Loglines in my Fortigate - it concludes in IP 208. The categories are tailored for logging on a unix/linux system, so they don't necessarily make much sense for a FortiGate (see the link). When enabled, the FortiGate unit implements the RAW profile of RFC 3195 for reliable delivery of log messages to the syslog server. and seeing a lot of traffic on port 137 udp to 192. Now, here is the problem.
reliable {enable | disable}: Enable reliable delivery of syslog messages to the syslog server. 9|00013|traffic:forward close|3|deviceExternalId=>our fw serial number> FTNTFGTeventtime=1670180696638926545 FTNTFGTtz=+0100 This article describes how to configure FortiGate to send encrypted Syslog messages to the Syslog server (rsyslog - Ubuntu Server 20. X. It is possible you could write a rule assigning all events from your UDM a level, say 3, this way they are on the dashboard and if you find interesting ones from there, update your rules to give it a note I would like to install a FortiSwitch FS-124F-POE in my company as a distribution switch. I was under the assumption that syslog follows the firewall policy logging rules, however now I'm not so sure. Jan 15, 2025 · Actively listens for Syslog messages in CEF format originating from FortiGate on TCP/UDP port 514. 210. Lab Network) I give it rather than the physical port name (ex. A problem I once had was that the FortiGate wasn't starting new sessions however and I had to clear the previous sessions first. 50. we still do the following for new builds config system fortiguard set fortiguard-anycast disable set protocol udp set port 53 set update-server-location usa I tried to set up syslog forwarding to Sumo Logic but it doesn't seem to be working. The below image is captured from the log activity showing the source IP and destination IP as being the same device (my firewall) with the source and First off is the input actually running, port under 1024 are protected and often don't work, so it's best to use a higher port if you can like 5140 etc. Solution . Yes, you can use it as a syslog server for other brands but the log won't be "parsed" so you can't search by source, destination, etc but you can still do a basic text search. With syslog, a 32bit/4byte IP address, turns into a 7 to 19 character dotted quad, a 32bit/4byte timestamp, turns into a min 15byte field. 99. However, as soon as I create a VLAN (e.
NOTICE: Dec 04 20:04:56 FortiGate-80F CEF:0|Fortinet|Fortigate|v7. Enable or disable a reliable connection with the syslog server. I have managed to set it up to ingest syslog data from my Fortigate device but when viewing the logs in log activity the source and destination information along with the port information. It's not automated but much easier than having to strip out stuff in excel. But the logged firewall traffic lines are missing. I have tried this and it works well - syslogs gets sent to the remote syslog server via the standard syslog port at UDP port 514. Could anyone take the time to help me sort this out? I am literally mindfucked on how to even do this. Thx, found it while waiting for your answer :-) The firewall is sending logs indeed: 116 41. Purpose. I have tried set status disable, save, re-enable, to no avail. Is it possible to manage the FortiSwitch on the FortiGate with FortiLink without connecting it directly? The simplified topology would be: FortiGate <-----> HPE Switch <-----> FortiSwitch Lots of people here suggesting HA reserved management interface, but IMO “set standalone-mgmt-vdom enable” is a much better option. I have been messing around with trying to get a FortiGate to log to this machine. x end Then on the WAN interface I have: set netflow-sampler both Is anyone experiencing something similar? Is there any additional config that you reckon I need? Thanks for any help. 02. Syslog collector at each client is on a directly-connected subnet and connectivity tests are all fine. set status enable. Diskless firewalls with SYSLOG forwarding if you already have a setup is also an option, though think how you'll parse it for the information you want and the ability to report on it if so. It's only potentially relevant for the receiving Syslog server (you should set it to an expected value, if the server expects a specific one). Secure Connection. Typically you'd have it set so VLAN100 and VLAN200 would be tagged on port 1.
Basically trying to get DNS requests into our SIEM so we can reverse engineer situation when/if required, from a single view. Not receiving any logs on the other end. set port 1601 #FGT2 has two vdoms, root is management, other one is NAT #FGT2 mode is 1000D, v5. Syslog Server Port. Solution: To send encrypted packets to the Syslog server, FortiGate will verify the Syslog server certificate with the imported Certificate Authority (CA) certificate during the TLS handshake. " Now I am trying to understand the best way to configure logging to a local FortiAnalyzer VM and logging to a SIEM via syslog to a local collector. I can see from my Firewall logs that syslog data is flowing from devices to the Wazuh server, it's just not presenting anything in the OpenSearch area. The docs for syslog-ng say to remove rsyslog. And use trusted host for the admin logins account so this way you control what ip subnet has access. I went so far as to enable verbose logging on syslog-ng, that SCALE uses to send, and cannot even tell where it's trying to send over the requested IP and port. config log syslogd setting. If you do post there, give as much detail as possible (model, firmware, config snippet if possible, and screenshots of the results. 1" set port 1601 Where: portx is the nearest interface to your syslog server, and x. Enter the IP address or FQDN of the syslog server. We're looking to build several IPSec tunnels to the VM. I can telnet to port 514 on the Syslog server from any computer within the BO network. port 443, 445,80 etc are all being dropped. Protocol and Port. We are doing large scale nat (not cgn because the firewall uses symmetric nat) and need this log info in order to comply with court subpoenas. Hi brother, I'm using port 514 udp for forwarding syslog events. 2. Hi, I am new to this whole syslog deal. Additionally, I have already verified all the systems involved are set to the correct timezone. Fortigate logs comes via syslog.
Syslog-ng configs are very readable and easy to work with. “The root cause behind this issue appears to be Palo Alto evaluating the IKE traffic as "ipvanish" which shares the same port (500) but doesn't meet the Palo Alto security rules and is therefore blocked. For example, for this public ip and port, the private ip was xyz. Since you mentioned NSG , assume you have deployed syslog in Azure. x I have a Syslog server sitting at 192. It appears that ASA should use udp/514 by default - it's only if you choose something else that only high ports are available. For the FortiGate it's completely meaningless. Have you tested this? I have a branch office 60F at this address: 192. I really like syslog-ng, though I have actually not touched it in a while for work, to be fair. Hi, port mirroring = all the traffic will go to the ndr - no messages of the firewall itself syslog = message which the firewall generates itself, for example a connection was allowed, a connection was blocked, depending on your firewall you can also have ids messages like: this connection is suspicious, or vpn login information, and firewall internal messages like a policy was changed or an By default it will listen on port 514; you can configure the Fortigate to send logs to that port or change ports with the port => xxx configuration. FortiNDR (formerly FortiAI) Logging. 8 . 49. miglogd is below 1%. Scenario 1: If a syslog server is configured in Global and syslog-override is disabled in the VDOM: config global. My boss had me set up a device with our ConnectWise SIEM which I have done and now wants me to get our FortiGate 60E syslogs to be sent to the SIEM. 172. The following command can be used to check the log statistics sent from FortiGate: diagnose test application syslogd 4 . I already have HPE core switches attached directly to my FortiGate.
UDP/514 Make a test, install a Ubuntu system, install rsyslog, send the fortigate syslog data to this system, check if it works, install a Wazuh agent on this system and read the syslog file, check the archive logs, test your decoder and rules set on the Wazuh Manager. Sep 20, 2024 · From the output, the log counts in the past two days are the same between these two daemons, which proves the Syslog feature is running normally. 9, is that right? We want to limit noise on the SIEM. x is your syslog server IP. Solution: The Syslog server is configured to send the FortiGate logs to a syslog server IP. 9 end Aug 12, 2019 · The syslog message stream has the following ABNF [RFC5234] definition: TCP-DATA = *SYSLOG-FRAME SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG ; Octet-counting ; method MSG-LEN = NONZERO-DIGIT *DIGIT NONZERO-DIGIT = %d49-57. x ) HQ is 192. x. set server "192. When I change in UDP mode I receive 'normal' log. Enable it and put in the IP address of your syslog server or CLI: #config log syslogd setting #set server <IP Address> #set port 514 -Already default #set status enable CLI however, allows you to add up to 4 syslog servers At this point, I am about done with Sonicwall and am starting to look into PAN, FortiGate, Check Point and Cisco, among others, for a different NGFW solution in hopes that I can have better reporting and analytics, in addition to better security tools/features. When I make a change to the fortigate syslog settings, the fortigate just stops sending syslog. Hi there, I have a FortiGate 80F firewall that I'd like to send syslog data from to my SIEM (Perch/ConnectWise SIEM). 1. Log of FortiOS because my actual 7. . diag sniffer packet any 'port 514' 4 n . Fortinet Syslog Issues Am trying to send logs to syslog server but fortigate 3810a is But I am sorry, you have to show some effort so that people are motivated to help further. my-firewall (netflow) # show config system netflow set collector-ip x.
70" set mode reliable set port 9005 set format csv end. 112. I'm not 100% sure, but I think the issue is that the FortiGate doesn't send a timestamp in its syslog data. I ran tcpdump to make sure the packets are getting to the server, and netstat to make sure the port is open. 132. I currently have the IP address of the SIEM sensor that's reachable and supports syslog ingestion to forward it to the cloud (SIEM is a cloud solution). I am having all of the syslog from the Fortigate go to port 514, and attempting to have I don't have personal experience with Fortigate, but the community members there certainly have. Can Anyone Identify any issues with this setup? Documentation and examples are sparse. FortiAnalyzer. I'm sending syslogs to graylog from a Fortigate 3000D. Reviewing the events I don’t have any web categories based in the received Syslog payloads. In order to change these settings, it must be done in CLI : config log syslogd setting set status enable set port 514 set mode udp set mode config system log-forward edit 1 set mode forwarding set fwd-max-delay realtime set server-name "Syslog" set server-ip "192. Are they available in the tcpdump ? <connection>syslog</connection> <port>514</port> <protocol>udp</protocol> </remote> I can't see that i'm missing anything for data to be showing in Wazuh. but only for the duration of the outage which is about 10 to 12 minutes usually and then it I even performed a packet capture using my fortigate and it's not seeing anything being sent. I am looking for a free syslog server or type of logging system to log items such as bandwidth usage, interface stats, user usage, VPN stats. 6. FAZ can get IPS archive packets for replaying attacks. I followed Sumo Logic's documentation and of course I set up the Syslog profile and the log forwarding object on the Palo Alto following their documentation as well. For example, I am sending Fortigate logs in and seeing only some events in the dashboard. 8.
1) under the "data" switch, port forwarding stops working. Give each source class (cisco ASA, fortigate, etc) its own port in syslog and its own index/sourcetype on the splunk side. Enable/disable connection secured by TLS/SSL. 5 FortiGate and the FortiLink Guide on a port), it sends a trap or syslog to FortiNAC “hey This information is sent to a syslog server where the user can submit queries. (Help) Syslog IPS Event Only Fortigate . if you have a different port configured for sending syslog you can change the 514 to the port number you are using, and seeing if the FG is actually trying to send syslog Oct 11, 2016 · Here's a reddit thread about someone producing Graylog dashboards for fortigate logs and noticing the syslog format can change based on even enabling and disabling firewall features, same hardware, same firmware; it's crazy. Syslog Gathering and Parsing with FortiGate Firewalls I know that I've posted up a question before about this topic, but I still want to ask for any further suggestions on my situation. Then you have the syslog port (which is same port used by Analyzer for logging) open to internet and someone found it with port scan. set status enable set server primary port GT60FTK2209HYSH instance 0 changed state from discarding to forwarding FortiLink: port51 in Fortigate-uplink ready now FortiLink: enable port port51 port-id=51 FortiLink: disabled port port51 port-id=51 from b(0) fwd(4) FortiLink: enable port port51 port-id=51 FortiLink: port51 echo reply timing out echo-miss(50) You can ingest logs from systemd/rsyslog via journalbeat/filebeat (you'd point your switches to the syslog port on the server) and via SNMP with netbeat.
Note: If the Syslog Server is connected over IPSec Tunnel Syslog Server Interface needs to be configured using Tunnel Interface using the following commands: config log Apr 2, 2019 · port <port_integer>: Enter the port number for communication with the syslog server. I would also add "Fortigate" and "Fortigate <Model Name>" as tags to any question you pose. Have you checked with a sniffer if the device is trying to send syslog?? You can try . x and udp port 514' 1 0 l interfaces=[portx] Aug 24, 2023 · how to change port and protocol for Syslog setting in CLI. port 1 is the uplink to the Fortigate. They just have to index it. This requires editing when you add new device. 0 patch installed. 55 - supposed the DNS entry for Blocked stuff in the Fortigate, but the blocked Domains are looking like gibberish - jimojatlbo. FAZ has event handlers that allow you to kick off security fabric stitch to do any number of operations on FGT or other devices. Packet captures show 0 traffic on port tcp/514 destined for the syslog collector on the primary LAN interface while ping tests from firewall to the syslog collector succeeds. Syslog cannot do this. HA* TCP/5199. On my Rsyslog I receive log but only "greetings" log. I added the syslog from the fortigate and maybe that it is why I'm a little bit confused what the difference exactly is. Meaning you crush both kneecaps of your fortigate to put it down on its knees and kill performance. I have been attempting this and have been utterly failing. 459980 <office external ip> <VM IP> Syslog 1337 LOCAL7. In the example below, vlan 2, 3, and 5 exist on the fortigate. 16. This way you'll have a fully indexed and searchable interface to your logs and stats, and be able to make graphs, charts and dashboards in Kibana. Looking for some confirmation on how syslog works in fortigate. syslog is configured to use 10. What might work for you is creating two syslog servers and splitting the logs sent from the firewall by type e.
I've tried sending the data to the syslog port and then to another port specifically opened for the Fortigate content pack. The syslog server is running and collecting other logs, but nothing from FortiGate. Solution FortiGate will use port 514 with UDP protocol by default. Send logs to Azure Monitor Agent (AMA) on localhost, utilizing TCP port 28330. Change your https admin port to a different port off of 443. Do I set up the syslog or tcp input in beats? Or in logstash? Working on creating log Reports & Dashboards and wondering if there is a way to get the fortigate to report a port by the alias (ex. Currently I have a Fortinet 80C Firewall with the latest 4. 88. 99" set mode udp. I ship my syslog over to logstash on port 5001. Very much a Graylog noob. 9 to Rsyslog on centOS 7. Steps I have taken so Syslog Server: A dedicated Syslog server (local or virtual) that can receive logs over the network. The key is to understand where the logs are. What about any intermediate firewalls between your syslog server and the fortigate itself ? You can check for inbound traffic from nsg logs towards syslog server in sentinel itself. Do you have any idea, why this happens and how to solve this? The primary unit is NOT running at high CPU. Turn off http and turn on https , disable 80 to 443 redirect . I have configured as below, but I am still seeing logs from the two source interfaces sent to our Syslog Collector. Enter the syslog server port number. :) FortiAnalyzer is a great product and an easy button for a single vendor and single product line. syslog going out of the FG in uncompressed (by default, is there a compression option?)
Example syslog line in CEF format: I am having all of the syslog from the Fortigate go to port 514, and attempting to have logstash May 29, 2018 · I know one can get the Fortinet (Meru) Controller to send its syslog to a remote syslog server, by specifying the "syslog-host <hostname/IP_Address of remote syslog server> under the configuration mode. 8 set secondary 9. It seems dead simple to setup, at least from the GUI. I have a working grok filter for FortiOS 5. Because your tagged ports look incorrect. 88/32 if that’s your primary office static ip. At any rate this looks like a code bug. 1 as the source IP, forwarding to 172. Feb 26, 2025 · There is no limitation on FG-100F to send syslog. But you have to make changes on firewall side. A server that runs a syslog application is required in order to send syslog messages to an external host. SSL/TLS actions taken by Fortigates Provides records of when Fortigates intervened (with or without decrypting) in SSL/TLS traffic Fortigate - Web Traffic However, this VDOM I'm working with now has had his syslogd setting configured before with an IP I have never seen before and probably the port and mode has been tweaked as well (I suspect this because I tried putting my Splunk Forwarder IP right there and didn't receive any logs through port 514). port11 or port3) via Syslog? Alright, so it seems that it is doable. It is possible to perform a log entry test from the FortiGate CLI using the 'diag log test' command. An overview of incoming messages from Fortigates Includes Fortigate hostnames, serial numbers, and full message details Fortigate - SSL/TLS Interventions. x set collector-port 9996 set source-ip x. It really is a bad solution to have the fortigate do it because it requires you to build the downlink in a way which disabled all offloading.
Is it best practice to utilize VPN peering to the FortiGate vnet, and use azure route table policies from the other vnets? Thanks! Any tips or articles are welcome! I have configured Syslog globally on a Fortigate with multiple VDOMs and synchronized the configuration with the FortiManager (Syslog settings visible in FortiManager). You can ship to 3 different syslog servers at the same time with a Fortigate but you have to configure them via CLI (as well as the custom port). Eg 192. Kind of hit a wall. ASA sends syslog on UDP port 514 by default, but protocol and port can be chosen. Here is an example of my Fortigate: What is a decent Fortigate syslog server? Hi everyone. I have configured this via the GUI so no CLI commands yet (now thinking maybe CLI would've been the better option). set I have two FortiGate 81E firewalls configured in HA mode. 19' in the above example. Jan 23, 2025 · Fortigate Firewall: Configure and running in your environment. We're deploying a FortiGate VM in azure to secure and route on-prem, and vendor traffic between VNets. (Already familiar with setting up syslog forwarding) I currently have my home Fortigate Firewall feeding into QRadar via Syslog. de for example - any idea what this can be? The reason it got blocked is "New" I have pointed the firewall to send its syslog messages to the probe device. In a multi-VDOM setup, syslog communication works as explained below. I'm ingesting Netflow, CEF, Syslog, and Plaintext from the FortiGate, and Syslog is the only one with a broken timestamp. I've also included a type directive to set the type of any logs received on this port with 'fortinet'. The default port is 514. Nov 24, 2005 · FortiGate. 0. How would the communication, syslog or otherwise, work without a route? I wrestled with syslog-NG for a week for this exact same issue. That is not mentioning the extra information like the fieldnames etc. You don't have to.
What I don't understand however is: My remote FortigateVM (v7. For some reason logs are not being sent my syslog server. If you have other syslog inputs or other things listening on that port you'll need to change it. I don't use Zabbix but we use Nagios. TCP/514. g firewall policies all sent to syslog 1 everything else to syslog 2. Automation for the masses. 1" set server-port 514 set fwd-server-type syslog set fwd-reliable enable config device-filter edit 1 set device "All_FortiAnalyzer" next end next end Aug 10, 2024 · set port 514 end . In our fortianalyzer I am seeing most traffic during an outage being blocked by "local-policy-in" rule. SOC sends us a log degradation ticket yesterday regarding the Branch 2 firewall. never use port 514. Syslog config is below config log syslogd2 setting set status enable set server "FQDN OF SERVER HERE" set mode reliable set port CUSTOMPORTHERE set facility local0 set source-ip "Fortigate LAN Interface IP Here" set enc-algorithm high-medium end config system dns set primary 8. Regarding what u/retrogamer-999 wrote, yes I already did that, I should've clarified it, sorry for that. 1' can be any IP address of the FortiGate's interface that can reach the syslog server IP of '192. FortiAnalyzer is in Azure and logs to FAZ are working flawlessly. 91. Scope: FortiGate. Go to your vip rule on FortiGate, and set the source to all your known source device IPs, instead of “all”. 168. The default is disable. 1 belongs to root vdom and it is a MGMT interface #root vdom has default route to the gateway FGT2(global)#show log syslogd setting set status enable set server "1. ScopeFortiGate CLI. It does make it easy to parse log results, and it provides a repository for those logs so you don't need storage onboard the firewall for historical data, but if you already have a good working syslog setup, I don't think there would be a great of benefit in I'm looking for an easy python Look elsewhere is the easy answer.
To top it off, even deleting the VLAN's doesn't make the port forward work again. 10. The drawback and limitation of HA reserved management interface is that you can only use your OOBM interface for HTTPS/SSH mgmt access; you cannot use it to separate other mgmt plane functions, such as SYSLOG, NTP, DNS, etc. What I recently did was to use the traffic log view on the Analyzer, add a column for port/service, create a custom chart, add whatever other details you want and GROUP BY service/port. To ensure optimal performance of your FortiGate unit, Fortinet recommends disabling local reporting when using a remote logging service. Look into SNMP Traps. end config log syslogd filter set severity <level> - I use "information". Reliable Connection. Is this something that needs to be tweaked in the CLI? I do get application categories but I’m looking for the actual hostname/url categorization. set port 514. HQ logs show no syslog has been seen from the Branch 2 firewall in several days. I have an issue. 04). When I had set format default, I saw syslog traffic. Log fetching on the log-fetch server side. 0 but it's not available for v5. What's the next step? Even during a DDoS the solution was not impacted. I start troubleshooting, pulling change records (no changes), checking current config (looks fine). 9. Anything else say 59090. The source '192. 0/24 for internal and 188. I have a tcpdump going on the syslog server. Anyone else have better luck? Running TrueNAS-SCALE-22. FortiGate customers with syslog based collection of firewall logs need them to be accurate for forensic, legal, and regulatory purposes.
I added the syslog sensory and set the included lines to "any" with nothing in the exclude filter. Any ideas? This is not true of syslog, if you drop connection to syslog it will lose logs. port 5), and try to forward to that, it still doesn't work. SYSLOG-MSG is defined in the syslog protocol [RFC5424] and may also be considered to be the payload in [RFC3164] SPAN the switchports going to the fortigate on the switch side. Really frustrating Read the official syslog-NG blogs, watched videos, looked up personal blogs, failed. 4) does not have a route to the FortiAnalyzer. g. First time poster. This needs to be addressed ASAP by their engineering team. The configuration works without any issues. What did you try yet and what are the possibilities of a Fortigate to send/transfer logs? I would design it like that: Fortigate sends out via syslog to Promtail, which has a listener for it Promtail then sends out to Loki The FAZ I would really describe as an advanced, Fortinet specific, syslog server. Splunk (expensive), Graylog or an ELK stack, and there are a couple of good tools to just send/receive - the venerable choices being syslog-ng and rsyslog. FAZ-VM can also act as a repository for SYSLOG and do log forwarding as CEF with conditional filtering if you're looking forward SOC/SIEM sorta stuff. Here is what I have configured: Log & Report set server <IP of syslog box> set port <port> *** I use 5001 since logstash is a pain to get to bind to 514 since it's a privileged port.