Fortigate reliable syslog does not work with NXLog

#1 h.petroll

Hi, we have a test setup with one Fortigate (v6.4.4) and we wanted to use TCP for log collection. We can see the Forti sending the packets (tcpdump) to our NXLog server and we can see them arriving (tcpdump), but the packets are not being processed by NXLog. Using UDP everything works fine.

The config on the Forti is standard:

config log syslogd setting
    set status enable
    set server "10.0.172.41"
    set mode reliable
    set port 2570
end

If we switch to mode legacy-reliable we can see log entries, but they look rubbish. On the NXLog side we use im_tcp as input and route it with om_file into a text file. Pretty straightforward, but it does not work.

Has anyone ever used Fortinet TCP syslog with NXLog?

Regards Hardy

#2 raf (Nxlog)

Hi,

I'm not keen on Fortigate so I'm not sure if I'm able to help; however, accepting data over TCP shouldn't be a problem. You said the log entries "look rubbish", what does that mean? Could you share a sample, as well as a sample of the raw input data and maybe your full conf?

Best regards,
Rafal
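Added example, not part of the thread above and not NXLog or Fortinet code. FortiOS documents `set mode reliable` as RFC 6587 syslog over TCP, which uses octet-counting framing (each message is prefixed with its byte length and a space, and there is no trailing newline), while `legacy-reliable` is the older RFC 3195 transport. A TCP receiver that expects one message per line (NXLog's im_tcp uses a line-based InputType unless told otherwise) therefore never finds a delimiter and keeps the bytes buffered, which matches the symptom in the first post: packets arrive but nothing is written. The script below builds a constructed octet-counted stream from two illustrative FortiGate-style messages (device names, IDs and field values are made up), parses it both ways, and shows how a correct octet-counting parser handles a frame split across TCP segments. The fix on the NXLog side is to use an octet-framing input reader (xm_syslog's `Syslog_TLS` InputType handles RFC 5425 style octet counting; check the reference for your NXLog version) or to switch the FortiGate to UDP as the poster did.

```python
"""Octet-counted (RFC 6587) versus newline-delimited TCP syslog framing.

Added example for the NXLog forum thread; the sample messages are constructed
and illustrative, not a capture from a real FortiGate.
"""
import re
from typing import List, Tuple

# RFC 6587 section 3.4.1: MSG-LEN is one or more digits (no leading zero) followed by a single space.
_OCTET_HEADER = re.compile(rb"[1-9][0-9]* ")


def frame_octet_counted(msg: bytes) -> bytes:
    """Wrap one syslog message in RFC 6587 octet-counting framing (what 'reliable' mode sends)."""
    return str(len(msg)).encode("ascii") + b" " + msg


def parse_octet_counted(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Extract complete octet-counted frames from a TCP receive buffer.

    Returns (messages, leftover). Leftover is an incomplete frame that must be kept
    until more bytes arrive, because TCP does not preserve message boundaries.
    Raises ValueError if the data is not octet-counted at all (e.g. plain newline syslog).
    """
    messages: List[bytes] = []
    pos = 0
    while pos < len(buf):
        m = _OCTET_HEADER.match(buf, pos)
        if not m:
            if buf[pos:].isdigit():  # length prefix cut off before its space: wait for more data
                break
            raise ValueError(f"not octet-counted framing at offset {pos}: {buf[pos:pos + 16]!r}")
        start = m.end()
        end = start + int(m.group(0))
        if end > len(buf):  # frame body not fully received yet
            break
        messages.append(buf[start:end])
        pos = end
    return messages, buf[pos:]


def parse_newline_delimited(buf: bytes) -> Tuple[List[bytes], bytes]:
    """What a line-based TCP reader sees: complete lines, plus an unterminated remainder it keeps buffering."""
    *lines, rest = buf.split(b"\n")
    return lines, rest


def sample_messages() -> List[bytes]:
    """Two constructed FortiGate-style syslog messages (illustrative field values, not a real log)."""
    return [
        b'<189>date=2021-03-15 time=10:15:42 devname="FGT-TEST" devid="TESTDEVID" '
        b'logid="0000000013" type="traffic" subtype="forward" level="notice" '
        b'srcip=10.0.172.50 dstip=10.0.172.41 proto=6 action="accept"',
        b'<190>date=2021-03-15 time=10:15:43 devname="FGT-TEST" devid="TESTDEVID" '
        b'logid="0100032001" type="event" subtype="system" level="information" '
        b'msg="Admin login successful"',
    ]


def demo() -> None:
    msgs = sample_messages()
    stream = b"".join(frame_octet_counted(m) for m in msgs)  # what arrives on the wire in 'reliable' mode
    parsed, rest = parse_octet_counted(stream)
    print(f"octet-counting reader: {len(parsed)} messages, {len(rest)} leftover bytes")
    lines, rest = parse_newline_delimited(stream)
    print(f"line-based reader:     {len(lines)} messages, {len(rest)} bytes stuck in buffer (no newline ever comes)")
    # Simulate a TCP segment boundary cutting the second frame in half.
    cut = len(frame_octet_counted(msgs[0])) + 20
    first, _ = parse_octet_counted(stream[:cut])
    print(f"after a partial segment: {len(first)} complete message(s), remainder kept for the next read")


if __name__ == "__main__":
    demo()
```

Run with `python3 framing_demo.py`: the octet-counting reader returns both messages, the line-based reader returns none, and the truncated stream yields exactly one message with the partial frame held back rather than emitted as garbage.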