How to send logs to a syslog server on Observium using a Fortigate as the syslog client

This is a detailed guide on how to send logs to a syslog server on Observium using a Fortigate as the syslog client.

1. Configure rsyslogd for Observium

1.1 Check version of rsyslogd

Make sure you have rsyslog installed and that it is current. This guide is for rsyslog version 8 and later.

rsyslogd -v

1.2 Enable remote logging

Remove the comment (the leading #) from the following lines: module(load="imtcp") and input(type="imtcp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

1.3 Create the file /etc/rsyslog.d/30-observium.conf

Create the file /etc/rsyslog.d/30-observium.conf and add the following lines to it.

#---------------------------------------------------------
# send remote logs to observium

# provides UDP syslog reception
module(load="imudp")

input(type="imudp"
      port="514"
      ruleset="observium")

## provides TCP syslog reception (uncomment if required)
#module(load="imptcp")
#
#input(type="imptcp"
#      port="514"
#      ruleset="observium")

module(load="omprog")

# observium syslog template
template(name="observium"
         type="string"
         string="%fromhost%||%syslogfacility%||%syslogpriority%||%syslogseverity%||%syslogtag%||%$year%-%$month%-%$day% %timereported:8:25%||%msg%||%programname%\n")

# observium RuleSets
ruleset(name="observium") {
    action(type="omprog"
           binary="/opt/observium/syslog.php"
           template="observium")
    stop
}

#---------------------------------------------------------
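To check what the template above hands to /opt/observium/syslog.php, here is an added Python stand-in for the omprog binary (example code, not Observium's or this guide's own): it parses the ||-delimited line back into fields, keeps a || inside the message intact, and pulls the Fortigate key=value pairs out of the message. The sample line, device name and log id are constructed, not captured from a real device.

```python
import re
import sys
from datetime import datetime

FIELDS = ("host", "facility", "priority", "severity", "tag",
          "timestamp", "msg", "program")
SEP = "||"
# Fortigate syslog bodies are key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_observium_line(line):
    """Split one template line into a dict; '||' inside msg survives.
    Fields before msg never contain '||' (left split, 6 times); programname
    is last (right split once). Returns None on malformed input."""
    head = line.rstrip("\n").split(SEP, 6)
    if len(head) != 7:
        return None
    msg, sep, program = head[6].rpartition(SEP)
    if not sep:
        return None
    rec = dict(zip(FIELDS, head[:6] + [msg, program]))
    try:
        # template writes %$year%-%$month%-%$day% %timereported:8:25%
        rec["timestamp"] = datetime.strptime(rec["timestamp"],
                                             "%Y-%m-%d %H:%M:%S")
        for key in ("facility", "priority", "severity"):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec


def fortigate_fields(msg):
    """Extract key=value pairs from a Fortigate log body (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(msg)}


# Constructed sample line (not captured from a real device).
SAMPLE = ('192.168.1.150||23||189||5||date=2024-01-12||2024-01-12 13:45:01||'
          'time=13:45:01 devname="fgt-lab" logid="0100032001" type="event" '
          'subtype="system" level="notice" msg="note||pipes survive"'
          '||date=2024-01-12')

if __name__ == "__main__":
    # Read from stdin when used as an omprog stand-in, else parse SAMPLE.
    for raw in (sys.stdin if not sys.stdin.isatty() else [SAMPLE]):
        rec = parse_observium_line(raw)
        print(rec and {**rec, "kv": fortigate_fields(rec["msg"])})
```

Point the ruleset's binary= at this script temporarily to see the parsed records, then switch it back to /opt/observium/syslog.php.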

1.4 Restart rsyslog

Restart rsyslog for the configuration to be applied.

service rsyslog restart

2. Configure SNMP on the Fortigate.

2.1 Add SNMP string and SNMP server (Observium Server IP) to Fortigate

The name in this instance is the community string, "SNMPGUIDE!", used to authenticate the agent and server.

config system snmp community
    edit 1
        set name "SNMPGUIDE!"
        config hosts
            edit 1
                set ip 91.203.x.x 255.255.255.255
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down
    next
end

2.2 Allow access for SNMP on Fortigate interface.

You will need to set allowaccess for SNMP on the Fortigate's interface.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 192.168.1.150 255.255.255.0
        set allowaccess ping https ssh snmp
    next
end

2.3 Add Observium IP address to trusted host of the Fortigate

config system admin
    edit "admin"
        set trusthost4 91.203.x.x 255.255.255.255
    next
end

3. Add SNMP string and SNMP agent (Fortigate IP) to Observium

Under devices click new device. Add the end-point IP address of the Fortigate and the community string.

If all is well you should see confirmation that the device has been added successfully.

4. Configure the syslog server on Fortigate

config log syslogd setting
    set status enable
    set server "91.203.x.x"
    set port 514
end

5. Test

6. Troubleshoot

6.1 Make sure the IP addresses and community strings match those configured above.

6.2 Ensure traffic is being sent and is reaching its destination.

Fortigate Sniffer

diagnose sniffer packet any "port 514"
diagnose sniffer packet any "port 161"
diagnose sniffer packet any "host 91.203.x.x"

Syslog Server

root@Syslog:~# tcpdump -i eth0 port 514
root@Syslog:~# tcpdump -i eth0 port 161

You can specify a different port if your server is listening on a different port.

If you are new to the world of Linux, an avid Linux enthusiast or a student, why not try our 0.99p per month Linux VPS at https://piggybank.cloud

Thank you for reading and please feel free to leave any feedback.
