How Fortigate 100D send log to Splunk

Question

I have a Fortigate 100D with FortiOS 5.06 , this is my setting

config log syslogd setting
set status enable
set server “192.168.7.4″
set reliable disable
set port 515
set csv disable
set facility alert
set source-ip 192.168.9.2
end

I have a Splunk server 192.168.7.4 listening on port 515 TCP, my switches can forward their logs to Splunk normally, but I cannot get Fortigate to work. Splunk server doesn’t receive any logs from Fortigate.

score 2 · Answer 1 · edited Jun 13 '14 at 07:30

2

Set reliable disable = UDP, you need to set reliable enable = tcp

From fortinet CLI handbook:

reliable {disable | enable} Enable reliable delivery of syslog messages to the syslog server. When enabled, the FortiGate unit implements the RAW profile of RFC 3195, sending log messages using TCP protocol.

edited Jun 13 '14 at 07:30

Felix Frank

3,093
1
16
22

answered Jun 13 '14 at 06:09

dsghi

131
4

Hi, welcome do SF. It is not at at all clear what you are asking. Please reword your question and perhaps supply more context. – Felix Frank Jun 13 '14 at 06:28

score 0 · Answer 2 · answered Apr 08 '14 at 08:15

0

Syslog is usually UDP 514, and Splunk certain works fine when set to use this.

answered Apr 08 '14 at 08:15

Chopper3

101,299
9
108
239

Hi Chopper3, I configure Splunk to open and listen on port 515 TCP, other my Cisco Switchs work ok with that. – Jack Chuong Apr 08 '14 at 08:50

How Fortigate 100D send log to Splunk

2 Answers2