Fortigate to Sumo Logic How-To

I received a question via Twitter today:

And wouldn’t you know, there wasn’t anything on my site for this.

There are 2 places that need configuration options set up for this to work, with correct timestamp parsing (very important!): the Fortigate and Sumo Logic.

Let’s start first with Sumo Logic.

By now you should have a collector deployed, but we need to set up a new ingestion point for the Fortigate device to send its version of syslog data, mostly because of the timestamp format used by the firewall. In my example I will be using port 4514/UDP. Use whatever port suits your network and set your naming as needed.

  1. Add a new source and configure it as a syslog source.
  2. Give it a name: fgt_udp_4514
  3. Set the protocol to UDP
  4. Set the port to 4514
  5. Set your Category appropriately: fw_security
  6. Enable timestamp parsing (check the box if not already checked)
  7. Select ‘use time zone from logfile’ and set your local timezone
  8. In ‘Timestamp Format’ select ‘Specify a format’
    1. In the Format box, enter exactly the string below (the same value used as defaultDateFormat in the JSON stanza further down):

    'date='yyyy-MM-dd 'time='HH:mm:ss

Then save this new source.

If you are doing your configuration via a deployed JSON file instead, add the following stanza as one entry in the sources array of your configuration.

  {
    "name": "fgt_udp_4514",
    "automaticDateParsing": true,
    "multilineProcessingEnabled": false,
    "useAutolineMatching": false,
    "forceTimeZone": false,
    "timeZone": "America/Chicago",
    "defaultDateFormat": "'date='yyyy-MM-dd 'time='HH:mm:ss",
    "encoding": "UTF-8",
    "protocol": "UDP",
    "port": 4514,
    "category": "fw_security",
    "sourceType": "Syslog"
  },
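Before cutting over, it is worth confirming that the firewall's lines really carry the date=/time= prefix the source is told to parse, and that the timeZone chosen on the source agrees with the firewall's own clock. The following Python check is an added example, not part of the original post or of either vendor's tooling; the log lines are constructed, and it assumes the eventtime field is epoch nanoseconds (FortiOS 6.2 and later).

```python
import re
from datetime import datetime, timedelta, timezone, tzinfo
from zoneinfo import ZoneInfo

# Mirrors the Sumo Logic source pattern: 'date='yyyy-MM-dd 'time='HH:mm:ss
STAMP_RE = re.compile(r"\bdate=(\d{4}-\d{2}-\d{2}) time=(\d{2}:\d{2}:\d{2})\b")
# FortiGate key=value pairs; string values are double-quoted
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (not real traffic). The third lacks the date=/time=
# prefix the source expects, so Sumo Logic would fall back to receipt time for it.
SAMPLE_LINES = [
    '<189>date=2023-03-15 time=14:02:11 devname="FGT60E" type="traffic" subtype="forward" '
    'level="notice" eventtime=1678906931000000000 srcip=10.10.1.5 dstip=10.10.245.79 action="accept"',
    '<189>date=2023-03-15 time=14:02:12 devname="FGT60E" type="traffic" '
    'level="notice" eventtime=1678906932000000000 srcip=10.10.1.6 action="deny"',
    '<189>Mar 15 14:02:13 FGT60E type="traffic" level="notice" action="accept"',
]

def parse_fields(line: str) -> dict:
    """Split a FortiGate log line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def source_tz(name: str = "America/Chicago", fixed_hours=None) -> tzinfo:
    """Time zone set on the source (timeZone in the JSON stanza); pass fixed_hours
    to use a fixed UTC offset instead, e.g. on a host without a tz database."""
    return timezone(timedelta(hours=fixed_hours)) if fixed_hours is not None else ZoneInfo(name)

def event_time(line: str, tz: tzinfo = None):
    """Timestamp Sumo Logic would derive: the date=/time= stamp read in tz.
    Returns None when the line does not match the configured format."""
    m = STAMP_RE.search(line)
    if not m:
        return None
    naive = datetime.strptime(f"{m[1]} {m[2]}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz or source_tz())

def clock_skew(line: str, tz: tzinfo = None):
    """Seconds between the derived timestamp and the firewall's eventtime field
    (assumed epoch nanoseconds). Non-zero means the source's time zone is wrong."""
    ts, fields = event_time(line, tz), parse_fields(line)
    if ts is None or "eventtime" not in fields:
        return None
    return int(ts.timestamp()) - int(fields["eventtime"]) // 1_000_000_000

def check_lines(lines, tz: tzinfo = None):
    """Return (accepted, rejected): accepted maps each good line to epoch seconds."""
    stamps = {line: event_time(line, tz) for line in lines}
    accepted = {l: int(t.timestamp()) for l, t in stamps.items() if t}
    return accepted, [l for l, t in stamps.items() if t is None]
```

Run check_lines over a capture of real firewall output; any rejected line means the Format string will not match it, and a non-zero clock_skew means the time zone chosen on the source differs from the firewall's.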

Now to configure the Fortigate, which has far fewer steps involved. As far as I know this can only be configured via the CLI.

Log in to the CLI and run the following to view the current configuration (double-check what might already be configured).

show log syslogd setting

If there isn’t a configuration in the firewall then no output will be displayed, but if it’s already configured then you should see something like the following:

config log syslogd setting
    set status enable
    set server "10.10.245.79"
    set port 4514
end

If you have nothing configured then it is easy to get started.

config log syslogd setting
set server IP_ADDRESS
set port PORT_NUMBER
set status enable
end

If you already have a syslog destination configured, and you don’t want to change that, then you can configure up to 2 more destinations.

Just replace

config log syslogd setting

with

config log syslogd2 setting

then add in your 3 configuration lines and ‘end’.