Configuring Fortinet firewall to send Syslog data to RocketCyber Firewall Analyzer

RocketCyber’s Firewall Analyzer provides real-time threat detection and compliance monitoring by analyzing firewall logs. To enable this, Fortinet FortiGate firewalls must be configured to forward syslog data to RocketCyber. This article provides step-by-step instructions for FortiOS 7 and higher, ensuring compatibility with RocketCyber.

Why this matters

RocketCyber uses syslog data from Fortinet firewalls to:

  • Detect suspicious network traffic and brute-force attempts.

  • Identify privilege escalation and unauthorized configuration changes.

  • Provide 24/7 SOC monitoring for compliance (PCI, HIPAA, SOC 2, CMMC).

Without syslog forwarding, RocketCyber cannot monitor firewall events effectively.

Overview

  • FortiOS supports up to 4 syslog servers:

    • syslogd 

    • syslogd2

    • syslogd3

    • syslogd4

  • Before configuring one of the available syslog servers, find the first one that is not already in use with the following commands:

    config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting
    show
    end

  • RocketCyber requires syslog data in default format (not CSV).

  • Syslog is typically sent over UDP port 514 (TCP optional for reliability).

Steps

To configure Syslog on FortiGate, follow these steps:

1. Log in to the FortiGate.

2. Select Log & Report to expand the menu.

3. Select Log Settings.

4. Toggle Send Logs to Syslog to Enabled.

5. Enter RocketCyber's Syslog collector IP address.

6. Select Apply.

If the port or protocol must be customized, or syslog is to be configured from the CLI, run the commands shown below. In a multi-VDOM environment, execute them in the global VDOM.

To send logs to the syslog server from a specific source IP address, use the following CLI configuration:
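The configuration the article refers to, written out here as an added example (it is not the article's own screenshot). It assumes syslogd is the unused slot, that the RocketCyber collector is 192.168.1.19 and the chosen source address is 192.168.1.1 (the addresses used in the explanation that follows), and the default UDP/514 transport:

```fortios
# Added example; addresses are the ones from the explanation below.
# "config global" applies only to multi-VDOM units; omit it on a single-VDOM FortiGate.
config global
config log syslogd setting
    set status enable
    set server "192.168.1.19"
    # udp is the default; "reliable" sends syslog over TCP (RFC 6587) instead
    set mode udp
    set port 514
    set facility local7
    # source address for the syslog packets; must be able to reach the server
    set source-ip "192.168.1.1"
    # RocketCyber expects the default key=value format, not csv
    set format default
end
end
```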


In the example above, the source address '192.168.1.1' can be the IP address of any FortiGate interface that can reach the syslog server at '192.168.1.19'; the routing table shows which interface that is.

NOTE  If the syslog server is reached over an IPsec tunnel, the syslog source interface must be set to the tunnel interface using the following commands, and the syslog server IP must be included in the Phase 2 selectors.

The ping and ping-options commands in the CLI can be used to check basic connectivity to the syslog server from a specific source IP address.

NOTE  From FortiOS 7.6.0 it is possible to set a source interface for syslog; syslog messages are then sent with the IP address of that interface as their source.