Fortinet syslog on worker


Julián Lliteras

Dec 1, 2025, 1:02:18 PM
to Wazuh | Mailing List
I set up my worker node with rsyslog to receive syslog data from FGT. The file is receiving data OK, but the data is not seen in the dashboard. I don't know if the data is not being forwarded from the worker to the master or if data ingestion is not raising any alert... How can I check this config?

Greetings
Julian

Olamilekan Abdullateef Ajani

Dec 1, 2025, 1:51:48 PM
to Wazuh | Mailing List
Hello Yartax,

To clarify your statement, are you saying that you installed rsyslog directly on the worker node? If that is the case, remember that this option provides more of a central repository for log collection, which still requires you to install the Wazuh agent to monitor the log paths and send them to the Wazuh manager for decoding. Because the Wazuh manager also has that agent monitoring capability, did you configure it to monitor the Fortigate log path being captured by rsyslog? Something like the configuration below inside the ossec.conf file?

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>

If you have already done the above, we can also enable archives for testing purposes and check whether the logs match. Edit the Wazuh manager configuration file /var/ossec/etc/ossec.conf and set the values below:

<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

Run systemctl restart wazuh-manager to apply the changes, then find the logs with: cat /var/ossec/logs/archives/archives.json | grep "part of your log"

A better approach would be to have a dedicated server for rsyslog, where you would install the Wazuh agent and let it forward the logs to the Wazuh manager cluster, which would serve as another log source for you. This is better managed and can scale properly.

Please let me know what you find.

Regards,


Julián Lliteras

3:45 AM
to Wazuh | Mailing List
Hi Olamilekan,

I need to deploy distributed workers and log collectors because not all of the infrastructure is visible; this is why I'm deploying workers on subnets or in distant geolocations.

My conf on the worker node is as follows:

<localfile>
  <location>/var/log/fortigate.log</location>
  <log_format>syslog</log_format>
</localfile>
<remote>
  <connection>syslog</connection>
  <port>7005</port>
  <protocol>tcp</protocol>
  <allowed-ips>10.50.0.253/32</allowed-ips>
</remote>


I also set up rsyslog to write log entries to the fortigate.log file. Is the rsyslog setup needed, or must the <remote> config be specified too? A sample record in alerts.json looks like this:

{"timestamp":"2025-12-02T02:49:30.040+0100","rule":{"level":6,"description":"Fortigate: Blocked URL belongs to a denied category in policy.","id":"81644","firedtimes":2773,"mail":false,"groups":["fortigate","syslog"]},"agent":{"id":"000","name":"debian13-Trixie"},"manager":{"name":"debian13-Trixie"},"id":"1764640170.38373798","cluster":{"name":"wazuh","node":"nodeHRC"},"full_log":"2025-12-02T02:49:28.561381+01:00 10.5.0.253 date=2025-12-01 time=20:49:28 devname=\"XXX-FW\" devid=\"FG100ETK\" eventtime=1764640167994287978 tz=\"-0500\" logid=\"0316013056\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_blk\" level=\"warning\" vd=\"root\" policyid=33 poluuid=\"24dac426-9c1c-51ed-0368-ef6571186f00\" policytype=\"policy\" sessionid=71583697 srcip=10.60.2.85 srcport=57804 srccountry=\"Reserved\" srcintf=\"port1\" srcintfrole=\"lan\" srcuuid=\"0d2dc6e6-8ef3-51e9-cf51-866bb8df0219\" dstip=20.190.155.130 dstport=443 dstcountry=\"United States\" dstintf=\"port4\" dstintfrole=\"wan\" dstuuid=\"8c1145be-b2ad-51e8-4591-ea981bd4ad00\" proto=6 service=\"HTTPS\" hostname=\"login.live.com\" profile=\"WF-Restrictable\" action=\"blocked\" reqtype=\"direct\" url=\"https://login.live.com/\" sentbyte=229 rcvdbyte=0 direction=\"outgoing\" msg=\"URL belongs to a denied category in policy\" method=\"domain\" cat=41 catdesc=\"Máquinas de búsqueda y Portales\"","predecoder":{"timestamp":"2025-12-02T02:49:28.561381+01:00"},"decoder":{"name":"fortigate-firewall-v5"},"data":{"action":"blocked","srcip":"10.60.2.85","srcport":"57804","dstip":"20.190.155.130","dstport":"443","url":"https://login.live.com/","devid":"FG100ETK","devname":"XXX-FW","direction":"outgoing","dstcountry":"United States","dstintf":"port4","dstintfrole":"wan","eventtime":"1764640167994287978","eventtype":"ftgd_blk","hostname":"login.live.com","level":"warning","logid":"0316013056","msg":"URL belongs to a denied category in policy","policyid":"33","poluuid":"24dac426-9c1c-51ed-0368-ef6571186f00","profile":"WF-Restrictable Bares y Rest","proto":"6","rcvdbyte":"0","reqtype":"direct","sentbyte":"229","service":"HTTPS","sessionid":"71583697","srccountry":"Reserved","srcintf":"port1","srcintfrole":"lan","subtype":"webfilter","time":"20:49:28","type":"utm","vd":"root"},"location":"/var/log/fortigate.log"}

I'm a bit confused right now; in the manager dashboard there aren't any alerts from the worker. There seems to be trouble in redirecting alerts, but new agents are rolling up from that worker.


Thanks in advance.
Julian

Olamilekan Abdullateef Ajani

8:11 AM
to Wazuh | Mailing List
Hello Yartax,

I think we need to address this one step at a time based on the information you have shared with me.

The configuration you have:
<localfile>
  <location>/var/log/fortigate.log</location>
  <log_format>syslog</log_format>
</localfile>
<remote>
  <connection>syslog</connection>
  <port>7005</port>
  <protocol>tcp</protocol>
  <allowed-ips>10.50.0.253/32</allowed-ips>
</remote>

mean different things and work in different ways. localfile is used to collect logs via the Wazuh agent. You can also use it on the Wazuh manager if you have a path you need monitored.
The remote option, on the other hand, sets up the Wazuh manager as a syslog server to remotely collect logs from devices.

That being said, depending on what you are trying to do, you do not need both for your use case; you only need one. But my advice would be to set up rsyslog on a separate server, install the Wazuh agent on it, and let it handle log collection by forwarding to the Wazuh manager, rather than installing rsyslog on the Wazuh manager itself. That way you are able to properly manage your logs, make any modifications to them, or even connect other event sources, instead of pointing them directly at the Wazuh manager.

Please review the above and choose the one that works for you.

The second thing I noticed is the log you shared: did you get that from /var/ossec/logs/alerts/alerts.json? Because this shows the logs are being ingested. Please confirm that you are unable to see the logs on the Discover dashboard.

Please let me know.
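To separate "the worker never decoded the Fortigate lines" from "alerts exist on the worker but never reach the dashboard", it helps to count what alerts.json (or archives.json) actually contains per cluster node and rule. The checker below is an added example, not code from the thread or from Wazuh; the sample lines are constructed to match the shape of the alert posted above, and the file paths are the standard Wazuh ones.

```python
import json
import sys
from collections import Counter

# Constructed sample lines shaped like the posted alert (not real data). Two Fortigate
# alerts decoded on the worker "nodeHRC", plus one unrelated PAM alert from the master.
SAMPLE_ALERTS = r'''
{"timestamp":"2025-12-02T02:49:30.040+0100","rule":{"level":6,"id":"81644","groups":["fortigate","syslog"]},"agent":{"id":"000","name":"debian13-Trixie"},"cluster":{"name":"wazuh","node":"nodeHRC"},"decoder":{"name":"fortigate-firewall-v5"},"location":"/var/log/fortigate.log"}
{"timestamp":"2025-12-02T02:49:31.000+0100","rule":{"level":3,"id":"81603","groups":["fortigate","syslog"]},"agent":{"id":"000","name":"debian13-Trixie"},"cluster":{"name":"wazuh","node":"nodeHRC"},"decoder":{"name":"fortigate-firewall-v5"},"location":"/var/log/fortigate.log"}
{"timestamp":"2025-12-02T02:49:32.000+0100","rule":{"level":5,"id":"5501","groups":["pam","syslog"]},"agent":{"id":"000","name":"master"},"cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"pam"},"location":"/var/log/auth.log"}
'''


def summarize_fortigate(lines, location="/var/log/fortigate.log"):
    """Count decoded events for one <localfile> location, grouped by cluster node,
    rule id and decoder. A non-empty per_node result means ingestion works on that
    node; if the dashboard still shows nothing, the problem is downstream (worker
    to master forwarding or indexing), not decoding."""
    per_node, per_rule, decoders = Counter(), Counter(), Counter()
    unparsable = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            unparsable += 1          # truncated line, e.g. file still being written
            continue
        if ev.get("location") != location:
            continue
        per_node[ev.get("cluster", {}).get("node", "standalone")] += 1
        per_rule[ev.get("rule", {}).get("id", "?")] += 1
        decoders[ev.get("decoder", {}).get("name", "none")] += 1
    return {"per_node": dict(per_node), "per_rule": dict(per_rule),
            "decoders": dict(decoders), "unparsable": unparsable}


if __name__ == "__main__":
    # Run on the worker: python3 check_fgt.py /var/ossec/logs/alerts/alerts.json
    # (or archives.json once <logall_json> is enabled). No argument: use the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS.splitlines()
    print(json.dumps(summarize_fortigate(src), indent=2))
```

Run it against archives.json and alerts.json on the worker and compare: events in archives but not in alerts means no rule fired, while events in alerts on the worker but absent from the master's index point at the cluster forwarding path.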
