Fortigate Syslog Not Showing in Wazuh Dashboard (Packets Seen via Tcpdump)


Dex Perry

Aug 25, 2025, 12:11:03 AM
to Wazuh | Mailing List

Hi Wazuh community,

I’m trying to integrate Fortigate firewall logs into Wazuh (v4.12.0) but I am facing an issue where the logs are not visible in the Wazuh dashboard (Discover).

Environment:
  • Wazuh Manager: 4.12.0 (Ubuntu)

  • Wazuh Dashboard connected and working

  • Firewall: Fortigate, sending syslog via UDP/514

Configuration in ossec.conf:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.1.1.2</allowed-ips> <!-- firewall IP -->
  <local_ip>10.1.6.67</local_ip> <!-- wazuh manager IP -->
</remote>
What I’ve verified:
  • From the Wazuh server, I can ping the firewall successfully (ping 10.1.1.2).

  • Using tcpdump I can confirm syslog packets are arriving on port 514:

    sudo tcpdump -ni any udp port 514 -A | grep -i fortigate

    → Packets are captured.

  • sudo ss -ulnp | grep 514 shows that wazuh-remoted is bound to 10.1.6.67:514.

  • wazuh-logtest successfully decodes Fortigate log lines when pasted manually.

The issue:
  • No Fortigate logs appear in ossec.log or archives.log.

  • Wazuh Dashboard (Discover) does not show any Fortigate events.

  • /var/ossec/logs/firewall/firewall.log is empty.

Question:

Since packets are arriving and decoders exist, but nothing is written to archives or firewall.log, what could be blocking Wazuh from ingesting the logs?

  • Is there anything else needed in the <remote> config (e.g. facility, format, or additional tags)?

  • Could the problem be related to Fortigate syslog format or Wazuh’s handling of local7.info?

  • Any way to debug why wazuh-remoted is discarding syslog packets?

Thanks in advance for your guidance!

Best Regards!!!

Bony V John

Aug 25, 2025, 1:36:38 AM
to Wazuh | Mailing List

Hi,

Based on your input, you mentioned that you are able to ping the firewall from the Wazuh manager, which confirms proper network connectivity. You are also receiving output when running the tcpdump command.

To further ensure that logs are being ingested by the Wazuh manager from the FortiGate firewall, run the following filtered tcpdump command on the Wazuh manager:

tcpdump -i any src host <firewall-IP> and dst port 514

Replace <firewall-IP> with the IP address of your FortiGate firewall. This will confirm whether logs are being received from the firewall.  

Update your Wazuh manager ossec.conf file with the following configuration:  
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.1.1.2/24</allowed-ips>
  <local_ip>10.1.6.67</local_ip>
</remote>

  • 10.1.1.2 - Firewall IP address (the one you see in tcpdump output). Adding /24 allows the whole subnet (256 addresses).

  • 10.1.6.67 - Wazuh manager server IP address.

  • Ensure that your firewall is configured to forward logs via UDP/514.

You can refer to the Wazuh syslog configuration documentation for more details.

  • The file /var/ossec/logs/firewall/firewall.log is not used for storing firewall logs forwarded via syslog. It is primarily for firewall-related activity on the Wazuh manager itself.
  • The ossec.log file will not display forwarded firewall logs. Instead, it only contains logs from the Wazuh manager processes. You can check for errors related to the remoted service with:
grep -iE "error|warn|crit|fatal|remoted" /var/ossec/logs/ossec.log

  • The correct files to use for troubleshooting forwarded logs are:

    • /var/ossec/logs/archives/archives.log

    • /var/ossec/logs/archives/archives.json

If firewall logs do not match any default Wazuh decoders/rules, they will still appear in archives.log/archives.json when logging is enabled. From there, you can create custom decoders and rules as needed.

Make sure logall is enabled in the Wazuh manager to log forwarded raw logs. Once enabled, you can check whether logs are being ingested with:  
grep -iE "<related string>" /var/ossec/logs/archives/archives.log

Replace <related string> with a relevant keyword from the expected log.

If logs are visible in archives.log but not in the dashboard, you may need to create custom decoders and rules. Please share sample logs if you’d like further assistance with creating them.

If the problem continues, enable debug logging for the remoted service:

Edit the internal configuration file:

vi /var/ossec/etc/internal_options.conf

Change to the following value:  
remoted.debug=2

Restart the Wazuh manager:  
systemctl restart wazuh-manager

After that, check ossec.log again for detailed debug output.  

If you still face issues, please share the following for further analysis:

  • The output of the commands listed above.

  • The ossec.log file and ossec.conf from your Wazuh manager.

This information will help us assist you more effectively.
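
The checks in the reply above can be scripted. What follows is an added example, not code from this thread or from the Wazuh project: it reads the `<remote>`/`<allowed-ips>` and `<global>`/`<logall>` settings from an ossec.conf and the source addresses from `tcpdump -n` output, then reports which senders wazuh-remoted would accept and whether accepted events would be written to archives.log. Only the manager address 10.1.6.67 and the firewall address 10.1.1.2 come from the thread; the rest of the config text, the extra sender addresses and the tcpdump lines are constructed samples, and the parsing of the tcpdump lines assumes the numeric `-n` output format.

```python
"""
Added example (not from the thread or the Wazuh project): an offline checker
for the two causes the reply points at when tcpdump sees syslog on UDP/514 but
nothing reaches archives.log. A sender outside <allowed-ips> is rejected by
wazuh-remoted before analysis, and with <logall> off even accepted events are
not written to archives.log.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the poster's <remote> block plus a <global> section with
# the default <logall>no</logall>.
CONF_ORIGINAL = """<ossec_config>
  <global>
    <logall>no</logall>
  </global>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.1.1.2</allowed-ips>
    <local_ip>10.1.6.67</local_ip>
  </remote>
</ossec_config>"""

# Constructed sample: the same config after the reply's two changes.
CONF_FIXED = CONF_ORIGINAL.replace("10.1.1.2<", "10.1.1.2/24<").replace(
    "<logall>no<", "<logall>yes<")

# Constructed lines in the shape `tcpdump -n udp port 514` prints. The second
# sender stands for the firewall emitting from another interface address; the
# third is an unrelated host. Only 10.1.1.2 and 10.1.6.67 come from the thread.
TCPDUMP_SAMPLE = """\
00:11:03.101 IP 10.1.1.2.514 > 10.1.6.67.514: SYSLOG local7.info, length: 310
00:11:03.205 IP 10.1.1.254.1514 > 10.1.6.67.514: SYSLOG local7.info, length: 298
00:11:04.001 IP 10.1.9.9.514 > 10.1.6.67.514: SYSLOG local7.info, length: 120
"""

# src.port > dst.514: with -n tcpdump prints ports numerically.
_TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.514:")


def allowed_networks(conf_xml):
    """Networks listed in every syslog <remote>/<allowed-ips> entry.

    <allowed-ips> takes a bare address or a CIDR prefix and compares under the
    mask, so '10.1.1.2/24' admits all of 10.1.1.0/24; strict=False mirrors that.
    """
    root = ET.fromstring(conf_xml)
    nets = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        for entry in remote.findall("allowed-ips"):
            nets.append(ipaddress.ip_network(entry.text.strip(), strict=False))
    return nets


def logall_enabled(conf_xml):
    """True when <global><logall>yes</logall> is set (required for archives.log)."""
    root = ET.fromstring(conf_xml)
    return (root.findtext("global/logall") or "no").strip().lower() == "yes"


def syslog_sources(tcpdump_text, manager_ip):
    """Distinct source addresses seen sending to manager_ip:514, in order seen."""
    seen = []
    for src, dst in _TCPDUMP_RE.findall(tcpdump_text):
        if dst == manager_ip and src not in seen:
            seen.append(src)
    return seen


def classify_sources(conf_xml, tcpdump_text, manager_ip="10.1.6.67"):
    """Map each sender to True if <allowed-ips> admits it, False if remoted rejects it."""
    nets = allowed_networks(conf_xml)
    return {src: any(ipaddress.ip_address(src) in net for net in nets)
            for src in syslog_sources(tcpdump_text, manager_ip)}


def diagnose(conf_xml, tcpdump_text, manager_ip="10.1.6.67"):
    """One finding per sender, plus one more if <logall> is off."""
    findings = [f"{src}: {'accepted' if ok else 'rejected by <allowed-ips>'}"
                for src, ok in classify_sources(conf_xml, tcpdump_text, manager_ip).items()]
    if not logall_enabled(conf_xml):
        findings.append("<logall> is off: accepted events are not written to archives.log")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", CONF_ORIGINAL), ("after reply", CONF_FIXED)):
        print(f"== {label} ==")
        for line in diagnose(conf, TCPDUMP_SAMPLE):
            print("  " + line)
```

Run against a real manager, `conf_xml` would be the contents of /var/ossec/etc/ossec.conf and `tcpdump_text` the saved output of the `tcpdump` command from the reply; the point of the sample is that the original single-host `<allowed-ips>` admits only the one address, while the /24 variant also admits a firewall that sources its syslog from a different interface address on that subnet, and that neither reaches archives.log until `<logall>` is `yes`.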

Dex Perry

Sep 6, 2025, 1:24:54 AM
to Wazuh | Mailing List

Hi Bony,

Thanks for your earlier guidance — it helped a lot. I’ve confirmed that FortiGate logs are now being ingested properly into Wazuh. In the dashboard I can filter and see different data.subtype values such as:

  • vpn 

  • app-ctrl 

  • forward

  • local 

  • system 

So ingestion looks good, but now I’d like some help with fine-tuning rules and alerts. For example:

  • Raising alerts for VPN login failures or tunnel negotiation failures

  • Getting visibility into successful VPN logins (currently they appear as informational)

  • Highlighting suspicious or blocked apps from app-ctrl

  • Monitoring admin logins/config changes from local

  • Filtering useful system/device events

Could you please share your ideas or best practices on how to fine-tune FortiGate logs in Wazuh?

Thanks again for your support!

Best regards,
Dex
