■Forwarding Fortigate-80C logs to rsyslog on Debian Wheezy.
Ideally you would forward the logs to a FortiAnalyzer, which can do far more with them with less effort.
But a home NGFW does not justify that, so I substitute log forwarding to rsyslogd.
■Enable the UDP listener in rsyslog on Debian Wheezy.
$ dpkg -l rsyslog | grep ^ii > /dev/null 2>&1 && \
dpkg -L rsyslog | grep /etc/.*conf
/etc/rsyslog.conf
$ grep -i udp /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
$ sudo /etc/init.d/rsyslog restart && netstat -an | grep :514
[ ok ] Stopping enhanced syslogd: rsyslogd.
[ ok ] Starting enhanced syslogd: rsyslogd.
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp6 0 0 :::514 :::*
■As an aside, restrict it to IPv4.
$ man rsyslogd | grep v4 | sed s/"\. "/"&\n\t"/g
-4 Causes rsyslogd to listen to IPv4 addresses only.
If neither -4 nor -6 is given, rsyslogd listens to all configured
$ grep -v "^\$\|^#" /etc/default/rsyslog
RSYSLOGD_OPTIONS="-c5 -4"
$ sudo /etc/init.d/rsyslog restart && netstat -an | grep :514
[ ok ] Stopping enhanced syslogd: rsyslogd.
[ ok ] Starting enhanced syslogd: rsyslogd.
udp 0 0 0.0.0.0:514 0.0.0.0:*
■Output the config that enables syslog.
It is a simple script: give it the syslog server IP and the source IP and it prints the config you need.
$ w3m -dump \
"https://raw.githubusercontent.com/labunix/fortigate-80c-settings/master/FGT_enable_syslog.sh" \
> FGT_enable_syslog.sh; \
chmod +x FGT_enable_syslog.sh
$ ./FGT_enable_syslog.sh
input syslog server IP, default IP is [172.31.31.254]
input source IP address, default IP is [172.31.31.251
show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting
config log syslogd setting
set status enable
set server 172.31.31.254
set facility syslog
set source-ip 172.31.31.251
end
show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting
■Output the config that disables syslog.
This simply disables the first syslog server setting.
Keep a record of the output when you run it.
$ w3m -dump \
"https://raw.githubusercontent.com/labunix/fortigate-80c-settings/master/FGT_disable_syslog.sh" \
> FGT_disable_syslog.sh; \
chmod +x FGT_disable_syslog.sh
■Output when enabling syslog from the default (disabled) state
$ echo 'show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting
config log syslogd setting
set status enable
set server 172.31.31.254
set facility syslog
set source-ip 172.31.31.251
end
show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting
' | ssh -T admin@172.31.31.251 | sed s/".* # "//g | grep -v "^\$"
admin@172.31.31.251's password:
config log syslogd setting
set status disable
end
config log syslogd setting
end
status : disable
config log syslogd setting
set status enable
set server "172.31.31.254"
set reliable disable
set port 514
set csv disable
set facility syslog
set source-ip 172.31.31.251
end
config log syslogd setting
set status enable
set server "172.31.31.254"
set facility syslog
set source-ip 172.31.31.251
end
status : enable
server : 172.31.31.254
reliable : disable
port : 514
csv : disable
facility : syslog
source-ip : 172.31.31.251
■Output when reverting the enabled syslog setting back to disabled
$ echo 'show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting
config log syslogd setting
set status disable
end
show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting
' | ssh -T admin@172.31.31.251 | sed s/".* # "//g | grep -v "^\$"
admin@172.31.31.251's password:
config log syslogd setting
set status enable
set server "172.31.31.254"
set reliable disable
set port 514
set csv disable
set facility syslog
set source-ip 172.31.31.251
end
config log syslogd setting
set status enable
set server "172.31.31.254"
set facility syslog
set source-ip 172.31.31.251
end
status : enable
server : 172.31.31.254
reliable : disable
port : 514
csv : disable
facility : syslog
source-ip : 172.31.31.251
config log syslogd setting
set status disable
end
config log syslogd setting
end
status : disable
■Check the forwarded syslog entries on the Debian Wheezy side
Entries for SNMP and for the web admin UI
$ sudo grep devname= /var/log/syslog | grep "SNMP\|https" | tail -2 | \
sed s/"devid=[A-Z0-9]* "/"devid=FGT80CXXXXXXXXXXXX\n "/g | sed s/" srcip=\| policyid=\| app=\| action="/"\n&"/g
Feb 26 22:58:17 172.31.31.251 date=2015-02-26 time=22:58:17 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX
logid=0001000014 type=traffic subtype=local level=notice vd=root
srcip=172.31.31.251 srcport=162 srcintf=unknown-0 dstip=172.31.31.254 dstport=162 dstintf="internal" sessionid=309 status=accept
policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=SNMP proto=17
app=SNMP duration=548 sentbyte=1670 rcvdbyte=0 sentpkt=20 rcvdpkt=0
Feb 26 23:00:40 172.31.31.251 date=2015-02-26 time=23:00:40 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX
logid=0100032003 type=event subtype=system level=information vd="root" user="admin" ui=https(172.31.31.254)
action=logout status=success duration=301 reason=timeout msg="Administrator admin timed out on https(172.31.31.254)"
■Since the only rule I want is to filter on "fromhost-ip", add the following to rsyslog.conf.
$ grep -A 1 Fortigate /etc/rsyslog.conf
:fromhost-ip, isequal, "172.31.31.251" /var/log/Fortigate-80C.log
& ~
$ sudo /etc/init.d/rsyslog restart && netstat -an | grep :514
[ ok ] Stopping enhanced syslogd: rsyslogd.
[ ok ] Starting enhanced syslogd: rsyslogd.
udp 0 0 0.0.0.0:514 0.0.0.0:*
■The log is now written to the desired location, /var/log/Fortigate-80C.log.
$ sudo grep devname= /var/log//Fortigate-80C.log | grep "SNMP\|https" | tail -2 | \
sed s/"devid=[A-Z0-9]* "/"devid=FGT80CXXXXXXXXXXXX\n "/g | sed s/" srcip=\| policyid=\| app=\| action="/"\n&"/g
Feb 26 23:05:14 172.31.31.251 date=2015-02-26 time=23:05:14 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX
logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=https(172.31.31.254)
action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(172.31.31.254)"
Feb 26 23:10:16 172.31.31.251 date=2015-02-26 time=23:10:16 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX
logid=0100032003 type=event subtype=system level=information vd="root" user="admin" ui=https(172.31.31.254)
action=logout status=success duration=302 reason=timeout msg="Administrator admin timed out on https(172.31.31.254)"
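The FortiGate lines above are plain key=value pairs (some values quoted) behind the rsyslog timestamp and sender address. The following parser is an added example, not part of the original post or of the labunix scripts it links: it splits such lines into fields, mirrors the ":fromhost-ip, isequal" rule in Python so you can see which lines the rsyslog filter would keep, and pulls out the administrator login/logout events that the web UI generates. The sample lines are constructed after the format shown in this post (the line from 10.0.0.9 is invented to show a sender that the filter drops); the field names are those visible in the output above.

```python
import re

# Constructed sample input, modelled on the rsyslog output shown in this post:
# "<Mon DD HH:MM:SS> <fromhost-ip> key=value key="quoted value" ..."
SAMPLE_LINES = [
    'Feb 26 23:05:14 172.31.31.251 date=2015-02-26 time=23:05:14 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX '
    'logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=https(172.31.31.254) '
    'action=login status=success reason=none profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(172.31.31.254)"',
    'Feb 26 23:10:16 172.31.31.251 date=2015-02-26 time=23:10:16 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX '
    'logid=0100032003 type=event subtype=system level=information vd="root" user="admin" ui=https(172.31.31.254) '
    'action=logout status=success duration=302 reason=timeout '
    'msg="Administrator admin timed out on https(172.31.31.254)"',
    'Feb 26 22:58:17 172.31.31.251 date=2015-02-26 time=22:58:17 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX '
    'logid=0001000014 type=traffic subtype=local level=notice vd=root '
    'srcip=172.31.31.251 srcport=162 srcintf=unknown-0 dstip=172.31.31.254 dstport=162 dstintf="internal" '
    'sessionid=309 status=accept policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop '
    'service=SNMP proto=17 app=SNMP duration=548 sentbyte=1670 rcvdbyte=0 sentpkt=20 rcvdpkt=0',
    # Constructed line from a different sender, to show what the fromhost-ip filter drops.
    'Feb 26 23:11:00 10.0.0.9 date=2015-02-26 time=23:11:00 devname=other-box logid=0100032001 '
    'type=event subtype=system user="admin" ui=https(10.0.0.1) action=login status=success',
]

# rsyslog prefix: "Mon DD HH:MM:SS <sender> <message body>"
HEADER_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<fromhost>\S+) (?P<body>.*)$')
# key=value, where value is either a "quoted string" or a run of non-space characters
KV_RE = re.compile(r'(\w[\w-]*)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one forwarded line into a dict of FortiGate fields.

    The rsyslog timestamp and sender address are stored under the reserved
    keys "_ts" and "_fromhost". Returns None for lines not in this format.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"_ts": m.group("ts"), "_fromhost": m.group("fromhost")}
    for key, whole, quoted, bare in KV_RE.findall(m.group("body")):
        # A quoted value may legitimately be empty, so decide by the quote, not by truthiness.
        fields[key] = quoted if whole.startswith('"') else bare
    return fields


def filter_fromhost(lines, fromhost_ip):
    """Python counterpart of the rsyslog rule ':fromhost-ip, isequal, "<ip>"'.

    Keeps only lines whose rsyslog sender address equals fromhost_ip.
    """
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["_fromhost"] == fromhost_ip:
            kept.append(rec)
    return kept


def admin_ui_events(records):
    """Extract administrator login/logout events (type=event, subtype=system).

    These are the entries the post shows when an admin logs in to, or times
    out of, the web UI; they are the ones worth alerting on.
    """
    events = []
    for rec in records:
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        if rec.get("action") not in ("login", "logout"):
            continue
        events.append({
            "time": rec.get("date", "") + " " + rec.get("time", ""),
            "user": rec.get("user"),
            "action": rec.get("action"),
            "status": rec.get("status"),
            "ui": rec.get("ui"),
            "reason": rec.get("reason"),
        })
    return events


if __name__ == "__main__":
    for ev in admin_ui_events(filter_fromhost(SAMPLE_LINES, "172.31.31.251")):
        print(ev)
```

To run it against the real file, replace SAMPLE_LINES with the lines of /var/log/Fortigate-80C.log. Note that the fromhost-ip check, in rsyslog and in this script alike, keys on the UDP source address of the datagram and that UDP syslog carries no authentication, so the rule is a routing convenience rather than a trust boundary.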
■The following command confirms that entries no longer go to /var/log/syslog
but do appear in /var/log/Fortigate-80C.log.
Logging in to the web admin UI produces an entry right away.
$ watch -d -n 1 '\
echo "#syslog";sudo tail -1 /var/log/syslog ; \
echo "#fortilog";sudo tail -1 /var/log/Fortigate-80C.log '