
Fortigate-60C(Transparent mode)のSyslog,SNMPを設定する。

■Fortigate-60C(Transparent mode)のSyslog,SNMPを設定する。

# config log syslogd setting
    set status enable
    set server 172.31.31.254
    set source-ip 172.31.31.249
    end

■上位(NAT mode)のFortigate-60Cで、配下のTransparent modeのFortigate-60CからのSyslogを通す設定は以下。

# show firewall address UTM-Seg
config firewall address
    edit "UTM-Seg"
        set subnet 172.31.31.0 255.255.255.0
    next
end

# show firewall policy 2
config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "UTM-Seg"
        set dstaddr "UTM-Seg"
        set action accept
        set schedule "always"
        set service "SYSLOG"
    next
end

■Debian側のrsyslog.confの設定。

$ grep -A 1 "udp\|172.31.31..*Fortigate" /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
--
:fromhost-ip, isequal, "172.31.31.252" /var/log/Fortigate-60C-NAT.log
& ~
:fromhost-ip, isequal, "172.31.31.249" /var/log/Fortigate-60C-Tranparent.log
& ~

$ sudo /etc/init.d/rsyslog restart

■Syslog転送ログの確認。

$ sudo tail -n 1 /var/log/Fortigate-60C-* | \
    sed -e 's/[A-z0-9]*=[A-z0-9]* /\n\t&/g' | \
    sed -e 's/FGT60C.*/FGT60CXXXXXXXXXX/g'
==> /var/log/Fortigate-60C-NAT.log <==
Sep  2 22:15:01 172.31.31.252 date=2015-09-02 time=22:15:01 devname=home-utm1 
	devid=FGT60CXXXXXXXXXX
	logid=0001000014 
	type=traffic 
	subtype=local 
	level=notice 
	vd=root srcip=172.31.31.254 
	srcport=33089 srcintf="internal" dstip=172.31.31.252 
	dstport=80 dstintf="root" 
	sessionid=168 
	proto=6 
	action=close 
	policyid=0 dstcountry="Reserved" srccountry="Reserved" 
	trandisp=noop service="HTTP" app="Web Management" 
	duration=1 
	sentbyte=582 
	rcvdbyte=3203 
	sentpkt=6 
	rcvdpkt=6 devtype="Linux PC" osname="Linux" osversion="2.x" mastersrcmac=00:02:2a:f1:08:45 srcmac=00:02:2a:f1:08:45

==> /var/log/Fortigate-60C-Tranparent.log <==
Sep  2 22:14:57 172.31.31.249 date=2015-09-02 time=22:14:52 devname=home-utm2 
	devid=FGT60CXXXXXXXXXX
	logid=0100040704 
	type=event 
	subtype=system 
	level=notice vd="root" logdesc="System performance statistics" action="perf-stats" 
	cpu=0 
	mem=44 
	totalsession=5 
	disk=3 bandwidth=5/1 
	setuprate=0 
	disklograte=0 
	fazlograte=0 msg="Performance statistics: average CPU: 0, memory:  44, concurrent sessions:  5, setup-rate: 0"

■ついでにSNMPも設定する。

 Fortigateの性能情報をSNMPで取得する。
 http://labunix.hateblo.jp/entry/20150817/1439818369

# show system snmp community | grep -v events
config system snmp community
    edit 1
        set name "public"
            config hosts
                edit 1
                    set source-ip 172.31.31.249
                    set ip 172.31.31.254 255.255.255.255
                    set interface "internal"
                    set host-type query
                next
            end
        set query-v2c-status disable
        set trap-v1-status disable
        set trap-v2c-status disable
    next
end

# show system interface internal
config system interface
    edit "internal"
        set vdom "root"
        set allowaccess ping ssh snmp http telnet
        set type physical
        set snmp-index 8
    next
end

■情報採取スクリプトを、NAT mode/Transparent modeの2台を順に採取するよう若干変更

$ cat /etc/cron.d/fgtperf 
#
# /etc/cron.d/fgtperf - run the Fortigate SNMP poller every 5 minutes
# (system crontab format: the sixth field is the user the job runs as).
SHELL=/bin/sh
PATH=/bin:/usr/bin
# Path to the poller. It is referenced as $FGTPERF in the command line below;
# cron exports these assignments into the job's environment, so /bin/sh expands it.
FGTPERF=/var/local/fortigate-perf.sh

# Runs as user "labunix" (the owner of /var/log/fgt, see the chown step below).
# The "test -x" guard keeps cron silent if the script is removed or not executable.
*/5 * * * *   labunix	test -x $FGTPERF && /bin/bash $FGTPERF

$ cat /var/local/fortigate-perf.sh
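#!/bin/bash
#
# fortigate-perf.sh - poll CPU/memory usage of each Fortigate over SNMP and
# append one CSV row per device (run every 5 minutes from /etc/cron.d/fgtperf).
#
# Output file : /var/log/fgt/fortigate-perf-YYYYMMDD_<device-ip>.csv
# Row format  : YYYY/MM/DD,HH:MM:SS,<cpu-usage>,<mem-usage>
# Exit status : 1 if the log directory is missing, 0 otherwise. A device that
#               does not answer is reported on stderr and skipped, so the
#               outage shows up in the cron output instead of as a half-written
#               (date-only) row in the CSV.
#
# Environment : SNMP_COMMUNITY overrides the read community (default "public").
#               SNMPv1 sends the community in cleartext and the value is visible
#               in `ps`; the Fortigate-side "config hosts" entry that restricts
#               queries to this poller's IP is what limits the exposure.

set -u

TARGETIP1="172.31.31.252"
TARGETIP2="172.31.31.249"
# fgSystem subtree of FORTINET-FORTIGATE-MIB. The awk filter below keeps
# fgSysCpuUsage (...4.1.3.0) and fgSysMemUsage (...4.1.4.0): by name when the
# MIB is installed, by numeric OID when it is not.
TARGETOID=".1.3.6.1.4.1.12356.101.4.1"
SNMP_COMMUNITY="${SNMP_COMMUNITY:-public}"
LOGDIR="/var/log/fgt"
# one file per day and per device; the date is fixed once at start-up
FGTPERFLOG="${LOGDIR}/fortigate-perf-$(date '+%Y%m%d')"

if [ ! -d "${LOGDIR}" ]; then
  printf '%s: log directory %s does not exist\n' "${0##*/}" "${LOGDIR}" >&2
  exit 1
fi

for TARGET in "${TARGETIP1}" "${TARGETIP2}"; do
  # timestamp is taken per device so a slow or timed-out walk on the first
  # device does not skew the row written for the second one
  ts=$(date '+%Y/%m/%d,%H:%M:%S')
  # "cpu,mem," from the walk; empty when the device does not answer
  # (snmpwalk's own error text is discarded, the empty result is checked below)
  values=$(snmpwalk -v 1 -c "${SNMP_COMMUNITY}" "${TARGET}" "${TARGETOID}" 2>/dev/null \
    | awk '/fgSys[CM][pe][mu]Usage/ || /1\.[34]\.0 =/ {printf "%s,", $NF}')
  values="${values%,}"
  if [ -z "${values}" ]; then
    # do not write a date-only row: a gap in the CSV is easier to spot
    printf '%s: no SNMP answer from %s\n' "${0##*/}" "${TARGET}" >&2
    continue
  fi
  printf '%s,%s\n' "${ts}" "${values}" >> "${FGTPERFLOG}_${TARGET}.csv"
done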

$ chmod +x /var/local/fortigate-perf.sh
$ sudo mkdir /var/log/fgt
$ sudo chown labunix:labunix /var/log/fgt
$ /bin/bash /var/local/fortigate-perf.sh 
$ grep . /var/log/fgt/fortigate-perf-20150902_172.31.31.2*
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:02:57,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:05:02,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:10:02,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:15:01,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:20:02,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:25:02,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:30:01,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:35:04,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:40:02,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:45:01,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:50:01,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.249.csv:2015/09/02,23:55:02,0,46
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:02:57,0,69
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:05:01,0,69
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:10:01,0,70
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:15:01,0,70
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:20:01,0,70
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:25:01,0,70
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:30:01,0,70
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:35:01,0,70
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:40:01,0,70
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:45:01,0,70
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:50:01,0,70
/var/log/fgt/fortigate-perf-20150902_172.31.31.252.csv:2015/09/02,23:55:01,0,70