Send Logs to a Syslog Server

If you already run a log collector (rsyslog, Splunk, Graylog, ELK, Datadog), point FortiGate at it for ingestion. Logs are forwarded in standard syslog format.

Before You Start

  • Syslog server reachable from FortiGate (UDP/514 by default; TCP available).
  • Decide which categories to forward.

Steps

  1. Log & Report → Log Settings.
  2. Syslog Server → Add.
  3. Fill in:
    • Status — Enable.
    • IP/FQDN — syslog server.
    • Port — 514 (default).
    • Mode — UDP (default), Reliable (TCP) or TLS.
    • Facility — Local7 (typical); follow your syslog server's facility convention.
    • Source IP — leave blank (FortiGate picks the egress IP) or set to a specific interface IP.
    • Format — Default / CSV / CEF (for SIEM integration).
  4. Apply.

[Screenshot: Syslog Server add dialog with IP, port, mode and facility filled in.]

CLI Equivalent

config log syslogd setting
    set status enable
    set server "10.0.0.50"       # example collector IP or FQDN
    set port 514
    set facility local7
    set format default           # or: csv, cef
    set mode udp                 # or: reliable, legacy-reliable
end

config log syslogd filter
    set severity information     # minimum severity to forward
    set forward-traffic enable   # forward policy traffic logs
    set local-traffic disable    # skip traffic to/from the FortiGate itself
end

For additional syslog servers, use the syslogd2, syslogd3 and syslogd4 blocks (config log syslogd2 setting, and so on), each with its own filter.

Verify

On the syslog server (Linux example):

tail -f /var/log/syslog | grep <fortigate-hostname>

Or in Splunk / Graylog: search for events whose source IP is the FortiGate's IP.

Common Issues

  • No logs arriving. Firewall path issue, usually TCP/UDP 514 blocked. Test reachability from the FortiGate side: execute ping <syslog-server>.
  • Logs arrive but are unparseable. Format does not match the collector. Use CEF for SIEMs, CSV for spreadsheets, Default for raw rsyslog.
  • TLS handshake fails. Certificate mismatch. Use set certificate <cert-name> to specify the client certificate.
  • High log volume drops some logs. UDP is unreliable. Switch to reliable mode (TCP).
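To confirm on the collector that the right categories are arriving and parsing (the Verify step above, and the "unparseable" issue), here is an added example script, not part of the FortiGate documentation. It assumes Default format, reads lines as they appear in /var/log/syslog, and uses constructed sample lines with made-up values.

```python
# Collector-side check that FortiGate syslog arrives and parses. Added example,
# not part of the FortiGate documentation. Assumes 'default' format (key=value
# pairs, values double-quoted when they contain spaces) read from /var/log/syslog.
import re
from collections import Counter

# One key=value field: a double-quoted value (escapes allowed) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_default(line: str) -> dict:
    """Fields of one default-format line, or {} if not a FortiGate log. The syslog
    prefix (PRI/header) is skipped by starting at 'date=', the first FortiGate field."""
    start = line.find("date=")
    if start < 0:
        return {}
    return {k: (v[1:-1] if v.startswith('"') else v)
            for k, v in FIELD_RE.findall(line[start:])}

def summarise(lines):
    """Count lines per (devname, type, subtype) and collect unparseable ones."""
    counts, unparsed = Counter(), []
    for line in lines:
        f = parse_fortigate_default(line)
        if "type" not in f:
            unparsed.append(line)
            continue
        counts[(f.get("devname", "?"), f["type"], f.get("subtype", ""))] += 1
    return counts, unparsed

def missing_categories(counts, expected):
    """Categories 'type/subtype' in `expected` that never arrived (compare with the filter)."""
    seen = {f"{t}/{s}" for _, t, s in counts}
    return sorted(set(expected) - seen)

# Constructed sample lines (all values made up); the last is not a FortiGate log.
SAMPLE = [
    '<189>date=2024-01-15 time=10:00:01 devname="fw-edge-01" devid="FGEXAMPLE000001" '
    'type="traffic" subtype="forward" level="notice" srcip=10.1.1.20 dstport=443 action="accept"',
    '<189>date=2024-01-15 time=10:00:02 devname="fw-edge-01" devid="FGEXAMPLE000001" '
    'type="traffic" subtype="forward" level="notice" action="deny" msg="Denied by forward policy"',
    '<190>date=2024-01-15 time=10:00:03 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="admin" msg="Administrator admin logged in from ssh(10.0.0.5)"',
    '<30>Jan 15 10:00:05 collector systemd[1]: Started Session 12 of user ops.',
]

if __name__ == "__main__":
    counts, unparsed = summarise(SAMPLE)
    for (dev, typ, sub), n in sorted(counts.items()):
        print(f"{dev} {typ}/{sub}: {n}")
    print("missing:", missing_categories(counts, {"traffic/forward", "traffic/local"}))
    print("unparseable lines:", len(unparsed))
```

With the filter above (forward-traffic enabled, local-traffic disabled), traffic/local is expected to show as missing; a missing traffic/forward would point at a filter or transport problem instead.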