Configure multiple FortiAnalyzers on a multi-VDOM FortiGate
This topic shows a sample configuration of multiple FortiAnalyzers on a multi-VDOM FortiGate.
In this example:
- The FortiGate has three VDOMs:
  - Root (management VDOM)
  - VDOM1
  - VDOM2
- There are four FortiAnalyzers.
These IP addresses are used as examples in the instructions below.
- FAZ1: 172.16.200.55
- FAZ2: 172.18.60.25
- FAZ3: 192.168.1.253
- FAZ4: 192.168.1.254
- Set up FAZ1 and FAZ2 under global.
  - These two collect logs from the root VDOM and from VDOM2, which has no override and therefore inherits the global settings.
  - FAZ1 and FAZ2 must be accessible from the management VDOM (root).
- Set up FAZ3 and FAZ4 under VDOM1.
  - These two collect logs from VDOM1 only.
  - FAZ3 and FAZ4 must be accessible from VDOM1.
To set up FAZ1 as global FortiAnalyzer 1 from the GUI:
Prerequisite: FAZ1 must be reachable from the management root VDOM.
- Go to Global > Log & Report > Log Settings.
- Enable Send logs to FortiAnalyzer/FortiManager.
- Enter the FortiAnalyzer IP.
In this example: 172.16.200.55.
- For Upload option, select Real Time.
- Select Apply.
To set up FAZ2 as global FortiAnalyzer 2 from the CLI:
Prerequisite: FAZ2 must be reachable from the management root VDOM.
config log fortianalyzer2 setting
    set status enable
    set server "172.18.60.25"
    set upload-option realtime
end
To set up FAZ3 and FAZ4 as VDOM1 FortiAnalyzer 1 and FortiAnalyzer 2 from the CLI:
Prerequisite: FAZ3 and FAZ4 must be reachable from VDOM1. Enter these commands in the VDOM1 context (config vdom, edit VDOM1), not under config global. The override applies only to VDOM1; VDOM2 keeps using the global FortiAnalyzers.
config log setting
    set faz-override enable
end
config log fortianalyzer override-setting
    set status enable
    set server "192.168.1.253"
    set upload-option realtime
end
config log fortianalyzer2 override-setting
    set status enable
    set server "192.168.1.254"
    set upload-option realtime
end
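The complete configuration for this example in one CLI session, as an added example and not text from the page: FAZ1 is configured from the CLI here instead of the GUI, and the global and VDOM contexts are shown explicitly. The two extra options, set reliable enable and set certificate-verification enable, are not part of the page's procedure; they are existing options under config log fortianalyzer setting on recent FortiOS releases (check your release's CLI reference) and correspond to the reliable= and conn_verified= fields in the diagnose output further down. Enable certificate verification only once the FortiAnalyzer presents a certificate the FortiGate trusts, otherwise the connection will not come up.

```text
config global
    config log fortianalyzer setting
        set status enable
        set server "172.16.200.55"
        set upload-option realtime
        set reliable enable
        set certificate-verification enable
    end
    config log fortianalyzer2 setting
        set status enable
        set server "172.18.60.25"
        set upload-option realtime
        set reliable enable
        set certificate-verification enable
    end
end
config vdom
    edit VDOM1
        config log setting
            set faz-override enable
        end
        config log fortianalyzer override-setting
            set status enable
            set server "192.168.1.253"
            set upload-option realtime
            set reliable enable
            set certificate-verification enable
        end
        config log fortianalyzer2 override-setting
            set status enable
            set server "192.168.1.254"
            set upload-option realtime
            set reliable enable
            set certificate-verification enable
        end
    next
end
```

VDOM2 needs no configuration: with faz-override disabled (the default) it logs to the global FAZ1 and FAZ2.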
Diagnose command to check FortiAnalyzer connectivity
To use the diagnose command to check FortiAnalyzer connectivity:
- Check global FortiAnalyzer status:
FGTA(global) # diagnose test application miglogd 1
faz: global , enabled
server=172.16.200.55, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=1
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago.
Sn list:
queue: qlen=0.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: global, id=0, fd=90, ready=1, ipv6=0, 172.16.200.55/514 oftp-state=5
faz2: global , enabled
server=172.18.60.25, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.18.60.25, reliable=0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago.
Sn list:
queue: qlen=0.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: global, id=1, fd=95, ready=1, ipv6=0, 172.18.60.25/514 oftp-state=5
- Check VDOM1 override FortiAnalyzer status:
FGTA(global) # diagnose test application miglogd 3101
faz: vdom, enabled, override
server=192.168.1.253, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.253, reliable=1
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago.
Sn list:
(FAZ-VM0000000001,age=17s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: vdom, id=0, fd=72, ready=1, ipv6=0, 192.168.1.253/514 oftp-state=5
faz2: vdom, enabled, override
server=192.168.1.254, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.254, reliable=0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago.
Sn list:
(FL-1KET318000008,age=17s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: vdom, id=1, fd=97, ready=1, ipv6=0, 192.168.1.254/514 oftp-state=5
faz3: vdom, disabled, override
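Reading this output by eye works for one FortiGate; across a fleet it is easier to parse it and flag the fields that matter for log delivery and transport security: state/ready (is the FortiAnalyzer actually connected), ssl (encrypted transport), reliable (reliable logging), conn_verified, and qlen (records waiting to be sent). The Python checker below is an added example, not code from the page or from Fortinet. Its sample input is constructed from the VDOM1 output above, trimmed to the lines the checker reads; the interpretation of conn_verified=N as "the FortiAnalyzer certificate was not verified" is an assumption to confirm against the CLI reference for your release, which is why the finding asks you to confirm rather than asserting a fault.

```python
import re
from dataclasses import dataclass

# Constructed sample: the VDOM1 override output from the page, trimmed to the
# lines this checker reads. It is not a capture from a live FortiGate.
SAMPLE_OUTPUT = """\
faz: vdom, enabled, override
server=192.168.1.253, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.253, reliable=1
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
Sn list:
(FAZ-VM0000000001,age=17s)
queue: qlen=0.
server: vdom, id=0, fd=72, ready=1, ipv6=0, 192.168.1.253/514 oftp-state=5
faz2: vdom, enabled, override
server=192.168.1.254, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.254, reliable=0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
Sn list:
(FL-1KET318000008,age=17s)
queue: qlen=0.
server: vdom, id=1, fd=97, ready=1, ipv6=0, 192.168.1.254/514 oftp-state=5
faz3: vdom, disabled, override
"""

HEADER_RE = re.compile(r"^(faz\d*):\s*(global|vdom)\s*,\s*(enabled|disabled)(.*)$")
KV_RE = re.compile(r"([A-Za-z_][\w-]*)=([^,\s]*)")  # key=value pairs; value ends at ',' or space
SN_RE = re.compile(r"^\(([^,]+),age=")              # "(SERIAL,age=17s)" entries under "Sn list:"


@dataclass
class FazSlot:
    name: str               # faz, faz2, faz3
    scope: str              # global or vdom
    enabled: bool
    override: bool = False  # slot comes from the VDOM override-setting
    server: str = ""
    state: str = ""
    ssl: bool = False
    reliable: bool = False
    conn_verified: bool = False
    ready: bool = False
    oftp_state: int = -1
    qlen: int = 0
    serial: str = ""        # FortiAnalyzer serial reported in the Sn list


def _apply_kv(slot: FazSlot, kv: dict) -> None:
    """Copy the fields the health check uses; other keys in the output are ignored."""
    if "server" in kv:
        slot.server = kv["server"]
    if "state" in kv:
        slot.state = kv["state"]
    for key in ("ssl", "reliable", "ready"):
        if key in kv:
            setattr(slot, key, kv[key] == "1")
    if "conn_verified" in kv:
        slot.conn_verified = kv["conn_verified"] == "Y"
    if "qlen" in kv:
        slot.qlen = int(kv["qlen"].rstrip("."))  # printed as "qlen=0."
    if "oftp-state" in kv:
        slot.oftp_state = int(kv["oftp-state"])


def parse_miglogd(text: str) -> list:
    """Split the diagnose output into one FazSlot per 'fazN:' header line."""
    slots, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            name, scope, enabled, rest = header.groups()
            current = FazSlot(name, scope, enabled == "enabled", override="override" in rest)
            slots.append(current)
            _apply_kv(current, dict(KV_RE.findall(rest)))
            continue
        if current is None:
            continue
        sn = SN_RE.match(line)
        if sn:
            current.serial = sn.group(1)
        _apply_kv(current, dict(KV_RE.findall(line)))
    return slots


def check_slots(slots: list) -> list:
    """One finding per condition a log-delivery or transport-security review would raise."""
    findings = []
    for s in slots:
        if not s.enabled:
            continue  # an unused slot (faz3 on the page) is not a fault
        tag = f"{s.name} ({s.scope}{', override' if s.override else ''})"
        if s.state != "connected" or not s.ready:
            findings.append(f"{tag}: not connected to {s.server} (state={s.state!r}, ready={s.ready})")
        if not s.ssl:
            findings.append(f"{tag}: transport to {s.server} is not encrypted (ssl=0)")
        if not s.reliable:
            findings.append(f"{tag}: reliable logging is off for {s.server}; logs can be lost during outages")
        if not s.conn_verified:
            findings.append(f"{tag}: conn_verified=N for {s.server}; confirm certificate verification is intended")
        if s.qlen:
            findings.append(f"{tag}: {s.qlen} log record(s) queued for {s.server}")
    return findings


if __name__ == "__main__":
    for finding in check_slots(parse_miglogd(SAMPLE_OUTPUT)):
        print(finding)
```

On the page's own output the checker reports three findings: conn_verified=N on both VDOM1 slots, and reliable=0 on faz2. Feed it the saved output of the command run on each VDOM (and under global) and diff the findings over time; a slot that flips from connected to anything else, or whose qlen starts growing, is the first sign that logs are no longer reaching the FortiAnalyzer.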