Syslog
The FortiAuthenticator can parse username and IP address information from a syslog feed from a third party device, and inject this information into FSSO so it can be used in FortiGate and FortiCache identity based policies.
Syslog objects include sources and matching rules. Sources identify the entities sending the syslog messages, and matching rules extract the events from the syslog messages. Messages coming from non-configured sources will be dropped.
Injection of IPv6 addresses using Syslog-to-FSSO and API-to-FSSO is supported. IPv6 addresses will be accepted by the backend parsing engine.
To configure syslog objects, go to Fortinet SSO Methods > SSO > Syslog.
Syslog SSO must be enabled for this menu option to be available. Go to Fortinet SSO Methods > SSO > General to enable Syslog SSO. See General settings.
The following options and information are available:
Create New | Create a new syslog source or matching rule.
Delete | Delete the selected object or objects.
Edit | Edit the selected object.
Syslog SSO Items | Select Syslog Sources or Matching Rules from the drop-down list.
Name | The name of the source or rule.
Client name/IP | The IP address of the client.
Matching rules
A matching rule is a query, or policy, that is applied to a syslog message in order to determine required information, such as the username and IP address. Rules are required for every syslog source.
Predefined rules are available for Cisco and Aruba wireless controllers (see Syslog). For other systems, custom policies can be created to parse message files in various formats.
Predefined rules
Predefined matching rules are included for Cisco and Aruba wireless controllers.
Aruba
Trigger | None; any logs are accepted.
Auth Type Indicators | User Authentication Successful (Login) (exact match required; no delimiter or value)
Username field | username={{user}},
Client IP field | Framed-IP-Address={{ip}},
Group field | profile={{group}},
Cisco
Accounting Start Log
Trigger | CISE_RADIUS_Accounting
Auth Type Indicators | Acct-Status-Type=Start (Login)
Username field | User-Name={{user}},
Client IP field | Framed-IP-Address={{ip}},
Accounting Stop Log
Trigger | CISE_RADIUS_Accounting
Auth Type Indicators | Acct-Status-Type=Stop (Logout)
Username field | User-Name={{user}},
Client IP field | Framed-IP-Address={{ip}},
To create a new matching rule:
- In the syslog list, select Matching Rules from the View drop-down menu.
- Select Create New. The Create New Matching Rule page opens.
- Enter the following information:
Name | Enter a name for the rule.
Description | Optionally, enter a description of the rule.
Fields to Extract | Configure the fields that are to be extracted from the message.
Trigger | Optionally, enter a string that must be present in all syslog messages. This acts as a pre-filter.
Auth Type Indicators | Enter strings to differentiate between the types of user activities: Logon, Update (optional), and Logoff (optional).
Username field | Define the semantics of the username field. For example: User-Name={{user}}, where {{user}} marks the position from which the username is extracted.
Client IP field | Define the semantics of the client IP address.
Group field | Optionally, define the semantics of the group. The group may not always be included in the syslog message, and may need to be retrieved from a remote LDAP server. The SSO syslog feed can parse multiple groups if the names are separated by a plus (+) symbol or a comma (,). Use the Group list separator to specify the separator.
Test Rule | Paste a sample log message into the text box, then select Test to verify that the desired fields are correctly extracted.
- Select OK to add the new matching rule.
Syslog sources
Each syslog source must be defined for traffic to be accepted by the syslog daemon. Each source must also be configured with a matching rule that can be either pre-defined or custom built.
To add a new syslog source:
- In the syslog list, select Syslog Sources from the Syslog SSO Items drop-down menu.
- Select Create New. The Create New Syslog Source page opens.
- Enter the following information:
Name | Enter a name for the source.
IP address | Enter the IP address of the source.
Matching rule | Select the requisite matching rule from the drop-down list. A matching rule must already be created for the source.
SSO user type | Select the SSO user type:
  - External: Users are not defined on the FortiAuthenticator and user groups come from the source.
  - Local users: Users are defined on the FortiAuthenticator as local users, and user groups are retrieved from the local groups. Any group from the syslog messages will be ignored.
  - Remote users: Users are defined on a remote LDAP server and user groups are retrieved from the LDAP server. Any group from the syslog messages will be ignored.
- Select OK to add the source.
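The following is an added example, not FortiAuthenticator code, that models how the matching rules and syslog sources described above fit together: a trigger pre-filter, auth type indicator substrings mapped to Login/Update/Logout, `Prefix={{placeholder}},` field templates whose trailing character is the delimiter, a group list separator, an IPv4/IPv6 validity check on the extracted address, and the rule that messages from non-configured sources are dropped. The field templates and indicator strings are taken from the predefined Aruba and Cisco rules on this page; the Cisco rule here combines the Start and Stop indicators into one custom-style rule, and the sender IPs, host names and log lines are constructed for the example. The real parsing engine's internals are not documented on this page and may differ.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MatchingRule:
    """Custom matching rule: field templates use the {{user}}/{{ip}}/{{group}} syntax."""
    name: str
    user_field: str                  # e.g. "User-Name={{user}},"
    ip_field: str                    # e.g. "Framed-IP-Address={{ip}},"
    indicators: Dict[str, str]       # substring -> "Login" | "Update" | "Logout"
    trigger: Optional[str] = None    # pre-filter substring; None accepts any log
    group_field: Optional[str] = None
    group_separators: str = "+,"     # Group list separator(s)


@dataclass
class SyslogSource:
    name: str
    ip: str                          # sender address that the source is registered for
    rule: MatchingRule


def _field_regex(template: str, placeholder: str) -> "re.Pattern[str]":
    """Turn 'Prefix={{name}},' into a regex capturing the value up to the delimiter."""
    prefix, suffix = template.split("{{" + placeholder + "}}", 1)
    if suffix:  # value ends at the literal delimiter or at end of message
        return re.compile(re.escape(prefix) + r"(.*?)(?:" + re.escape(suffix) + r"|$)")
    return re.compile(re.escape(prefix) + r"(\S+)")  # no delimiter: read one token


def _extract(template: str, placeholder: str, message: str) -> Optional[str]:
    match = _field_regex(template, placeholder).search(message)
    return match.group(1).strip() if match else None


def parse_message(rule: MatchingRule, message: str) -> Optional[dict]:
    """Apply one matching rule; return the FSSO event or None if the log is dropped."""
    if rule.trigger and rule.trigger not in message:
        return None                                   # pre-filter failed
    event = next((kind for text, kind in rule.indicators.items() if text in message), None)
    if event is None:
        return None                                   # not a logon/update/logoff message
    user = _extract(rule.user_field, "user", message)
    ip_raw = _extract(rule.ip_field, "ip", message)
    if not user or not ip_raw:
        return None                                   # mandatory fields missing
    try:
        ip = str(ipaddress.ip_address(ip_raw))        # accepts IPv4 and IPv6
    except ValueError:
        return None                                   # garbage in the IP field
    groups: List[str] = []
    if rule.group_field:
        raw = _extract(rule.group_field, "group", message)
        if raw:
            parts = re.split("[" + re.escape(rule.group_separators) + "]", raw)
            groups = [g.strip() for g in parts if g.strip()]
    return {"event": event, "user": user, "ip": ip, "groups": groups}


def process(sources: List[SyslogSource], sender_ip: str, message: str) -> Optional[dict]:
    """Only configured sources are accepted; each source uses its own matching rule."""
    source = next((s for s in sources if s.ip == sender_ip), None)
    if source is None:
        return None                                   # non-configured source: dropped
    return parse_message(source.rule, message)


# Rules built from the predefined field templates listed on this page.
ARUBA_RULE = MatchingRule(
    name="Aruba", user_field="username={{user}},", ip_field="Framed-IP-Address={{ip}},",
    indicators={"User Authentication Successful": "Login"}, group_field="profile={{group}},")
CISCO_RULE = MatchingRule(
    name="Cisco accounting", user_field="User-Name={{user}},",
    ip_field="Framed-IP-Address={{ip}},", trigger="CISE_RADIUS_Accounting",
    indicators={"Acct-Status-Type=Start": "Login", "Acct-Status-Type=Stop": "Logout"})

# Constructed sources and sample log lines (not real device output).
SOURCES = [SyslogSource("ise01", "192.0.2.10", CISCO_RULE),
           SyslogSource("wlc01", "192.0.2.20", ARUBA_RULE)]
CISCO_START = ("<134>Jan 10 12:00:00 ise01 CISE_RADIUS_Accounting 0001 1 0 "
               "Acct-Status-Type=Start, User-Name=alice, Framed-IP-Address=10.1.2.3, NAS-Port=5,")
CISCO_STOP = CISCO_START.replace("Acct-Status-Type=Start", "Acct-Status-Type=Stop")
CISCO_INTERIM = CISCO_START.replace("Acct-Status-Type=Start", "Acct-Status-Type=Interim-Update")
ARUBA_LOGIN = ("<133>Jan 10 12:00:05 wlc01 authmgr: User Authentication Successful "
               "username=bob, Framed-IP-Address=2001:db8::42, profile=staff+guest, method=802.1x")

if __name__ == "__main__":
    for sender, msg in [("192.0.2.10", CISCO_START), ("192.0.2.10", CISCO_INTERIM),
                        ("192.0.2.20", ARUBA_LOGIN), ("198.51.100.99", CISCO_START)]:
        print(sender, "->", process(SOURCES, sender, msg))
```

The interim accounting message is dropped because neither indicator string appears in it, which is the behaviour to expect when a custom rule omits the optional Update indicator; pasting such a line into Test Rule is the quickest way to confirm which of the three indicators a device's logs actually carry.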