If you're encountering a data import issue, here is a troubleshooting checklist:
- Double-check FortiGate Syslog is configured correctly:
Configure FortiGate to send Forward, Local and Anomaly traffic via Syslog to the Fastvue Reporter machine. Please see our Getting Started Page for information on how to do this.
- Ensure FortiGate Web Filtering and Application Control is active and logging:
Ensure your main outbound Internet access policies have Web Filter and Application Control security profiles applied. Without them, FortiGate only generates traffic logs, not the Web Filter and Application Control logs Fastvue Reporter uses for site and application reporting.
To do this, go to Policies and Objects | IPv4 Policy and edit the Policies responsible for outbound Internet access. Scroll down to the Security Profiles section and ensure Web Filtering and Application Control are toggled on.
Scroll down to the Logging Options section and ensure Log Allowed Traffic is toggled on and All Sessions is selected. If Security Events is selected instead, FortiGate only logs sessions that triggered a security profile, so ordinary allowed traffic never reaches Fastvue Reporter. Generally speaking, you do not need to select Generate Logs when Session Starts, as the information Fastvue Reporter needs (bytes sent and received, duration) is recorded at session end.
Go to Log and Report | Web Filter as well as Log and Report | Application Control to ensure your FortiGate is generating log data.
- Double-check the Syslog Server IP Address
Find the Fastvue Reporter server's IP address by running ipconfig at a command prompt on the Fastvue server, then confirm that this is the IP address configured as the syslog server on your FortiGate. You can check the FortiGate side from its CLI with:
get log syslogd setting
Note: Replace syslogd with syslogd2, syslogd3 or syslogd4 if you configured the Fastvue Reporter syslog server on one of the other syslog server objects.
Make sure the server value returned is the IP address of the Fastvue Reporter server, and that status is enabled.
- Double-check the Syslog Port:
In your FortiGate's syslog settings, ensure you're using syslog port 514 or another unused port (see Check for Port Conflicts below). Again, you can check this from the FortiGate CLI with:
get log syslogd setting
In the results, ensure the port shown is the one used by your Fastvue Reporter source in Settings | Sources. Also note the mode shown (udp is the FortiGate default; reliable sends syslog over TCP); Fastvue Reporter listens on both, but an intermediate firewall rule that only permits one of them will silently drop the other.
- Check for Port Conflicts
Ensure no other application or service is using port 514 or the port you have specified as your syslog port (see above). To verify, enter the following in a command prompt on the Fastvue server:
netstat -ano | findstr ":514 "
The trailing space in the pattern keeps the output to port 514 itself rather than every port whose number contains 514 (such as 5140 or 1514). If a UDP or TCP row for the port is owned by a process ID (PID) other than the Fastvue Reporter service, or the port is listed more than once, change the port number to something else (such as port 50514) in both the FortiGate syslog settings and Fastvue Reporter's source. You can map a PID to a process name in Task Manager's Details tab.
For more information, see our article on Troubleshooting Port Conflicts.
- Ensure Fastvue Reporter is using the correct FortiGate interface IP:
FortiGate sends syslog from whichever interface its routing table selects for the path to the Fastvue server (or from the address set as the syslog source IP), so the packets may arrive from a different interface IP than the one you expect and will not match a source configured with the wrong address.
In Fastvue Reporter, go to Settings | Sources and click Add Source. Click the dropdown list and wait a few seconds. This list will populate with any device sending syslog data on port 514, or other ports specified in your existing list of Sources. If your device is shown here, select it and click Add Source.
You should soon start to see log records flowing into your source.
- Ensure there are no firewall or antivirus issues:
Ensure nothing on the Fastvue Reporter machine, such as a third-party firewall or anti-virus program, is blocking the syslog communication. Prefer adding an exception for the syslog port in use; if you need to disable a third-party firewall or anti-virus product to confirm it is the cause, do so only for the duration of the test and re-enable it afterwards.
Note: You should not have to disable Windows Firewall, as rules are added to Windows Firewall to allow the Fastvue Reporter service to receive data on all ports on both UDP and TCP during installation.
- Investigate routing issues between FortiGate and the Fastvue Server:
If the Fastvue Server and the FortiGate are not in the same network, you may need extra configuration on the intermediate routing devices to allow the syslog traffic through.
If there is a router between the two servers, pay careful attention to how that router handles the traffic: whether NAT is involved (which changes the source IP the Fastvue source must match), whether the router is the default gateway for both machines, and whether an access list permits the syslog port in the FortiGate-to-Fastvue direction.
If the Fastvue server and the FortiGate are separated by the public Internet, configure a Site-to-Site VPN between the networks so that syslog traffic traverses between them reliably and securely. Syslog over UDP is unencrypted and unauthenticated, so do not simply open the syslog port to the Internet: the logs contain internal IP addresses, usernames and browsed URLs, and anyone who can reach the port can inject fake records into your reports.
If all of the above checks out but no data is being received by Fastvue Reporter, you can enable full diagnostic logging to log all syslog messages received to Fastvue Reporter's Diagnostics log files, regardless of whether they are processed by Fastvue Reporter.
You can then send these logs to us and we can investigate if the log messages are present and/or being parsed correctly.
To do this:
- Go to Settings | Diagnostic | Log and increase the logging level to Full.
- Let the software run for five minutes, then zip and upload the latest Diagnostic log (its location is also shown in Settings | Diagnostic | Log) to http://www.fastvue.co/upload. The log should contain enough diagnostic information to help us troubleshoot this for you. Note that at the Full level the log includes the raw syslog messages received, so treat the archive as you would any other log export containing user activity.
- Once the log has been uploaded, set the logging level back to Normal, as the Full level grows the Diagnostic logs significantly over time.
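Before sending a Full diagnostic log away, it helps to confirm for yourself that the Web Filter, Application Control and traffic records the checklist above asks for are actually present in what the Fastvue server receives. The following script is an added example written for this article, not Fastvue Reporter's own code. It scans each line for FortiGate-style key=value fields, so it tolerates a leading <PRI> or any prefix a diagnostic log adds, and counts the records by type and subtype. The type/subtype pairs it looks for (traffic/forward, traffic/local, utm/webfilter, utm/app-ctrl, and type=anomaly) are assumptions taken from the FortiGate log format as commonly seen and should be checked against your firmware's log reference; the sample lines are constructed, not real captures.

```python
"""Summarise which FortiGate log categories are present in a syslog capture.

Added example for this troubleshooting article, not Fastvue Reporter code.
Usage: python fgt_log_check.py <file-of-syslog-lines>  (no argument: runs on SAMPLE)
"""
import re
import sys
from collections import Counter

# key=value pairs as FortiGate emits them: values are either double-quoted
# (may contain spaces) or a bare run of non-space characters.
KV_RE = re.compile(r'([A-Za-z_][\w-]*)=("([^"]*)"|(\S+))')

# Categories the checklist above says Fastvue Reporter needs.
EXPECTED = ["forward traffic", "local traffic", "anomaly", "web filter", "application control"]


def parse_record(line):
    """Return the key=value fields of one syslog line as a dict.

    Scans for pairs anywhere in the line, so a leading <189> priority or a
    timestamp prefix added by a diagnostic log does not break parsing."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def classify(fields):
    """Map a parsed record to a checklist category name.

    The type/subtype values below are assumptions based on the common
    FortiGate syslog format; verify them against your firmware's log reference."""
    ltype = fields.get("type", "")
    sub = fields.get("subtype", "")
    if ltype == "traffic" and sub in ("forward", "local"):
        return f"{sub} traffic"
    if ltype == "anomaly":
        return "anomaly"
    if ltype == "utm" and sub == "webfilter":
        return "web filter"
    if ltype == "utm" and sub == "app-ctrl":
        return "application control"
    return f"other ({ltype or '?'}/{sub or '?'})"


def summarise(lines):
    """Count FortiGate records per category and report expected categories never seen."""
    counts = Counter()
    parsed = 0
    for line in lines:
        fields = parse_record(line)
        if "type" not in fields:  # blank line or non-FortiGate diagnostic chatter
            continue
        parsed += 1
        counts[classify(fields)] += 1
    missing = [name for name in EXPECTED if counts[name] == 0]
    return {"records": parsed, "counts": dict(counts), "missing": missing}


# Constructed sample lines (not a real capture): one forward, one local, one
# web filter and one app-ctrl record, plus a non-syslog line a diagnostic
# log might contain. No anomaly record, so the summary should flag it.
SAMPLE = [
    '<189>date=2024-03-05 time=10:15:01 devname="FGT-LAB" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.1.1.25 srcport=51234 srcintf="port2" dstip=93.184.216.34 '
    'dstport=443 dstintf="wan1" proto=6 action="accept" policyid=1 service="HTTPS" sentbyte=2310 rcvdbyte=10240',
    '<189>date=2024-03-05 time=10:15:02 devname="FGT-LAB" type="traffic" subtype="local" '
    'level="notice" vd="root" srcip=10.1.1.25 dstip=10.1.1.1 dstport=53 proto=17 action="accept" service="DNS"',
    '<190>date=2024-03-05 time=10:15:01 devname="FGT-LAB" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="root" srcip=10.1.1.25 dstip=93.184.216.34 '
    'hostname="www.example.com" url="/" action="passthrough" catdesc="Information Technology"',
    '<190>date=2024-03-05 time=10:15:01 devname="FGT-LAB" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" level="information" vd="root" srcip=10.1.1.25 dstip=93.184.216.34 '
    'app="HTTPS.BROWSER" appcat="Web.Client" action="pass"',
    "2024-03-05 10:15:03 Diagnostic: source 10.1.1.1 sent 4 records in the last interval",
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = summarise(fh)
    else:
        result = summarise(SAMPLE)
    print(f"FortiGate records parsed: {result['records']}")
    for name, n in sorted(result["counts"].items()):
        print(f"  {name}: {n}")
    if result["missing"]:
        print("Missing categories (check the matching FortiGate setting above):",
              ", ".join(result["missing"]))
```

If a category is missing from a capture taken over a few minutes of normal browsing, the corresponding checklist item is the one to revisit: no web filter or application control records points at the security profiles or logging options on the outbound policy, while no traffic records at all points at the syslog server address, port or routing checks.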