Task 07: Configure Network Device Logging
DOCUMENT CATEGORY: Runbook
SCOPE: Network device logging infrastructure
PURPOSE: Configure syslog and SNMP from switches/firewalls to syslog server
MASTER REFERENCE: FortiGate Logging
Status: Draft
This step configures network devices (switches, firewalls) to forward syslog messages and SNMP traps to a dedicated syslog Linux server. This provides centralized logging for network infrastructure monitoring and troubleshooting.
Syslog Server Requirements
A dedicated syslog/NDM server must exist before configuring network devices to forward to it.
Syslog Server Can Live Anywhere
The syslog server is deployment-agnostic. Set syslog_deployment_target in your variables to azure, azurelocal, or onprem.
Syslog server requirements:
| Requirement | Value |
|---|---|
| OS | Linux (Ubuntu 22.04 LTS or later recommended) |
| Inbound UDP 514 | Syslog receive from network devices |
| Inbound UDP 161 | SNMP polling |
| Inbound UDP 162 | SNMP trap receive |
| Outbound to Azure Monitor | Required for AMA forwarding |
| Azure Monitor Agent (AMA) | Installed and configured |
| Deployment target | azure | azurelocal | onprem |
Capture syslog server details in config/variables.yml:
compute:
vms:
management:
syslog:
syslog_hostname: "syslog01"
syslog_ip: "10.20.1.50"
syslog_fqdn: "syslog01.corp.example.com"
syslog_deployment_target: "azure" # azure | azurelocal | onprem
Overview
| Component | Protocol | Port | Purpose |
|---|---|---|---|
| Syslog | UDP/TCP | 514 | System logs, security events, configuration changes |
| SNMP Traps | UDP | 162 | Critical alerts, interface status, hardware failures |
| SNMP Polling | UDP | 161 | Performance metrics, device discovery |
Architecture
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ FortiGate │────▶│ NDM Server │────▶│ Log Analytics │
│ Firewall │ │ (rsyslog) │ │ (via AMA) │
└─────────────────┘ └─────────────────┘ └─────────────────┘
▲
┌─────────────────┐ │
│ Dell/Cisco │────────────┘
│ Switches │
└─────────────────┘
Prerequisites
- Syslog Linux server deployed and accessible (see Server Requirements above;
compute.vms.management.syslog.syslog_ip) - Network connectivity between network devices and syslog server
- Firewall rules allowing syslog (UDP 514) and SNMP (UDP 161/162)
- Administrative access to network devices
Part 1: NDM Server Syslog Configuration
Configure rsyslog to Receive Remote Logs
Connect to the NDM server and configure rsyslog:
# SSH to NDM server
ssh adminuser@ndm-server-ip
# Enable UDP syslog reception in rsyslog
sudo vi /etc/rsyslog.conf
# Uncomment or add these lines:
# module(load="imudp")
# input(type="imudp" port="514")
# For TCP syslog (more reliable):
# module(load="imtcp")
# input(type="imtcp" port="514")
Create Separate Log Files by Source
# Create rsyslog configuration for network devices
sudo vi /etc/rsyslog.d/10-network-devices.conf
Add the following configuration:
# Template for network device logs
template(name="NetworkDeviceLogs" type="string"
string="/var/log/network/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
# FortiGate logs
if $fromhost-ip startswith '10.x.x.' then {
action(type="omfile" dynaFile="NetworkDeviceLogs")
stop
}
# Dell/Cisco switch logs
if $programname == 'switch' or $syslogtag contains 'SWITCH' then {
action(type="omfile" dynaFile="NetworkDeviceLogs")
stop
}
Create Log Directory and Restart rsyslog
# Create log directory
sudo mkdir -p /var/log/network
sudo chmod 755 /var/log/network
# Restart rsyslog
sudo systemctl restart rsyslog
# Verify rsyslog is listening
sudo ss -ulnp | grep 514
Part 2: Configure FortiGate Syslog
- FortiGate GUI
- FortiGate CLI
- Navigate to Log Settings
- Log in to FortiGate GUI
- Go to Log & Report → Log Settings
- Configure Remote Syslog
- Click Create New under Remote Logging
- Name:
ndm-syslog - Server IP/FQDN:
<NDM-Server-IP> - Port:
514 - Level:
Information(or Warning for reduced volume) - Facility:
local7 - Source IP: Interface IP facing NDM server
- Select Log Types
- Enable: Traffic, Event, Security
- Configure severity levels as needed
- Apply and Test
- Click OK to save
- Generate test traffic and verify logs appear on NDM server
# Configure syslog server
config log syslogd setting
set status enable
set server "<NDM-Server-IP>"
set port 514
set facility local7
set source-ip "<FortiGate-Interface-IP>"
set format default
end
# Configure log filters
config log syslogd filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic disable
set anomaly enable
set voip enable
end
# Verify configuration
get log syslogd setting
Part 3: Configure Dell Switch Syslog
- Dell OS10
- Dell OS9
# Configure syslog server
logging server <NDM-Server-IP>
# Set logging severity (0=emergency to 7=debug)
logging server <NDM-Server-IP> severity info
# Set source interface
logging source-interface vlan 100
# Enable logging
logging enable
# Verify configuration
show logging
# Configure syslog host
logging <NDM-Server-IP>
# Set severity level
logging trap informational
# Set facility
logging facility local7
# Verify
show logging
Part 4: Configure SNMP Traps
NDM Server - SNMP Trap Receiver
# Install snmptrapd
sudo apt install snmptrapd -y # Ubuntu/Debian
sudo yum install net-snmp -y # RHEL/CentOS
# Configure trap receiver
sudo vi /etc/snmp/snmptrapd.conf
# Add:
disableAuthorization yes
traphandle default /usr/bin/logger -t snmptrap
FortiGate SNMP Configuration
# Enable SNMP
config system snmp sysinfo
set status enable
set description "FortiGate Firewall"
set contact-info "{{noc_email}}"
set location "<Site-Location>"
end
# Configure SNMP community for traps
config system snmp community
edit 1
set name "Azure Local Cloud-snmp"
config hosts
edit 1
set ip <NDM-Server-IP> 255.255.255.255
next
end
set trap-v2c-status enable
set trap-v2c-rport 162
next
end
Dell Switch SNMP Configuration
# Configure SNMP community
snmp-server community Azure Local Cloud-snmp ro
# Configure trap receiver
snmp-server host <NDM-Server-IP> traps Azure Local Cloud-snmp
# Enable specific traps
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps entity
snmp-server enable traps envmon
Validation
Verify Syslog Reception
# On NDM server, watch for incoming logs
sudo tail -f /var/log/syslog | grep -E "FortiGate|switch"
# Check network device log directory
ls -la /var/log/network/
# Test with logger from NDM server (local test)
logger -p local7.info "Test syslog message"
Verify SNMP Traps
# Watch for SNMP traps
sudo tail -f /var/log/syslog | grep snmptrap
# Test by triggering a trap (e.g., interface down/up on switch)
Expected Results
| Check | Expected Result |
|---|---|
| rsyslog listening | UDP 514 bound |
| FortiGate logs appearing | Messages in /var/log/network/<hostname>/ |
| Switch logs appearing | Messages in /var/log/network/<hostname>/ |
| SNMP traps received | Entries in /var/log/syslog with snmptrap tag |
Log Retention
Configure logrotate for network device logs:
sudo vi /etc/logrotate.d/network-devices
/var/log/network/*/*.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 644 syslog adm
}
Integration with Azure Monitor (Optional)
To forward network device logs to Azure Log Analytics:
- Ensure Azure Monitor Agent (AMA) is installed on NDM server
- Create a DCR that collects from
/var/log/network/ - Configure custom log table in Log Analytics
{
"dataSources": {
"logFiles": [
{
"name": "NetworkDeviceLogs",
"streams": ["Custom-NetworkDevices_CL"],
"filePatterns": ["/var/log/network/*/*.log"],
"format": "text"
}
]
}
}
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| No logs received | Firewall blocking | Verify NSG/firewall rules for UDP 514 |
| Logs not separated | rsyslog config | Check rsyslog template and filters |
| SNMP traps missing | Community mismatch | Verify community string matches |
| High log volume | Severity too low | Increase severity to warning/error |
Next Steps
This completes the network device logging configuration. Proceed to the next stage or return to the Phase 17 Overview.
Stage Complete
You have completed Phase 17: Monitoring & Observability.
Summary of Configured Components
| Step | Component | Status |
|---|---|---|
| 1 | Azure Monitor | ✅ Configured |
| 2 | HCI Insights | ✅ Enabled |
| 3 | OMIMSWAC Monitoring | ✅ Deployed |
| 4 | Log Analytics | ✅ Configured |
| 5 | Alerting | ✅ Setup |
| 6 | Network Device Logging | ✅ Configured |
Next Stage: Phase 19: Backup & DR
Toolkit Reference
Scripts for this task are located in the azurelocal-toolkit repository under scripts/deploy/ in the appropriate task folder.
Alternatives
The procedures in this task use the scripted methods shown in the tabs above. Additional deployment methods including Azure CLI and Bash scripts are available in the azurelocal-toolkit repository under scripts/deploy/.
| Method | Description |
|---|---|
| Azure CLI | PowerShell-based Azure CLI scripts for Azure resource operations |
| Bash | Linux/macOS compatible shell scripts for pipeline environments |
Navigation
| Previous | Up |
|---|---|
| ← Task 06: Deploy OMIMSWAC Monitoring | Phase 02: Monitoring & Observability |
Variables from variables.yml
| Variable | Config Path | Example |
|---|---|---|
| Syslog Server | operational.monitoring.syslog_server | 10.0.0.20 |
| Syslog Port | operational.monitoring.syslog_port | 514 |
| Log Level | operational.monitoring.network_log_level | Informational |
Version Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0.0 | 2025-03-25 | Azure Local Cloud | Initial release |