Task 06: Configure Network Device Logging
DOCUMENT CATEGORY: Runbook
SCOPE: Network device logging infrastructure
PURPOSE: Configure syslog and SNMP from switches/firewalls to NDM server
MASTER REFERENCE: FortiGate Logging
Status: Draft
This step configures network devices (switches, firewalls) to forward syslog messages and SNMP traps to the NDM Linux server deployed in Stage 06. This provides centralized logging for network infrastructure monitoring and troubleshooting.
Overview
| Component | Protocol | Port | Purpose |
|---|---|---|---|
| Syslog | UDP/TCP | 514 | System logs, security events, configuration changes |
| SNMP Traps | UDP | 162 | Critical alerts, interface status, hardware failures |
| SNMP Polling | UDP | 161 | Performance metrics, device discovery |
Architecture
```
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│    FortiGate    │────▶│   NDM Server    │────▶│  Log Analytics  │
│    Firewall     │     │    (rsyslog)    │     │    (via AMA)    │
└─────────────────┘     └─────────────────┘     └─────────────────┘
                               ▲
┌─────────────────┐            │
│   Dell/Cisco    │────────────┘
│    Switches     │
└─────────────────┘
```
Prerequisites
- NDM Linux server deployed (Stage 06, Step 11)
- Network connectivity between devices and NDM server
- Firewall rules allowing syslog (UDP 514) and SNMP (UDP 161/162)
- Administrative access to network devices
Part 1: NDM Server Syslog Configuration
Configure rsyslog to Receive Remote Logs
Connect to the NDM server and configure rsyslog:
```bash
# SSH to NDM server
ssh adminuser@ndm-server-ip

# Enable UDP syslog reception in rsyslog
sudo vi /etc/rsyslog.conf
# Uncomment or add these lines:
# module(load="imudp")
# input(type="imudp" port="514")
# For TCP syslog (more reliable):
# module(load="imtcp")
# input(type="imtcp" port="514")
```
Create Separate Log Files by Source
```bash
# Create rsyslog configuration for network devices (10- sorts before 50-default.conf)
sudo vi /etc/rsyslog.d/10-network-devices.conf
```
Add the following configuration:
```
# Template for network device logs: one directory per source host, one file per day
template(name="NetworkDeviceLogs" type="string"
         string="/var/log/network/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# FortiGate logs, matched by source address: replace 10.x.x. with the prefix of
# the FortiGate interface facing the NDM server. "stop" ends processing, so these
# messages are written here and not also to /var/log/syslog.
if $fromhost-ip startswith '10.x.x.' then {
    action(type="omfile" dynaFile="NetworkDeviceLogs")
    stop
}

# Dell/Cisco switch logs, matched by tag: adjust to the tag your switches send
if $programname == 'switch' or $syslogtag contains 'SWITCH' then {
    action(type="omfile" dynaFile="NetworkDeviceLogs")
    stop
}
```
Create Log Directory and Restart rsyslog
```bash
# Create log directory. rsyslog on Debian/Ubuntu drops privileges to the syslog
# user, which must own the tree to create the per-host sub-directories
sudo mkdir -p /var/log/network
sudo chown syslog:adm /var/log/network
sudo chmod 755 /var/log/network
# Check the configuration, then restart rsyslog
sudo rsyslogd -N1
sudo systemctl restart rsyslog
# Verify rsyslog is listening (UDP and TCP)
sudo ss -ulntp | grep ':514'
```
Part 2: Configure FortiGate Syslog
FortiGate GUI
- Navigate to Log Settings
  - Log in to FortiGate GUI
  - Go to Log & Report → Log Settings
- Configure Remote Syslog
  - Click Create New under Remote Logging
  - Name: ndm-syslog
  - Server IP/FQDN: <NDM-Server-IP>
  - Port: 514
  - Level: Information (or Warning for reduced volume)
  - Facility: local7
  - Source IP: Interface IP facing NDM server
- Select Log Types
  - Enable: Traffic, Event, Security
  - Configure severity levels as needed
- Apply and Test
  - Click OK to save
  - Generate test traffic and verify logs appear on NDM server
FortiGate CLI
```
# Configure syslog server
config log syslogd setting
    set status enable
    set server "<NDM-Server-IP>"
    set port 514
    set facility local7
    set source-ip "<FortiGate-Interface-IP>"
    set format default
end

# Configure log filters
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic disable
    set anomaly enable
    set voip enable
end

# Verify configuration
get log syslogd setting
```
Part 3: Configure Dell Switch Syslog
Dell OS10
```
# Configure syslog server
logging server <NDM-Server-IP>
# Set logging severity (0=emergency to 7=debug)
logging server <NDM-Server-IP> severity info
# Set source interface
logging source-interface vlan 100
# Enable logging
logging enable
# Verify configuration
show logging
```
Dell OS9
```
# Configure syslog host
logging <NDM-Server-IP>
# Set severity level
logging trap informational
# Set facility
logging facility local7
# Verify
show logging
```
Part 4: Configure SNMP Traps
NDM Server - SNMP Trap Receiver
```bash
# Install snmptrapd
sudo apt install snmptrapd -y   # Ubuntu/Debian
sudo yum install net-snmp -y    # RHEL/CentOS
# Configure trap receiver
sudo vi /etc/snmp/snmptrapd.conf
# Add:
# disableAuthorization yes accepts traps sent with any community string; to accept
# only the community configured on the devices, use instead:
#   authCommunity log,execute "<SNMP-Community>"
disableAuthorization yes
traphandle default /usr/bin/logger -t snmptrap
# Start the receiver on UDP 162 and keep it enabled across reboots
sudo systemctl enable --now snmptrapd
```
FortiGate SNMP Configuration
```
# Enable SNMP
config system snmp sysinfo
    set status enable
    set description "FortiGate Firewall"
    set contact-info "{{noc_email}}"
    set location "<Site-Location>"
end

# Configure SNMP community for traps
config system snmp community
    edit 1
        set name "Azure Local Cloud-snmp"
        # Host entry with a /32 mask: only the NDM server may use this community
        config hosts
            edit 1
                set ip <NDM-Server-IP> 255.255.255.255
            next
        end
        set trap-v2c-status enable
        set trap-v2c-rport 162
    next
end
```
Dell Switch SNMP Configuration
```
# Configure SNMP community (read-only). The string is a single CLI token and must
# match the FortiGate and snmptrapd value exactly; a name containing spaces, as
# below, must be replaced by one without spaces before it is entered
snmp-server community Azure Local Cloud-snmp ro
# Configure trap receiver
snmp-server host <NDM-Server-IP> traps Azure Local Cloud-snmp
# Enable specific traps
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps entity
snmp-server enable traps envmon
```
Validation
Verify Syslog Reception
```bash
# On NDM server, watch for incoming device logs. Messages matched in
# 10-network-devices.conf are written here and stopped, so they do not
# appear in /var/log/syslog.
sudo tail -f /var/log/network/*/*.log
# Check network device log directory (one sub-directory per source hostname)
ls -la /var/log/network/
# Local test: logger uses the Unix socket (source 127.0.0.1), so this message
# lands in /var/log/syslog rather than under /var/log/network/
logger -p local7.info "Test syslog message"
# Remote-path test from a host on the device subnet (util-linux logger, UDP)
logger -n <NDM-Server-IP> -P 514 -d -p local7.info "Test syslog message"
# On the FortiGate, generate sample log entries of each type: diagnose log test
```
Verify SNMP Traps
```bash
# Watch for SNMP traps
sudo tail -f /var/log/syslog | grep snmptrap
# Test by triggering a trap (e.g., interface down/up on switch)
```
Expected Results
| Check | Expected Result |
|---|---|
| rsyslog listening | UDP 514 bound |
| FortiGate logs appearing | Messages in /var/log/network/<hostname>/ |
| Switch logs appearing | Messages in /var/log/network/<hostname>/ |
| SNMP traps received | Entries in /var/log/syslog with snmptrap tag |
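A health check for this log tree, added here as an example and not part of the runbook: it parses FortiGate `format default` key=value lines to count messages per level (useful when tuning the syslog filter severity) and flags devices whose newest file under /var/log/network/<hostname>/ is older than a threshold, since a device that silently stops forwarding is a monitoring gap. The sample lines, the `FGT-PLACEHOLDER` devid and the logid values are constructed.

```python
"""Health check for the NDM network-device log tree (added example, not part of the
runbook). Assumes the rsyslog template from Part 1 (/var/log/network/<hostname>/
with daily .log files) and FortiGate 'set format default' key=value payloads."""
import re
import time
from pathlib import Path

# One key=value token; a quoted value may contain spaces, commas or '='.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_kv(line: str) -> dict:
    """Return the key=value fields of one FortiGate syslog line (PRI prefix ignored)."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}

def severity_counts(lines) -> dict:
    """Count messages per FortiGate 'level', to see what a given filter severity admits."""
    counts = {}
    for line in lines:
        level = parse_fortigate_kv(line).get("level", "unknown")
        counts[level] = counts.get(level, 0) + 1
    return counts

def newest_log_mtime(root: Path) -> dict:
    """Map each device directory under root to the mtime of its newest .log (None if empty)."""
    return {d.name: max((p.stat().st_mtime for p in d.glob("*.log")), default=None)
            for d in root.iterdir() if d.is_dir()}

def stale_sources(newest: dict, now: float, max_age_s: float) -> list:
    """Devices whose newest log is missing or older than max_age_s: a logging gap."""
    return sorted(h for h, ts in newest.items() if ts is None or now - ts > max_age_s)

# Constructed sample lines; devid and logid values are placeholders, not real ones.
SAMPLE_LINES = [
    '<189>date=2024-01-15 time=10:23:45 devname="fgt-edge-01" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.25 '
    'dstip=203.0.113.10 action="accept" msg="policy hit, with comma"',
    '<190>date=2024-01-15 time=10:24:02 devname="fgt-edge-01" devid="FGT-PLACEHOLDER" '
    'logid="0100032001" type="event" subtype="system" level="information" user="admin" '
    'msg="Administrator admin logged in successfully from ssh(10.0.1.5)"',
    '<188>date=2024-01-15 time=10:25:10 devname="fgt-edge-01" devid="FGT-PLACEHOLDER" '
    'logid="0100044546" type="event" subtype="system" level="warning" msg="config changed"',
]

if __name__ == "__main__":
    print("messages per level:", severity_counts(SAMPLE_LINES))
    root = Path("/var/log/network")
    if root.is_dir():  # on the NDM server: report devices silent for more than 15 minutes
        print("stale sources:", stale_sources(newest_log_mtime(root), time.time(), 900))
```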
Log Retention
Configure logrotate for network device logs:
```bash
sudo vi /etc/logrotate.d/network-devices
```
```
/var/log/network/*/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 644 syslog adm
}
```
Integration with Azure Monitor (Optional)
To forward network device logs to Azure Log Analytics:
- Ensure Azure Monitor Agent (AMA) is installed on NDM server
- Create a DCR that collects from /var/log/network/
- Configure custom log table in Log Analytics
The dataSources fragment of the DCR:
```json
{
  "dataSources": {
    "logFiles": [
      {
        "name": "NetworkDeviceLogs",
        "streams": ["Custom-NetworkDevices_CL"],
        "filePatterns": ["/var/log/network/*/*.log"],
        "format": "text"
      }
    ]
  }
}
```
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| No logs received | Firewall blocking | Verify NSG/firewall rules for UDP 514 |
| Logs not separated | rsyslog config | Check rsyslog template and filters |
| SNMP traps missing | Community mismatch | Verify community string matches |
| High log volume | Severity too low | Increase severity to warning/error |
Next Steps
This completes the network device logging configuration. Proceed to the next stage or return to the Phase 17 Overview.
Stage Complete
You have completed Phase 17: Monitoring & Observability.
Summary of Configured Components
| Step | Component | Status |
|---|---|---|
| 1 | Azure Monitor | ✅ Configured |
| 2 | HCI Insights | ✅ Enabled |
| 3 | OMIMSWAC Monitoring | ✅ Deployed |
| 4 | Log Analytics | ✅ Configured |
| 5 | Alerting | ✅ Setup |
| 6 | Network Device Logging | ✅ Configured |
Next Stage: Phase 19: Backup & DR