Collector Syslog Guide
How to trigger ConfigSentry collection from FortiGate configuration-change syslog events
1. Confirm the Collector Listener
On the collector machine, confirm the collector status shows the syslog listener as running and note the configured IP and UDP port. By default this is:
0.0.0.0:2216
If your collector is configured to listen on a specific address or port, use that value instead.
2. Configure FortiGate Syslog Destination
Point the FortiGate syslog configuration at the collector host and UDP port. The exact command set depends on your existing FortiGate logging configuration, but the target should be the collector listener IP and UDP port.
3. Configure the Required Free-Style Filter
FortiGate should send only the configuration-change events needed by the collector. Use the free-style filter below:
config log syslogd filter
    config free-style
        edit 99
            set category event
            set filter "(logid 0100044546 0100044547)"
            set filter-type include
        next
    end
end
4. Relevant FortiGate Log IDs
The collector listens for these FortiGate configuration-change event log IDs:
0100044547 – LOGID_EVENT_CONFIG_OBJATTR – object created / modified / deleted
0100044546 – LOGID_EVENT_CONFIG_ATTR – global / system attribute changed
5. Example Event Payloads
Example object-change event:
date=2025-04-10 time=05:01:53 eventtime=1744286513150014241 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(10.32.22.115)" action="Add" cfgtid=126746708 uuid="961e8b5a-1603-51f0-e0c5-204b0b600edc" cfgcomment="test" cfgpath="firewall.policy" cfgobj="8" cfgattr="name[testconfig]srcintf[port5]dstintf[port1]action[accept]srcaddr[all]dstaddr[all] schedule[always]service[ALL]nat[enable]" msg="Add firewall.policy 8"
Example system/global attribute-change event:
date=2025-04-10 time=05:23:12 eventtime=1744287792378243085 tz="-0700" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="jsconsole(10.32.22.115)" action="Edit" cfgtid=821297153 cfgpath="system.global" cfgattr="admintimeout[5->120]" msg="Edit system.global "
6. What the Collector Does
When the collector receives one of these syslog events, it triggers a targeted collection for the source IP of the FortiGate event. The collector also applies a short cooldown per source IP to avoid repeated collections during a burst of configuration-change messages.
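The trigger behaviour described above, written out as an added Python example (not ConfigSentry's own code): it parses the key=value payload, accepts only the two log IDs from this guide, and applies a cooldown per source IP. The names parse_fortigate_kv and CollectionTrigger, the 30-second cooldown, and the sample source addresses and payloads are assumptions; the guide only says the cooldown is short.

```python
import re

# Log IDs from this guide: attribute change and object change.
CONFIG_CHANGE_LOGIDS = {"0100044546", "0100044547"}
COOLDOWN_SECONDS = 30.0  # assumption: the guide only says "short"
# key=value or key="quoted value"; quoted values may contain spaces
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_kv(payload):
    """Return the key/value fields of one FortiGate syslog payload as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(payload)}

class CollectionTrigger:
    """Decide whether a syslog datagram should start a targeted collection."""
    def __init__(self, cooldown=COOLDOWN_SECONDS):
        self.cooldown = cooldown
        self._last_trigger = {}  # source IP -> time of last collection

    def handle(self, source_ip, payload, now):
        fields = parse_fortigate_kv(payload)
        if fields.get("logid") not in CONFIG_CHANGE_LOGIDS:
            return None  # not a configuration-change event
        last = self._last_trigger.get(source_ip)
        if last is not None and now - last < self.cooldown:
            return None  # burst from the same device: still cooling down
        self._last_trigger[source_ip] = now
        # The target is the datagram's source address, never a payload field:
        # UDP syslog content is unauthenticated and must not choose the target.
        return {"target": source_ip, "user": fields.get("user"),
                "action": fields.get("action"), "cfgpath": fields.get("cfgpath")}

# Constructed sample input, shortened from the example payloads above.
# Source addresses are from the documentation range 192.0.2.0/24.
ATTR = 'logid="0100044546" user="admin" action="Edit" cfgpath="system.global" msg="Edit system.global "'
OBJ = 'logid="0100044547" user="admin" action="Add" cfgpath="firewall.policy" cfgobj="8"'
OTHER = 'logid="0000000000" user="admin" action="Edit"'  # constructed non-matching ID
SAMPLE = [("192.0.2.10", 0.0, ATTR), ("192.0.2.10", 2.0, OBJ), ("192.0.2.20", 3.0, OBJ),
          ("192.0.2.10", 45.0, OBJ), ("192.0.2.10", 46.0, OTHER)]

def run_sample():
    """Feed the constructed events through one trigger; None means no collection."""
    trigger = CollectionTrigger()
    return [trigger.handle(ip, payload, now) for ip, now, payload in SAMPLE]

if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

Because the free-style filter runs on the FortiGate, the log ID check in the receiver is a second line of defence against anything else that reaches the UDP port.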