Dear colleagues,

I'm trying to set up a local syslog collector to gather the logs from a Fortinet NG firewall. Following the instructions in Azure, I installed the syslog agent on Ubuntu, and when I start the diagnostics, it says that it is receiving logs on port 514. And then the error is:

“Error: agent is not listening to incoming port 25266 please check that the process is up and running and the port is configured correctly.”

I tried to use netstat -an | grep 25266, but nothing is returned as a result.

I checked the firewall of the machine with sudo ufw status, but it says status: inactive.

Tried on Ubuntu desktop and Ubuntu server 22.03 with no luck.

There is nothing in the MS documentation about how to solve this issue.

Has anyone faced such a configuration issue?

6 Spice ups

If you are using a hardware firewall, you should open up that port to that IP address.

Notice that syslog is UDP, not TCP!!! But you should rather redirect it to TCP 6514 (encrypted).
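The original post and the reply above both come down to the same check: is the collector actually bound on udp/514 and tcp/25266, and is the protocol right? The following script is an added example and not part of this thread or of any Microsoft tooling; it parses a constructed sample of `ss -lntu` output (the real command on the box would be `ss -lntu` or the `netstat -an` the poster used) and reports which expected listeners are missing, distinguishing UDP from TCP so that a TCP-only bind on 514 is not mistaken for a working syslog listener. It also runs a loopback UDP self-test that sends one constructed CEF-style syslog datagram to a throw-away local socket, which is the kind of end-to-end check to run before blaming the upstream firewall. The expected port set and the sample output are assumptions for the example.

```python
import re
import socket

# Constructed sample of `ss -lntu` output (not taken from the thread). It models
# the situation in the original post: the host is bound on udp/514 for syslog
# but nothing is listening on tcp/25266, the agent's internal port.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*
udp   UNCONN 0      0               [::]:514           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
"""

# Listeners the collector is expected to have, taken from the two port numbers
# quoted in the diagnostics message in the original post (assumption: 25266 is TCP).
EXPECTED_LISTENERS = {("udp", 514), ("tcp", 25266)}


def parse_ss_listeners(text):
    """Return the set of (protocol, port) pairs that `ss -lntu`-style output reports as bound.

    Only the Netid and Local Address:Port columns are used, so the parser does not
    care whether the state column says LISTEN (tcp) or UNCONN (udp)."""
    listeners = set()
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        match = re.search(r":(\d+)$", local)    # port is whatever follows the last colon
        if proto in ("udp", "tcp") and match:
            listeners.add((proto, int(match.group(1))))
    return listeners


def missing_listeners(text, expected=EXPECTED_LISTENERS):
    """Return the expected (protocol, port) pairs that are NOT bound, sorted for stable output."""
    return sorted(expected - parse_ss_listeners(text))


def udp_syslog_loopback_test(message, timeout=2.0):
    """Bind a UDP receiver on an ephemeral loopback port, send one datagram to it,
    and return True only if the exact bytes arrive. Substituting the collector's
    real port for the ephemeral one turns this into a send-side check of the agent."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))         # port 0 = let the kernel pick a free port
        receiver.settimeout(timeout)
        port = receiver.getsockname()[1]
        sender.sendto(message, ("127.0.0.1", port))
        data, _ = receiver.recvfrom(65535)
        return data == message
    except socket.timeout:
        return False
    finally:
        sender.close()
        receiver.close()


# Constructed CEF-style syslog line (priority 134 = local0.info); vendor and
# product fields are placeholders, not a real Fortinet event.
SAMPLE_CEF_MESSAGE = b"<134>CEF:0|ExampleVendor|ExampleProduct|1.0|100|test event|3|src=192.0.2.10"


if __name__ == "__main__":
    missing = missing_listeners(SAMPLE_SS_OUTPUT)
    if missing:
        for proto, port in missing:
            print(f"not bound: {proto}/{port} (check the agent process and its config)")
    else:
        print("all expected listeners are bound")
    print("loopback UDP syslog delivery:", "ok" if udp_syslog_loopback_test(SAMPLE_CEF_MESSAGE) else "FAILED")
```

Run on a real host by replacing SAMPLE_SS_OUTPUT with the output of `ss -lntu` (or feeding it via subprocess). Because the parser keys on protocol as well as port, a line like `tcp LISTEN ... 0.0.0.0:514` alone still reports udp/514 as missing, which is exactly the UDP-versus-TCP mismatch the reply above warns about.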

We had the exact same issue and nothing we tried would help, so I’m posting this here in case someone else with the same issue stumbles upon this post like I did.

The Sentinel Fortinet connector page only has instructions for installing the CEF collector agent, but not the OMS agent. Due to this, not only was the agent not working properly, but we would never have figured out on our own that it was missing.

For OMS agent installation instructions go to: Log Analytics Workspace > Agents Management > Linux Servers, or just

e.g.:
wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w -s -d opinsights.azure.com

This is the thread I posted, which includes the answer that helped us: Connecting Fortinet to Sentinel - Microsoft Q&A

I also managed to get it working - I just tried it on Debian and it works like a charm. I believe that certain folder paths and names in Ubuntu are changed and the script is unable to install all the required info.