Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAnalyzer 7.6.3 Administration Guide
    7.6.3
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    SIEM log parsers

    SIEM log parsers

    FortiAnalyzer's SIEM capabilities parse, normalize, and correlate logs from Fortinet products as well as third-party applications. For example, there are built-in log parsers for Apache and Nginx web servers, and the security event logs of Windows and Linux hosts (with Fabric Agent integration). Additionally, more log parsers for other third-party applications can also be added from FortiGuard when FortiAnalyzer has a valid license for the Security Automation Service.

    The SIEM logs parsed by these log parsers are displayed in Log View > Logs > All and can be used when generating reports or creating event handlers.

    Parsing from the built-in log parsers and FortiGuard log parsers is predefined by FortiAnalyzer and does not require manual configuration by administrators. The predefined SIEM log parsers can be managed in Incidents & Events > Log Parsers. This pane includes predefined log parsers, log parsers from FortiGuard, and any custom log parsers that you have imported.

    The Incidents & Events > Log Parsers pane is only available in Fabric ADOMs.

    This topic includes information about:

    For more information about normalized fabric logs, including the normalized log fields, see the Fabric Normalization Reference on the Fortinet Document Library.

    Log Parsers

    Go to Incidents & Events > Log Parsers > Log Parsers to view all available log parsers in the table view.

    The table view includes the following columns:

    Column Description

    Name

    The name of the SIEM log parser.

    Application

    The application of the log parser.

    Category

    The category of the log parser.

    Origin

    The origin of the log parser.

    Predefined log parsers indicate the origin is Built-in. Log parsers delivered in content packages will indicate the origin is FortiGuard. For more information, see Finding Security Automation Service objects.

    Status

    The status of the log parser: Enabled or Disabled.

    Priority

    The priority of the log parser. To change the priority of a log parser, click More > Reorder.

    Double-click a log parser in the table view to display the Log View for Log Parser pane. This pane displays all related SIEM logs for the log parser in a table view.

    Tooltip

    You can also view the SIEM logs from Log View > Logs > All. Filter the log view by Data Parser Name = name of the log parser to display the related logs. For example, filter by Data Parser Name = FortiGate Log Parser to display logs related to the FortiGate Log Parser.

    You can perform the following actions from Incidents & Events > Log Parsers > Log Parsers:

    Action Description

    Import

    Import a custom log parser. The log parser must be in JSON format.

    For more information, see Custom Log Parsers on the Fortinet Document Library.

    Export

    Export a log parser in the JSON format.

    View Logs

    Open the Log View for Log Parser pane to display all related SIEM logs in a table view.

    Delete

    Delete a custom log parser. You cannot delete a predefined log parser.

    Enable

    Enable a log parser.

    Disable

    Disable a log parser. You cannot disable a log parser if it is assigned and in use.

    Validate

    Validate a raw log with the selected log parser. You cannot perform the Validate action with more than one log parser at a time.

    Reorder

    Change the priority of a log parser. In the Change Parser Priority pane, you can drag and drop the log parsers in the table view to the desired priority.
    To import a custom log parser:

    1. In Incidents & Events > Log Parsers > Log Parsers, click Import.

      The Import Log Parser dialog displays.

    2. Drag and drop or select the log parser.

      The log parser must be in the correct format as a JSON file to meet the requirements checked during the import.

    3. Click OK.

    To export a log parser:

    1. In Incidents & Events > Log Parsers > Log Parsers, select the checkbox for log parser(s).

    2. Click Export.

      The log parser(s) are exported in JSON format. You can export predefined log parsers to use them as a template for custom log parsers.

    To enable or disable a log parser:

    1. In Incidents & Events > Log Parsers > Log Parsers, select the checkbox for log parser(s).

    2. Click Enable or Disable.

      The Enable action is only available when the selected log parsers are disabled.

      The Disable action is only available when the selected log parsers are enabled. The action can only be performed when the log parser is not assigned to any devices.

    To validate if the original logs can be parsed:

    1. In Incidents & Events > Log Parsers > Log Parsers, select the checkbox for a log parser.

    2. Click Validate.

      The Validate Log Parser pane opens.

    3. Enter a log to validate and click Validate.

      A Parse Result displays in the Validate Log Parser pane.

    Note

    Third party logs can be parsed in JSON format.

    Assigned Parsers

    Go to Incidents & Events > Log Parsers > Assigned Parsers to view the devices/applications and their current log parser assignments in a table view.

    In some cases, a SYSLOG-XXXXXXXX device is autoamtically created for third-party application log parsers, such as those from FortiGuard. These devices are automatically assigned according to the matched patterns on the raw logs. For example, see Microsoft management activity API connector.

    If the raw logs are not matched to any log parser, the Generic SYSLOG parser will be automatically assigned to the device.

    To assign a log parser to a device/application:

    1. In Incidents & Events > Log Parsers > Assigned Parsers, click Create New.

      The Assign Parser pane displays.

    2. From the Device ID dropdown, select a device for the log parser assignment.

    3. From the Application dropdown, select an application for the log parser assignment.

    4. From the Current Parser dropdown, select the log parser.

      The log parser must use the selected Application. See Incidents & Events > Log Parsers > Log Parsers to determine which application is used by the log parser.

    5. Click OK.

    To edit a log parser assignment:

    1. In Incidents & Events > Log Parsers > Assigned Parsers, click Create New.

      The Change Parser pane displays.

    2. From the Current Parser dropdown, select the log parser.

      The log parser must use the selected Application. See Incidents & Events > Log Parsers > Log Parsers to determine which application is used by the log parser.

    3. Click OK.

    Previous
    Next

    SIEM log parsers

    SIEM log parsers

    FortiAnalyzer's SIEM capabilities parse, normalize, and correlate logs from Fortinet products as well as third-party applications. For example, there are built-in log parsers for Apache and Nginx web servers, and the security event logs of Windows and Linux hosts (with Fabric Agent integration). Additionally, more log parsers for other third-party applications can also be added from FortiGuard when FortiAnalyzer has a valid license for the Security Automation Service.

    The SIEM logs parsed by these log parsers are displayed in Log View > Logs > All and can be used when generating reports or creating event handlers.

    Parsing from the built-in log parsers and FortiGuard log parsers is predefined by FortiAnalyzer and does not require manual configuration by administrators. The predefined SIEM log parsers can be managed in Incidents & Events > Log Parsers. This pane includes predefined log parsers, log parsers from FortiGuard, and any custom log parsers that you have imported.

    The Incidents & Events > Log Parsers pane is only available in Fabric ADOMs.

    This topic includes information about:

    For more information about normalized fabric logs, including the normalized log fields, see the Fabric Normalization Reference on the Fortinet Document Library.

    Log Parsers

    Go to Incidents & Events > Log Parsers > Log Parsers to view all available log parsers in the table view.

    The table view includes the following columns:

    Column Description

    Name

    The name of the SIEM log parser.

    Application

    The application of the log parser.

    Category

    The category of the log parser.

    Origin

    The origin of the log parser.

    Predefined log parsers indicate the origin is Built-in. Log parsers delivered in content packages will indicate the origin is FortiGuard. For more information, see Finding Security Automation Service objects.

    Status

    The status of the log parser: Enabled or Disabled.

    Priority

    The priority of the log parser. To change the priority of a log parser, click More > Reorder.

    Double-click a log parser in the table view to display the Log View for Log Parser pane. This pane displays all related SIEM logs for the log parser in a table view.

    Tooltip

    You can also view the SIEM logs from Log View > Logs > All. Filter the log view by Data Parser Name = name of the log parser to display the related logs. For example, filter by Data Parser Name = FortiGate Log Parser to display logs related to the FortiGate Log Parser.

    You can perform the following actions from Incidents & Events > Log Parsers > Log Parsers:

    Action Description

    Import

    Import a custom log parser. The log parser must be in JSON format.

    For more information, see Custom Log Parsers on the Fortinet Document Library.

    Export

    Export a log parser in the JSON format.

    View Logs

    Open the Log View for Log Parser pane to display all related SIEM logs in a table view.

    Delete

    Delete a custom log parser. You cannot delete a predefined log parser.

    Enable

    Enable a log parser.

    Disable

    Disable a log parser. You cannot disable a log parser if it is assigned and in use.

    Validate

    Validate a raw log with the selected log parser. You cannot perform the Validate action with more than one log parser at a time.

    Reorder

    Change the priority of a log parser. In the Change Parser Priority pane, you can drag and drop the log parsers in the table view to the desired priority.
    To import a custom log parser:

    1. In Incidents & Events > Log Parsers > Log Parsers, click Import.

      The Import Log Parser dialog displays.

    2. Drag and drop or select the log parser.

      The log parser must be in the correct format as a JSON file to meet the requirements checked during the import.

    3. Click OK.

    To export a log parser:

    1. In Incidents & Events > Log Parsers > Log Parsers, select the checkbox for log parser(s).

    2. Click Export.

      The log parser(s) are exported in JSON format. You can export predefined log parsers to use them as a template for custom log parsers.

    To enable or disable a log parser:

    1. In Incidents & Events > Log Parsers > Log Parsers, select the checkbox for log parser(s).

    2. Click Enable or Disable.

      The Enable action is only available when the selected log parsers are disabled.

      The Disable action is only available when the selected log parsers are enabled. The action can only be performed when the log parser is not assigned to any devices.

    To validate if the original logs can be parsed:

    1. In Incidents & Events > Log Parsers > Log Parsers, select the checkbox for a log parser.

    2. Click Validate.

      The Validate Log Parser pane opens.

    3. Enter a log to validate and click Validate.

      A Parse Result displays in the Validate Log Parser pane.

    Note

    Third party logs can be parsed in JSON format.

    Assigned Parsers

    Go to Incidents & Events > Log Parsers > Assigned Parsers to view the devices/applications and their current log parser assignments in a table view.

    In some cases, a SYSLOG-XXXXXXXX device is autoamtically created for third-party application log parsers, such as those from FortiGuard. These devices are automatically assigned according to the matched patterns on the raw logs. For example, see Microsoft management activity API connector.

    If the raw logs are not matched to any log parser, the Generic SYSLOG parser will be automatically assigned to the device.

    To assign a log parser to a device/application:

    1. In Incidents & Events > Log Parsers > Assigned Parsers, click Create New.

      The Assign Parser pane displays.

    2. From the Device ID dropdown, select a device for the log parser assignment.

    3. From the Application dropdown, select an application for the log parser assignment.

    4. From the Current Parser dropdown, select the log parser.

      The log parser must use the selected Application. See Incidents & Events > Log Parsers > Log Parsers to determine which application is used by the log parser.

    5. Click OK.

    To edit a log parser assignment:

    1. In Incidents & Events > Log Parsers > Assigned Parsers, click Create New.

      The Change Parser pane displays.

    2. From the Current Parser dropdown, select the log parser.

      The log parser must use the selected Application. See Incidents & Events > Log Parsers > Log Parsers to determine which application is used by the log parser.

    3. Click OK.

    Previous
    Next