Administration Guide

Syslog logs

Syslog logs are standardized generic logs that can be sent from third-party or Fortinet devices to FortiAnalyzer. These logs can be used to collect information about system events, warnings, and other messages from the logging devices.

When syslog logs are sent to FortiAnalyzer, they can be viewed in Log View > Logs > Fortinet Logs > Syslog. The content of the syslog log is included unparsed in the Message field of Log View.

You can use wildcards (*) to filter Log View for information in the syslog logs. For example, if hostname=<endpoint> is included in the syslog log messages from a device, you can filter Log View by Message=*hostname=example* to return all logs from a specific endpoint. You must have knowledge of the syslog log format to filter effectively using this method.

Syslog logs are also supported in reports and event handlers, but the use case is limited because the information is not parsed into normalized fields, such as source IP, timestamp, event type, and so on. Instead, reports and event handlers would have to be configured using the limited fields populated for these logs in Log View > Logs > Fortinet Logs > Syslog.
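As an added illustration (not from the guide), the following Python contrasts the two situations described above: a wildcard filter over the unparsed Message field, as in Message=*hostname=example*, versus the normalized fields a log parser would extract. The raw syslog lines are constructed RFC 5424 samples, and the parser is a minimal one written for this example, not FortiAnalyzer's.

```python
import fnmatch
import re
from datetime import datetime

# Constructed sample lines, as they would land unparsed in the Message field
# when no log parser exists for the device (not real device output).
RAW_MESSAGES = [
    "<134>1 2024-05-01T10:15:00Z host1 vpnd - - - user=alice action=login hostname=example",
    "<134>1 2024-05-01T10:16:30Z host2 vpnd - - - user=bob action=login hostname=other",
    "<131>1 2024-05-01T10:17:05Z host1 sshd - - - failed password hostname=example",
    "<134>1 2024-05-01T10:18:00Z host3 vpnd - - - user=carol action=logout hostname=example2",
]


def filter_message(messages, pattern):
    """Mimic the Log View filter Message=<pattern>, where * is a wildcard.

    This is a plain text match, so '*hostname=example*' also matches
    'hostname=example2'; the raw field carries no notion of key/value."""
    return [m for m in messages if fnmatch.fnmatchcase(m, pattern)]


# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)


def normalize(raw):
    """What a log parser does: split the raw line into fields that reports
    and event handlers can key on exactly. Returns None for unparsable input."""
    m = _RFC5424.match(raw)
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    return {
        "timestamp": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "hostname": m["host"],
        "app": m["app"],
        "facility": pri // 8,
        "severity": pri % 8,
        "msg": m["msg"],
    }


def count_by_hostname(messages, hostname):
    """Exact match on a normalized field, which the wildcard filter cannot do."""
    return sum(1 for m in messages if (normalize(m) or {}).get("hostname") == hostname)
```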

With an appropriate log parser for the logging device in FortiAnalyzer, however, these syslog logs can be parsed, normalized, and inserted into the SIEM database (siemdb) as fabric logs. The table below briefly demonstrates the difference.

Log parser available? | Description

No | The syslog logs can be viewed in Log View > Logs > Fortinet Logs > Syslog. These logs have limited use in reports and event handlers because the information is not parsed into normalized fields, such as source IP, timestamp, event type, and so on. Instead, the information from the syslog log is included unparsed in the Message field.

Yes | The syslog logs will be parsed, normalized, and inserted into the SIEM database (siemdb) as fabric logs. These logs can be viewed in Log View > Logs > All. You can use the normalized fields to effectively create reports and event handlers for correlation and analysis. You can also leverage predefined dashboards, reports, and event handlers when they are available for the fabric logs.

For more information, see Fabric logs.

Configuring a device to send syslog logs

You can configure third-party devices and Fortinet devices to send syslog logs to FortiAnalyzer. To do so, you must add FortiAnalyzer as a syslog server for the device and configure it to send logs to FortiAnalyzer. The device will then appear in Device Manager, where it can be authorized and added to a Fabric ADOM.

This topic provides a brief overview of configuring a device to send syslog logs to FortiAnalyzer. You must review the device's documentation to complete the configuration properly on that device.

To configure the device to send syslog logs to FortiAnalyzer:
  1. In the logging device, add FortiAnalyzer as a syslog server and configure the device to send logs to FortiAnalyzer.

    On FortiAnalyzer, the device will appear in Device Manager with the unauthorized devices.

  2. In FortiAnalyzer, go to Device Manager and authorize the logging device.

    If you are using ADOMs, add the syslog device to a Fabric ADOM.

If FortiAnalyzer does not have a log parser for this device, the logs will be available in Log View > Logs > Fortinet Logs > Syslog.

If FortiAnalyzer does have a log parser for this device, it will be automatically assigned to the device based on the log format and the logs will be available in Log View > Logs > All. For more information about fabric logs and log parsers, see Fabric logs.

For more information about log parsers, see Log parsers.

Sending syslog logs over TLS

You can configure FortiAnalyzer to use an externally signed local (custom) certificate for the OFTP connection between the syslog device and FortiAnalyzer when logging over TLS. Complete the configuration and check the connection according to the syslog device you are using.

To generate a certificate signing request from FortiAnalyzer:
  1. Go to System Settings > Certificates > Local Certificates.

  2. Click Create New/Import > Generate CSR.

  3. Enter the relevant information in the certificate signing request, and then click OK.

  4. Select the newly created CSR and click Download.

  5. To generate the certificate, sign the CSR with either a public CA or private CA.

    For example, you can use a FortiAuthenticator to sign the CSR. For more information, see the FortiAuthenticator Administration Guide.

  6. After signing the CSR, export and download the certificate.

  7. In FortiAnalyzer, import the signed certificate:

    1. Go to System Settings > Certificates > Local Certificates.

    2. Click Create New/Import > Certificate.

    3. In the Type field, select Local Certificate.

    4. In the Certificate File field, drag and drop or select the signed certificate.

    5. Click OK.

  8. Confirm that the certificate status has changed from PENDING to OK, which indicates that the certificate was uploaded correctly.

To configure the use of the local certificate and restart the OFTP daemon:
  1. Once the certificate has been imported, enter the following command in the FortiAnalyzer CLI to use the local certificate:

    config system certificate oftp
      set mode local
      set local "<name of the certificate>"
    end

  2. In the FortiAnalyzer CLI, enter the following command to restart the OFTP daemon:

    diagnose test application oftpd 99

  3. If a private CA was used, you must also import that CA's certificate into the logging device so that it can validate the certificate presented by FortiAnalyzer.

  4. Validate the connection status to FortiAnalyzer in the logging device.

    This step will vary according to the logging device. For generic steps to establish connection, see Configuring a device to send syslog logs above.

To set the TCP port for receiving syslog over TLS:

Enter the following command in the FortiAnalyzer CLI:

config system log settings
  set syslog-over-tls-port {514 | 6514}
end

Variable: syslog-over-tls-port {514 | 6514}

Description: Set the TCP port for receiving syslog over TLS:

  • 514: Default port for receiving syslog over TLS.

  • 6514: Port recommended by RFC 5425 for syslog over TLS.
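As an added check, not part of the guide, the following Python script plays the role of the logging device: it connects to FortiAnalyzer on the configured TLS port, trusts only the private CA that signed FortiAnalyzer's local certificate, and sends one octet-counted (RFC 5425) test message. The FortiAnalyzer host name, port and CA file path are placeholders you would replace with your own values.

```python
import socket
import ssl

# Placeholders (not values from the guide): the FortiAnalyzer address, the TLS
# port chosen with syslog-over-tls-port, and the certificate of the private CA
# that signed FortiAnalyzer's local certificate.
FAZ_HOST = "faz.example.internal"
FAZ_PORT = 6514
CA_FILE = "/etc/ssl/private-ca.pem"


def build_rfc5424(pri, host, app, msg, timestamp="2024-05-01T10:15:00Z"):
    """Minimal RFC 5424 message: PRI VERSION TIMESTAMP HOSTNAME APP - - - MSG."""
    return f"<{pri}>1 {timestamp} {host} {app} - - - {msg}"


def frame_rfc5425(message):
    """RFC 5425 octet-counting framing: MSG-LEN SP SYSLOG-MSG, length in bytes
    (not characters), so multi-byte UTF-8 is counted correctly."""
    payload = message.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def tls_context(cafile):
    """Trust only the CA that signed FortiAnalyzer's certificate and require
    host name verification, so logs cannot be redirected to a spoofed collector."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_test_message(host=FAZ_HOST, port=FAZ_PORT, cafile=CA_FILE):
    """Open the TLS session, send one octet-counted test message, and return
    the subject of the certificate the collector presented for comparison with
    the local certificate imported on FortiAnalyzer."""
    frame = frame_rfc5425(
        build_rfc5424(134, "logging-device", "tlscheck", "syslog over TLS test"))
    ctx = tls_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            tls.sendall(frame)
            return subject


if __name__ == "__main__":
    print(send_test_message())
```

If the handshake fails with a verification error, the collector is not presenting a certificate chaining to CA_FILE, which is the same condition that step 3 of the previous procedure addresses on the logging device.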
