Types of logs collected for each device
FortiAnalyzer can collect logs from the following device types: FortiAnalyzer, FortiNDR (formerly FortiAI), FortiAuthenticator, FortiCache, FortiCarrier, FortiClient, FortiDDoS, FortiDeceptor, FortiGate, FortiMail, FortiManager, FortiNAC, FortiProxy, FortiSandbox, FortiSOAR, FortiWeb, and Syslog servers. Following is a description of the types of logs FortiAnalyzer collects from each type of device:
Device Type | Log Type
---|---
Fabric | All
FortiAnalyzer | Event, Application
FortiNDR | Event; Attack: Attack Chain, Malware
FortiAuthenticator | Event
FortiGate | Traffic; Security: Antivirus, Intrusion Prevention, Application Control, Web Filter, File Filter, DNS, Data Leak Prevention, Email Filter, Web Application Firewall, Vulnerability Scan, VoIP, FortiClient; Event: Endpoint, HA, Compliance, System, Router, VPN, User, WAN Opt. & Cache, WiFi
FortiCarrier | Traffic, Event, GTP
FortiCache | Traffic, Event, Antivirus, Web Filter
FortiClient | Traffic, Event, Vulnerability Scan
FortiDDoS | Event, Intrusion Prevention
FortiDeceptor | Event
FortiMail | History, Event, Antivirus, Email Filter
FortiManager | Event
FortiNAC | Event
FortiProxy | Traffic, Event, Antivirus, Web Filter
FortiSandbox | Malware, Network Alerts
FortiSOAR | Event
FortiWeb | Event, Intrusion Prevention, Traffic
Syslog | Generic
The logs displayed on your FortiAnalyzer depend on the type of device logging to it and on the features enabled on that device. ADOMs must be enabled to support non-FortiGate logging. In a Security Fabric ADOM, all device logs are displayed.
Traffic logs
Traffic logs record the traffic flowing through your FortiGate unit. Because traffic must match a firewall policy to pass through the FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
ZTNA logs: FortiAnalyzer syncs unified ZTNA logs with FortiGate. ZTNA logs are a sub-type of FortiGate traffic logs, and can be viewed in Log View > FortiGate > Traffic. You can filter for ZTNA logs using the sub-type filter and optionally create a custom view for ZTNA logs. See Custom views.
Security logs
Security logs (FortiGate) record all antivirus, web filtering, file filtering, application control, intrusion prevention, email filtering, data leak prevention, vulnerability scan, and VoIP activity on your managed devices.
DNS logs
DNS logs (FortiGate) record the DNS activity on your managed devices.
Event logs
Event logs record administrative and Fortinet device system activity, such as configuration changes, administrator logins, or HA events. Event logs are important because they record Fortinet device system activity, which provides valuable information about how your Fortinet unit is performing. FortiGate event logs include System, Router, VPN, User, and WiFi menu objects to give you more granularity when viewing and searching log data.
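The Traffic, ZTNA, Security, DNS, and Event log descriptions above all come down to the `type` and `subtype` fields that a FortiGate writes into every log record. The following Python script is an added example, not code from the FortiAnalyzer documentation or from Fortinet: it parses raw FortiGate key=value log lines, maps each record onto the categories and Log View sub-menus named on this page, and applies the same kind of sub-type filter that the ZTNA paragraph describes. The `type`/`subtype` values are the ones FortiOS emits (`traffic`/`ztna`, `utm`/`webfilter`, `event`/`system`, and so on); the mapping from those identifiers to the page's display names, and the sample log lines, are this example's own constructions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# A FortiGate log record is one line of key=value pairs. Values containing
# spaces are double-quoted, e.g. msg="Admin login successful".
_KV = re.compile(r'([\w\-]+)=(?:"([^"]*)"|(\S+))')

# Security (type="utm") subtypes as written by FortiOS, mapped to the
# log-type names used on this page (mapping is this example's own).
UTM_SUBTYPES = {
    "virus": "Antivirus",
    "ips": "Intrusion Prevention",
    "app-ctrl": "Application Control",
    "webfilter": "Web Filter",
    "file-filter": "File Filter",
    "dns": "DNS",
    "dlp": "Data Leak Prevention",
    "emailfilter": "Email Filter",
    "waf": "Web Application Firewall",
    "voip": "VoIP",
}

# Event (type="event") subtypes, mapped to the Event menu objects on this page.
EVENT_SUBTYPES = {
    "system": "System",
    "router": "Router",
    "vpn": "VPN",
    "user": "User",
    "wireless": "WiFi",
    "ha": "HA",
    "endpoint": "Endpoint",
    "compliance-check": "Compliance",
    "wad": "WAN Opt. & Cache",
}

# Constructed sample records (hostnames, addresses and log IDs are illustrative).
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 devname="FGT-EDGE" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.5 dstip=203.0.113.10 action="accept" policyid=7',
    'date=2024-05-01 time=10:00:02 devname="FGT-EDGE" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.1.1.9 dstip=10.2.2.2 action="accept" policyid=12',
    'date=2024-05-01 time=10:00:03 devname="FGT-EDGE" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" srcip=10.1.1.5 hostname="example.com" action="blocked"',
    'date=2024-05-01 time=10:00:04 devname="FGT-EDGE" type="utm" subtype="dns" eventtype="dns-query" level="notice" vd="root" srcip=10.1.1.5 qname="example.com" action="pass"',
    'date=2024-05-01 time=10:00:05 devname="FGT-EDGE" type="event" subtype="system" level="notice" vd="root" logdesc="Admin login successful" user="admin" msg="Administrator admin logged in successfully from ssh(10.1.1.50)"',
    'date=2024-05-01 time=10:00:06 devname="FGT-EDGE" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec tunnel statistics" action="tunnel-stats"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one key=value FortiGate log line into a dict, quotes stripped."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = bare if quoted is None else quoted
    return fields


def classify(fields: Dict[str, str]) -> Tuple[str, str]:
    """Map a parsed record onto (category, Log View sub-menu).

    category is Traffic / Security / DNS / Event as described on this page;
    sub-menu is e.g. ZTNA, Web Filter, System, VPN.
    """
    log_type = fields.get("type", "")
    subtype = fields.get("subtype", "")
    if log_type == "traffic":
        # ZTNA records are traffic logs distinguished only by their sub-type.
        return "Traffic", "ZTNA" if subtype == "ztna" else subtype.capitalize()
    if log_type == "utm":
        if subtype == "dns":
            return "DNS", "DNS"
        return "Security", UTM_SUBTYPES.get(subtype, f"unknown:{subtype}")
    if log_type == "event":
        return "Event", EVENT_SUBTYPES.get(subtype, f"unknown:{subtype}")
    return "Unclassified", log_type or "(no type field)"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count records per 'category/sub-menu', e.g. {'Traffic/ZTNA': 1, ...}."""
    counts: Counter = Counter()
    for line in lines:
        category, menu = classify(parse_fortigate_log(line))
        counts[f"{category}/{menu}"] += 1
    return dict(counts)


def select_subtype(lines: List[str], log_type: str, subtype: str) -> List[Dict[str, str]]:
    """Equivalent of the Log View sub-type filter: keep records whose
    type and subtype both match (e.g. type='traffic', subtype='ztna')."""
    selected = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get("type") == log_type and fields.get("subtype") == subtype:
            selected.append(fields)
    return selected


if __name__ == "__main__":
    for menu, count in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{menu:25s} {count}")
    for rec in select_subtype(SAMPLE_LOGS, "traffic", "ztna"):
        print("ZTNA:", rec["srcip"], "->", rec["dstip"], rec["action"])
```

The parser is deliberately tolerant of unknown keys, since FortiGate adds and renames fields between releases; `classify` reports an unmapped sub-type as `unknown:<subtype>` rather than dropping the record, so a new log sub-type shows up in the summary instead of silently disappearing.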
Application Logs
Application logs record playbook and incident activity on FortiAnalyzer. Logs are generated and stored separately for each ADOM. Application logs can only be viewed on the local FortiAnalyzer.
Fabric (SIEM) Logs
Fabric logs are a licensed feature that enables FortiAnalyzer's SIEM capabilities to parse, normalize, and correlate logs from Fortinet products as well as security event logs of Windows and Linux hosts (with Fabric Agent integration). When licensed, parsing is predefined by FortiAnalyzer and does not require manual configuration by administrators.
A SIEM database is automatically created for Fabric ADOMs once a SIEM license has been applied to FortiAnalyzer and Fabric devices begin logging. Past logs and imported log files are not included in the SIEM database.