FortiAnalyzer supports FortiCare Elite Service
FortiAnalyzer and FortiAnalyzer Cloud now support FortiCare Elite Service.
To use this service, cloud management must be enabled on the FortiAnalyzer and the FortiGate Cloud portal.
Log forwarding configuration to the Elite Service can be viewed in the FortiAnalyzer GUI. This log forwarding configuration cannot be edited or deleted.
The log forward configuration to Elite Service is also visible in the FortiAnalyzer CLI. For example:
config system log-forward
    edit 40000
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "elite"
        set server-addr "172.16.94.93"
        set fwd-server-type elite-service
        set fwd-reliable enable
        set fwd-compression enable
        set fwd-archives disable
        set proxy-service disable
        config device-filter
            edit 1
                set action include-like
                set device "*"
            next
        end
        set log-filter-status enable
        config log-filter
            edit 1
                set field level
                set oper >=
                set value "critical"
            next
            edit 2
                set field logid
                set value "0110052000"
            next
        end
        set signature 1449934396
    next
end
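The following is an added example, not Fortinet code or output from this page: a small parser for the `config` / `edit` / `set` / `next` / `end` block format shown above, plus an audit check that the Elite Service entry still carries the settings documented here (forwarding mode, `fwd-server-type elite-service`, reliable and compressed forwarding, log filtering enabled). Because the GUI does not allow this entry to be edited, a drift check like this is mainly useful when comparing a CLI backup against the documented state. The sample configuration is constructed from the CLI output above; treating a missing `set oper` as "equals" in `describe_log_filters` is an assumption of this example, not something the page states.

```python
"""Parse a FortiAnalyzer 'config system log-forward' block and audit the
Elite Service entry. Added example for this page; not Fortinet code."""

from typing import Any, Dict, List

# Constructed sample: the Elite Service entry as shown in this page's CLI output.
SAMPLE_CONFIG = """\
config system log-forward
    edit 40000
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "elite"
        set server-addr "172.16.94.93"
        set fwd-server-type elite-service
        set fwd-reliable enable
        set fwd-compression enable
        set fwd-archives disable
        set proxy-service disable
        config device-filter
            edit 1
                set action include-like
                set device "*"
            next
        end
        set log-filter-status enable
        config log-filter
            edit 1
                set field level
                set oper >=
                set value "critical"
            next
            edit 2
                set field logid
                set value "0110052000"
            next
        end
        set signature 1449934396
    next
end
"""

# Settings the page documents for the Elite Service log-forward entry.
EXPECTED_ELITE_SETTINGS = {
    "mode": "forwarding",
    "fwd-server-type": "elite-service",
    "fwd-reliable": "enable",
    "fwd-compression": "enable",
    "log-filter-status": "enable",
}


def parse_fortios_config(text: str) -> Dict[str, Any]:
    """Turn a config/edit/set/next/end block into nested dicts.

    'config X' becomes a table keyed by X, 'edit N' an entry keyed by N,
    and 'set k v' a key/value pair (surrounding quotes are stripped).
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        kw, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        cur = stack[-1]
        if kw == "config":
            stack.append(cur.setdefault(rest, {}))
        elif kw == "edit":
            stack.append(cur.setdefault(rest, {}))
        elif kw == "set":
            key, _, value = rest.partition(" ")
            cur[key] = value.strip().strip('"')
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config block")
    return root


def audit_elite_forwarding(config: Dict[str, Any]) -> List[str]:
    """Return findings for the elite-service entry; an empty list means it matches the page."""
    findings: List[str] = []
    entries = config.get("system log-forward", {})
    elite = [e for e in entries.values() if e.get("fwd-server-type") == "elite-service"]
    if not elite:
        return ["no log-forward entry with fwd-server-type elite-service"]
    if len(elite) > 1:
        findings.append("more than one elite-service entry")
    entry = elite[0]
    for key, want in EXPECTED_ELITE_SETTINGS.items():
        got = entry.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    if not entry.get("log-filter"):
        findings.append("log-filter table is empty")
    return findings


def describe_log_filters(entry: Dict[str, Any]) -> List[str]:
    """Render each log-filter row as 'field oper value'.

    Assumption (not stated on the page): a row without 'set oper' is an equality match.
    """
    rows = entry.get("log-filter", {})
    return [f"{r['field']} {r.get('oper', '=')} {r['value']}" for _, r in sorted(rows.items())]


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    elite_entry = cfg["system log-forward"]["40000"]
    print("filters:", describe_log_filters(elite_entry))
    print("findings:", audit_elite_forwarding(cfg) or "none")
```

Feed the parser the text of a `show system log-forward` or a configuration backup; any finding other than an empty list means the Elite entry differs from the documented state and is worth a look before assuming Elite forwarding is working.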
You can disable the Elite Service in the FortiAnalyzer CLI, if needed. It can also be re-enabled using the same command. In the FortiAnalyzer CLI, enter:
config system central-management
    set elite-service {enable | disable}
end
If elite-service is disabled, the log forwarding to Elite Service is automatically removed. FortiGate Cloud (FGC) pushes the configuration back if elite-service is later set to enable.
FAZVM64 # config system central-management
(central-management)# get
type : cloud-management
elite-service : enable
Logs that match the log-filter in the log forward configuration are forwarded to the Elite log server. A sample forwarded log can be viewed in the FortiAnalyzer GUI.
Sample logs from Elite log server:
2023-04-14 13:50:42,136 DEBUG Processing /dev/shm/fams/log_upload/proc/FAZ-VMTM22090591.1264692.nrt.e.1681505055.562204.34406
2023-04-14 13:50:42,137 DEBUG Create new raw log file: elog_20230414_135042 for (*****, elog)
2023-04-14 13:50:47,083 DEBUG ---sending elite kafka msg---, elitelogserver.remoteaccessmgr.faz.fsbp, {"action":"downloadFsbpFile","data":{"fazSn":"FAZ-VMTM22090591","fgtSn":"FGVMSLTM22002986","auditId":*****,"accountId":*****,"auditTime":1681490426}}
Note that this log forward configuration does NOT impact other types of log forwarding.
The Elite log server can call an API on FortiAnalyzer to retrieve the Fortinet Security Best Practices (FSBP) reports.
API:
{
    "apiver": 3,
    "url": "/fazsys/auditrpt/fgt-orig-rpt",
    "data": {
        "devid": "FGVMSLTM22002986",
        "auditID": "1681505424727"
    }
}
The reports are then updated in FortiAnalyzer.