FortiAnalyzer supports FortiCare Elite Service

FortiAnalyzer and FortiAnalyzer Cloud now support FortiCare Elite Service.

To use this service, cloud management must be enabled on the FortiAnalyzer and the FortiGate Cloud portal.

The log forwarding configuration to the Elite Service can be viewed in the FortiAnalyzer GUI. This log forwarding configuration cannot be edited or deleted.

The log forwarding configuration to the Elite Service is also visible in the FortiAnalyzer CLI. For example:

config system log-forward
    edit 40000
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "elite"
        set server-addr "172.16.94.93"
        set fwd-server-type elite-service
        set fwd-reliable enable
        set fwd-compression enable
        set fwd-archives disable
        set proxy-service disable
        config device-filter
            edit 1
                set action include-like
                set device "*"
            next
        end
        set log-filter-status enable
        config log-filter
            edit 1
                set field level
                set oper >=
                set value "critical"
            next
            edit 2
                set field logid
                set value "0110052000"
            next
        end
        set signature 1449934396
    next
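To preview which records the log-filter entries above would forward, here is an added example (not Fortinet code) that evaluates the two filter entries against FortiGate-style key=value log lines. It assumes the standard FortiGate severity ordering for the "level >= critical" comparison, equality for the logid entry (which sets no oper), and it parameterizes how the two entries combine because the page does not show a log-filter-logic setting.

```python
import re
from typing import Dict, List

# FortiGate syslog severities, most severe first (assumption: this is the
# ordering that "set oper >=" on the level field compares against).
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]

# Filter entries transcribed from the "config log-filter" block above.
# Entry 2 sets no oper on the page; "==" (exact match) is assumed here.
LOG_FILTER = [
    {"field": "level", "oper": ">=", "value": "critical"},
    {"field": "logid", "oper": "==", "value": "0110052000"},
]

def parse_log_line(line: str) -> Dict[str, str]:
    """Extract key=value pairs (quoted or bare values) from a log line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def severity_at_least(level: str, threshold: str) -> bool:
    """True if `level` is at least as severe as `threshold`."""
    return SEVERITY_ORDER.index(level) <= SEVERITY_ORDER.index(threshold)

def entry_matches(entry: Dict[str, str], record: Dict[str, str]) -> bool:
    value = record.get(entry["field"])
    if value is None:
        return False  # field absent from the record: no match
    if entry["field"] == "level" and entry["oper"] == ">=":
        return value in SEVERITY_ORDER and severity_at_least(value, entry["value"])
    return value == entry["value"]

def forwarded(line: str, logic: str = "or") -> bool:
    """Apply every filter entry; `logic` is 'or' or 'and' (assumption: the
    combining logic is not shown on the page, so it is a parameter here)."""
    record = parse_log_line(line)
    results = [entry_matches(e, record) for e in LOG_FILTER]
    return any(results) if logic == "or" else all(results)

# Constructed sample records for demonstration (not taken from the page).
SAMPLE_LOGS = [
    'date=2023-04-14 time=13:50:40 devname="FGT1" logid="0100022001" type="event" level="notice" msg="login ok"',
    'date=2023-04-14 time=13:50:41 devname="FGT1" logid="0100044547" type="event" level="alert" msg="config changed"',
    'date=2023-04-14 time=13:50:42 devname="FGT1" logid="0110052000" type="event" level="information" msg="audit"',
]

def preview(logic: str = "or") -> List[bool]:
    """One True/False per sample record: would the Elite entry forward it?"""
    return [forwarded(line, logic) for line in SAMPLE_LOGS]
```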

You can disable the Elite Service in the FortiAnalyzer CLI if needed, and re-enable it with the same command. In the FortiAnalyzer CLI, enter:

config system central-management
    set elite-service {enable | disable}
end

If elite-service is disabled, the log forwarding entry to the Elite Service is removed automatically. FortiGate Cloud (FGC) pushes the configuration back if elite-service is later set to enable.

FAZVM64 # config system central-management
(central-management)# get
type : cloud-management
elite-service : enable

Logs that match the filter in the log forwarding configuration are forwarded to the Elite log server. A sample log can be viewed in the FortiAnalyzer GUI.

Sample logs from the Elite log server:

2023-04-14 13:50:42,136 DEBUG Processing /dev/shm/fams/log_upload/proc/FAZ-VMTM22090591.1264692.nrt.e.1681505055.562204.34406
2023-04-14 13:50:42,137 DEBUG Create new raw log file: elog_20230414_135042 for (*****, elog)
2023-04-14 13:50:47,083 DEBUG ---sending elite kafka msg---, elitelogserver.remoteaccessmgr.faz.fsbp, {"action":"downloadFsbpFile","data":{"fazSn":"FAZ-VMTM22090591","fgtSn":"FGVMSLTM22002986","auditId":*****,"accountId":*****,"auditTime":1681490426}}

Note that this log forwarding configuration does NOT affect other types of log forwarding.

The Elite log server can call the FortiAnalyzer API to retrieve the Fortinet Security Best Practices (FSBP) reports. For example:

{
    "apiver": 3,
    "url": "/fazsys/auditrpt/fgt-orig-rpt",
    "data": {
        "devid": "FGVMSLTM22002986",
        "auditID": "1681505424727"
    }
}

The reports are updated in FortiAnalyzer:

Note: This log forwarding configuration does not affect other types of log forwarding in FortiAnalyzer.