Support parsing and addition of third-party application logs to the SIEM DB
This information is also available in the FortiAnalyzer 7.4 Administration Guide.
FortiAnalyzer supports parsing and addition of third-party application logs to the SIEM DB.
There are two types of log parsers:
- Predefined parsers
- Custom parsers
You can find predefined SIEM log parsers in Incidents & Events > Log Parser > Log Parsers. There are predefined parsers for all fabric related Fortinet products. Predefined Apache and Nginx web server log parsers have also been added to this list of predefined SIEM log parsers.
The configuration of each SIEM log parser (predefined and custom) is specific to the ADOM that you are in. Any changes to an existing parser or any newly added parsers will only affect the ADOM that the action was completed in. Ensure you are in the correct ADOM when working with log parsers.
To view the log parsers:
- In Incidents & Events > Log Parser > Log Parsers, select Show Predefined and/or Show Custom to show the available log parsers in the table view.
Each predefined log parser is assigned a default Application and Category. Custom log parsers are assigned a default Application and Category when they are imported.
The # column is the priority of each SIEM log parser, from highest (1) to lowest. By default, newly imported custom log parsers are assigned the lowest priority. To change the priority, click the left edge of the row and drag and drop it to the desired position in the table. See below.
- Double-click a log parser in the table view to display all related SIEM logs. Alternatively, you can select the checkbox for the log parser and click View Logs.
- Select the checkbox for one or more log parsers in the table to perform an action from the toolbar.
For example, you can Export in JSON format, Enable, Disable, Delete, or Validate the log parsers.
Some actions will be unavailable if they cannot be performed on the selected log parser(s).
You cannot Disable a log parser if it is assigned and in use.
You cannot Delete predefined log parsers. They can only be disabled.
You cannot perform the Validate action on more than one parser at a time.
The Apache web server log parser:
Go to Incidents & Events > Log Parser > Log Parsers to find the Apache Log Parser in the predefined SIEM log parsers. Double-click the parser to view the related logs.
The Apache logs are also parsed in Log View > Fabric > All. You can filter by Data Parser Name = Apache Log Parser.
The Nginx web server log parser:
Go to Incidents & Events > Log Parser > Log Parsers to find the Nginx Log Parser in the predefined SIEM log parsers. Double-click the parser to view the related logs.
The Nginx logs are also parsed in Log View > Fabric > All. You can filter by Data Parser Name = Nginx Log Parser.
To import a custom log parser:
- In Incidents & Events > Log Parser > Log Parsers, click Import.
The Import Log Parser dialog displays.
- Drag and drop or select the log parser.
The log parser must be a JSON file in the correct format; the import checks that these requirements are met.
- Click OK.
Once added, the custom log parser will be included in the table view when Show Custom is selected.
To validate if the original logs can be parsed:
- In Incidents & Events > Log Parser > Log Parsers, select the checkbox for a log parser.
- Click Validate.
The Validate Log Parser pane opens.
- Enter a log to validate and click Validate.
A Parse Result will display in the same pane.
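The two behaviours described above, parser priority (the # column, where the first matching parser in priority order wins and newly imported custom parsers start at the lowest priority) and the Validate action (feeding one raw log to a parser and getting a Parse Result or a failure), are illustrated by the following added Python example. It is not FortiAnalyzer code and does not use FortiAnalyzer's JSON parser format: the regex-based parser definitions, the field names, the parser and application names, and the sample Apache access, Nginx error and unrelated log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed illustration of a prioritised SIEM log parser table.
# Parser definitions, field names and sample logs are assumptions made for
# this example, not FortiAnalyzer's own parser format.


@dataclass(order=True)
class LogParser:
    """One log parser: a regex whose named groups become SIEM fields."""
    priority: int                      # 1 = highest, as in the # column
    name: str = field(compare=False)
    pattern: re.Pattern = field(compare=False)
    application: str = field(compare=False)
    category: str = field(compare=False)
    enabled: bool = field(default=True, compare=False)

    def validate(self, raw: str) -> Optional[dict]:
        """Return the Parse Result for one raw log, or None if it does not match."""
        m = self.pattern.match(raw)
        if m is None:
            return None
        return {**m.groupdict(), "parser": self.name,
                "application": self.application, "category": self.category}


# Apache/Nginx "combined" access log format (assumed field layout).
APACHE_ACCESS = re.compile(
    r'^(?P<client_ip>\S+) \S+ (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
# Nginx error log format (assumed field layout).
NGINX_ERROR = re.compile(
    r'^(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?:\*\d+ )?(?P<message>.*?), client: (?P<client_ip>\S+), '
    r'server: (?P<server>[^,]*), request: "(?P<method>[A-Z]+) (?P<path>\S+) (?P<protocol>[^"]+)"'
)
# A deliberately loose custom pattern: any line that starts with an IPv4 address.
LOOSE_WEB = re.compile(
    r'^(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3}) .*"(?P<request>[^"]*)" (?P<status>\d{3})'
)


class ParserTable:
    """Parsers are tried in priority order; the first enabled match wins."""

    def __init__(self, parsers: list):
        self.parsers = sorted(parsers)

    def import_custom(self, name: str, pattern: re.Pattern,
                      application: str, category: str) -> LogParser:
        """A newly imported custom parser gets the lowest priority."""
        p = LogParser(len(self.parsers) + 1, name, pattern, application, category)
        self.parsers.append(p)
        return p

    def reprioritize(self, name: str, new_priority: int) -> None:
        """Move one parser to new_priority and renumber the rest (drag-and-drop)."""
        moving = next(p for p in self.parsers if p.name == name)
        rest = [p for p in self.parsers if p.name != name]
        rest.insert(new_priority - 1, moving)
        for i, p in enumerate(rest, start=1):
            p.priority = i
        self.parsers = rest

    def parse(self, raw: str) -> Optional[dict]:
        """Parse one raw log with the highest-priority enabled parser that matches."""
        for p in self.parsers:
            if p.enabled:
                result = p.validate(raw)
                if result is not None:
                    return result
        return None


# Constructed sample logs (not from any real system).
APACHE_LINE = ('203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" '
               '200 2326 "-" "Mozilla/5.0"')
NGINX_LINE = ('2023/10/10 13:55:36 [error] 1234#1234: *5 open() "/var/www/html/missing.html" '
              'failed (2: No such file or directory), client: 203.0.113.7, server: example.com, '
              'request: "GET /missing.html HTTP/1.1", host: "example.com"')
UNPARSED_LINE = 'kernel: usb 1-1: new high-speed USB device'


def build_table() -> ParserTable:
    return ParserTable([
        LogParser(1, "Apache Log Parser", APACHE_ACCESS, "Apache", "Web Server"),
        LogParser(2, "Nginx Log Parser", NGINX_ERROR, "Nginx", "Web Server"),
    ])


def demo() -> dict:
    table = build_table()
    custom = table.import_custom("Custom Web Parser", LOOSE_WEB, "Custom", "Web Server")
    before = table.parse(APACHE_LINE)["parser"]   # priority 1 Apache parser wins
    table.reprioritize(custom.name, 1)            # drag the custom parser to the top
    after = table.parse(APACHE_LINE)["parser"]    # now the loose custom parser wins
    return {"apache_before": before, "apache_after": after,
            "nginx": table.parse(NGINX_LINE), "unparsed": table.parse(UNPARSED_LINE)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point the example makes about priority is the one to keep in mind when importing a custom parser: a loosely written custom pattern placed above a predefined one will claim logs the predefined parser would otherwise have parsed, so validate the custom parser against representative logs and check where it sits in the table before assigning devices to it.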
To assign devices to a log parser:
- Go to Incidents & Events > Log Parser > Assigned Parsers.
The existing log parser assignments display in a table view.
- Select the checkbox for an existing log parser assignment and click Edit.
Alternatively, you can click Create New to create a new log parser assignment.
The Change Parser pane displays.
- From the Current Parser dropdown, select the log parser to assign the device/application to.
- Click OK.