Collecting and sending macOS host events to FortiAnalyzer 6.4.1
To support lite SIEM functionality for the Fabric environment, FortiClient (macOS), acting as the Fabric Agent, collects endpoint host logs (/var/log/system.log) and sends them to FortiAnalyzer for analysis.
In this configuration, a FortiClient (macOS) endpoint is registered to EMS. FortiAnalyzer has authorized this EMS for log submission. FortiClient (macOS) uploads logs to FortiAnalyzer as the EMS profile specifies.
To configure this feature in EMS:
- In EMS, go to Endpoint Profiles > Manage Profiles.
- Select the desired profile.
- On the System Settings tab, enable Upload Logs to FortiAnalyzer/FortiManager.
- Enable Send OS Events.
- In the IP Address/Hostname field, enter the FortiAnalyzer IP address.
- Click Save.
The following shows how these logs display in FortiAnalyzer.