Using FortiSIEM to collect DDoS attack and event logs

FortiSIEM provides an all-in-one, seamlessly integrated and service-oriented IT infrastructure monitoring solution that covers performance, availability, change, and security monitoring aspects of network devices, servers, and applications.

FortiSIEM supports FortiDDoS attack and event logs. FortiSIEM receives FortiDDoS events as syslog, so the FortiDDoS side of the integration is its remote log server configuration; device discovery and reporting are then done on the FortiSIEM side.

Refer to the FortiSIEM User Guide for version support details and detailed procedures on how to use FortiSIEM. This section describes the workflow for collecting DDoS attack and event logs.

To set up log collection:
  1. On FortiDDoS, use DDoS Attack Log Remote configuration to send logs to the FortiSIEM IP address.
  2. Refer to section Configuring remote log server settings for DDoS attack logs and follow the procedure for configuration. Once the configuration is saved, FortiDDoS begins sending attack logs to FortiSIEM.
  3. Use Event Log Remote configuration to send logs to the FortiSIEM IP address.
  4. Refer to section Configuring remote log server settings for event logs and follow the procedure for configuration. Once the configuration is saved, FortiDDoS begins sending event logs to FortiSIEM.
  5. Go to System > SNMP and follow the steps under Configuring SNMP for system event reporting.
  6. Log in to FortiSIEM and go to Admin > Setup Wizard > Credentials tab.
  7. Click Add under Step 1: Enter Credentials and enter the details of the device in the Access Method Definition dialog box.
  8. Click Add under Step 2: Enter IP Range to Credential Association and enter the IP/IP Range and Credentials of the device in the Device Credential Mapping Definition dialog box.
  9. Go to Admin > Setup Wizard > Discovery tab and add the Range Definition details.
  10. Select the added range and run discovery by clicking Discover.
  11. Go to Admin > Discovery Results and verify that the FortiDDoS devices appear in the list.
  12. Go to CMDB > Devices. Select the added device from the list and click Approve.
  13. Go to Analytics > Reports and click New to configure a new report.
  14. Enter the new report details in the Add New Report window and click Save.
  15. Go to Dashboard > Dashboard by Function. Select the group and click Add Reports to Dashboard.
  16. Select the required reports from the list and click Add.
  17. Go to Dashboard > Executive Summary to see the selected reports. The following figures show the sample dashboard reports.
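The whole workflow above hinges on one thing the handbook does not show you how to check: that syslog from FortiDDoS actually reaches the FortiSIEM collector, with the sender address FortiSIEM expects, before you spend time on discovery and reports. The following is an added example, not code from the FortiDDoS handbook or from FortiSIEM: a small syslog receiver plus key=value parser that pushes constructed FortiDDoS-style attack and event lines through a UDP loopback and summarizes what a collector would see. The message field names (devname, type, subtype, spp, srcip, dstip, action, msg) are assumptions modelled on the generic Fortinet key=value log style, not the documented FortiDDoS schema; the sample lines are constructed.

```python
"""Added example (not FortiDDoS or FortiSIEM code): parse Fortinet-style
key=value syslog and verify the FortiDDoS -> collector leg over UDP.
Field names below are assumptions, not the documented FortiDDoS schema."""
import re
import socket
from collections import Counter

# RFC 3164-style framing: "<PRI>" followed by the message body.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.S)
# key=value pairs; a quoted value may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample datagrams (assumed format; not real FortiDDoS output).
SAMPLE_MESSAGES = [
    '<134>date=2024-05-01 time=10:00:01 devname="fddos-01" type=attack subtype=flood '
    'spp="SPP-1" direction=inbound proto=tcp srcip=203.0.113.5 dstip=198.51.100.10 '
    'dport=443 action=drop',
    '<134>date=2024-05-01 time=10:00:02 devname="fddos-01" type=attack subtype=flood '
    'spp="SPP-1" direction=inbound proto=tcp srcip=203.0.113.5 dstip=198.51.100.10 '
    'dport=443 action=drop',
    '<134>date=2024-05-01 time=10:00:03 devname="fddos-01" type=attack subtype=flood '
    'spp="SPP-1" direction=inbound proto=udp srcip=203.0.113.77 dstip=198.51.100.10 '
    'dport=53 action=drop',
    '<133>date=2024-05-01 time=10:00:04 devname="fddos-01" type=event subtype=system '
    'msg="Remote log server configuration changed" user=admin',
]


def parse_syslog(raw: str) -> dict:
    """Split one syslog datagram into PRI facility/severity plus the key=value
    fields of its body. Malformed input raises so that garbage on the wire is
    noticed instead of silently dropped."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError(f"not a syslog datagram: {raw[:40]!r}")
    pri = int(m.group("pri"))
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    fields["facility"] = pri >> 3   # <134> -> local0 (16)
    fields["severity"] = pri & 7    # <134> -> informational (6)
    return fields


def summarize(events):
    """Count attack events per (srcip, dstip, subtype) and every other
    event type separately; the attack counter is what a first FortiSIEM
    report on this feed would show."""
    attacks, others = Counter(), Counter()
    for e in events:
        if e.get("type") == "attack":
            attacks[(e.get("srcip"), e.get("dstip"), e.get("subtype"))] += 1
        else:
            others[e.get("type", "unknown")] += 1
    return attacks, others


def run_loopback_check(messages, timeout=2.0):
    """Bind a UDP receiver on 127.0.0.1 (ephemeral port), send the messages to
    it and return the parsed copies, i.e. exactly what a collector receives."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(timeout)
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    received = []
    try:
        for m in messages:
            tx.sendto(m.encode(), ("127.0.0.1", port))
        for _ in messages:
            data, _ = rx.recvfrom(65535)
            received.append(parse_syslog(data.decode(errors="replace")))
    except socket.timeout:
        pass  # fewer datagrams than sent: report what arrived
    finally:
        tx.close()
        rx.close()
    return received


def send_to_collector(host: str, port: int, messages) -> int:
    """Send the messages to a real collector (the FortiSIEM IP on its syslog
    port) from the host whose address is registered in FortiSIEM, since a SIEM
    attributes syslog to a device by the sender address it sees. Returns the
    number of datagrams sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for m in messages:
            sock.sendto(m.encode(), (host, port))
    finally:
        sock.close()
    return len(messages)


if __name__ == "__main__":
    got = run_loopback_check(SAMPLE_MESSAGES)
    attacks, others = summarize(got)
    print(f"received {len(got)} of {len(SAMPLE_MESSAGES)} datagrams")
    for key, n in attacks.items():
        print("attack", key, n)
    print("other event types", dict(others))
```

Run it once as-is to see the parser and counters work on the loopback, then point `send_to_collector` at the FortiSIEM address and port you configured in the FortiDDoS remote log server settings and confirm the test lines show up in FortiSIEM before running discovery. If FortiDDoS reaches FortiSIEM through NAT or a syslog relay, the sender address FortiSIEM sees is not the FortiDDoS management IP, and the device mapping in steps 8 and 9 must use the address FortiSIEM actually observes. On a Linux host, util-linux `logger -n <fortisiem-ip> -P <port> -d "<message>"` sends a one-off UDP test datagram without any scripting.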