Using FortiAnalyzer to collect DDoS attack logs
FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network.
FortiAnalyzer now supports the FortiDDoS attack log. FortiAnalyzer includes the following predefined reports for FortiDDoS:
- Attacks by time period
- Attackers by time period
- Top 20 Attacks
- Top 20 Attack Types
FortiAnalyzer reports can also be fully customized by the user.
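To show what the predefined views above compute (top attacks, top attack types, top attackers, and counts per time period), here is an added Python example that is not part of this page or of any Fortinet product. The key=value field names it parses (type, attack, attack_type, src, count, date, time) and the log lines themselves are constructed for the example and are an assumption, not the documented FortiDDoS log schema; adapt the field names to the logs your device actually sends.

```python
"""Summarise FortiDDoS-style attack log lines into the top-N views that the
predefined FortiAnalyzer reports present.

Assumption: logs arrive as syslog-style key=value records. The field names
used here (type, attack, attack_type, src, count, date, time) are chosen for
this example and are NOT the documented FortiDDoS schema.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real device output). One non-attack event
# line is included to show that it is filtered out of the attack reports.
SAMPLE_LOGS = """\
date=2024-01-15 time=10:03:11 devname=fddos-1 type=attack attack="SYN flood" attack_type=flood src=203.0.113.10 dst=198.51.100.5 count=1200
date=2024-01-15 time=10:04:02 devname=fddos-1 type=attack attack="SYN flood" attack_type=flood src=203.0.113.11 dst=198.51.100.5 count=900
date=2024-01-15 time=11:15:40 devname=fddos-1 type=attack attack="UDP flood" attack_type=flood src=203.0.113.10 dst=198.51.100.7 count=300
date=2024-01-15 time=11:20:05 devname=fddos-1 type=attack attack="ICMP fragment" attack_type=anomaly src=203.0.113.12 dst=198.51.100.5 count=40
date=2024-01-16 time=09:00:00 devname=fddos-1 type=event msg="config changed"
"""

# key=value where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict (quotes stripped from values)."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def parse_attack_logs(text):
    """Return only attack records (type=attack); other event lines are skipped."""
    parsed = (parse_line(l) for l in text.splitlines() if l.strip())
    return [f for f in parsed if f.get("type") == "attack"]


def top_n(records, field, n=20):
    """Top-N values of `field`, weighted by each record's count (default 1).

    top_n(records, "attack") mirrors 'Top 20 Attacks',
    top_n(records, "attack_type") mirrors 'Top 20 Attack Types',
    top_n(records, "src") gives the top attackers.
    """
    c = Counter()
    for r in records:
        c[r[field]] += int(r.get("count", 1))
    return c.most_common(n)


def by_period(records, field, period="hour"):
    """Counts of `field` per time bucket ('hour' -> 'YYYY-MM-DD HH', 'day' -> 'YYYY-MM-DD'),
    the same shape as the 'Attacks by time period' / 'Attackers by time period' reports."""
    buckets = defaultdict(Counter)
    for r in records:
        key = r["date"] if period == "day" else f"{r['date']} {r['time'][:2]}"
        buckets[key][r[field]] += int(r.get("count", 1))
    return {k: dict(v) for k, v in sorted(buckets.items())}


if __name__ == "__main__":
    recs = parse_attack_logs(SAMPLE_LOGS)
    print("Top attacks:      ", top_n(recs, "attack"))
    print("Top attack types: ", top_n(recs, "attack_type"))
    print("Top attackers:    ", top_n(recs, "src"))
    print("Attacks per hour: ", by_period(recs, "attack"))
```

Weighting by the per-record count field rather than by number of log lines is deliberate: a single flood record can represent thousands of dropped packets, so counting lines alone would understate the largest attacks. If your device reports a different volume field, change the `count` lookup accordingly.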
Refer to FortiAnalyzer documentation for version support details and detailed procedures on how to use FortiAnalyzer. This section describes the workflow for collecting DDoS attack logs.
To set up log collection:
- Log in to FortiAnalyzer as root. The following screen is displayed.
- Click the System Settings widget and enable Administrative Domain.
- On FortiDDoS, use the DDoS Attack Log Remote configuration to send logs to the FortiAnalyzer IP address.
FortiDDoS starts sending logs to FortiAnalyzer. Once FortiAnalyzer begins receiving logs from FortiDDoS, FortiDDoS appears in the Administrative Domains (ADOM).
- On FortiAnalyzer, select Device Manager from the top-left drop-down.
The Devices Unregistered count will change to 1.
If you need to add a device manually:
a) Click ADOM: root on the top menu and switch to 'FDDoS'.
b) Select the Device Manager widget.
c) Click Add Device to enter the device details in the Add Device wizard.
- Click ADOM: root on the top menu to switch from 'root' to 'FortiDDoS'.
- Go to the Device Manager and verify that the FortiDDoS device has been added.
- Click Log View from the top-left drop-down to see the log information under various tabs on the left panel.
- Click FortiView from the top-left drop-down to see the attack logs. Navigate to the Top Sources, Top Destinations and Top Type on the left panel to view more details.
- Go to the Reports from the top-left drop-down. You can generate the reports in HTML, PDF, XML or CSV format.
See the sample report below.