Appendix H: FortiManager / FortiAnalyzer syslog integration
FortiDDoS can send Event and Attack syslogs to FortiManager and/or FortiAnalyzer as well as to other syslog managers such as Splunk and SolarWinds (see also Appendix B - Remote Syslog Reference). This section provides the FortiDDoS, FortiManager and FortiAnalyzer configuration needed for syslog integration.
Note 1: FortiDDoS-F-series supports standard FMG/FAZ UDP unencrypted syslogs (RFC 3164). It does not support RFC 5424 or 5425 and does not support Fortinet encrypted syslogs (OFTP).
Note 2: FortiDDoS is not managed and has no API between itself and FortiManager or FortiAnalyzer. Thus, functions other than the collection of Event and Attack logs are not supported.
Note 3: UDP syslog is a "fire-and-forget" protocol. FortiDDoS is unaware whether the syslog server is present, is accepting syslogs, or has received a particular syslog. Be sure to set up the syslog server before configuring FortiDDoS to send to it.
FortiManager setup
Both Event and Attack logs can be received by FortiManager.
Before you start:
- Copy the Serial Number of the FortiDDoS system you are using.
- Ensure you have read/write access on FortiManager
Enabling FortiManager FAZ option for the first time
From CLI:
config system global
set adom-status enable
set faz-status enable
end
From GUI:
- Go to Device Manager
- Select Add Device
- Add Model Device
- Add information as follows:
  Field/Selection: Description
  Name: User entry
  Link Device By: Must be Serial Number
  Serial Number: FortiDDoS Serial Number
  Use Device Blueprint: Disabled
  All other fields: Leave as default or ignore
- Save the configuration
- FortiDDoS will appear on the device list:
Note: HA status is not reported, although an event syslog will be sent when HA status changes. FGSP is always disabled.
- Proceed to FortiDDoS setup below.
- Once FortiDDoS has been set up, return to FortiManager and view logs in Log View > Log Browse.
- Confirm that elog and alog files are present, depending on your FortiDDoS settings, then double-click the Event or Attack Log row to open it.
[Screenshots: Event log view, Event log detail view, Attack log view, Attack log detail view]
FortiAnalyzer setup
From GUI
- Go to Device Manager
- Select Add Device
- Add information as follows:
  Field/Selection: Description
  Name: User entry
  Link Device By: Must be Serial Number
  Serial Number: FortiDDoS Serial Number
  Device Model: No entry; auto-populates after the Serial Number is entered
  Description: User entry
- Click Next
- The GUI should now display the new device summary. If it does not appear, contact Fortinet Support. If the display is correct, click Finish.
- FortiDDoS will appear on the device list.
Note: HA status is not reported, although a syslog will be sent when HA status changes.
- Proceed to FortiDDoS setup below.
- Once FortiDDoS is set up, return to FortiAnalyzer and view logs in Log View > Log Browse.
- Confirm that elog and alog files are present, depending on your FortiDDoS settings, then double-click the Event or Attack Log row to open it.
[Screenshots: Event log view, Event log detail view]
FortiDDoS Event Log Remote setup
- Go to Log & Report > Event Log Remote
- Click Create New
- Enter information as follows:
Note: Up to three Event syslog servers can be configured.
  Field/Selection: Description
  Status: Enable/Disable.
    Note: On the Event Log GUI page, an enabled syslog server profile shows a green check. This only means the profile is enabled; it does not imply registration with FortiManager, FortiAnalyzer or any other syslog server.
  Address: IP address of the syslog server.
  Port: Default 514. Can be changed.
    Note: FortiDDoS-F only supports RFC 3164 UDP syslogs, which FortiAnalyzer and FortiManager accept. FortiDDoS-F does not support RFC 5424, RFC 5425 or FAZ/FMG encrypted syslogs.
  Log Level: Default: Information (recommended). The selected level is the least severe level sent; every more severe level (those above it in the list) is also sent. For example, if Information is selected, Notification, Warning, Error, Critical, Alert and Emergency are also sent, but not Debug.
  CSV: Default: Enabled. Must be disabled to work with FMG/FAZ.
  Facility: Facility is not sent in FortiDDoS syslogs. Instead, more detail is provided in the logs for User, Level, Type, Subtype, Action, Reason and Status. All of this information can be displayed in the Log Views.
  Log to Local Disk: Default: Enabled (recommended).
  Event Category: Default: Off. Enable as many as desired; more is better. Enabling categories that are currently unused is fine, since you may need them later and forget to enable them.
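Because UDP syslog gives FortiDDoS no feedback (Note 3 above), the practical check is a listener on the collector side that confirms datagrams arrive in RFC 3164 form and carry the severities the Log Level setting should allow. The following is an added example, not FortiDDoS, FortiManager or FortiAnalyzer code: it parses the `<PRI>TIMESTAMP HOSTNAME MSG` format, decodes PRI into facility and severity, extracts `key=value` pairs from the body, and applies the same "selected level is the least severe level sent" rule described for Log Level. The sample datagrams, the hostname `fddos-1` and the field names in their bodies are constructed for the example and are not real FortiDDoS output (see Appendix B for the actual field list).

```python
"""Minimal RFC 3164 UDP syslog receiver/parser for verifying a collector (added example)."""
import re
import socket
from collections import Counter
from dataclasses import dataclass, field

# RFC 3164 severities; list index == numeric code (0 is the most severe).
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notification", "Information", "Debug"]

# <PRI>TIMESTAMP HOSTNAME MSG (RFC 3164 section 4.1); PRI = facility * 8 + severity.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
# key=value pairs; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    host: str
    msg: str
    fields: dict = field(default_factory=dict)

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_rfc3164(raw: bytes) -> SyslogMessage:
    """Parse one UDP datagram as an RFC 3164 message; raise ValueError otherwise."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = _RFC3164.match(text)
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {text[:60]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23 * 8 + severity 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    body = m.group("msg")
    kv = {k: v.strip('"') for k, v in _KV.findall(body)}
    return SyslogMessage(pri // 8, pri % 8, m.group("ts"), m.group("host"), body, kv)


def within_level(msg: SyslogMessage, log_level: str) -> bool:
    """Apply the Log Level rule: the selected level is the least severe level sent,
    so Information (6) admits codes 0..6 and excludes Debug (7)."""
    return msg.severity <= SEVERITY_NAMES.index(log_level)


def summarize(datagrams, log_level="Information"):
    """Count messages per severity; return (counts, messages exceeding the level, parse errors).
    Anything in the second list means the sender is not honouring the configured Log Level."""
    counts, unexpected, bad = Counter(), [], []
    for raw in datagrams:
        try:
            msg = parse_rfc3164(raw)
        except ValueError as exc:
            bad.append(str(exc))
            continue
        counts[msg.severity_name] += 1
        if not within_level(msg, log_level):
            unexpected.append(msg)
    return counts, unexpected, bad


def receive(port=514, count=10, timeout=30.0, bind="0.0.0.0"):
    """Collect up to `count` datagrams from a UDP syslog port (binding 514 needs root).
    Because UDP syslog is fire-and-forget, listening here is the only way to confirm arrival."""
    datagrams = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        sock.settimeout(timeout)
        try:
            while len(datagrams) < count:
                data, _ = sock.recvfrom(65535)
                datagrams.append(data)
        except socket.timeout:
            pass
    return datagrams


# Constructed sample datagrams for offline use; not real FortiDDoS output.
SAMPLE_DATAGRAMS = [
    b'<134>Oct 11 22:14:15 fddos-1 type=event subtype=system level=information user=admin action=login status=success msg="admin logged in"',
    b'<129>Oct 11 22:15:00 fddos-1 type=attack subtype=flood level=alert spp=SPP-1 action=drop reason="syn flood"',
    b'<135>Oct 11 22:15:01 fddos-1 type=event subtype=system level=debug msg="would not be sent at Information"',
    b"garbage that is not syslog",
]

if __name__ == "__main__":
    counts, unexpected, bad = summarize(SAMPLE_DATAGRAMS, "Information")
    print("per-severity:", dict(counts))
    print("exceeding Information:", [m.msg for m in unexpected])
    print("unparseable:", bad)
```

To check a live collector, replace `SAMPLE_DATAGRAMS` with `receive(port=514)` on the host that will run FortiManager, FortiAnalyzer or the syslog manager, point a FortiDDoS Event Log Remote profile at it, and confirm that messages arrive and that `unexpected` stays empty for the Log Level you configured.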
FortiDDoS Attack Log Remote setup
- Go to Log & Report > Attack Log Remote
- Click Create New
- Slide the Status bar to enable the log profile
- Complete as follows:
Note 1: Attack Log Remote profiles must be configured for each SPP that is reporting.
Note 2: A maximum of two attack syslog servers are allowed per SPP
  Field/Selection: Description
  Name: Name of the attack log server / SPP being reported.
  Status: Enable/Disable. If disabled, no logs are sent.
  Global ACL: Report Global ACL logs. If Global is selected, the SPP field is hidden.
  SPP: A drop-down list of active SPPs.
  Address: IP address of the server.
  Port: Default 514 for UDP syslog. Can be changed.
    Note: FortiDDoS-F only supports RFC 3164 UDP syslogs, which FortiAnalyzer and FortiManager accept. FortiDDoS-F does not support RFC 5424, RFC 5425 or FAZ/FMG encrypted syslogs.
- Save the configuration
- Once saved, FortiDDoS starts forwarding syslogs. FortiDDoS reports at 1- or 5-minute intervals and takes an additional 2 minutes to aggregate reporting. For example, expect the logs for the 5-minute mark to appear on the syslog server at the 7-minute mark.
- Repeat as needed for additional SPPs or syslog servers.