Syslog
The SYSLOG option enables you to configure FortiEDR to automatically send FortiEDR events to one or more standard Security Information and Event Management (SIEM) solutions via Syslog.
The FortiEDR Central Manager server sends the raw data for security event aggregations. Each entry contains a raw data ID and an event ID. Raw data items belonging to the same security event aggregation share the same event ID, which enables the SIEM to combine them into one security event on the SIEM side, in order to remain aligned with the FortiEDR system.
Use the button to define a new Syslog destination. The Syslog Name is a free-text field that identifies this destination in FortiEDR.
Note – Syslog messages are only sent for security events that occur on devices that are part of Collector Groups that are assigned to a Playbook policy in which the Send Syslog Notification option is checked.
All other fields are standard Syslog parameters that the FortiEDR Central Manager is able to send. Select the checkbox for each field that you want sent to your Syslog destination.
Select a syslog destination row and then use the sliders in the NOTIFICATIONS pane on the right to enable or disable the destination per event type (system events, security events or audit trail).
Warning: If syslog is configured for both Hoster view and an organization, two syslog events will be sent.
Syslog Notifications
Syslog includes the following types of notifications:
Notification Type | Fields
---|---
Security Event |
System Events |
Audit Trail |
Syslog Message
The order of the fields in the Syslog message is as follows:
- Organization
- Organization ID
- Event ID
- Raw Data ID
- Device Name
- Device State
- Operating System
- Process Name
- Process Path
- Process Type
- Severity
- Classification
- Destination
- First Seen
- Last Seen
- Action
- Count
- Certificate
- Rules List
- Users
- MAC Address
- Script
- Script Path
- Autonomous System
- Country
- Process Hash
- Source IP
Syslog Message Format
The Syslog message contains the following sections:
- Facility Code: All messages have the value 16 (Custom App).
- Severity: All messages have the value 5 (Notice).
- MessageType: Enables you to differentiate between syslog message categories – Security Event, System Event or Audit.
- Message Text: Contains the name and value of each selected field, for example Device name: Laptop123. Fields are separated by a semicolon (;).
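The following Python script is an added example, not part of the FortiEDR documentation or product, showing how a SIEM-side receiver can validate the PRI value described above (facility 16, severity 5, so PRI = 16 * 8 + 5 = 133), extract the MessageType, split the "Name: value;" message text into fields, and then combine raw data records that share an Event ID into one security event, as the section on raw data IDs describes. The sample lines are constructed, and the header layout (timestamp and host before the MessageType) is an assumption; only the PRI values, the message type names and the semicolon-separated "Name: value" body come from the page.

```python
"""Parse FortiEDR-style syslog lines and re-aggregate raw data records by Event ID."""
import re
from typing import Dict, List, Optional

# From the documentation: facility 16 (custom app) and severity 5 (notice),
# so the RFC 3164 PRI is 16 * 8 + 5 = 133.
FORTIEDR_FACILITY = 16
FORTIEDR_SEVERITY = 5
MESSAGE_TYPES = ("Security Event", "System Event", "Audit")

# Assumed header layout: <PRI>timestamp host MessageType: Name: value; Name: value; ...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msgtype>" + "|".join(re.escape(t) for t in MESSAGE_TYPES) + r"): "
    r"(?P<body>.*)$"
)

# Constructed sample lines (not captured from a real system). Two raw data
# records share Event ID 5001; the last line is unrelated host syslog noise.
SAMPLE_LINES = [
    "<133>Jan 10 12:00:01 fortiedr-cm Security Event: Organization: Acme; "
    "Organization ID: 1; Event ID: 5001; Raw Data ID: 9001; Device Name: Laptop123; "
    "Device State: Running; Operating System: Windows 10; Process Name: updater.exe; "
    "Severity: High; Classification: Suspicious; Action: Blocked; Count: 1",
    "<133>Jan 10 12:00:02 fortiedr-cm Security Event: Organization: Acme; "
    "Organization ID: 1; Event ID: 5001; Raw Data ID: 9002; Device Name: Laptop123; "
    "Device State: Running; Operating System: Windows 10; Process Name: updater.exe; "
    "Severity: High; Classification: Suspicious; Action: Blocked; Count: 2",
    "<133>Jan 10 12:00:03 fortiedr-cm Audit: Organization: Acme; Organization ID: 1; "
    "Users: admin; Action: Login",
    "<34>Jan 10 12:00:04 gateway su: pam_unix(su:session): session opened",
]


def split_pri(pri: int):
    """RFC 3164: facility is PRI // 8, severity is PRI % 8."""
    return pri // 8, pri % 8


def parse_fields(body: str) -> Dict[str, str]:
    """Body is 'Name: value' pairs separated by semicolons; insertion order is kept.
    Splitting on the first colon only keeps values such as Windows paths intact."""
    fields: Dict[str, str] = {}
    for chunk in body.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition(":")
        if not sep:
            continue  # tolerate one malformed chunk instead of dropping the line
        fields[name.strip()] = value.strip()
    return fields


def parse_message(line: str) -> Optional[Dict]:
    """Return a parsed record, or None for lines that are not FortiEDR notifications."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    facility, severity = split_pri(int(m.group("pri")))
    if facility != FORTIEDR_FACILITY or severity != FORTIEDR_SEVERITY:
        return None
    return {
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "message_type": m.group("msgtype"),
        "fields": parse_fields(m.group("body")),
    }


def aggregate_security_events(lines: List[str]) -> Dict[str, Dict]:
    """Combine raw data records that share an Event ID into one security event,
    which is the aggregation the SIEM is expected to perform."""
    events: Dict[str, Dict] = {}
    for line in lines:
        rec = parse_message(line)
        if rec is None or rec["message_type"] != "Security Event":
            continue
        f = rec["fields"]
        event_id = f.get("Event ID")
        if event_id is None:
            continue
        ev = events.setdefault(event_id, {
            "raw_data_ids": [],
            "devices": set(),
            "count": 0,
            "severity": f.get("Severity"),
            "classification": f.get("Classification"),
        })
        ev["raw_data_ids"].append(f.get("Raw Data ID"))
        ev["devices"].add(f.get("Device Name"))
        ev["count"] += int(f.get("Count", "0") or 0)
    return events


if __name__ == "__main__":
    for event_id, ev in aggregate_security_events(SAMPLE_LINES).items():
        print(event_id, sorted(ev["devices"]), ev["raw_data_ids"], ev["count"])
```

Filtering on facility and severity before parsing the body is a cheap way to keep unrelated host syslog out of the FortiEDR pipeline; because the Central Manager sends every message with the same PRI, the MessageType is what distinguishes security events from system events and audit trail entries.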