Administration Guide

Syslog

The SYSLOG option enables you to configure FortiEDR to automatically send FortiEDR events to one or more standard Security Information and Event Management (SIEM) solutions via Syslog.

The FortiEDR Central Manager server sends the raw data for security event aggregations. Each entry contains a raw data ID and an event ID. Raw data items belonging to the same security event aggregation share the same event ID, which enables the SIEM to combine them into one security event on the SIEM side, in order to remain aligned with the FortiEDR system.

Use the button to define a new Syslog destination. The Syslog Name is a free-text field that identifies this destination in FortiEDR.

Note – Syslog messages are only sent for security events that occur on devices that are part of Collector Groups that are assigned to a Playbook policy in which the Send Syslog Notification option is checked.

All other fields are standard Syslog parameters that the FortiEDR Central Manager is able to send. Check the checkbox next to each field that you want sent to your Syslog destination.

Select a syslog destination row and then use the sliders in the NOTIFICATIONS pane on the right to enable or disable the destination per event type (system events, security events or audit trail).

Caution – If syslog is configured for both Hoster view and an organization, two syslog events will be sent.

Syslog Notifications

Syslog includes the following types of notifications. The fields that each notification type can carry are listed beneath it.

Security Event
  • Event ID
  • Device Name
  • Process Path
  • Certificate
  • Last Seen
  • Severity
  • Count
  • MAC Address
  • Source IP
  • Raw Data ID
  • Process Name
  • Process Type
  • First Seen
  • Destination
  • Action
  • Rules List
  • Classification
  • Organization
  • Organization ID
  • Operating System
  • Script
  • Script Path
  • Country
  • Users
  • Device State
  • Autonomous System
  • Process Hash
  • Threat Name
  • Threat Family
  • Threat Type
System Events
  • Component Type
  • Component Name
  • Description
  • Date
Audit Trail
  • Date
  • Module
  • Username
  • Action Description

Syslog Message

The order of the fields in the Syslog message is as follows:
  1. Organization
  2. Organization ID
  3. Event ID
  4. Raw Data ID
  5. Device Name
  6. Device State
  7. Operating System
  8. Process Name
  9. Process Path
  10. Process Type
  11. Severity
  12. Classification
  13. Destination
  14. First Seen
  15. Last Seen
  16. Action
  17. Count
  18. Certificate
  19. Rules List
  20. Users
  21. MAC Address
  22. Script
  23. Script Path
  24. Autonomous System
  25. Country
  26. Process Hash
  27. Source IP

Syslog Message Format

The Syslog message contains the following sections:
  1. Facility Code: All messages have the value 16 (Custom App).
  2. Severity: All messages have the value 5 (Notice).
  3. MessageType: Enables you to differentiate between syslog message categories – Security Event, System Event or Audit.
  4. Message Text: Contains the name and value of all the selected fields.

    For example: Device name: Laptop123. Fields are separated from each other by a semicolon (;).
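As an added example (not code from the FortiEDR guide or from Fortinet), a small Python parser for lines in the shape this section describes: it checks the documented facility/severity values (16/5), splits the semicolon-separated Name: Value fields, and groups raw data items that share an Event ID the way the aggregation paragraph at the top of this page expects the SIEM to. The exact header layout (how the PRI and message type precede the message text) and the sample lines are assumptions, not real FortiEDR output.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped as this page describes: PRI <133> (facility
# 16 * 8 + severity 5), a message type, then "Name: Value" pairs separated by
# semicolons. Not real FortiEDR output; the header layout is an assumption.
SAMPLE_LINES = [
    "<133>Security Event: Organization: ExampleOrg;Organization ID: 1;"
    "Event ID: 4711;Raw Data ID: 9001;Device Name: Laptop123;"
    "Process Path: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "Severity: High;Action: Block;Count: 1;Last Seen: 2024-05-01 12:34:56",
    "<133>Security Event: Organization: ExampleOrg;Organization ID: 1;"
    "Event ID: 4711;Raw Data ID: 9002;Device Name: Laptop123;Severity: High;"
    "Action: Block;Count: 2;Last Seen: 2024-05-01 12:35:10",
    "<133>System Event: Component Type: Collector;Component Name: Laptop123;"
    "Description: Collector disconnected;Date: 2024-05-01 12:36:00",
]
HEADER_RE = re.compile(r"^<(\d{1,3})>(Security Event|System Event|Audit):\s*(.*)$")

def parse_fields(text):
    """Split 'Name: Value;Name: Value' into a dict. Partitioning on the first ': '
    keeps colons inside values ('C:\\Windows', '12:34:56'); values must not hold ';'."""
    fields = {}
    for part in filter(None, (p.strip() for p in text.split(";"))):
        name, sep, value = part.partition(": ")
        if not sep:
            raise ValueError("malformed field: %r" % part)
        fields[name] = value.strip()
    return fields

def parse_line(line):
    """Parse one line; reject facility/severity other than the documented 16/5
    so foreign syslog traffic is not mixed in with FortiEDR events."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a FortiEDR-style syslog line")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    if (facility, severity) != (16, 5):
        raise ValueError("unexpected facility/severity %d/%d" % (facility, severity))
    return {"type": m.group(2), "facility": facility, "severity": severity,
            "fields": parse_fields(m.group(3))}

def aggregate_security_events(lines):
    """Group Raw Data IDs that share an Event ID, as the SIEM side should."""
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["type"] == "Security Event":
            groups[rec["fields"]["Event ID"]].append(rec["fields"]["Raw Data ID"])
    return dict(groups)
```

When wiring this into a real SIEM pipeline, verify the header layout against a captured message first, since the guide specifies the field separator and PRI values but not how the message type is rendered.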

Note – Regarding time values in syslog events:

  • Syslog event times are expressed in UTC.
  • For system and audit events, the timestamp is the Central Manager’s time when the event occurred.
  • For security events, the timestamp is the Collector device’s time when the event occurred.
