Syslog
The SYSLOG option enables you to configure FortiEDR to automatically send FortiEDR events to one or more standard Security Information and Event Management (SIEM) solutions (such as FortiAnalyzer) via Syslog.
The FortiEDR Central Manager server sends the raw data for security event aggregations. Each entry contains a raw data ID and an event ID. Raw data items belonging to the same security event aggregation share the same event ID, which enables the SIEM to combine them into one security event on the SIEM side, in order to remain aligned with the FortiEDR system.
Syslog messages are only sent for security events that occur on devices that are part of Collector Groups that are assigned to a Playbook policy in which the Send Syslog Notification option is checked.
To define a new Syslog destination:
- Click the button.
- Specify the following attributes:
| Attribute | Description |
| --- | --- |
| Syslog Name | Free-text field that identifies this destination in FortiEDR. |
| Host | Host name of the Syslog server. |
| Port | Port of the Syslog server. |
| Protocol | Protocol of the Syslog server. You can select TCP or UDP. |
| TLS | When TCP is selected in Protocol, use this option to specify whether to enable TLS. If the Syslog server requires a client-side certificate, you must enable TLS before you can upload the certificate. |
| Client Certificate | If the Syslog server requires a client-side certificate, enable TLS and use this option to upload a certificate. For example, if your FortiAnalyzer server requires a client-side certificate, contact Fortinet Support to obtain appropriate client certificate files and upload them here. |
| Format | Select the type of the syslog server (see the options below). |

Format options:
- Semicolon—Select this option if the syslog server is not one of the following three. FortiEDR then uses the default CSV syslog format.
- FAZ—The syslog server is FortiAnalyzer. FortiAnalyzer Cloud is not supported.
- CEF—The syslog server uses the CEF syslog format.
- LEEF—The syslog server uses the LEEF syslog format.

Refer to FortiEDR Syslog Message Reference for more details about syslog message fields for different formats.
- Click the Test button to test the connection to the Syslog destination server.
- Click the button to save the Syslog destination.
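The following is an added example, not part of the FortiEDR documentation or product, showing the receiving side of what is described above: parsing CEF-formatted syslog lines and regrouping raw data entries that share an event ID into one security event, as a SIEM would. The sample lines are constructed, and the extension keys `rid` (raw data ID), `eventId` and `dhost` are assumed names for this example, not the documented FortiEDR field names; consult the FortiEDR Syslog Message Reference for the real ones.

```python
import re
from collections import defaultdict

# Constructed sample lines in standard CEF layout. The header fields follow the
# CEF specification; the extension keys (rid, eventId, dhost, act) are
# assumptions for this example, not the documented FortiEDR field names.
SAMPLE_CEF = [
    "CEF:0|Fortinet|FortiEDR|5.0|Malicious File|Malicious File|8|rid=101 eventId=7001 dhost=WS-01 act=Block",
    "CEF:0|Fortinet|FortiEDR|5.0|Malicious File|Malicious File|8|rid=102 eventId=7001 dhost=WS-01 act=Block",
    "CEF:0|Fortinet|FortiEDR|5.0|Suspicious Script|Suspicious Script|5|rid=103 eventId=7002 dhost=SRV-02 act=Log",
]

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")


def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus an 'ext' dict.

    Header pipes may be escaped as '\\|', so split on unescaped pipes only and
    never split the extension part (maxsplit=7). Escaped '\\=' inside
    extension values is left as-is.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(CEF_HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    # Extension is 'key=value' pairs separated by spaces; values may contain
    # spaces, so a value runs until the next ' key=' token or end of line.
    ext = {}
    for m in re.finditer(r"(\w+)=((?:(?!\s\w+=).)*)", parts[7]):
        ext[m.group(1)] = m.group(2).strip()
    record["ext"] = ext
    return record


def aggregate_by_event(lines):
    """Group raw data entries by event ID so that one FortiEDR security event
    is represented once on the SIEM side, with all its raw data IDs attached."""
    events = defaultdict(lambda: {"name": None, "severity": None,
                                  "hosts": set(), "raw_data_ids": []})
    for line in lines:
        rec = parse_cef(line)
        ev = events[rec["ext"]["eventId"]]
        ev["name"] = rec["name"]
        ev["severity"] = rec["severity"]
        ev["hosts"].add(rec["ext"].get("dhost"))
        ev["raw_data_ids"].append(rec["ext"]["rid"])
    return dict(events)
```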
To select which syslog messages to send:
- Select a syslog destination row.
- Use the sliders in the NOTIFICATIONS pane on the right to enable or disable the destination per event type (system events, security events or audit trail) as shown below:
To select which fields will be included in the syslog messages:
Click the button on the right of the event type and check the checkbox of the fields that you want to be sent to your Syslog.
You can also define a Syslog destination via REST API, including the upload of a certificate using the REST API during the process. By default, all available syslog fields and all notification options, including security, system, and audit events, are enabled. For more details, refer to the FortiEDR RESTful API Guide. You must log in to the Fortinet Developer Network to access the guide.
Warning: If syslog is configured for both Hoster view and an organization, two syslog events will be sent.
For more information on syslog messages, such as message types and fields, see FortiEDR Syslog Message Reference.