
Administration Guide

Syslog

The SYSLOG option enables you to configure FortiEDR to automatically send FortiEDR events to one or more standard Security Information and Event Management (SIEM) solutions (such as FortiAnalyzer) via Syslog.

The FortiEDR Central Manager server sends the raw data for security event aggregations. Each entry contains a raw data ID and an event ID. Raw data items belonging to the same security event aggregation share the same event ID, which enables the SIEM to combine them into one security event on the SIEM side, in order to remain aligned with the FortiEDR system.
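The following is an added example, not code from the guide or from FortiEDR: it parses CEF-formatted syslog lines (the CEF option described under Format) and rebuilds one security event per event ID on the SIEM side, as the paragraph above describes. The sample messages are constructed, and the extension key names rawDataId and eventId are assumptions, not field names taken from the FortiEDR Syslog Message Reference.

```python
import re
from collections import defaultdict

# Constructed sample: three CEF lines in the general shape the CEF option produces.
# Vendor, product, signature IDs and extension keys are assumed for illustration.
SAMPLE_CEF = """\
CEF:0|Fortinet|FortiEDR|5.0|1001|Malicious File Detected|8|rawDataId=9001 eventId=501 dhost=WS-01 act=Block
CEF:0|Fortinet|FortiEDR|5.0|1001|Malicious File Detected|8|rawDataId=9002 eventId=501 dhost=WS-01 act=Block
CEF:0|Fortinet|FortiEDR|5.0|1002|Suspicious Script|5|rawDataId=9003 eventId=502 dhost=WS-02 act=Log
"""

# Extension fields are "key=value" pairs separated by spaces; a value may itself
# contain spaces, so each value runs lazily up to the next "key=" boundary.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Parse one CEF line into its seven header fields plus an extension dict.

    Assumes no escaped pipes (\\|) inside header fields, which is true of the sample.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message: %r" % line[:40])
    # The header is exactly seven pipe-separated fields; the eighth part is the extension.
    parts = line.split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: %r" % line[:40])
    names = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")
    msg = dict(zip(names, parts[:7]))
    msg["version"] = msg["version"].split(":", 1)[1]
    msg["severity"] = int(msg["severity"])
    msg["ext"] = dict(_EXT_RE.findall(parts[7]))
    return msg


def aggregate_by_event(text):
    """Group raw-data entries sharing an eventId into one security event.

    Returns {eventId: {"raw_data_ids": [...], "name": str, "severity": int}},
    keeping the highest severity seen among the entries of each event.
    """
    events = defaultdict(lambda: {"raw_data_ids": [], "name": None, "severity": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        msg = parse_cef(line)
        ev = events[msg["ext"]["eventId"]]
        ev["raw_data_ids"].append(msg["ext"]["rawDataId"])
        ev["name"] = msg["name"]
        ev["severity"] = max(ev["severity"], msg["severity"])
    return dict(events)
```

Running aggregate_by_event(SAMPLE_CEF) collapses the three raw-data entries into two events, 501 (two raw data IDs) and 502 (one), which is the alignment with FortiEDR the paragraph describes.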

Note

Syslog messages are only sent for security events that occur on devices that are part of Collector Groups that are assigned to a Playbook policy in which the Send Syslog Notification option is checked.

To define a new Syslog destination:
  1. Click the button.
  2. Specify the following attributes:

    Attribute: Description

    Syslog Name: Free-text field that identifies this destination in FortiEDR.
    Host: Host name of the Syslog server.
    Port: Port of the Syslog server.
    Protocol: Protocol of the Syslog server. You can select TCP or UDP.
    TLS: When TCP is selected in Protocol, use this option to specify whether to enable TLS. If the Syslog server requires a client-side certificate, you must enable TLS before you can upload the certificate.
    Client Certificate: If the Syslog server requires a client-side certificate, enable TLS and use this option to upload a certificate. For example, if your FortiAnalyzer server requires a client-side certificate, contact Fortinet Support to obtain the appropriate client certificate files and upload them here.
    Format: Select the type of the syslog server:

    • Semicolon—Select this option if the syslog server is not one of the following three. FortiEDR then uses the default CSV syslog format.

    • FAZ—The syslog server is FortiAnalyzer. FortiAnalyzer Cloud is not supported.

    • CEF—The syslog server uses the CEF syslog format.

    • LEEF—The syslog server uses the LEEF syslog format.

    Refer to the FortiEDR Syslog Message Reference for more details about the syslog message fields of each format.

  3. Click the Test button to test the connection to the Syslog destination server.
  4. Click the button to save the Syslog destination.
To select which syslog messages to send:
  1. Select a syslog destination row.
  2. Use the sliders in the NOTIFICATIONS pane on the right to enable or disable the destination per event type (system events, security events or audit trail) as shown below:

To select which fields will be included in the syslog messages:

Click the button on the right of the event type and check the checkbox of the fields that you want to be sent to your Syslog.

Note

You can also define a Syslog destination via the REST API, including uploading a certificate through the REST API during the process. By default, all available syslog fields and all notification options, including security, system, and audit events, are enabled. For more details, refer to the FortiEDR RESTful API Guide. You must log in to the Fortinet Developer Network to access the guide.

Caution

If syslog is configured for both the Hoster view and an organization, two syslog events will be sent.

For more information on syslog messages, such as message types and fields, see FortiEDR Syslog Message Reference.
