FortiAnalyzer Cloud service
FortiGate supports the FortiAnalyzer Cloud service for event logging.
Traffic and security logs are not supported in the initial version of FortiAnalyzer Cloud.
When FortiAnalyzer Cloud is licensed and enabled (see Deploying FortiAnalyzer Cloud for more information), all event logs are sent to FortiAnalyzer Cloud by default. Traffic logs, security logs, and archive files are not sent to FortiAnalyzer Cloud.
FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:
- You cannot enable FortiAnalyzer Cloud in vdom override-setting when global FortiAnalyzer Cloud is disabled.
- You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiOS GUI is not supported.
- You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.
Sample settings panes
In the FortiOS Security Fabric > Settings pane under Cloud Logging, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement.
When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available.
You can also view the FortiAnalyzer Cloud settings in the Log & Report > Log Settings pane.
In FortiAnalyzer Cloud, you can view logs from FortiOS in the Event > All Types pane.
To enable fortianalyzer-cloud using the CLI:
config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate ''
    set source-ip ''
    set upload-option realtime
end
config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set dns disable
    set ssh disable
    set ssl disable
    set cifs disable
    set filter ''
    set filter-type include
end
To disable fortianalyzer-cloud for a specific VDOM using the CLI:
config log setting
    set faz-override enable
end
config log fortianalyzer-cloud override-setting
    set status disable
end
To set the fortianalyzer-cloud filter for a specific VDOM using the CLI:
config log setting
    set faz-override enable
end
config log fortianalyzer-cloud override-setting
    set status enable
end
config log fortianalyzer-cloud override-filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set dns disable
    set ssh disable
    set ssl disable
    set cifs disable
    set filter ''
    set filter-type include
end
To display fortianalyzer-cloud logs using the CLI:
execute log filter device fortianalyzer-cloud
execute log filter category event
execute log display
Sample log
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900076" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900076" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"
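The two sample entries above are worth more than a glance: the first records a failed administrator login, and the second records an administrator raising the FortiAnalyzer Cloud filter severity from information to critical, which silently stops most event logs from reaching the cloud. The following Python is an added example, not part of the Fortinet documentation or any Fortinet tool. It parses the FortiOS key=value log format, then flags both conditions over the page's own two sample lines. The severity ordering is the standard FortiOS list (emergency through debug); the finding labels and function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# FortiOS logs are space-separated key=value pairs; values are either bare tokens
# or double-quoted strings that may contain spaces (msg="...", itime="...").
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


# FortiOS severity levels, most severe first. A filter set to a given level sends
# that level and everything more severe, so moving the setting toward the front
# of this list means fewer logs are forwarded.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]

# cfgattr values look like: severity[information->critical]
_CFGATTR_RE = re.compile(r'^(\w+)\[(.*?)->(.*?)\]$')


def parse_cfgattr(cfgattr: str) -> Optional[Tuple[str, str, str]]:
    """Split a cfgattr value into (attribute, old_value, new_value)."""
    m = _CFGATTR_RE.match(cfgattr)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a system event, or None if it is not interesting."""
    if event.get("type") != "event" or event.get("subtype") != "system":
        return None
    # Failed administrator login (any reason: bad name, bad password, ...).
    if event.get("action") == "login" and event.get("status") == "failed":
        return f"admin_login_failed user={event.get('user')} from={event.get('ui')}"
    # Any edit under log.fortianalyzer-cloud; call out a severity change that
    # narrows what is sent to the cloud, since that is how logging gets quietly reduced.
    if event.get("cfgpath", "").startswith("log.fortianalyzer-cloud") and "cfgattr" in event:
        parsed = parse_cfgattr(event["cfgattr"])
        if parsed:
            attr, old, new = parsed
            if (attr == "severity" and old in SEVERITY_ORDER and new in SEVERITY_ORDER
                    and SEVERITY_ORDER.index(new) < SEVERITY_ORDER.index(old)):
                return (f"cloud_log_filter_narrowed {old}->{new} "
                        f"by={event.get('user')} via={event.get('ui')}")
        return f"cloud_log_config_changed path={event['cfgpath']} by={event.get('user')}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Parse and classify each line, returning the non-empty finding labels in order."""
    findings = []
    for line in lines:
        label = classify(parse_fortios_log(line))
        if label:
            findings.append(label)
    return findings


# The two entries below are copied from the "Sample log" section of this page.
SAMPLE_LOGS = [
    'date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" '
    'euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" '
    'level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" '
    'msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" '
    'logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" '
    'reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900076" '
    'vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"',
    'date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" '
    'euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" '
    'level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " '
    'logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 '
    'cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" '
    'eventtime=1556758642413367644 devid="FG5H1E5818900076" vd="root" dtime="2019-05-01 17:57:21" '
    'itime_t=1556758643 devname="FortiGate-501E"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Run stand-alone it prints one line per finding: the failed login for user ddd over HTTPS, and the filter change by admin over SSH that narrows cloud logging from information to critical. The second finding is the one to alert on in a SIEM, because the FortiAnalyzer Cloud filter is exactly what an attacker with admin access would adjust to keep later activity out of the cloud copy of the logs.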