FortiAnalyzer Cloud service
The FortiAnalyzer Cloud service can be used for event logging.
Traffic logs are not currently supported by FortiAnalyzer Cloud without a FortiCloud Premium subscription (AFAC). For information, see Configuring FortiAnalyzer.
When FortiAnalyzer Cloud is licensed and enabled (see Deploying FortiAnalyzer Cloud for more information), all event logs are sent to FortiAnalyzer Cloud by default. Traffic logs, security logs, and archive files are not sent to FortiAnalyzer Cloud.
FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:
- You cannot enable FortiAnalyzer Cloud in vdom override-setting when global FortiAnalyzer Cloud is disabled.
- You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiOS GUI is not supported.
- You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.
In the Security Fabric > Fabric Connectors > Cloud Logging card settings, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement. When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available and you can authenticate it using its certificate.
You can also view the FortiAnalyzer Cloud settings in the Log & Report > Log Settings page.
In FortiAnalyzer Cloud, you can view logs from FortiOS in the Event > All Types page.
To configure FortiAnalyzer Cloud logging in the GUI:
- Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
- Set the Type to FortiAnalyzer Cloud.
- Click OK. A prompt appears to verify the FortiAnalyzer Cloud serial number.
- Click Accept.
- The verified FortiAnalyzer Cloud certificate appears in the settings.
To enable FortiAnalyzer Cloud logging in the CLI:
- Configure the FortiAnalyzer Cloud settings:
config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set certificate-verification enable
    set serial "FAZVCLTM19000000"
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set upload-option realtime
end
- Configure the FortiAnalyzer Cloud filters:
config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
end
To disable FortiAnalyzer Cloud logging for a specific VDOM in the CLI:
- Enable override FortiAnalyzer in the general log settings:
config log setting
    set faz-override enable
end
- Disable the override FortiAnalyzer Cloud setting:
config log fortianalyzer-cloud override-setting
    set status disable
end
To set FortiAnalyzer Cloud log filters for a specific VDOM in the CLI:
- Enable override FortiAnalyzer in the general log settings:
config log setting
    set faz-override enable
end
- Enable the override FortiAnalyzer Cloud setting:
config log fortianalyzer-cloud override-setting
    set status enable
end
- Configure the override filters for FortiAnalyzer Cloud:
config log fortianalyzer-cloud override-filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
end
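The global setting block and the per-VDOM override blocks above interact: a VDOM override only applies once faz-override is enabled in that VDOM's log settings, and (as noted earlier on this page) an override can never turn FortiAnalyzer Cloud on when it is disabled globally. The following script is an added example, not Fortinet code or a FortiOS API. It parses the CLI blocks exactly as they appear on this page, audits the global block against the hardening values the page uses (status enable, certificate-verification enable, enc-algorithm high), and computes the effective per-VDOM state. The effective-state rule is my reading of the documented behaviour and should be treated as an assumption; the weakened variant of the setting block is constructed for contrast.

```python
"""Audit FortiAnalyzer Cloud logging settings written in FortiOS CLI syntax.

Added example, not Fortinet code. parse_cli() reads 'config ... set ... end'
blocks as shown on this page. effective_vdom_status() models the documented
rule (a VDOM override takes effect only when faz-override is enabled, and can
never enable cloud logging that is disabled globally); that model is an
assumption about FortiOS behaviour, not a Fortinet API.
"""
import shlex

SETTING_PATH = "log fortianalyzer-cloud setting"
OVERRIDE_PATH = "log fortianalyzer-cloud override-setting"
LOG_SETTING_PATH = "log setting"

# Hardening expectations for the global block (values taken from the page's example).
EXPECTED = [
    ("status", "enable", "FortiAnalyzer Cloud logging is off; event logs are not forwarded"),
    ("certificate-verification", "enable", "cloud instance certificate is not verified"),
    ("enc-algorithm", "high", "weaker cipher suites allowed on the log channel"),
]


def parse_cli(text):
    """Parse nested 'config X ... set K V ... end' blocks into {path: {attr: value}}."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted values such as set serial "..."
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
            blocks.setdefault(" ".join(stack), {})
        elif tokens[0] == "end" and stack:
            stack.pop()
        elif tokens[0] == "set" and stack and len(tokens) >= 3:
            blocks[" ".join(stack)][tokens[1]] = " ".join(tokens[2:])
    return blocks


def audit_setting(setting):
    """Return [(attr, actual, expected, why)] for every expectation that is not met."""
    return [(attr, setting.get(attr, "<unset>"), want, why)
            for attr, want, why in EXPECTED if setting.get(attr) != want]


def effective_vdom_status(global_cfg, vdom_cfg):
    """'enable' or 'disable' for one VDOM (modelled rule, see module docstring)."""
    g = global_cfg.get(SETTING_PATH, {}).get("status", "disable")
    if g != "enable":
        return "disable"                   # global off wins; override cannot turn it on
    if vdom_cfg.get(LOG_SETTING_PATH, {}).get("faz-override") == "enable":
        return vdom_cfg.get(OVERRIDE_PATH, {}).get("status", g)
    return g


# The global setting block as it appears on this page.
PAGE_SETTING = """config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set certificate-verification enable
    set serial "FAZVCLTM19000000"
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set upload-option realtime
end"""

# Constructed weakened variant for contrast (not from the page).
WEAK_SETTING = (PAGE_SETTING
                .replace("set certificate-verification enable", "set certificate-verification disable")
                .replace("set enc-algorithm high", "set enc-algorithm low"))

# The page's per-VDOM blocks that turn cloud logging off for that VDOM.
VDOM_OFF = """config log setting
    set faz-override enable
end
config log fortianalyzer-cloud override-setting
    set status disable
end"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_SETTING), ("weak", WEAK_SETTING)):
        print(name, audit_setting(parse_cli(text)[SETTING_PATH]))
    print("vdom:", effective_vdom_status(parse_cli(PAGE_SETTING), parse_cli(VDOM_OFF)))
```

The page's block passes the audit; the weakened copy is flagged on certificate-verification and enc-algorithm. Leaving certificate-verification disabled is the setting to watch, because it removes the serial-number check that the GUI prompt on this page makes you accept explicitly.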
To display FortiAnalyzer Cloud logs in the CLI:
# execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log display
Sample logs
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"
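Because the FortiOS GUI cannot display these logs, anything you retrieve with execute log display will be processed as text. The following script is an added example, not Fortinet code: it parses the key=value format of the two sample logs above, then applies two detections a SOC would actually want on this feed, repeated failed admin logins (logid 0100032002) and edits to the FortiAnalyzer Cloud log filters themselves (logid 0100044546 with a cfgpath under log.fortianalyzer-cloud), since the second is how an intruder would quietly reduce what gets forwarded. The two extra failed-login lines and the threshold of 3 are constructed for the demonstration.

```python
"""Parse FortiOS event logs as returned by 'execute log display' for the
fortianalyzer-cloud device, then flag failed admin logins and edits to the
cloud log filters. Added example, not Fortinet code; the threshold and the
two extra sample lines are constructed for the demo.
"""
import re
from collections import Counter

# key=value fields; values are double-quoted (may contain spaces) or bare tokens
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# logids taken from the two sample logs on this page
ADMIN_LOGIN_FAILED = "0100032002"
ATTRIBUTE_CONFIGURED = "0100044546"


def parse_fortios_log(line):
    """Return {field: value} for one FortiOS key=value log line."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def failed_admin_logins(records, threshold=3):
    """Source IPs with at least `threshold` failed admin logins -> count."""
    counts = Counter(
        r.get("srcip", "?") for r in records
        if r.get("logid") == ADMIN_LOGIN_FAILED and r.get("status") == "failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def log_filter_changes(records):
    """(user, ui, cfgpath, cfgattr) for config edits under log.fortianalyzer-cloud."""
    return [(r.get("user"), r.get("ui"), r.get("cfgpath"), r.get("cfgattr"))
            for r in records
            if r.get("logid") == ATTRIBUTE_CONFIGURED
            and r.get("cfgpath", "").startswith("log.fortianalyzer-cloud")]


SAMPLE_LOGS = [
    # the page's two sample logs, verbatim
    'date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"',
    'date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"',
    # constructed: two more failures from the same source, trimmed to the fields used here
    'date=2019-05-01 time=17:58:02 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" status="failed" reason="name_invalid" user="ddd" ui="https(10.6.30.254)" vd="root"',
    'date=2019-05-01 time=17:58:19 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" status="failed" reason="passwd_invalid" user="admin" ui="https(10.6.30.254)" vd="root"',
]

if __name__ == "__main__":
    records = [parse_fortios_log(line) for line in SAMPLE_LOGS]
    print("failed admin logins:", failed_admin_logins(records))
    print("log filter changes:", log_filter_changes(records))
```

Note that the second sample log records a severity change from information to critical on the fortianalyzer-cloud filter; after that edit, an alert-level event like the first sample would no longer be forwarded, which is why filter edits deserve their own detection rather than being buried among ordinary configuration changes.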