Fortinet white logo
Fortinet white logo

Administration Guide

FortiAnalyzer Cloud service

FortiAnalyzer Cloud service

The FortiAnalyzer Cloud service can be used for event logging.

Note

Traffic logs are not currently supported by FortiAnalyzer Cloud without a FortiCloud Premium subscription (AFAC). For information, see Configuring FortiAnalyzer.

When FortiAnalyzer Cloud is licensed and enabled (see Deploying FortiAnalyzer Cloud for more information), all event logs are sent to FortiAnalyzer Cloud by default. All traffic logs, security logs, and archive files are not sent to FortiAnalyzer Cloud.

FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:

  • You cannot enable FortiAnalyzer Cloud in vdom override-setting when global FortiAnalyzer Cloud is disabled.
  • You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiOS GUI is not supported.
  • You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

In the Security Fabric > Fabric Connectors > Cloud Logging card settings, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement. When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available and you can authenticate by the certificate.

You can also view the FortiAnalyzer Cloud settings in the Log & Report > Log Settings page.

In FortiAnalyzer Cloud, you can view logs from FortiOS in the Event > All Types page.

To configure FortiAnalyzer Cloud logging in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
  2. Set the Type to FortiAnalyzer Cloud.
  3. Click OK. A prompt appears to verify the FortiAnalyzer Cloud serial number.

  4. Click Accept.
  5. The verified FortiAnalyzer Cloud certificate appears in the settings.

To enable FortiAnalyzer Cloud logging in the CLI:
  1. Configure the FortiAnalyzer Cloud settings:
    config log fortianalyzer-cloud setting
        set status enable
        set ips-archive disable
        set certificate-verification enable
        set serial "FAZVCLTM19000000"
        set access-config enable
        set enc-algorithm high
        set ssl-min-proto-version default
        set conn-timeout 10
        set monitor-keepalive-period 5
        set monitor-failure-retry-period 5
        set upload-option realtime
    end
  2. Configure the FortiAnalyzer Cloud filters:
    config log fortianalyzer-cloud filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To disable FortiAnalyzer Cloud logging for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Disable the override FortiAnalyzer Cloud setting:
    config log fortianalyzer-cloud override-setting
        set status disable
    end
To set FortiAnalyzer Cloud logging to filter for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Enable the override FortiAnalyzer Cloud setting:
    config log fortianalyzer-cloud override-setting
        set status enable
    end
  3. Configure the override filters for FortiAnalyzer Cloud:
    config log fortianalyzer-cloud override-filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To display FortiAnalyzer Cloud logs in the CLI:
# ​​​​​​​execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log display​​​​​​​
Sample log
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"

FortiAnalyzer Cloud service

FortiAnalyzer Cloud service

The FortiAnalyzer Cloud service can be used for event logging.

Note

Traffic logs are not currently supported by FortiAnalyzer Cloud without a FortiCloud Premium subscription (AFAC). For information, see Configuring FortiAnalyzer.

When FortiAnalyzer Cloud is licensed and enabled (see Deploying FortiAnalyzer Cloud for more information), all event logs are sent to FortiAnalyzer Cloud by default. All traffic logs, security logs, and archive files are not sent to FortiAnalyzer Cloud.

FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:

  • You cannot enable FortiAnalyzer Cloud in vdom override-setting when global FortiAnalyzer Cloud is disabled.
  • You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiOS GUI is not supported.
  • You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

In the Security Fabric > Fabric Connectors > Cloud Logging card settings, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement. When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available and you can authenticate by the certificate.

You can also view the FortiAnalyzer Cloud settings in the Log & Report > Log Settings page.

In FortiAnalyzer Cloud, you can view logs from FortiOS in the Event > All Types page.

To configure FortiAnalyzer Cloud logging in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
  2. Set the Type to FortiAnalyzer Cloud.
  3. Click OK. A prompt appears to verify the FortiAnalyzer Cloud serial number.

  4. Click Accept.
  5. The verified FortiAnalyzer Cloud certificate appears in the settings.

To enable FortiAnalyzer Cloud logging in the CLI:
  1. Configure the FortiAnalyzer Cloud settings:
    config log fortianalyzer-cloud setting
        set status enable
        set ips-archive disable
        set certificate-verification enable
        set serial "FAZVCLTM19000000"
        set access-config enable
        set enc-algorithm high
        set ssl-min-proto-version default
        set conn-timeout 10
        set monitor-keepalive-period 5
        set monitor-failure-retry-period 5
        set upload-option realtime
    end
  2. Configure the FortiAnalyzer Cloud filters:
    config log fortianalyzer-cloud filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To disable FortiAnalyzer Cloud logging for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Disable the override FortiAnalyzer Cloud setting:
    config log fortianalyzer-cloud override-setting
        set status disable
    end
To set FortiAnalyzer Cloud logging to filter for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Enable the override FortiAnalyzer Cloud setting:
    config log fortianalyzer-cloud override-setting
        set status enable
    end
  3. Configure the override filters for FortiAnalyzer Cloud:
    config log fortianalyzer-cloud override-filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To display FortiAnalyzer Cloud logs in the CLI:
# ​​​​​​​execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log display​​​​​​​
Sample log
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"