Fortinet Document Library

External Systems Configuration Guide

Alcide.io KAudit

Integration Points

Protocol   Information Collected   Used For
Syslog     Audit logs              Security and Compliance Monitoring

Configuring Alcide.io to Send Logs

Follow the steps listed here to send syslog to FortiSIEM.

  1. In the target section of the ConfigMap, set the following:
    1. Target-type = syslog
    2. Syslog host = <fortisiem.host.com>
    3. Syslog port = 514
    4. Syslog-tcp = false

Configuring FortiSIEM to Receive Logs

No configuration is needed. FortiSIEM automatically detects and parses Alcide.io logs using its built-in parser.

Alcide.io Event Types

Go to Resources > Event Type and search "AlcideKAudit."

Alcide.io Sample Log

<109>Feb 28 07:09:18 AlcideKAudit: {"category":"anomaly","cluster":"devel","etype":"cluster","reasons":[{"values":{"high":[1]},"doc":"change in count of unique unusual URIs in read access attempts","period":180000,"direction":"read"}],"time":1582873380000,"short-doc":"change in targets of access attempts","project":"alcide-rnd","context":{"unusual-uri":["LHUt"]},"period":180000,"eid":"cluster","confidence":"high","doc":"unusual change in count of unique unusual URIs in access attempts","direction":"read"}
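As an added example, not code from the Fortinet guide or the Alcide product, the following Python parses the sample line above the way a collector would: it separates the RFC 3164 style header from the JSON body, decodes the <109> priority into facility and severity, converts the millisecond epoch "time" field, and pulls out the fields an analyst would pivot on. The sample line is copied from the guide; the field names used for the summary are taken from that line.

```python
import json
import re
from datetime import datetime, timezone

# Constructed copy of the sample AlcideKAudit line shown in this guide.
SAMPLE_LOG = (
    '<109>Feb 28 07:09:18 AlcideKAudit: {"category":"anomaly","cluster":"devel",'
    '"etype":"cluster","reasons":[{"values":{"high":[1]},"doc":"change in count of '
    'unique unusual URIs in read access attempts","period":180000,"direction":"read"}],'
    '"time":1582873380000,"short-doc":"change in targets of access attempts",'
    '"project":"alcide-rnd","context":{"unusual-uri":["LHUt"]},"period":180000,'
    '"eid":"cluster","confidence":"high","doc":"unusual change in count of unique '
    'unusual URIs in access attempts","direction":"read"}'
)

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss TAG: payload
HEADER_RE = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+?): (.*)$")


def parse_kaudit_syslog(line):
    """Split an AlcideKAudit syslog line into header fields and its decoded JSON body."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 style AlcideKAudit line")
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23, severity 0-7 => PRI is at most 23*8+7
        raise ValueError("PRI out of range")
    body = json.loads(m.group(4))
    return {
        "facility": pri // 8,  # <109> -> 13 (log audit)
        "severity": pri % 8,   # <109> -> 5 (notice)
        "header_time": m.group(2),
        "tag": m.group(3),
        # KAudit's "time" is Unix epoch in milliseconds, independent of the header stamp.
        "event_time": datetime.fromtimestamp(body["time"] / 1000, tz=timezone.utc),
        "event": body,
    }


def summarize_anomaly(parsed):
    """Pull out the fields an analyst would pivot on for a KAudit anomaly event."""
    ev = parsed["event"]
    return {
        "cluster": ev.get("cluster"),
        "project": ev.get("project"),
        "confidence": ev.get("confidence"),
        "short_doc": ev.get("short-doc"),
        "reasons": [r["doc"] for r in ev.get("reasons", [])],
        "unusual_uris": ev.get("context", {}).get("unusual-uri", []),
        "high_confidence": ev.get("category") == "anomaly" and ev.get("confidence") == "high",
    }
```

Note that the header timestamp (07:09:18) and the JSON "time" (07:03:00 UTC) differ by several minutes, so correlation should key on the JSON field rather than the syslog header.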
