
External Systems Configuration Guide

OneIdentity Safeguard

OneIdentity Safeguard (previously Balabit Privileged Session Management)

Integration points

| Protocol | Information Discovered | Used For |
|----------|------------------------|----------|
| Syslog | Privileged session management events | Security and Compliance |

Configuring OneIdentity Safeguard

Follow OneIdentity Safeguard documentation to send syslog to FortiSIEM.

Configuring FortiSIEM

FortiSIEM automatically recognizes OneIdentity Safeguard syslog as long as it follows the format shown in this sample syslog:

<123>2018-10-08T22:59:49+08:00 scbdemo.balabit zorp/scb_rdp[31769]: core.debug(4): (svc/i9CTbTzV2wrRur3quVRzF4/GET_gateway_rdp:498:2): After NAT mapping; nat_type='0', src_addr='AF_INET(10.19.9.245:0)', dst_addr='AF_INET(10.46.26.196:3389)', new_addr='AF_INET(10.11.101.30:0)'
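
A pre-flight check for the format above, as an added example (not Fortinet or One Identity code): it tests whether a captured line matches the sample's layout and extracts the fields a reviewer would verify before pointing the appliance at FortiSIEM. The function name, field names and regular expressions are assumptions inferred from the single sample line.

```python
import re
from datetime import datetime

# Sample line copied from the guide above.
SAMPLE = ("<123>2018-10-08T22:59:49+08:00 scbdemo.balabit zorp/scb_rdp[31769]: "
          "core.debug(4): (svc/i9CTbTzV2wrRur3quVRzF4/GET_gateway_rdp:498:2): "
          "After NAT mapping; nat_type='0', src_addr='AF_INET(10.19.9.245:0)', "
          "dst_addr='AF_INET(10.46.26.196:3389)', new_addr='AF_INET(10.11.101.30:0)'")

# Layout inferred from that one sample (an assumption, not a vendor grammar):
# <PRI>ISO8601 host program[pid]: class.tag(level): (session): text; k='v', ...
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<log_class>[\w.]+)\((?P<level>\d+)\): "
    r"\((?P<session>[^)]*)\): (?P<msg>.*)$")
PAIR = re.compile(r"(\w+)='([^']*)'")
SOCKADDR = re.compile(r"^AF_INET\((\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)$")

def parse_safeguard_line(line):
    """Return a dict of fields, or None if the line does not match the layout."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    if pri > 191:                      # syslog PRI is facility*8 + severity, max 191
        return None
    rec["facility"], rec["severity"] = divmod(pri, 8)
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])  # ISO 8601 with UTC offset
    except ValueError:
        return None
    # Free text comes before the first ';', key='value' attributes after it.
    text, _, tail = rec.pop("msg").partition(";")
    rec["text"] = text.strip()
    attrs = {}
    for key, value in PAIR.findall(tail):
        sa = SOCKADDR.match(value)
        # AF_INET(ip:port) values become (ip, port) tuples; others stay strings.
        attrs[key] = (sa.group(1), int(sa.group(2))) if sa else value
    rec["attrs"] = attrs
    return rec

if __name__ == "__main__":
    for name, value in parse_safeguard_line(SAMPLE).items():
        print(f"{name}: {value}")
```

A `None` result for lines captured on the wire means the appliance is emitting a different layout than the sample, for example a legacy BSD-style timestamp.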

Parsing and Events

Over 50 events are parsed. See the event types under Resources > Event Types and search for 'OneIdentity-Safeguard-'.
