Fortinet FortiAnalyzer
- Overview
- Configuring FortiAnalyzer
- Configuring FortiSIEM Collectors to Receive Logs from FortiAnalyzer
Overview
Customers of both FortiAnalyzer and FortiSIEM may want to take the already aggregated event data received on FortiAnalyzer and forward those events to FortiSIEM.
Configuring FortiAnalyzer
Setting Up the Syslog Server
- Log in to FortiAnalyzer.
- Go to System Settings > Advanced > Syslog Server.
- Click the Create New button.
- Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
- Fill in the IP address (or FQDN) with the IP or the fully qualified name of the FortiSIEM server.
- Leave the Syslog Server Port at the default value '514'.
- Click OK to save your entries.
Pre-Configuration for Log Forwarding
To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.
1. Install a FortiSIEM collector in the same subnet as the FortiAnalyzer that will be forwarding the events.
   Note: The same-subnet requirement exists because FortiAnalyzer will later be configured to spoof the source address of the packets it sends to the collector. If FortiAnalyzer and the collector were on different subnets, RPF (reverse path forwarding) checks on the intervening network equipment would have to be disabled.
2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector with 8 vCPU and 8 GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, please set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.
Configuring Log Forwarding
Take the following steps to configure log forwarding on FortiAnalyzer.
- Go to System Settings > Log Forwarding.
- Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.
- Fill in the information as per the table below, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.

| Field | Input |
| --- | --- |
| Name | FortiSIEM-Forwarding |
| Status | On |
| Remote Server Type | Syslog |
| Compression | OFF |
| Sending Frequency | Real-time |
| Log Forwarding Filters | Select all desired Administrative Domains (ADOMs) / device logs you'd like to forward |

- Go to the CLI Console and configure the CLI-only log forward option by running the following CLI commands.
Notes:
- Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the “true” source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if they had received the logs directly from the originating device.
- For FortiAnalyzer versions 6.0 and later, use the following CLI:
  Note: Replace <id> with the actual name of the log forward created earlier.
  config system log-forward
  edit <id>
  set mode forwarding
  set fwd-max-delay realtime
  set server-name "<FSM_Collector>"
  set server-ip "a.b.c.d"
  set fwd-log-source-ip original_ip
  set fwd-server-type syslog
  next
  end
- For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
  Note: Replace <id> with the actual name of the log forward created earlier.
  config system log-forward
  edit <id>
  set mode forwarding
  set fwd-max-delay realtime
  set server-ip "a.b.c.d"
  set fwd-log-source-ip original_ip
  set fwd-server-type syslog
  next
  end
- For FortiAnalyzer versions earlier than 5.6, use the following CLI:
  Note: For <id>, you can choose the number for your FortiSIEM syslog entry.
  config system aggregation-client
  edit <id>
  set fwd-log-source-ip original_ip
  end
Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer
To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable the RPF check that would otherwise cause the collector virtual machine to drop the log packets, since their source address is spoofed.
sysctl -w net.ipv4.conf.all.rp_filter=0
To make this change persistent across reboots, add the following line to the /etc/sysctl.conf file.
net.ipv4.conf.all.rp_filter=0
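The sysctl above only sets the `all` entry, and Linux validates a packet's source against the larger of net.ipv4.conf.all.rp_filter and the per-interface net.ipv4.conf.<iface>.rp_filter, so an interface that is still set to 1 keeps dropping the spoofed log packets. The following POSIX shell audit is an added example, not part of the FortiSIEM guide; it assumes the standard /proc/sys/net/ipv4/conf layout and reports the effective value per interface, failing if any interface would still drop FortiAnalyzer-forwarded packets.

```shell
#!/bin/sh
# Added example: audit the effective rp_filter on a FortiSIEM collector.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) when it
# source-validates a packet arriving on <iface>, so "all=0" alone is not
# enough if an interface (or the distro default) still sets 1.

# effective_rp_filter ALL IFACE -> prints the value the kernel will apply
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# describe_rp_filter VALUE -> what that value means for spoofed-source logs
describe_rp_filter() {
    case "$1" in
        0) echo "disabled (spoofed-source log packets accepted)" ;;
        1) echo "strict (spoofed-source log packets dropped)" ;;
        2) echo "loose (dropped only if no route back to the source)" ;;
        *) echo "unknown" ;;
    esac
}

# audit_rp_filter [SYSCTL_CONF_ROOT]
# Prints one line per real interface; returns 1 if any interface would
# still drop the FortiAnalyzer-forwarded (spoofed) packets.
audit_rp_filter() {
    root=${1:-/proc/sys/net/ipv4/conf}   # overridable for testing
    all=$(cat "$root/all/rp_filter")
    rc=0
    for dir in "$root"/*/; do
        name=$(basename "$dir")
        # "all" and "default" are policy knobs, not interfaces
        [ "$name" = all ] && continue
        [ "$name" = default ] && continue
        eff=$(effective_rp_filter "$all" "$(cat "$dir/rp_filter")")
        printf '%s: rp_filter=%s -> %s\n' "$name" "$eff" "$(describe_rp_filter "$eff")"
        [ "$eff" -eq 0 ] || rc=1
    done
    return $rc
}

# Run against the live kernel when invoked on the collector itself.
if [ -d /proc/sys/net/ipv4/conf ]; then
    audit_rp_filter || echo "WARNING: at least one interface would still drop spoofed log packets"
fi
```

Fix any flagged interface with the same sysctl the guide uses, substituting the interface name for `all`, and persist it in /etc/sysctl.conf alongside the `all` line.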