
External Systems Configuration Guide

Linux Server

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, generic hardware (CPU, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, CPU/memory/network interface/disk space utilization, swap space utilization, network interface errors, running process count, installed software change, running process CPU/memory utilization, running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SSH
  Information discovered: OS type, hardware (CPU details, memory)
  Metrics collected: Memory paging rate, disk I/O utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Vendor, model
  Metrics collected: General logs including authentication success/failure, privileged logons, user/group modification
  Used for: Security Monitoring and Compliance

Protocol: Syslog (via FortiSIEM Linux Agent)
  Metrics collected: File or directory change: user, type of change, directory or file name
  Used for: Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "linux" to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "linux" in the main content panel Search... field to see the rules associated with this device.

Reports

In RESOURCES > Reports, search for "linux" in the main content panel Search... field to see the reports associated with this device.

Configuration

SNMP v1 and v2c
  1. Make sure that the SNMP libraries are installed. FortiSIEM has been tested to work with the net-snmp libraries.
  2. Log in to your server with administrative access.
  3. Make these modifications to the /etc/snmp/snmpd.conf file:
    1. Define the community string for FortiSIEM usage and permit SNMP access only from the FortiSIEM IP. Do not keep the default "public" community.
    2. Allow FortiSIEM read-only access to the mib-2 tree.
    3. Allow FortiSIEM read-only access to the enterprise MIB: UCD-SNMP-MIB.
    4. Alternatively, open up the entire tree for read-only view.
  4. Reduce the logging level to avoid per-connection logging, which may cause resource issues:
    1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/default/snmpd (on Debian/Ubuntu)
    2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
      # snmpd command line options
      OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"
    3. Change the range from 0-6 to 0-5:
      # snmpd command line options
      OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid"
  5. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart (or systemctl restart snmpd on systemd hosts).
  6. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on (or systemctl enable snmpd on systemd hosts).
  7. Make sure that snmpd is running.
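Step 3 describes the snmpd.conf changes without showing them. The following is an added example, not part of the FortiSIEM guide, that puts the hardened configuration (one read-only community, accepted only from the collector's address, limited to the mib-2 and UCD-SNMP-MIB subtrees) beside the weak default, and a small audit function that flags the weak patterns in any snmpd.conf. The collector address 10.0.0.5, the community string and the view/group names are placeholders.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM guide). Placeholders: 10.0.0.5 is the
# collector IP, the community string is made up; replace both.

# Weak: the default community, answered for any source address.
weak_snmpd_conf() {
  cat <<'EOF'
rocommunity public
EOF
}

# Hardened: one read-only community, a single permitted source, and a view
# limited to the subtrees the guide names (mib-2 and UCD-SNMP-MIB).
hardened_snmpd_conf() {
  cat <<'EOF'
# sec name   source address   community (placeholder, use a long random string)
com2sec fsiem   10.0.0.5         Qv7m2xL9pRt4wZ8c
group   fsiemgrp v2c fsiem
# mib-2 (system, interfaces, HOST-RESOURCES-MIB) and UCD-SNMP-MIB (.1.3.6.1.4.1.2021)
view    fsiemview included .1.3.6.1.2.1
view    fsiemview included .1.3.6.1.4.1.2021
# step 3.4 of the guide opens the whole tree instead:  view fsiemview included .1
# read view = fsiemview, no write view, no notify view
access  fsiemgrp "" any noauth exact fsiemview none none
EOF
}

# audit_snmpd_conf FILE: prints one FAIL line per weak pattern found in FILE
# and returns 1; returns 0 when none of the patterns is present.
audit_snmpd_conf() {
  f="$1"
  rc=0
  # rocommunity/rwcommunity with nothing after the community string means
  # the community is accepted from every source host
  if grep -Eq '^[[:space:]]*r[ow]community[[:space:]]+[^[:space:]]+[[:space:]]*$' "$f"; then
    echo "FAIL: community string accepted from any source address"
    rc=1
  fi
  # the well-known defaults are the first thing a scanner tries
  if grep -Eiq '^[[:space:]]*(r[ow]community|com2sec)([[:space:]]+[^[:space:]]+)*[[:space:]]+(public|private)([[:space:]]|$)' "$f"; then
    echo "FAIL: default community string (public/private) in use"
    rc=1
  fi
  # FortiSIEM only reads; a write community is needless exposure
  if grep -Eq '^[[:space:]]*rwcommunity' "$f"; then
    echo "FAIL: read-write community configured"
    rc=1
  fi
  return $rc
}

# On a live host: audit_snmpd_conf /etc/snmp/snmpd.conf
```

The audit only looks at the three mistakes that matter most for a monitoring-only account; it does not validate view or access syntax, so still confirm the result with an snmpwalk from the collector's address after restarting snmpd.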
SNMP v3
Configuring SNMP v3 manually (rouser and createUser)
  1. Log in to your Linux server.
  2. Stop SNMP.
    service snmpd stop
  3. Use vi to edit the /etc/snmp/snmpd.conf file.
    Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file so that the SNMP daemon has correct credentials.
    vi /etc/snmp/snmpd.conf
  4. At the end of the file, add this line, substituting your user name for snmpv3user and removing the <> tags: rouser <snmpv3user>.
  5. Save the file.
  6. Use vi to edit the /var/lib/snmp/snmpd.conf file.
    Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file for the SNMP daemon to function correctly.
    vi /var/lib/snmp/snmpd.conf
  7. At the end of the file, add this line, entering the user name you entered in step 4, and then the authentication (MD5) and privacy (DES) passphrases for that user. Each passphrase must be at least 8 characters.
    MD5 and DES are the weakest protocols net-snmp offers. To use SHA and AES instead, substitute SHA for MD5 and AES for DES on this line; the FortiSIEM credential must then use the same protocols.
    createUser <snmpv3user>        MD5 <snmpv3md5password> DES <snmpv3despassword>
  8. Save the file.
  9. Reduce the logging level to avoid per-connection logging, which may cause resource issues:
    1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/default/snmpd (on Debian/Ubuntu)
    2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
      # snmpd command line options
      OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"
    3. Change the range from 0-6 to 0-5:
      # snmpd command line options
      OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid"
  10. Restart SNMP and make sure it starts at boot.
    service snmpd start
    chkconfig snmpd on
  11. View the contents of the /var/lib/snmp/snmpd.conf file.

    If this works, restarting snmpd will produce no errors, and the createUser line you added to /var/lib/snmp/snmpd.conf will have been replaced by a usmUser entry that holds the derived keys rather than the passphrases:

    cat /var/lib/snmp/snmpd.conf
  12. Run snmpwalk -v 3 -u <snmpv3user> -l authPriv -a MD5 -A <snmpv3md5password> -x DES -X <snmpv3despassword> <IP>
    You will see the walk output if this works. If there are any errors, see the net-snmp documentation for further instructions.
Configuring net-snmp-devel

If you have net-snmp-devel on your Linux server/client, follow these steps to configure SNMP v3. The net-snmp-config command writes the rouser and createUser lines from the previous procedure for you.

  1. Stop SNMP.
    service snmpd stop
  2. Run net-snmp-config --create-snmpv3-user -ro -A <MD5passwordhere> -X <DESpasswordhere> -x DES -a MD5 <SNMPUSERNAME>.
  3. Restart SNMP.
    service snmpd start
  4. Test by following step 12 (the snmpwalk) from above.
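Both procedures above use MD5 authentication and single DES privacy. The following is an added example, not from the FortiSIEM guide, of the same two files set up with SHA and AES, and with the user pinned to the authPriv level so that snmpd refuses requests that are authenticated but not encrypted. The user name fsiem and both passphrases are placeholders.

```conf
# --- /etc/snmp/snmpd.conf ---
# "priv" requires both authentication and encryption from this user;
# an authNoPriv request is rejected instead of answered in clear text.
rouser fsiem priv

# --- /var/lib/snmp/snmpd.conf (edit only while snmpd is stopped) ---
# Passphrases must be at least 8 characters (USM minimum). On the next
# start, snmpd replaces this line with a usmUser entry holding the derived
# keys, so the passphrases themselves no longer sit on disk.
createUser fsiem SHA Auth-Passphrase-Placeholder AES Priv-Passphrase-Placeholder
```

Verify with snmpwalk -v 3 -u fsiem -l authPriv -a SHA -A Auth-Passphrase-Placeholder -x AES -X Priv-Passphrase-Placeholder <IP> system; the same request with -l authNoPriv should be refused, which confirms the priv restriction took effect. With net-snmp-devel the equivalent one-shot command is net-snmp-config --create-snmpv3-user -ro -a SHA -A <auth passphrase> -x AES -X <priv passphrase> fsiem. The FortiSIEM SNMP v3 credential must be created with the same user name, protocols and passphrases.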
SSH
  1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them (vmstat comes from procps or procps-ng, iostat from sysstat).
  2. Create a user account that can issue vmstat and iostat commands. Neither command requires root, so a dedicated unprivileged account is sufficient and preferable to sharing an administrative one. FortiSIEM will use that user account to log in to the server.
Syslog Logging

Syslog forwarding can be configured on Linux servers to send the logs to FortiSIEM. There are different options regarding syslog configuration, including syslog over TLS.

There are typically two commonly-used syslog daemons, syslog-ng and rsyslog:

Basic Syslog-ng Configuration

Follow these steps to enable basic syslog-ng:

  1. Add a destination for the collector to your syslog-ng configuration, replacing <Collector IP> with your collector's address, and reference it from a log statement (the full example below shows both):

    destination fsiem_destination { udp("<Collector IP>" port(514)); };

  2. Restart the syslog-ng service or reload the configuration.

Additional Syslog-ng Configuration Information and Example

Source options are:

internal() means syslog-ng internal log messages.

system() means depending on your platform, syslog-ng will automatically collect the common log sources.

Filter functions:

facility(xx,xx,xx) allows filtering only the defined log facilities

Here is an example of configuring just authpriv and auth log facilities.
Note: Remember to replace the text in angle brackets with your content.

  1. Open the /etc/syslog-ng/syslog-ng.conf file.

  2. Add the following configuration.

    source fsiem_source {
                    internal();
                    system();
    };
    filter fsiem_filter {
        facility(auth, authpriv);
    };
    destination fsiem_destination {
        udp("<collector_ip>" port(514));
    };
    log{
        source(fsiem_source);
        filter(fsiem_filter);
        destination(fsiem_destination);
    };
    
  3. Save the file and restart syslog-ng by running the command:

    service syslog-ng restart

    or

    systemctl restart syslog-ng

Here is an example of verbose logging, where all log facilities are sent.
Note: Remember to replace the text in angle brackets with your content.

  1. Open the /etc/syslog-ng/syslog-ng.conf file.

  2. Add the following configuration.

    source fsiem_source {
                    internal();
                    system();
    };
    destination fsiem_destination {
        udp("<collector_ip>" port(514));
    };
    log{
        source(fsiem_source);
        destination(fsiem_destination);
    };
    
  3. Save the file and restart syslog-ng by running the command:

    service syslog-ng restart

    or

    systemctl restart syslog-ng

Basic Rsyslog Configuration

Follow these steps to enable rsyslog:

  1. Add the following lines to your rsyslog configuration, replacing <Collector IP> with your collector's address:

    # Send logs to the FortiSIEM Collector
    *.* @<Collector IP>:514

  2. Restart the rsyslog service or reload the configuration.

Additional Rsyslog Configuration Information and Example

Rsyslog has the list of supported facilities (application subsystems) shown here.

Facility          Description
auth, authpriv    authentication and authorization logs
cron              cron scheduling
daemon            a daemon without any special classification (DNS, NTP, etc.)
ftp               FTP server events
kern              kernel messages
lpr               printing subsystem
mail              email subsystem
news              Usenet subsystem messages (NNTP, etc.)
syslog            internal syslogd messages
user              generic user messages
uucp              UUCP server messages
local0 - local7   local use

Each message has a priority level, listed here from the most important to least important priority.

emerg, alert, crit, error, warn, notice, info, debug

In the rsyslog conf file, you reference a facility to forward in the format shown here.

<facility>.<priority> @<server ip or name>:<server_port>

where @ means UDP and @@ means TCP, and the text in angle brackets should be replaced with your information.

An asterisk (*) is a wildcard for any facility or any priority. For example:

auth.* means auth messages of any priority are sent to the target, and *.* means every message from every facility.

Here is a walkthrough example that logs just authentication messages to FortiSIEM by modifying the rsyslog.conf file (vi /etc/rsyslog.conf).
Note: Remember to replace the text in angle brackets with your content.

  1. Add the following lines so that only the authentication audit trail is sent to the FortiSIEM collector.

    authpriv.* @<Your_FortiSIEM_Collectors_IP_or_Hostname>:514

    auth.* @<Your_FortiSIEM_Collectors_IP_or_Hostname>:514

  2. Save the file and restart rsyslog using the following command.

    service rsyslog restart

    or

    systemctl restart rsyslog.service

  3. Log in to this server or run a sudo command to confirm that the logs appear in FortiSIEM, and that a CMDB entry is created for the server if it does not already exist.

    For verbose logging of all facilities and priorities, use the following instead.

    *.* @<server ip or hostname>:514
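The forwarding lines above use UDP, which sends the authentication trail in clear text and drops messages when the network or collector is busy, and the page mentions syslog over TLS without showing it. The following is an added example, not from the FortiSIEM guide, of an rsyslog drop-in file that sends the auth and authpriv facilities over TCP with TLS. It assumes the rsyslog-gnutls package is installed, that the collector's CA certificate is at the path shown, that the collector's certificate name matches its host name, and that the collector accepts TLS syslog on TCP 6514 (confirm the port for your FortiSIEM release; this page documents only 514). collector.example.com and the file paths are placeholders.

```conf
# /etc/rsyslog.d/10-fortisiem.conf  (added example, not from the guide)

# Weak: UDP, clear text, no delivery guarantee (what the basic steps do)
# auth,authpriv.* @collector.example.com:514

global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/fortisiem-ca.pem"
)

# Hardened: authentication facilities only, TCP with TLS, the collector's
# identity checked against its certificate name, and an in-memory queue so
# a collector outage does not block local logging.
if ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(
        type="omfwd"
        target="collector.example.com" port="6514" protocol="tcp"
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="collector.example.com"
        queue.type="LinkedList" queue.size="10000"
        action.resumeRetryCount="-1"
    )
}
```

Drop the if block and keep the action to forward every facility. If the collector requires client certificates, also set DefaultNetstreamDriverCertFile and DefaultNetstreamDriverKeyFile in the global() block. For plain TCP without TLS, remove the global() block and the four StreamDriver parameters, which is the RainerScript form of the @@ prefix. After restarting rsyslog, generate a test event with logger -p auth.notice "fsiem forwarding test" and confirm it appears in FortiSIEM.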

Linux File Monitoring

FortiSIEM has licensed Linux agents that provide additional capabilities, such as custom log forwarding and central management. See the “Linux Agent Installation Guide” for details on this agent.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value
Name ssh-generic
Device Type Generic
Access Protocol SSH
Port 22
User Name A user who has access credentials for your device over SSH
Password The password for the user
