External Systems Configuration Guide

Fortinet FortiDeceptor

Integration Points

Method: Syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
LOGs collected: Authentication logs, Decoy activity
Used for: Security monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "FortiDeceptor" to see the event types associated with this device.

Rules

No specific rules are written for FortiDeceptor.

Reports

No specific reports are written for FortiDeceptor.

Configuration

Configure the FortiDeceptor system to send logs to FortiSIEM in the supported format (see Sample Events).

Refer to the latest FortiDeceptor Administration Guide for current configuration steps. The instructions here are taken from the FortiDeceptor 3.3.1 Administration Guide.

To configure syslog in FortiDeceptor, take the following steps:

  1. From FortiDeceptor, navigate to Log > Log Servers.

  2. Click Create New and enter the following information into the configuration.

    Field           Input
    Name            FortiSIEM
    Server Type     syslog
    Server Address  Input the IP address or FQDN of your FortiSIEM collector.
    Port            Leave as default (UDP 514)
    Status          Enabled
    Log Level       Information

  3. If applicable, click OK.

Settings for Access Credentials

None required.

Sample Events

<27>2019-07-29T10:12:44 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 logver=25 tzone=14400 tz=GST date=2019-07-29 time=10:12:44 logid=0106000001 type=event subtype=system level=error user=system ui=GUI action=update status=failure msg="The authentication to FDN server failed"

<14>2019-07-29T10:40:34 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 logver=25 tzone=14400 tz=GST date=2019-07-29 time=10:40:34 logid=0106000001 type=event subtype=system level=information user=admin ui=GUI action=Login status=success msg="Administrator admin logged into website successfully from 10.0.0.254"
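As an added example (not part of this guide or of FortiSIEM's own parser), the following Python snippet parses the FortiDeceptor syslog format shown above: it splits the <PRI> header into facility and severity, collects the key=value body while honouring the double-quoted msg field, and pulls the successful administrator login and its source address out of the two sample events, which are embedded here with each event joined into a single line.

```python
import re

# The two sample events from the page, each joined into a single syslog line.
SAMPLE_EVENTS = [
    '<27>2019-07-29T10:12:44 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 '
    'logver=25 tzone=14400 tz=GST date=2019-07-29 time=10:12:44 logid=0106000001 '
    'type=event subtype=system level=error user=system ui=GUI action=update '
    'status=failure msg="The authentication to FDN server failed"',
    '<14>2019-07-29T10:40:34 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 '
    'logver=25 tzone=14400 tz=GST date=2019-07-29 time=10:40:34 logid=0106000001 '
    'type=event subtype=system level=information user=admin ui=GUI action=Login '
    'status=success msg="Administrator admin logged into website successfully from 10.0.0.254"',
]

# Layout: <PRI>TIMESTAMP key=value ...; values are bare tokens or double-quoted strings.
HEADER_RE = re.compile(r"^<(\d{1,3})>(\S+)\s+(.*)$", re.DOTALL)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SRC_IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_event(line):
    """Return a dict of header fields plus every key=value pair in the body."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> syslog header")
    pri = int(m.group(1))
    # RFC 3164 priority: facility * 8 + severity.
    fields = {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(2)}
    for key, val in KV_RE.findall(m.group(3)):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields


def admin_logins(lines):
    """(user, source IP) for each successful login; IP is None if msg lacks one."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("action") == "Login" and ev.get("status") == "success":
            m = SRC_IP_RE.search(ev.get("msg", ""))
            hits.append((ev.get("user"), m.group(1) if m else None))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        print(ev["severity"], ev["devid"], ev["action"], ev["status"], ev["msg"])
    print(admin_logins(SAMPLE_EVENTS))
```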
