Fortinet black logo

External Systems Configuration Guide

Google Cloud Platform - Pub/Sub Integration

Google Cloud Platform (GCP)- Pub/Sub Integration

FortiSIEM Support Added: 6.3.1

FortiSIEM Last Modification: 6.3.1

Vendor Version Tested: Not Provided

Vendor: Google

Product Information: https://cloud.google.com/

What is Discovered and Monitored

Protocol Logs Collected Used For
Google Cloud Pub/Sub SDK Admin Activity audit logs, Data Access Audit logs, System Event audit logs, Policy Denied audit logs. Arbitrary custom log ingestion via Pub/Sub topic. GCP Audit Log ingestion, or Custom Log Ingestion

Event Types

In ADMIN > Device Support > Event Types, search for "GCP_A" in the Search field to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "GCP:" in the main content panel Search... field to see the rules associated with this application or device.

In 6.3.1 the following rules are available:

  • GCP: Firewall Rule Created

  • GCP: Firewall Rule Deleted

  • GCP: Firewall Rule Patched

  • GCP: IAM Custom Role Created

  • GCP: IAM Custom Role Deleted

  • GCP: IAM Member assigned role of type admin or owner

  • GCP: Logging Sink Deleted, GCP: Logging Sink Updated

  • GCP: Pub/Sub Subscription Created

  • GCP: Pub/Sub Subscription Deleted

  • GCP: Pub/Sub Topic Created

  • GCP: Pub/Sub Topic Deleted

  • GCP: Service Account Access Key Created

  • GCP: Service Account Access Key Deleted

  • GCP: Service Account Created

  • GCP: Service Account Deleted

  • GCP: Service Account Disabled

  • GCP: Storage Bucket IAM Permissions Modified

  • GCP: Storage Bucket Updated

  • GCP: Storage or Logging Bucket Deleted

  • GCP: VPC Network Deleted

  • GCP: VPC Route Added

  • GCP: VPC Route Deleted

Reports

There are many reports defined in RESOURCES > Reports. Search for "GCP:" in the main content panel Search... field.

In 6.3.1, the following reports are available:

  • GCP: Firewall Rule Created, Deleted, or Changed

  • GCP: IAM Custom Roles Created or Deleted

  • GCP: IAM Policy Change Audit Report

  • GCP: Logging Sinks Created, Updated, or Deleted

  • GCP: Pub/Sub Subscriptions Created or Deleted

  • GCP: Pub/Sub Topic Created or Deleted

  • GCP: Service Account Access Keys Created or Deleted

  • GCP: Service Accounts Created, Deleted, or Disabled

  • GCP: Storage Bucket IAM Permissions Modified

  • GCP: Storage Buckets Updated

  • GCP: Storage or Logging Bucket Deleted

  • GCP: Top Admin Activity Events by Principal

  • GCP: Top Admin Activity Events by Source IP

  • GCP: Top Data Access Events by Principal

  • GCP: Top Data Access Events by Source IP

  • GCP: Top Event Types by Count

  • GCP: Top Traffic by Country

  • GCP: VPC Network Created or Deleted

  • GCP: VPC Routes Created or Deleted

Dashboard

A standard GCP Audit Dashboard can be found by navigating to DASHBOARD, and selecting GCP Dashboard from the Dashboard drop-down list.

Configuration

Google Cloud Platform Pub/Sub Setup

Google Cloud Platform (GCP) Log Flow: GCP audit logs sink -> Pub/Sub topic for FortiSIEM -> FortiSIEM ingest with standard log header appended

To set up GCP Pub/Sub:

  1. Create a topic by taking the following steps:

    1. Go to Pub/Sub Service in GCP console.

    2. Select the project where the topic should reside.

    3. In the Create Topic dialog boxes, enter the following options:

      1. In the Topic id field, enter "fortisiem-topic", or a desired name for the topic.

      2. For Leave option, make sure the checkbox next to "Add a default subscription" is checked.

      3. When done, click CREATE TOPIC.

      4. Notate the topic name. Example: projects/fortisiem-integration-1111/topics/fortisiem-topic

      5. Click on Subscriptions and notate the subscription name. Example: projects/fortisiem-integration-1111/subscriptions/fortisiem-topic-sub

  2. Turn on audit logs for all services by taking the following steps:

    Note: Not all auditing is on by default, so this configuration is necessary.

    1. Go to IAM & Admin.

    2. Select Audit Logs on the left hand toolbar.

    3. Click the Default Audit Config button at the top of the screen.

    4. Select all desired log options.

      For the most verbose log information, make sure to select the following 4 boxes: Admin Read, Admin Write, Data Read, and Data Write.

      For minimal logging, only select Admin Read and Admin Write.

      Note: Optionally, VPC flows and Firewall Rule logs can be configured through the VPC network menu by taking the following steps:
      For Firewall rules, you must select each one you would like to enable with logs, edit, and then select the Logs radio button to turn on. Repeat for each desired Firewall rule.

      1. Go to VPC networks.

      2. Select your desired Subnet.

      3. Click the Flow logs drop-down list.

      4. Set sampling interval to 5 seconds, and leave the rest as default.

    5. Click Done.

  3. Create an aggregated sink with the topic in pub/sub as the destination. The destination topic can be created in any Cloud project in any organization if the service account from the log sink has permission to write to the destination.

    The serviceAccount entry is returned from the create sink command that shows which identity must be added to the particular Pub/Sub topic as a role Pub/Sub Publisher.

    This identity represents a Google Cloud service account that has been created for the log export. Until you grant this identity, publisher permissions to the destination topic and log entry exports from this sink will fail. For more information, see step 4 for granting access for a resource.

    Take the following steps:

    1. Select the Gcloud console (>_) button on top right hand of your browser.

    2. Enter the following comand:

      gcloud organizations list

    3. You may be prompted to authorize the command. If so, select yes.

    4. Notate the Organization ID. Example: 87732091111

    5. Format your sink destination as pubsub.googleapis.com/<pubsubtopic>

    6. Run the following command if your project is tied to, or part of an organization; This command creates an organization wide sink called fortisiem_sink for all projects and folders, and sends all logs to the Pub/Sub topic specified.

      gcloud logging sinks create fortisiem_sink \

      pubsub.googleapis.com/projects/fortisiem-integration-1111/topics/fortisiem-topic --include-children \

      --organization=<organization_id>

      If your project is not tied to, or has no organization, use the project id instead. It will create a sink of this project only, meaning only the logs from this project will go into the topic.

      You can repeat this command for each sink you’d like to create per project. You can modify the sink name for each to ensure uniqueness.

      gcloud logging sinks create fortisiem_sink \

      pubsub.googleapis.com/projects/fortisiem-integration-1111/topics/fortisiem-topic --include-children \

      --project=<project_id>

    7. !IMPORTANT! Copy the output, and notate the service account created. It is required to permit the service to write to the pub/sub topic. Must be Pub/Sub Publisher.

      Example:

      Created [https://logging.googleapis.com/v2/organizations/87732091111/sinks/fortisiem_sink].

      Grant serviceAccount:o111110938575-661167@gcp-sa-logging.iam.gserviceaccount.com the Pub/Sub Publisher role on the topic.

      More information about sinks can be found at https://cloud.google.com/logging/docs/export/configure_export

  4. Configure aggregated sink service account for the given organization (from step 3) to publish to the created topic (created in step 1) by taking the following steps:

    1. Go to the Pub/Sub topics service page.

    2. Select the project where the topic was created.

    3. Click on the topic (fortisiem-topic, or the topic name entered) from step 1.

    4. Click Show Info Panel on the right hand toolbar to show the Permissions tab.

    5. Click the Add Member button.

    6. Paste the service account created with the aggregated sink that you created earlier here.

    7. Apply role of Pub/Sub Publisher.

    8. Click Add.
      Pub/Sub is now set up.

FortiSIEM Service Account Setup

A service account for FortiSIEM is required to ingest logs from the Pub/Sub topic. To create this account, take the following steps:

  1. Go to the Service accounts page.

  2. Click Create Service Account.

  3. Select the project in the drop-down list where the Pub/Sub topic exists.

  4. In the Service Account Name field, enter "fortisiem-pubsub", or a desired name for the service account.

  5. Click Create.

  6. Click Continue.

  7. Select Role Pub/Sub Subscriber.

  8. Click Continue.

  9. Click Done.

Now, a service account key is needed. To create a service account key, take the following steps:

  1. Select your new service account.

  2. Click on the Keys tab.

  3. Click the Add key drop-down list, and select Create new key.

  4. Select JSON as the Key type, and click Create.

A file download will be created with service account data. This file is required for FortiSIEM configuration. Store a secure copy.

FortiSIEM Configuration

The following items are required for FortiSIEM integration.

  • The subscription name created under the Pub/Sub topic: e.g. projects/fortisiem-integration-1111/subscriptions/fortisiem-topic-sub

    • Locate the subscription name by going to the topic you created, selecting subscriptions, and clicking on the subscription name.

      Note: The subscription name will need to be entered into the Subscription Path field configuration for FortiSIEM.

  • The Service Account JSON Key file.

Make sure you have completed these instructions if you do not have these items.


To configure FortiSIEM, take the following steps:

  1. Login to the FortiSIEM GUI.

    Note: If this SIEM has multiple organizations, change the scope to the desired organization level for ingesting logs.

  2. Navigate to ADMIN > Setup > Credentials.

  3. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeGoogle Google Cloud Platform
      Access ProtocolGOOGLE_Pub_Sub
      Pull Interval5 minutes (leave at default)
      Subscription PathEnter the subscription name from Google Cloud Platform.

      Example: projects/fortisiem-integration-1111/subscriptions/fortisiem-topic-sub

      Service Account KeyClick Upload and upload the JSON Service Account Key.

      Log Keyword

      Leave the default value of “GCP_AUDIT_LOG”. Changing this will break the parser. This uniquely identifies that every log in this Pub/Sub topic is from Google Cloud Audit logging.

      Description(Optional) Description about the instance.
    3. Click Save.

  4. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.

    Note: If your SIEM organization has multiple FortiSIEM collectors, be sure to select which collector will do the polling. A drop-down list will appear to the right of the Test button if you have multiple collectors. If you only have 1 collector, or in Super only environments, no collectors, no drop-down list will appear.

    1. Select the name of your credential from the Credentials drop-down list.

    2. The IP/Host Name field will auto populate with google.com. This is normal, do not change it.

    3. Click Save.

  5. To start polling, select the new mapping, click the Test drop-down list, and select Test Connectivity without Ping. It will take approximately 5 minutes for the initial poll job to kick off.
  6. Once 5 minutes have passed, click ANALYTICS.
  7. Click the Edit Filters and Time Range... field to run a query to see any Google Audit Logs.
    1. Select Event Attribute.
    2. Under Attribute, enter/select Event Type.
    3. Under Operator, select CONTAIN.
    4. Under Value, enter GCP_AUDIT.
    5. Click Apply & Run to execute.
Custom Log Integration

This integration is only needed if you are publishing custom logs to a Google Pub/Sub topic, and would like FortiSIEM to ingest those logs. Note that once the logs are ingested, you will still need to create a FortiSIEM parser for the log to be parsed and analyzed once ingested.

Log Flow: Custom logs from customer applications and systems -> Pub/Sub custom topic -> FortiSIEM ingest with custom log header appended

To integrate custom logs, take the following steps:

Note: In this process, the setup for a Pub/Sub topic is the same as normal integration, but instead of sinking GCP logs to the topic, you instead ingest your custom logs to the topic on your own.

  1. Create a Pub/Sub topic.

  2. Publish your custom logs to your topic. Your team will create a service account for your custom applications to send logs to this topic.

  3. Create a service account with subscriber permissions to the topic for FortiSIEM. See FortiSIEM Service Account Setup.

  4. Configure FortiSIEM with service account credential and subscription name, and enter the custom log header format. This step follows the exact instructions in FortiSIEM Configuration except for the need to change Log Keyword in the Access Method Definition dialog box. See Log Keyword Information for more information.

Log Keyword Information

Log Keyword is a critical component for the parsing of logs. If you are ingesting custom logs, FortiSIEM will prepend the string to the log. This is supposed to be a unique identifier to know what the custom logs are for parsing.

Example:

We publish the log file {“attackName”:”REvil Compromise”,”hostname”:”host1”} into a Pub/Sub topic. This is a log from Custom Application A for our example.

When we set up the FortiSIEM integration, we’ll do something to specify a log keyword to uniquely identify what type of logs these are.

When FortiSIEM ingests the log, it will appear in this format:

1 192.168.1.20 google.com CUSTOM_APP_A {“attackName”:”REvil Compromise”,”hostname”:”host1”}

This is important for log parsing, as we can write a parser that matches this log header, to process these logs. Any log in this Pub/Sub topic gets this header. This helps us write parsing in a simplified manner, as not all logs are cleanly structured and helps identify what or where the logs are from originally.

For custom log parsing, see the NSE training documentation on the topic, or consult FortiCare Professional Services.

Google Cloud Platform (GCP)- Pub/Sub Integration

FortiSIEM Support Added: 6.3.1

FortiSIEM Last Modification: 6.3.1

Vendor Version Tested: Not Provided

Vendor: Google

Product Information: https://cloud.google.com/

What is Discovered and Monitored

Protocol Logs Collected Used For
Google Cloud Pub/Sub SDK Admin Activity audit logs, Data Access Audit logs, System Event audit logs, Policy Denied audit logs. Arbitrary custom log ingestion via Pub/Sub topic. GCP Audit Log ingestion, or Custom Log Ingestion

Event Types

In ADMIN > Device Support > Event Types, search for "GCP_A" in the Search field to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "GCP:" in the main content panel Search... field to see the rules associated with this application or device.

In 6.3.1 the following rules are available:

  • GCP: Firewall Rule Created

  • GCP: Firewall Rule Deleted

  • GCP: Firewall Rule Patched

  • GCP: IAM Custom Role Created

  • GCP: IAM Custom Role Deleted

  • GCP: IAM Member assigned role of type admin or owner

  • GCP: Logging Sink Deleted, GCP: Logging Sink Updated

  • GCP: Pub/Sub Subscription Created

  • GCP: Pub/Sub Subscription Deleted

  • GCP: Pub/Sub Topic Created

  • GCP: Pub/Sub Topic Deleted

  • GCP: Service Account Access Key Created

  • GCP: Service Account Access Key Deleted

  • GCP: Service Account Created

  • GCP: Service Account Deleted

  • GCP: Service Account Disabled

  • GCP: Storage Bucket IAM Permissions Modified

  • GCP: Storage Bucket Updated

  • GCP: Storage or Logging Bucket Deleted

  • GCP: VPC Network Deleted

  • GCP: VPC Route Added

  • GCP: VPC Route Deleted

Reports

There are many reports defined in RESOURCES > Reports. Search for "GCP:" in the main content panel Search... field.

In 6.3.1, the following reports are available:

  • GCP: Firewall Rule Created, Deleted, or Changed

  • GCP: IAM Custom Roles Created or Deleted

  • GCP: IAM Policy Change Audit Report

  • GCP: Logging Sinks Created, Updated, or Deleted

  • GCP: Pub/Sub Subscriptions Created or Deleted

  • GCP: Pub/Sub Topic Created or Deleted

  • GCP: Service Account Access Keys Created or Deleted

  • GCP: Service Accounts Created, Deleted, or Disabled

  • GCP: Storage Bucket IAM Permissions Modified

  • GCP: Storage Buckets Updated

  • GCP: Storage or Logging Bucket Deleted

  • GCP: Top Admin Activity Events by Principal

  • GCP: Top Admin Activity Events by Source IP

  • GCP: Top Data Access Events by Principal

  • GCP: Top Data Access Events by Source IP

  • GCP: Top Event Types by Count

  • GCP: Top Traffic by Country

  • GCP: VPC Network Created or Deleted

  • GCP: VPC Routes Created or Deleted

Dashboard

A standard GCP Audit Dashboard can be found by navigating to DASHBOARD, and selecting GCP Dashboard from the Dashboard drop-down list.

Configuration

Google Cloud Platform Pub/Sub Setup

Google Cloud Platform (GCP) Log Flow: GCP audit logs sink -> Pub/Sub topic for FortiSIEM -> FortiSIEM ingest with standard log header appended

To set up GCP Pub/Sub:

  1. Create a topic by taking the following steps:

    1. Go to Pub/Sub Service in GCP console.

    2. Select the project where the topic should reside.

    3. In the Create Topic dialog boxes, enter the following options:

      1. In the Topic id field, enter "fortisiem-topic", or a desired name for the topic.

      2. For Leave option, make sure the checkbox next to "Add a default subscription" is checked.

      3. When done, click CREATE TOPIC.

      4. Notate the topic name. Example: projects/fortisiem-integration-1111/topics/fortisiem-topic

      5. Click on Subscriptions and notate the subscription name. Example: projects/fortisiem-integration-1111/subscriptions/fortisiem-topic-sub

  2. Turn on audit logs for all services by taking the following steps:

    Note: Not all auditing is on by default, so this configuration is necessary.

    1. Go to IAM & Admin.

    2. Select Audit Logs on the left hand toolbar.

    3. Click the Default Audit Config button at the top of the screen.

    4. Select all desired log options.

      For the most verbose log information, make sure to select the following 4 boxes: Admin Read, Admin Write, Data Read, and Data Write.

      For minimal logging, only select Admin Read and Admin Write.

      Note: Optionally, VPC flows and Firewall Rule logs can be configured through the VPC network menu by taking the following steps:
      For Firewall rules, you must select each one you would like to enable with logs, edit, and then select the Logs radio button to turn on. Repeat for each desired Firewall rule.

      1. Go to VPC networks.

      2. Select your desired Subnet.

      3. Click the Flow logs drop-down list.

      4. Set sampling interval to 5 seconds, and leave the rest as default.

    5. Click Done.

  3. Create an aggregated sink with the topic in pub/sub as the destination. The destination topic can be created in any Cloud project in any organization if the service account from the log sink has permission to write to the destination.

    The serviceAccount entry is returned from the create sink command that shows which identity must be added to the particular Pub/Sub topic as a role Pub/Sub Publisher.

    This identity represents a Google Cloud service account that has been created for the log export. Until you grant this identity, publisher permissions to the destination topic and log entry exports from this sink will fail. For more information, see step 4 for granting access for a resource.

    Take the following steps:

    1. Select the Gcloud console (>_) button on top right hand of your browser.

    2. Enter the following comand:

      gcloud organizations list

    3. You may be prompted to authorize the command. If so, select yes.

    4. Notate the Organization ID. Example: 87732091111

    5. Format your sink destination as pubsub.googleapis.com/<pubsubtopic>

    6. Run the following command if your project is tied to, or part of an organization; This command creates an organization wide sink called fortisiem_sink for all projects and folders, and sends all logs to the Pub/Sub topic specified.

      gcloud logging sinks create fortisiem_sink \

      pubsub.googleapis.com/projects/fortisiem-integration-1111/topics/fortisiem-topic --include-children \

      --organization=<organization_id>

      If your project is not tied to, or has no organization, use the project id instead. It will create a sink of this project only, meaning only the logs from this project will go into the topic.

      You can repeat this command for each sink you’d like to create per project. You can modify the sink name for each to ensure uniqueness.

      gcloud logging sinks create fortisiem_sink \

      pubsub.googleapis.com/projects/fortisiem-integration-1111/topics/fortisiem-topic --include-children \

      --project=<project_id>

    7. !IMPORTANT! Copy the output, and notate the service account created. It is required to permit the service to write to the pub/sub topic. Must be Pub/Sub Publisher.

      Example:

      Created [https://logging.googleapis.com/v2/organizations/87732091111/sinks/fortisiem_sink].

      Grant serviceAccount:o111110938575-661167@gcp-sa-logging.iam.gserviceaccount.com the Pub/Sub Publisher role on the topic.

      More information about sinks can be found at https://cloud.google.com/logging/docs/export/configure_export

  4. Configure aggregated sink service account for the given organization (from step 3) to publish to the created topic (created in step 1) by taking the following steps:

    1. Go to the Pub/Sub topics service page.

    2. Select the project where the topic was created.

    3. Click on the topic (fortisiem-topic, or the topic name entered) from step 1.

    4. Click Show Info Panel on the right hand toolbar to show the Permissions tab.

    5. Click the Add Member button.

    6. Paste the service account created with the aggregated sink that you created earlier here.

    7. Apply role of Pub/Sub Publisher.

    8. Click Add.
      Pub/Sub is now set up.

FortiSIEM Service Account Setup

A service account for FortiSIEM is required to ingest logs from the Pub/Sub topic. To create this account, take the following steps:

  1. Go to the Service accounts page.

  2. Click Create Service Account.

  3. Select the project in the drop-down list where the Pub/Sub topic exists.

  4. In the Service Account Name field, enter "fortisiem-pubsub", or a desired name for the service account.

  5. Click Create.

  6. Click Continue.

  7. Select Role Pub/Sub Subscriber.

  8. Click Continue.

  9. Click Done.

Now, a service account key is needed. To create a service account key, take the following steps:

  1. Select your new service account.

  2. Click on the Keys tab.

  3. Click the Add key drop-down list, and select Create new key.

  4. Select JSON as the Key type, and click Create.

A file download will be created with service account data. This file is required for FortiSIEM configuration. Store a secure copy.

FortiSIEM Configuration

The following items are required for FortiSIEM integration.

  • The subscription name created under the Pub/Sub topic: e.g. projects/fortisiem-integration-1111/subscriptions/fortisiem-topic-sub

    • Locate the subscription name by going to the topic you created, selecting subscriptions, and clicking on the subscription name.

      Note: The subscription name will need to be entered into the Subscription Path field configuration for FortiSIEM.

  • The Service Account JSON Key file.

Make sure you have completed these instructions if you do not have these items.


To configure FortiSIEM, take the following steps:

  1. Login to the FortiSIEM GUI.

    Note: If this SIEM has multiple organizations, change the scope to the desired organization level for ingesting logs.

  2. Navigate to ADMIN > Setup > Credentials.

  3. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeGoogle Google Cloud Platform
      Access ProtocolGOOGLE_Pub_Sub
      Pull Interval5 minutes (leave at default)
      Subscription PathEnter the subscription name from Google Cloud Platform.

      Example: projects/fortisiem-integration-1111/subscriptions/fortisiem-topic-sub

      Service Account KeyClick Upload and upload the JSON Service Account Key.

      Log Keyword

      Leave the default value of “GCP_AUDIT_LOG”. Changing this will break the parser. This uniquely identifies that every log in this Pub/Sub topic is from Google Cloud Audit logging.

      Description(Optional) Description about the instance.
    3. Click Save.

  4. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.

    Note: If your SIEM organization has multiple FortiSIEM collectors, be sure to select which collector will do the polling. A drop-down list will appear to the right of the Test button if you have multiple collectors. If you only have 1 collector, or in Super only environments, no collectors, no drop-down list will appear.

    1. Select the name of your credential from the Credentials drop-down list.

    2. The IP/Host Name field will auto populate with google.com. This is normal, do not change it.

    3. Click Save.

  5. To start polling, select the new mapping, click the Test drop-down list, and select Test Connectivity without Ping. It will take approximately 5 minutes for the initial poll job to kick off.
  6. Once 5 minutes have passed, click ANALYTICS.
  7. Click the Edit Filters and Time Range... field to run a query to see any Google Audit Logs.
    1. Select Event Attribute.
    2. Under Attribute, enter/select Event Type.
    3. Under Operator, select CONTAIN.
    4. Under Value, enter GCP_AUDIT.
    5. Click Apply & Run to execute.
Custom Log Integration

This integration is only needed if you are publishing custom logs to a Google Pub/Sub topic, and would like FortiSIEM to ingest those logs. Note that once the logs are ingested, you will still need to create a FortiSIEM parser for the log to be parsed and analyzed once ingested.

Log Flow: Custom logs from customer applications and systems -> Pub/Sub custom topic -> FortiSIEM ingest with custom log header appended

To integrate custom logs, take the following steps:

Note: In this process, the setup for a Pub/Sub topic is the same as normal integration, but instead of sinking GCP logs to the topic, you instead ingest your custom logs to the topic on your own.

  1. Create a Pub/Sub topic.

  2. Publish your custom logs to your topic. Your team will create a service account for your custom applications to send logs to this topic.

  3. Create a service account with subscriber permissions to the topic for FortiSIEM. See FortiSIEM Service Account Setup.

  4. Configure FortiSIEM with service account credential and subscription name, and enter the custom log header format. This step follows the exact instructions in FortiSIEM Configuration except for the need to change Log Keyword in the Access Method Definition dialog box. See Log Keyword Information for more information.

Log Keyword Information

Log Keyword is a critical component for the parsing of logs. If you are ingesting custom logs, FortiSIEM will prepend the string to the log. This is supposed to be a unique identifier to know what the custom logs are for parsing.

Example:

We publish the log file {“attackName”:”REvil Compromise”,”hostname”:”host1”} into a Pub/Sub topic. This is a log from Custom Application A for our example.

When we set up the FortiSIEM integration, we’ll do something to specify a log keyword to uniquely identify what type of logs these are.

When FortiSIEM ingests the log, it will appear in this format:

1 192.168.1.20 google.com CUSTOM_APP_A {“attackName”:”REvil Compromise”,”hostname”:”host1”}

This is important for log parsing, as we can write a parser that matches this log header, to process these logs. Any log in this Pub/Sub topic gets this header. This helps us write parsing in a simplified manner, as not all logs are cleanly structured and helps identify what or where the logs are from originally.

For custom log parsing, see the NSE training documentation on the topic, or consult FortiCare Professional Services.