External Systems Configuration Guide

KVM

Support Added: FortiSIEM 6.3.1

Last Modification: FortiSIEM 6.3.1

Vendor Version Tested: Not Provided

Vendor: Free Software released under the General Public License (GPL).

Product Information: https://www.linux-kvm.org/page/Main_Page

What is Discovered and Monitored

Method: syslog

Information discovered: Host name, Reporting IP

Metrics collected: None

Logs collected: Virtual Machine monitoring and changes

Used for: Security Monitoring

Event Types

  • LINUX_Auditd_VIRT_MACHINE_ID

  • LINUX_Auditd_VIRT_CONTROL

  • LINUX_Auditd_VIRT_RESOURCE

Rules

There are no specific rules.

Reports

There are no specific reports.

Configuration

To configure, take the following steps:

  1. Install the auditd daemon on the Linux host (for example, apt-get install auditd).

  2. Edit /etc/audit/auditd.conf and configure it as follows (note log_format = ENRICHED, which resolves the UIDs and AUIDs to the real user names):

    Note: This file controls the configuration of the audit daemon.

    local_events = yes
    write_logs = yes
    log_file = /var/log/audit/audit.log
    log_group = root
    log_format = ENRICHED
    flush = INCREMENTAL_ASYNC
    freq = 50
    max_log_file = 8
    num_logs = 5
    priority_boost = 4
    disp_qos = lossy
    dispatcher = /sbin/audispd
    name_format = NONE
    ##name = mydomain
    max_log_file_action = ROTATE
    space_left = 75
    space_left_action = SYSLOG
    action_mail_acct = root
    admin_space_left = 50
    admin_space_left_action = SUSPEND
    disk_full_action = SUSPEND
    disk_error_action = SUSPEND
    use_libwrap = yes
    ##tcp_listen_port =
    tcp_listen_queue = 5
    tcp_max_per_addr = 1
    ##tcp_client_ports = 1024-65535
    tcp_client_max_idle = 0
    enable_krb5 = no
    krb5_principal = auditd
    ##krb5_key_file = /etc/audit/audit.key
    distribute_network = no

  3. Configure rsyslog to send this log file via syslog by editing /etc/rsyslog.conf and adding these lines:
    Note: This does not require a Linux agent.

    $ModLoad imfile
    $InputFileName /var/log/audit/audit.log
    $InputFileTag tag_audit_log:
    $InputFileStateFile audit_log
    $InputFileSeverity info
    $InputFileFacility local6
    $InputRunFileMonitor
    *.* @replace.with.fortisiem.collector.IP:514
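The settings in steps 2 and 3 have to agree with each other: the file rsyslog tails must be the one auditd writes, the imfile module must be loaded, and the placeholder collector address must be replaced. The following Python script is added here as an example and is not part of this guide, FortiSIEM, auditd or rsyslog; it reads both files as text and lists anything that would leave FortiSIEM with missing or unenriched VIRT_* events. The embedded configurations are constructed excerpts of the settings above, and 192.0.2.10 is a made-up collector address.

```python
"""Check that the auditd.conf and rsyslog.conf settings from the steps above agree.

Added example for this guide, not FortiSIEM, auditd or rsyslog code. It inspects
the two files as text only. The embedded inputs are constructed excerpts of the
settings shown in steps 2 and 3, plus a deliberately weakened variant.
"""
import re
from typing import Dict, List

# Excerpt of the step 2 settings that matter for forwarding (constructed).
GOOD_AUDITD_CONF = """\
# This file controls the configuration of the audit daemon.
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_format = ENRICHED
##name = mydomain
"""

# Same excerpt with enrichment switched off (constructed weak variant).
WEAK_AUDITD_CONF = GOOD_AUDITD_CONF.replace("ENRICHED", "RAW")

# The rsyslog lines from step 3, verbatim, placeholder target included.
RSYSLOG_CONF = """\
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
*.* @replace.with.fortisiem.collector.IP:514
"""

PLACEHOLDER_TARGET = "replace.with.fortisiem.collector.IP"


def parse_auditd_conf(text: str) -> Dict[str, str]:
    """Read 'key = value' lines; anything starting with '#' is a comment."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def forwarding_targets(rsyslog_conf: str) -> List[str]:
    """Hosts named in '<selector> @host[:port]' (UDP) or '@@host' (TCP) actions."""
    return re.findall(r"^\S+\s+@{1,2}([^:\s]+)", rsyslog_conf, re.M)


def check_forwarding(auditd_conf: str, rsyslog_conf: str) -> List[str]:
    """Return the reasons FortiSIEM would receive incomplete or no VIRT_* events.

    An empty list means the two files agree with what the guide requires.
    """
    audit = parse_auditd_conf(auditd_conf)
    problems: List[str] = []

    if audit.get("write_logs", "yes").lower() != "yes":
        problems.append("auditd: write_logs is off, nothing is written for rsyslog to tail")
    if audit.get("log_format") != "ENRICHED":
        problems.append("auditd: log_format must be ENRICHED to get UID=/AUID= user names")

    if not re.search(r"^\$ModLoad\s+imfile\b", rsyslog_conf, re.M):
        problems.append("rsyslog: imfile module is not loaded")
    watched = re.findall(r"^\$InputFileName\s+(\S+)", rsyslog_conf, re.M)
    if audit.get("log_file") not in watched:
        problems.append(f"rsyslog: no $InputFileName for auditd log_file {audit.get('log_file')!r}")

    targets = forwarding_targets(rsyslog_conf)
    if not targets:
        problems.append("rsyslog: no forwarding action ('*.* @collector:514') found")
    if PLACEHOLDER_TARGET in targets:
        problems.append("rsyslog: forwarding target is still the guide's placeholder")
    return problems


if __name__ == "__main__":
    # 192.0.2.10 is a constructed (documentation-range) collector address.
    ready = RSYSLOG_CONF.replace(PLACEHOLDER_TARGET, "192.0.2.10")
    for name, conf in (("as documented", GOOD_AUDITD_CONF), ("weakened", WEAK_AUDITD_CONF)):
        print(name, check_forwarding(conf, ready) or ["ok"])
```

One observation on step 3: the selector *.* forwards every message rsyslog handles, not only the tailed audit file. Because the imfile input is assigned facility local6, a selector of local6.* would forward the audit records alone; whether that is wanted depends on what else the collector should receive.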

Sample Logs

Sample logs are provided here. For more information on logs, see https://libvirt.org/auditlog.html.

<182>Jul 26 15:20:36 fsa3000e4 tag_audit_log: type=VIRT_CONTROL msg=audit(1627305635.364:82451): pid=25686 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=start reason=booted vm="DT_FSR_Agent" uuid=104735e9-c1ea-44bc-8d99-0fe6fde58b73 vm-pid=25722 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
<182>Jul 26 15:20:36 fsa3000e4 tag_audit_log: type=VIRT_RESOURCE msg=audit(1627305634.788:82437): pid=25686 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=net reason=open vm="DT_FSR_Agent" uuid=104735e9-c1ea-44bc-8d99-0fe6fde58b73 net=52:54:00:e7:84:3c path="/dev/net/tun" rdev=0A:C8 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
<182>Jul 26 15:20:36 fsa3000e4 tag_audit_log: type=VIRT_MACHINE_ID msg=audit(1627305634.632:82435): pid=25686 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm vm="DT_FSR_Agent" uuid=104735e9-c1ea-44bc-8d99-0fe6fde58b73 vm-ctx=+64055:+64055 img-ctx=+64055:+64055 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
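The three sample records above, as an added example that is not part of this guide or of FortiSIEM's own parsers: a small Python parser that strips the rsyslog header, flattens the record (including the nested msg='...' body and the ENRICHED UID=/AUID= suffix), maps the record type to the event type names listed above, and shows why ENRICHED matters: without it a record carries only uid=0 and auid=4294967295, the value auditd writes for an unset login UID. The input lines are constructed copies of the samples; the handling of the 0x1D separator that auditd places before the enrichment fields is an assumption (the guide's copy of the samples has lost that byte, so both forms are accepted).

```python
"""Parse the libvirt audit records that arrive with the rsyslog tag set above.

Added example for this guide, not FortiSIEM or libvirt code. The input is
constructed from the guide's three sample logs. Assumption: auditd's ENRICHED
format puts a 0x1D separator between the closing quote of msg='...' and the
UID=/AUID= fields; the guide's copy lost that byte, so both forms are accepted.
"""
import re
from typing import Dict, Optional

AUDIT_TAG = "tag_audit_log: "        # $InputFileTag from the rsyslog step
EVENT_TYPES = {"VIRT_MACHINE_ID", "VIRT_CONTROL", "VIRT_RESOURCE"}
UNSET_ID = str(2**32 - 1)            # auditd prints the "no login uid" value -1 this way

# key=value tokens: double-quoted, single-quoted (the nested msg='...'), or bare.
KV_RE = re.compile(r'''([\w-]+)=("[^"]*"|'[^']*'|\S+)''')
AUDIT_STAMP_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Constructed from the guide's sample logs.
SAMPLE_LOGS = """\
<182>Jul 26 15:20:36 fsa3000e4 tag_audit_log: type=VIRT_CONTROL msg=audit(1627305635.364:82451): pid=25686 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=start reason=booted vm="DT_FSR_Agent" uuid=104735e9-c1ea-44bc-8d99-0fe6fde58b73 vm-pid=25722 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
<182>Jul 26 15:20:36 fsa3000e4 tag_audit_log: type=VIRT_RESOURCE msg=audit(1627305634.788:82437): pid=25686 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=net reason=open vm="DT_FSR_Agent" uuid=104735e9-c1ea-44bc-8d99-0fe6fde58b73 net=52:54:00:e7:84:3c path="/dev/net/tun" rdev=0A:C8 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
<182>Jul 26 15:20:36 fsa3000e4 tag_audit_log: type=VIRT_MACHINE_ID msg=audit(1627305634.632:82435): pid=25686 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm vm="DT_FSR_Agent" uuid=104735e9-c1ea-44bc-8d99-0fe6fde58b73 vm-ctx=+64055:+64055 img-ctx=+64055:+64055 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
""".splitlines()


def _unquote(value: str) -> str:
    """Strip the double quotes auditd puts around string fields."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_audit_line(line: str) -> Dict[str, str]:
    """Flatten one forwarded auditd record into a dict.

    Outer fields (type, pid, uid, auid, ses), the audit(ts:serial) stamp, the
    fields inside msg='...' and the ENRICHED UID=/AUID= suffix all land in one dict.
    """
    _, sep, body = line.partition(AUDIT_TAG)
    if not sep:
        raise ValueError("line does not carry the expected rsyslog tag")
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(body):
        if key == "msg" and raw.startswith("audit("):
            stamp = AUDIT_STAMP_RE.match(raw)
            if stamp:
                fields["audit_ts"], fields["audit_serial"] = stamp.groups()
        elif key == "msg" and raw.startswith("'"):
            for inner_key, inner_raw in KV_RE.findall(raw[1:-1]):
                fields[inner_key] = _unquote(inner_raw)
        else:
            fields[key] = _unquote(raw)
    return fields


def fortisiem_event_type(fields: Dict[str, str]) -> Optional[str]:
    """Event type name as listed in the guide, or None for other record types."""
    record_type = fields.get("type")
    return f"LINUX_Auditd_{record_type}" if record_type in EVENT_TYPES else None


def actor(fields: Dict[str, str]) -> str:
    """Who acted: ENRICHED names when present, raw ids otherwise."""
    uid = fields.get("UID") or f"uid={fields.get('uid', '?')}"
    auid = fields.get("AUID")
    if auid is None:
        raw = fields.get("auid", "?")
        auid = "unset" if raw == UNSET_ID else f"auid={raw}"
    return f"{uid} (login {auid})"


def describe(fields: Dict[str, str]) -> str:
    """One-line summary per record type, using libvirt's field names."""
    record_type = fields.get("type")
    if record_type == "VIRT_CONTROL":
        what = f"{fields.get('op', '?')} reason={fields.get('reason', '?')}"
    elif record_type == "VIRT_RESOURCE":
        what = f"{fields.get('resrc', '?')} {fields.get('reason', '?')} path={fields.get('path', '-')}"
    elif record_type == "VIRT_MACHINE_ID":
        what = f"label vm-ctx={fields.get('vm-ctx', '?')} model={fields.get('model', '?')}"
    else:
        what = "unhandled record type"
    return (f"{record_type}: {what} vm={fields.get('vm', '?')} "
            f"by {actor(fields)} res={fields.get('res', '?')}")


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        parsed = parse_audit_line(line)
        print(fortisiem_event_type(parsed), "|", describe(parsed))
```

Run directly, the script prints one summary per sample. The fallback in actor() shows what a non-ENRICHED record gives an analyst: uid=0 (login unset) instead of root (login unset), which is the difference step 2 insists on.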
