Fortinet black logo

External Systems Configuration Guide

Netwrix Auditor (via Correlog Windows Agent)

Netwrix Auditor (via Correlog Windows Agent)

What is Discovered and Monitored

Protocol Information Discovered Metrics/LOG collected Used for
Via Correlog Windows Agent Host name and Device Type from LOG 2 Security logs Security and Compliance monitoring

Event Types

Go to ADMIN > Device Support > Event Types and search for "Netwrix_Auditor_".

Rules

None

Reports

None

Configuration

Configure Netwrix Auditor to send logs to Correlog Windows Agent. FortiSIEM will automatically parse the logs as long as they appear in the format below.

Sample Events

<158>2018 Jul 27 07:20:36 CorreLog_Win_Agent ACME-NETWRIX Netwrix_Auditor_Integration 0: Netwrix_Auditor_Integration_API: DataSource : Windows Server Action : Removed Message: Removed DNS A Where : ACME-DC02 ObjectType : DNS A Who : system What : DNS Server\SAC-DC02\acmegroup.local\ACME-TRADE08 IN A 10.150.90.180 1200 When : 2018-07-27T14:15:43Z Details : IP Address: 10.150.90.180, TTL: 1200, Container name: acmegroup.local, Owner name: acmegroup.local -

Netwrix Auditor (via Correlog Windows Agent)

Netwrix Auditor (via Correlog Windows Agent)

What is Discovered and Monitored

Protocol Information Discovered Metrics/LOG collected Used for
Via Correlog Windows Agent Host name and Device Type from LOG 2 Security logs Security and Compliance monitoring

Event Types

Go to ADMIN > Device Support > Event Types and search for "Netwrix_Auditor_".

Rules

None

Reports

None

Configuration

Configure Netwrix Auditor to send logs to Correlog Windows Agent. FortiSIEM will automatically parse the logs as long as they appear in the format below.

Sample Events

<158>2018 Jul 27 07:20:36 CorreLog_Win_Agent ACME-NETWRIX Netwrix_Auditor_Integration 0: Netwrix_Auditor_Integration_API: DataSource : Windows Server Action : Removed Message: Removed DNS A Where : ACME-DC02 ObjectType : DNS A Who : system What : DNS Server\SAC-DC02\acmegroup.local\ACME-TRADE08 IN A 10.150.90.180 1200 When : 2018-07-27T14:15:43Z Details : IP Address: 10.150.90.180, TTL: 1200, Container name: acmegroup.local, Owner name: acmegroup.local -