- What is Discovered and Monitored
- Event Types
- Settings for Access Credentials
- Example Syslog
| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | Host Name, Access IP, Vendor/Model | Over 150 event types, including Protocol Anomaly, Traffic Volume Anomaly and DoS Attacks | Security Monitoring |
In ADMIN > Device Support > Event Types, search for "FortiDDoS" to see the event types associated with this device.
There are many IPS correlation rules for this device under RESOURCES > Rules > Security > Exploits.
There are many reports for this device under RESOURCES > Reports > Function > Security.
FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as described in the product documentation (the link below is for FortiDDoS 4.7.0; menu paths may differ in other releases): https://help.fortinet.com/fddos/4-7-0/index.htm#fortiddos/Configuring_remote_log_server_settings_for_event_l.htm

1. Navigate to Log & Report > Event Log Remote.
2. Add a remote log server entry that points at the FortiSIEM collector (or supervisor, if no collector is deployed) and complete the configuration. Use the same port and protocol that FortiSIEM is listening on for syslog.
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

| Setting | Value |
|---|---|
| Device Type | Fortinet FortiDDoS |
| Access Protocol | See Access Credentials |
| Port | See Access Credentials |
| Password config | See Password Configuration |
Two representative events follow. The first still carries the relay's syslog header (the "Jan 10 16:01:50 172.30.84.114" prefix) ahead of the device fields, and its header date does not match the device-supplied date=2015-01-23; the device's own date/time/tz fields are the ones to trust for event time. Note also that field names differ in case between FortiDDoS builds (SPP/sIP/dIP in the first sample, spp/sip/dip in the second), so anything keyed on these names should normalize case.

```
Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0
```

```
devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 sip=18.104.22.168 dip=22.214.171.124 subnet_name=default dropcount=40249 facility=Local0
```
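The following parser and triage routine is an added example, not part of the FortiSIEM documentation or any Fortinet code. It parses both sample lines above into normalized fields, handles the optional relay header and quoted values, flags events whose source or destination is the unspecified address 0.0.0.0 as not attributable to an IP, and reports the clock skew between the relay header and the device date that the first sample exhibits. The sample lines are the two from this page, embedded as constructed input; the drop-count threshold of 10000 is an arbitrary assumption, and the meaning of the dir field is not defined on this page, so it is passed through unchanged.

```python
"""Parse and triage FortiDDoS key=value syslog events (added example)."""
import re
from datetime import datetime

# Constructed sample input: the two FortiDDoS lines shown on this page.
SAMPLES = [
    "Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 "
    "time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 "
    "sIP=0.0.0.0 dIP=0.0.0.0",
    "devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack "
    "spp=0 evecode=2 evesubcode=61 "
    'description="Excessive Concurrent Connections Per Source flood" dir=1 '
    "sip=18.104.22.168 dip=22.214.171.124 subnet_name=default dropcount=40249 "
    "facility=Local0",
]

# Optional RFC 3164-style header added by a relay: "Mon dd HH:MM:SS host "
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)
# key=value pairs; a value is either "quoted and may contain spaces" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# 0.0.0.0 in the first sample is the unspecified address, not a real endpoint
UNSPECIFIED = {"0.0.0.0", ""}


def parse_fortiddos(line):
    """Return a dict of the fields in one FortiDDoS syslog line.

    Keys are lower-cased because the two samples spell them SPP/sIP/dIP and
    spp/sip/dip; a parser keyed on one spelling silently loses the other.
    """
    fields = {}
    m = HEADER_RE.match(line)
    if m:
        fields["_relay_host"] = m.group("host")
        fields["_relay_ts"] = f'{m.group("mon")} {m.group("day")} {m.group("hms")}'
        line = line[m.end():]
    for key, quoted, bare in KV_RE.findall(line):
        fields[key.lower()] = quoted if quoted else bare
    return fields


def device_time(fields):
    """Event time as reported by the device (date and time fields), or None."""
    try:
        return datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    except (KeyError, ValueError):
        return None


def relay_skew_days(fields):
    """Whole days between the relay header date and the device date.

    Returns None when there is no header or no usable device time. The header
    carries no year, so the device's year is assumed for it.
    """
    if "_relay_ts" not in fields:
        return None
    dev = device_time(fields)
    if dev is None:
        return None
    mon, day, _hms = fields["_relay_ts"].split()
    try:
        relay = datetime.strptime(f"{dev.year} {mon} {day}", "%Y %b %d").date()
    except ValueError:
        return None
    return abs((dev.date() - relay).days)


def triage(fields, drop_threshold=10000):
    """Summarize what an analyst would want flagged for one event.

    drop_threshold is an assumed cut-off for calling a flood high-volume.
    """
    attack = fields.get("type") == "attack"
    sip, dip = fields.get("sip", ""), fields.get("dip", "")
    drops = int(fields.get("dropcount", "0") or 0)
    skew = relay_skew_days(fields)
    return {
        "devid": fields.get("devid"),
        "attack": attack,
        "event_code": (fields.get("evecode"), fields.get("evesubcode")),
        "description": fields.get("description"),
        "direction_raw": fields.get("dir"),  # semantics not defined on this page
        "attributable_ips": sip not in UNSPECIFIED and dip not in UNSPECIFIED,
        "high_volume": attack and drops >= drop_threshold,
        "clock_skew_suspected": skew is not None and skew > 1,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(parse_fortiddos(sample)))
```

The first sample triages as an attack with no attributable IPs and a suspected clock skew of 13 days; the second triages as an attributable, high-volume flood with no header to compare against. Events without attributable IPs should not be fed into IP-based correlation rules, and the clock-skew flag is a prompt to check NTP on the relay or the appliance rather than a property of the attack itself.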