Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.7.3 External Systems Configuration Guide
    6.7.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Fortinet FortiAnalyzer

    Fortinet FortiAnalyzer

    Overview

    Customers of both FortiAnalyzer and FortiSIEM may want to take already aggregated event data received on FortiAnalzyer and forward those events to FortiSIEM.

    Configuring FortiAnalyzer

    Setting Up the Syslog Server
    1. Login to FortiAnalyzer.
    2. Go to System Settings > Advanced > Syslog Server.
      1. Click the Create New button.
      2. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
      3. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
      4. Leave the Syslog Server Port to the default value '514'.
      5. Click OK to save your entries.
    Pre-Configuration for Log Forwarding

    To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.

    1. Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events.
      Note: The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets.

    2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector that is 8vCPU, 8GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, please set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.

    Configuring Log Forwarding

    Take the following steps to configure log forwarding on FortiAnalyzer.

    1. Go to System Settings > Log Forwarding.

    2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.

    3. fill in the information as per the below table, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.

      Field Input
      Name FortiSIEM-Forwarding
      Status On
      Remote Server Type Syslog
      Compression OFF
      Sending Frequency Real-time

      Log Forwarding Filters

      Select all desired Administrative Domains (ADOMs) / device logs you’d like to forward

    4. Go to the CLI Console and configure the CLI only log forward option by running the following CLI commands.
      Notes:

      • Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the “true” source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if it received the logs directly from the originating device.

      • For FortiAnalyzer versions 6.0 and later, use the following CLI:

        Note: Replace <id> with the actual name of the log forward created earlier.

        config system log-forward
    edit <id>
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "<FSM_Collector>"   
        set server-ip "a.b.c.d"
        set fwd-log-source-ip original_ip
        set fwd-server-type syslog
    next
end

      • For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
        Note: Replace <id> with the actual name of the log forward created earlier.

        config system log-forward
          edit <id>
           set mode forwarding
           set fwd-max-delay realtime
           set server-ip "a.b.c.d"
           set fwd-log-source-ip original_ip
           set fwd-server-type syslog
         next
        end

      • For FortiAnalyzer versions earlier than 5.6, use the following CLI:
        Note: Replace <id> with the number for your FortiSIEM syslog entry.

        config system aggregation-client
          edit <id> 
            set fwd-log-source-ip original_ip
        end

      • To configure FortiAnalyzer to forward its own local logs, see Configuring FortiAnalyzer to Forward its own System Event Logs.

    Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

    To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable RPF checks that would normally cause the collector virtual machine from dropping the log packet as it is spoofed.

    sysctl -w net.ipv4.conf.all.rp_filter=0

    To make this change persistent across reboots, add the following code to the /etc/sysctl.conf file.

    net.ipv4.conf.all.rp_filter=0

    Configuring FortiAnalyzer to Forward its own System Event Logs

    FortiAnalyzer can forward two primary types of logs, each configured differently:

    • Events received from other devices (FortiGates, FortiMail, FortiManager, etc)

    • Locally generated System events (FortiAnalyzer admin login attempts, config changes, etc)

    FortiAnalyzer System Event Logs via Syslog

    • 9 event types

    • no rules

    • no reports

    • no dashboards

    Configuring FortiAnalyzer System's Local Log

    To configure the system's local log, replace the IP with the IP of the FortiSIEM collector.

    config system syslog
edit "fortisiem"
                set ip "192.168.1.1"
end
config system locallog syslogd setting
set status enable
set syslog-name "fortisiem"
end

    Previous
    Next

    Fortinet FortiAnalyzer

    Fortinet FortiAnalyzer

    Overview

    Customers of both FortiAnalyzer and FortiSIEM may want to take already aggregated event data received on FortiAnalzyer and forward those events to FortiSIEM.

    Configuring FortiAnalyzer

    Setting Up the Syslog Server
    1. Login to FortiAnalyzer.
    2. Go to System Settings > Advanced > Syslog Server.
      1. Click the Create New button.
      2. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
      3. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
      4. Leave the Syslog Server Port to the default value '514'.
      5. Click OK to save your entries.
    Pre-Configuration for Log Forwarding

    To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.

    1. Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events.
      Note: The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets.

    2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector that is 8vCPU, 8GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, please set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.

    Configuring Log Forwarding

    Take the following steps to configure log forwarding on FortiAnalyzer.

    1. Go to System Settings > Log Forwarding.

    2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.

    3. fill in the information as per the below table, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.

      Field Input
      Name FortiSIEM-Forwarding
      Status On
      Remote Server Type Syslog
      Compression OFF
      Sending Frequency Real-time

      Log Forwarding Filters

      Select all desired Administrative Domains (ADOMs) / device logs you’d like to forward

    4. Go to the CLI Console and configure the CLI only log forward option by running the following CLI commands.
      Notes:

      • Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the “true” source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if it received the logs directly from the originating device.

      • For FortiAnalyzer versions 6.0 and later, use the following CLI:

        Note: Replace <id> with the actual name of the log forward created earlier.

        config system log-forward
    edit <id>
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "<FSM_Collector>"   
        set server-ip "a.b.c.d"
        set fwd-log-source-ip original_ip
        set fwd-server-type syslog
    next
end

      • For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
        Note: Replace <id> with the actual name of the log forward created earlier.

        config system log-forward
          edit <id>
           set mode forwarding
           set fwd-max-delay realtime
           set server-ip "a.b.c.d"
           set fwd-log-source-ip original_ip
           set fwd-server-type syslog
         next
        end

      • For FortiAnalyzer versions earlier than 5.6, use the following CLI:
        Note: Replace <id> with the number for your FortiSIEM syslog entry.

        config system aggregation-client
          edit <id> 
            set fwd-log-source-ip original_ip
        end

      • To configure FortiAnalyzer to forward its own local logs, see Configuring FortiAnalyzer to Forward its own System Event Logs.

    Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

    To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable RPF checks that would normally cause the collector virtual machine from dropping the log packet as it is spoofed.

    sysctl -w net.ipv4.conf.all.rp_filter=0

    To make this change persistent across reboots, add the following code to the /etc/sysctl.conf file.

    net.ipv4.conf.all.rp_filter=0

    Configuring FortiAnalyzer to Forward its own System Event Logs

    FortiAnalyzer can forward two primary types of logs, each configured differently:

    • Events received from other devices (FortiGates, FortiMail, FortiManager, etc)

    • Locally generated System events (FortiAnalyzer admin login attempts, config changes, etc)

    FortiAnalyzer System Event Logs via Syslog

    • 9 event types

    • no rules

    • no reports

    • no dashboards

    Configuring FortiAnalyzer System's Local Log

    To configure the system's local log, replace the IP with the IP of the FortiSIEM collector.

    config system syslog
edit "fortisiem"
                set ip "192.168.1.1"
end
config system locallog syslogd setting
set status enable
set syslog-name "fortisiem"
end

    Previous
    Next