Configuring Local Syslog File Ingestion from a Directory
Currently, FortiSIEM receives logs in one of two ways: (a) they are sent to it over protocols such as Syslog and SNMP trap, or (b) they are pulled from devices over protocols such as WMI and Checkpoint LEA.
In addition, FortiSIEM can process log files that are copied into a directory on one of the FortiSIEM nodes. To use this path:
- Copy the files into a directory named after the IP address of the reporting device. For Service Provider installations, create this directory on the Collector of the Organization to which the log files belong. The attribute event_sftp_directory in phoenix_config.txt defines the base path. For example, to handle logs from a device with IP 1.2.3.4, place the log files in <event_sftp_directory>/1.2.3.4; with the typical setting this is /opt/phoenix/cache/syslog/1.2.3.4.
- Each log line in the files must be formatted exactly as the device itself would send it. If this is a new log source, a new parser may need to be defined.
- Give each file a distinct name, for example by including a time stamp, so that a newly copied file does not overwrite an existing one.
- Set event_eps_limit_controls in phoenix_config.txt to control the EPS burst:
  - If event_eps_limit_controls is set to 10, FortiSIEM processes events from the file in bursts of 30 events per 3 seconds, that is, an average of 10 EPS.
  - If event_eps_limit_controls is set to 0, FortiSIEM processes the log files as fast as it can, which can drive EPS consumption up against the overall EPS license.
- If you change any phoenix_config.txt parameter, reload the parser on that node for the change to take effect.
Note the following:
- Each log file is deleted once it has been read. Keep a separate backup if you need to retain the raw files.
- The FortiSIEM process requires write access to the log file directory so that it can delete each file after reading it. This matters because a file that cannot be deleted is read again and again, producing many duplicate events and extra EPS consumption.
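The following script ties the steps above together: it validates the device IP that names the target directory, creates <event_sftp_directory>/<IP> and confirms it is writable (so that the collector can delete files after reading them), copies each file in under a unique time-stamped name, and performs the copy through a staging directory followed by a rename so that the collector never picks up a half-written file. This is an added example for this page, not FortiSIEM's own tooling. The default base path /opt/phoenix/cache/syslog comes from the text; the FSM_SYSLOG_DIR variable, the sibling staging directory "<base>.staging" (assumed to be on the same filesystem, so that mv is an atomic rename), the file mode 0644 (assumed so that the FortiSIEM process user can read files created by a different account), and the sample log lines are all assumptions made here.

```shell
#!/bin/sh
# Added example (not FortiSIEM code): stage captured syslog files into
# <event_sftp_directory>/<device IP> for FortiSIEM local-file ingestion.
#
# Usage: stage_syslog_file /var/tmp/fw-export.log 1.2.3.4 [/opt/phoenix/cache/syslog]

# Default base path is the typical event_sftp_directory value from the page;
# the FSM_SYSLOG_DIR override name is ours (assumption).
FSM_SYSLOG_DIR="${FSM_SYSLOG_DIR:-/opt/phoenix/cache/syslog}"

# Accept a dotted-quad IPv4 address only, since the directory name is the
# reporting device's IP and a bad name would silently ingest under a bogus device.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Create <base>/<ip> if needed and confirm it is writable.  FortiSIEM deletes
# each file after reading it; a directory the reader cannot write to means the
# same file is re-read over and over, producing duplicate events and extra EPS.
ensure_ingest_dir() {
    ip=$1; base=${2:-$FSM_SYSLOG_DIR}
    is_ipv4 "$ip" || { echo "bad device IP: $ip" >&2; return 1; }
    dir="$base/$ip"
    mkdir -p "$dir" || return 1
    [ -w "$dir" ] || { echo "not writable: $dir (reader could not delete files)" >&2; return 1; }
    printf '%s\n' "$dir"
}

# Copy file $1, belonging to device $2, into the ingest tree under a unique
# name "<stem>.<UTC timestamp>.<random>.log" and print the final path.
# The copy is written in a sibling staging directory and then renamed into
# place: assumption that "<base>.staging" sits on the same filesystem, so the
# mv is an atomic rename and the collector never sees a partial file.
stage_syslog_file() {
    src=$1; ip=$2; base=${3:-$FSM_SYSLOG_DIR}
    [ -s "$src" ] || { echo "empty or missing source: $src" >&2; return 1; }
    dir=$(ensure_ingest_dir "$ip" "$base") || return 1
    stage="${base}.staging"
    mkdir -p "$stage" || return 1
    stem=$(basename "$src" | sed 's/\.[^.]*$//')
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    # mktemp's random suffix keeps two files staged in the same second distinct.
    tmp=$(mktemp "$stage/${stem}.${ts}.XXXXXX") || return 1
    dest="$dir/$(basename "$tmp").log"
    [ ! -e "$dest" ] || { rm -f "$tmp"; echo "refusing to overwrite $dest" >&2; return 1; }
    # Content must stay byte-for-byte as the device emitted it: plain copy, no reformatting.
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest" || return 1
    printf '%s\n' "$dest"
}

# Number of files still waiting in <base>/<ip>.  A count that never drops
# means the collector is not consuming (and deleting) what you drop there.
pending_count() {
    dir="${2:-$FSM_SYSLOG_DIR}/$1"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' '
}
```

Run pending_count a few seconds after staging: with event_eps_limit_controls set to a non-zero value the count should fall at the configured rate, and a count that stays flat points at a permission problem on the directory or a parser that has not been reloaded.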