Fortinet FortiPAM
FortiSIEM Support added: 7.2.0
Vendor: Fortinet
Vendor version tested: FortiPAM 1.3.0
Product Information: https://www.fortinet.com/products/fortipam
FortiPAM provides privileged access management, control, and monitoring of elevated and privileged accounts, processes, and critical systems across the entire IT environment. FortiPAM is part of the Fortinet Security Fabric, integrating with products such as FortiClient, FortiAuthenticator, and FortiToken.
Configuration
To configure FortiPAM to send logs to FortiSIEM, take the following steps.
Note: See the latest FortiPAM Administration Guide for the most recent information.
- Go to Log & Report > Log Settings.
- In Additional Information, select Edit in CLI.
The CLI console opens. -
Use the following parameters in the table below to configure FortiPAM, taking note of the following:
status {enable | disable}
Enable/disable remote syslog logging (default = disable).
The following parameters are only available when the status is set as enable.
server <string>
Address of the remote syslog server.
<string> must be configured as the FortiSIEM IP address.
mode {legacy-reliable | reliable | udp}
-
The remote syslog logging mode:
legacy-reliable
: Legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog). -
reliable
: Reliable syslogging by RFC6587 (Transmission of Syslog Messages over TCP). -
udp
: syslogging over UDP (default).
If you leave the default UDP (most performant), the port will be UDP 514. If you select
reliable
syslog, ensure your collector has more vCPU and RAM to accommodate the reduced throughput performance.port <integer>
The server listening port number (default = 514, 0 - 65535).
Select 514 if UDP mode, or TCP 1470 if using
reliable
mode.facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
The remote syslog facility (default = local7):
kernel
: Kernel messages.user
: Random user-level messages.mail
: Mail system.daemon
: System daemons.auth
: Security/authorization messages.syslog
: Messages generated internally by syslog.lpr
: Line printer subsystem.news
: Network news subsystem.uucp
: Network news subsystem.cron
: Clock daemon.authpriv
: Security/authorization messages (private).ftp
: FTP daemon.ntp
: NTP daemon.audit
: Log audit.alert
: Log alert.clock
: Clock daemon.local0 ... local7
: Reserved for local use.
In most cases, you can leave the default option and not set this.
source-ip <string>
The source IP address of syslog.
(Optional) If you have multiple paths to reach the FortiSIEM collector, the packet log source is set to the egress IP. For a consistent log source, it is recommended to use a loopback address here, so no matter the egress interface, the packet source (reporting IP in the SIEM) is the same. This is especially recommended if the log traffic traverses an IPSEC tunnel to reach the FortiSIEM collector.
format {cef | csv | default | rfc5424}
The log format:
-
cef
: CEF (Common Event Format) format. -
csv
: CSV (Comma Separated Values) format. -
default
: Syslog format (default). -
rfc5424
: Syslog RFC5424 format.
Leave as
default
, the default syslog format.priority {default | low}
The log transmission priority:
-
default: Set Syslog transmission priority to default (default).
-
low: Set Syslog transmission priority to low.
max-log-rate <integer>
The syslog maximum log rate in MBps (default = 0, 0 - 100000 where 0 = unlimited).
interface-select-method {auto | sdwan | specify}
Specify how to select outgoing interface to reach the server:
auto
: Set outgoing interface automatically (default).sdwan
: Set outgoing interface by SD-WAN or policy routing rules.specify
: Set outgoing interface manually.
-
-
After adjusting the parameters, click x to close the CLI console.
Sample Events
<189>date=2023-12-14 time=12:36:33 devname="FPAVULTM1234567" devid="FPAVULTM1234567" eventtime=1702557393665511462 tz="+0000" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=52 totalsession=107 disk=1 bandwidth="1/0" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=28493 sysuptime=485465 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory: 52, concurrent sessions: 107, setup-rate: 0"
<187>date=2023-12-14 time=12:38:50 devname="FPAVULTM1234567" devid="FPAVULTM1234567" eventtime=1702557529389749042 tz="+0000" logid="0105048038" type="event" subtype="wad" level="error" vd="root" logdesc="SSL Fatal Alert received" session_id=6458ac42 policyid=1 srcip=10.0.5.3 srcport=57291 dstip=10.0.5.45 dstport=443 action="receive" alert="2" desc="certificate unknown" msg="SSL Alert received"
date=2023-08-24 time=17:23:03 devname="FPAVULTM1234567" devid="FPAVULTM1234567" eventtime=1692922983764461604 tz="-0700" logid="2304064604" type="secret" subtype="secret-request" eventtype="secret-request" action="pass" operation="request" secretid=2820 secret="PC0" account="testUser1" uuid="8d9dcc5a-37c2-51ee-069b-8707661bb425" user="user1" starttime="2023-08-24 17:23:00" expirytime="2023-08-24 17:53:00" msg="Created secret request."