log siem-policy
Use this command to configure a connection to one or more ArcSight SIEM (security information and event management) servers, IBM
QRadar servers or Azure Security Center (if your FortiWeb-VM is deployed on Microsoft Azure). The policy is used by the log syslogd
configuration to define the specific ArcSight server, QRadar server or Azure Event Hub on which log messages are stored. For details, see log syslogd.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the loggrp
area. For details, see Permissions.
Syntax
config log siem-policy
edit "<policy_name>"
config siem-server-list
edit <entry_index>
set type <arcsight-cef | qradar-leef | azure-cef>
set port <port_int>
end
next
end
Variable | Description | Default |
Enter the name of a new or existing SIEM policy. The maximum length is 63 characters. To display the list of existing policies, enter:
|
No default. | |
Enter the index number of the individual entry in the table. |
No default. | |
Enter to store log messages to a SIEM (Security Information and Event Management) server. According to the specified SIEM policy, FortiWeb will carry out one of the following actions:
FortiWeb sends log entries in CEF (Common Event Format) format. There is a 256 byte limit for URLs. If this option is enabled, but no trigger action is selected for a specific type of violation, FortiWeb records every occurrence of that violation to the resource specified by SIEM Policy. The Azure CEF policy type requires you to complete Azure event hub settings using the system eventhub CLI command. Note: Before you enable this option, verify that log frequency is not too great. If logs are very frequent, enabling this option can decrease performance and cause the FortiWeb appliance to send many log messages to the resource. Note: You cannot view logs stored remotely from the FortiWeb web UI. |
arcsight-cef
|
|
Enter the port where the ArcSight or QRadar server listens for log output. |
514
|
|
Enter the IP address of the ArcSight or QRadar server. | No default. |
Example
This example creates SIEM_Policy1
. FortiWeb contacts the ArcSight server using its IP address, 192.0.2.10
. Communications occur over the standard port number for ArcSight, UDP port 514
. The FortiWeb appliance sends log messages to the server in CEF format.
config log siem-policy
edit "SIEM_Policy1"
config siem-server-list
edit 1
set type arcsight-cef
set port 514
set server "192.0.2.10"
end
next
end