Fortinet black logo

CLI Reference

log siem-policy

log siem-policy

Use this command to configure a connection to one or more ArcSight SIEM (security information and event management) servers, IBM QRadar servers or Azure Security Center (if your FortiWeb-VM is deployed on Microsoft Azure). The policy is used by the log syslogd configuration to define the specific ArcSight server, QRadar server or Azure Event Hub on which log messages are stored. For details, see log syslogd.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Syntax

config log siem-policy

edit "<policy_name>"

config siem-server-list

edit <entry_index>

set type <arcsight-cef | qradar-leef | azure-cef>

set port <port_int>

set server "<siem_ipv4>"

end

next

end

Variable Description Default

"<policy_name>"

Enter the name of a new or existing SIEM policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

<entry_index>

Enter the index number of the individual entry in the table.
No default.

type <arcsight-cef | qradar-leef | azure-cef>

Enter to store log messages to a SIEM (Security Information and Event Management) server. According to the specified SIEM policy, FortiWeb will carry out one of the following actions:

  • arcsight-cef—Store log messages remotely to an ArcSight server
  • qradar-leef—Store log messages remotely to a QRadar server
  • azure-cef—Send log messages to Azure Event Hub (only available for FortiWeb-VM installed on Azure)

FortiWeb sends log entries in CEF (Common Event Format) format. There is a 256 byte limit for URLs.

If this option is enabled, but no trigger action is selected for a specific type of violation, FortiWeb records every occurrence of that violation to the resource specified by SIEM Policy.

The Azure CEF policy type requires you to complete Azure event hub settings using the system eventhub CLI command.

Note: Before you enable this option, verify that log frequency is not too great. If logs are very frequent, enabling this option can decrease performance and cause the FortiWeb appliance to send many log messages to the resource.

Note: You cannot view logs stored remotely from the FortiWeb web UI.

arcsight-cef

port <port_int>

Enter the port where the ArcSight or QRadar server listens for log output. 514

server "<siem_ipv4>"

Enter the IP address of the ArcSight or QRadar server. No default.

Example

This example creates SIEM_Policy1. FortiWeb contacts the ArcSight server using its IP address, 192.0.2.10. Communications occur over the standard port number for ArcSight, UDP port 514. The FortiWeb appliance sends log messages to the server in CEF format.

config log siem-policy

edit "SIEM_Policy1"

config siem-server-list

edit 1

set type arcsight-cef

set port 514

set server "192.0.2.10"

end

next

end

Related topics

log siem-policy

log siem-policy

Use this command to configure a connection to one or more ArcSight SIEM (security information and event management) servers, IBM QRadar servers or Azure Security Center (if your FortiWeb-VM is deployed on Microsoft Azure). The policy is used by the log syslogd configuration to define the specific ArcSight server, QRadar server or Azure Event Hub on which log messages are stored. For details, see log syslogd.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Syntax

config log siem-policy

edit "<policy_name>"

config siem-server-list

edit <entry_index>

set type <arcsight-cef | qradar-leef | azure-cef>

set port <port_int>

set server "<siem_ipv4>"

end

next

end

Variable Description Default

"<policy_name>"

Enter the name of a new or existing SIEM policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

<entry_index>

Enter the index number of the individual entry in the table.
No default.

type <arcsight-cef | qradar-leef | azure-cef>

Enter to store log messages to a SIEM (Security Information and Event Management) server. According to the specified SIEM policy, FortiWeb will carry out one of the following actions:

  • arcsight-cef—Store log messages remotely to an ArcSight server
  • qradar-leef—Store log messages remotely to a QRadar server
  • azure-cef—Send log messages to Azure Event Hub (only available for FortiWeb-VM installed on Azure)

FortiWeb sends log entries in CEF (Common Event Format) format. There is a 256 byte limit for URLs.

If this option is enabled, but no trigger action is selected for a specific type of violation, FortiWeb records every occurrence of that violation to the resource specified by SIEM Policy.

The Azure CEF policy type requires you to complete Azure event hub settings using the system eventhub CLI command.

Note: Before you enable this option, verify that log frequency is not too great. If logs are very frequent, enabling this option can decrease performance and cause the FortiWeb appliance to send many log messages to the resource.

Note: You cannot view logs stored remotely from the FortiWeb web UI.

arcsight-cef

port <port_int>

Enter the port where the ArcSight or QRadar server listens for log output. 514

server "<siem_ipv4>"

Enter the IP address of the ArcSight or QRadar server. No default.

Example

This example creates SIEM_Policy1. FortiWeb contacts the ArcSight server using its IP address, 192.0.2.10. Communications occur over the standard port number for ArcSight, UDP port 514. The FortiWeb appliance sends log messages to the server in CEF format.

config log siem-policy

edit "SIEM_Policy1"

config siem-server-list

edit 1

set type arcsight-cef

set port 514

set server "192.0.2.10"

end

next

end

Related topics