Technical Tip: Integrate FortiAnalyzer and FortiSIEM

Description

This article describes how to integrate FortiAnalyzer into FortiSIEM. This article shows the step by step configuration of FortiAnalyzer and FortiSIEM.

The article deals with the following:

• Configuring FortiAnalyzer.
• Setting Up the Syslog Server. 
• Pre-Configuration for Log Forwarding.
• Configuring Log Forwarding.

Scope

FortiAnalyzer and FortiSIEM.

IPs considered in this scenario:

FortiAnalyzer – 172.30.115.249

FortiSIEM – 172.29.52.243

Note: Connectivity between FortiAnalyzer and FortiSIEM has to be either on LAN or over Public IP.

Solution

1. Log in to the FortiAnalyzer that needs to be added to the FortiSIEM.

2. After logging in, select Root Domain if the following page does not open directly:

3. Go to System Settings -> Advance  -> Syslog.

    

• Select the Create New option. 
• Enter the Name. (It is recommended to use the name of the FortiSIEM server.) 
• Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
• Leave the Syslog Server Port to the default value '514'. 
• Select OK to save the entries.

Configuring Log Forwarding:

Note:

Why Forwarding mode is used - Forwarding Mode:

Logs are forwarded in real-time or near real-time as received. See modes - FortiAnalyzer administration guide for instructions on how to configure the appropriate mode in both the GUI and CLI.

Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events.

The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets.

To disable this, go to the FortiSIEM CLI:

sysctl -w net.ipv4.conf.all.rp_filter=0

Make changes to the system file because after a reboot, the FortiSIEM values will change again to 1. Add the following code to the file: 

vi /etc/sysctl.conf 

(

vi- to edit the file insert via “i”

save it via, “:wq!”

)

net.ipv4.conf.all.rp_filter=0

4. Log forwarding configuration via the CLI:

Log forwarding configuration via the GUI:

Open the CLI again and check the settings as follows:

(Configure locallog syslogd settings as well.)

config system locallog syslogd setting

    set status enable

    set syslog-name "FortiSIEM"

end

Log into the FortiSIEM -> Dashboard and select the FortiSIEM dashboard. (Use a new time configuration to check whether receiving any logs or not.)

FortiAnalyzer can forward two primary types of logs, each configured differently: 

• Events received from other devices (FortiGates, FortiMail, FortiManager, etc) (via syslog).
• Locally generated System events (FortiAnalyzer admin login attempts, config changes, etc) (via locallog syslogd setting).

Troubleshooting:

If there are some issues with log forwarding, check the log forwarding stats by using:

diagnose test application logfwd 4

If there are issues with the forwarding engine, reset the logfwd process:

diagnose test application logfwd 99

diagnose test application logfwd

Notes:

• Source IP should be the reporting IP in FortiSIEM side.
• There is a known issue that in some FortiAnalyzer versions, the FortiAnalyzer is overwriting the source IP address of the payload, and it works when disabling the the reliability in FortiAnalyzer log forwarding configuration.
• FortiSIEM is filling the Reporting IP field from the source IP of the packet and the Host IP field from the 'deviceip' or 'client_ip' found in the payload.