KT06
Visitor III
April 6, 2026
Question

Henchman switch logs to SIEM

  • April 6, 2026
  • 5 replies
  • 148 views

Hi community,

We are planning to onboard Henchman switch logs into the SIEM.

Could you please share the required CMDs/commands to enable and forward logs from the switches? Also, request you to provide clean, step-by-step instructions so we can ensure a smooth and accurate onboarding process.

@AEK help me out here pls

5 replies

AEK
SuperUser
April 6, 2026

Hi KT

 

I don't have experience with this brand, but according to the FSM doc it is integrated via SNMP only.

 

https://docs.fortinet.com/document/fortisiem/7.5.0/external-systems-configuration-guide/684489/hirschmann-scada-firewalls-and-switches

 

Here are the overall steps:

1. Configure SNMPv3 (preferred) or v2 on your switch so it will respond to FSM's SNMP queries. Refer to the switch admin guide for this procedure.

2. On FSM run a device discovery on the switch IP using SNMP.

3. And now you should have the switch integrated to FSM, responding to FSM periodic queries (monitoring).

4. You should find the events a few minutes after the initial integration.

 

I see for this switch the integration is very limited. It doesn't mention syslog, SNMP traps or API, so you will get only a little monitoring info.

I guess you can do much better but you will need to develop some parsing, where some advanced skills are required. 

 

Hope it helps.

AEK
merigens6
New Member
April 23, 2026

A clean SIEM onboarding usually starts with enabling system/syslog logging on the switch, defining the SIEM collector IP, and verifying transport (UDP/TCP/TLS) before testing log flow end-to-end; once that pipeline is stable, you can fine-tune log levels and filters. In some setups I’ve seen, teams even coordinate with the Best Chinese supplier for compatible switch configurations or firmware guidance to avoid mismatches during log forwarding setup.

Robbert4sure
New Member
May 1, 2026

Hey bro, as per my experience, for Henchman switches the usual approach is to enable syslog from the CLI and point it to your SIEM collector IP with the correct port, commonly UDP 514. You will also need to set the log severity level and ensure time sync (NTP) is configured so TiChop events are accurate. After that, verify forwarding using a test event or logging command from the switch. Finally, confirm on the SIEM side that the device is being parsed correctly and logs are arriving in real time. Hope it helps.

Robbert4Sure
iLuca90
Explorer
May 1, 2026

Your steps look correct, but don’t forget NTP sync so logs stay accurate and aligned. A quick test log will confirm forwarding is working fine. After that, just verify on SIEM that logs are being parsed correctly.

Robbert4sure
New Member
May 1, 2026

Good addition, it will help.

Robbert4Sure
New Member
May 4, 2026

For SIEM onboarding you’ll typically need to enable syslog on the Henchman switches, set the remote SIEM server IP, define the correct facility/port (usually UDP 514 or TCP/TLS if supported), and verify log forwarding with a test event before full rollout; having clean setup steps like this is similar to using reliable packaged tools such as inat box apk resmi where proper configuration ensures everything runs smoothly from the start.

New Member
May 25, 2026

Make sure the logging level is set appropriately so you’re not missing important events. After that, verify connectivity and check if logs are actually being received on the SIEM side using the right tool. A clean step-by-step approach like this usually helps avoid missing any critical switch events during onboarding.
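
The collector-side checks the replies above describe (logs arriving, severity level, timestamps aligned with NTP), as an added example that is not part of any post in this thread. It assumes the switch sends RFC 3164 (BSD) syslog lines and that switch and collector use the same time zone; the host names and sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 3164 (BSD syslog) header: <PRI>Mmm dd hh:mm:ss HOST MSG
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(line, received_at):
    """Decode one datagram; return None if it is not RFC 3164 shaped."""
    m = HEADER.match(line)
    if not m or int(m.group(1)) > 191:   # PRI = facility*8 + severity, max 23*8+7
        return None
    facility, sev = divmod(int(m.group(1)), 8)
    try:
        sent = datetime.strptime(
            f"{received_at.year} {m.group(2)} {m.group(3)} {m.group(4)}",
            "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    # The header carries no year: a date far in the future means year rollover.
    if sent - received_at > timedelta(days=180):
        sent = sent.replace(year=sent.year - 1)
    return {"host": m.group(5), "facility": facility, "severity": SEVERITY[sev],
            "skew_s": abs((received_at - sent).total_seconds()), "msg": m.group(6)}

def audit(records, max_skew_s=120):
    """Per host: worst clock skew and severities seen; also count unparsed lines."""
    hosts, unparsed = {}, 0
    for received_at, line in records:
        ev = parse(line, received_at)
        if ev is None:
            unparsed += 1
            continue
        h = hosts.setdefault(ev["host"], {"max_skew_s": 0.0, "severities": set()})
        h["max_skew_s"] = max(h["max_skew_s"], ev["skew_s"])
        h["severities"].add(ev["severity"])
    for h in hosts.values():
        h["clock_ok"] = h["max_skew_s"] <= max_skew_s
    return hosts, unparsed

# Constructed sample: (collector receipt time, raw datagram text).
RX = datetime(2026, 5, 4, 10, 0, 5)
SAMPLE = [
    (RX, "<189>May  4 10:00:03 sw-core-01 link up on port 1/3"),
    (RX, "<187>May  4 10:00:04 sw-core-01 power supply 2 failed"),
    (RX, "<190>May  4 09:12:40 sw-edge-07 user admin logged in"),
    (RX, "garbage without a PRI header"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A host that only ever shows `info` or `debug` has not yet proven that its higher-severity events are forwarded, and a host with `clock_ok` false needs its NTP configuration checked before its events are correlated with other sources.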