Anyone using their Fortianalyzer as a syslog store?

In the meantime I downloaded the VM version of 5.2.1 ... and I can't see anywhere that its possible to set up a syslog server in the FAZ (there is only an option to forward syslog events off to another syslog server elsewhere).

So did I dream that you could run a syslog server with 5.2.x ?

Thanks Andrea,

That's very helpful.  I set up a test with my current v5.0 firmware on the FL100C.  I put Snare syslog tools on my PC and set it for forward some Event Log data to the FL100C as syslog data on port 514.  I can confirm that a new Unregistered Device showed up on the Fortianalyzer immediately.  But I am unable to Promote this device; it throws an error saying "Device type not supported by the ADOM".  So I will wait until its a suitable time, update the FL100C to v5.2 and then try again.

Cheers,

Steve

from error, seems you did not enable ADOM function

by default, FAZ ADOM function is disabled, and can only manage FGT logs, and you can enable ADOM in System Settings dashboard and then you can promote syslog device to syslog ADOM.

thanks

Simon

Thanks Simon,

I just tried enabling the ADOM functionality and, hey presto, its all looking good.  I am now successfully shipping syslog data into the Fortianalyzer.  I guess I will need to do some exploring and find out what's possible on the reporting side of things.

Cheers,

Steve

Have run into what seems like an insurmountable problem.  I was wanting to use a command-line tool to generate syslog entries when a user logs in/out of their PC (via logon/logoff script).  In testing I can see that as this runs on each PC, a new Device is flagged in the Fortianalyzer and its just not practical for me to have 150-odd syslog devices.  What I really need the Fortianalyzer to do for me is allow me to set up one (1) syslog device and then allow me to direct all syslog(514) data into that device.  Seems it won't let me do that?  Does anyone have a suggestion as to how I might get around this constraint?  I've considered ideas like setting up a virtual IP and redirecting all syslog traffic through that IP, but it all seems to complex; it really ought to be easier than that I think.

Hi, Stephen,

For your case, maybe you can create a virtual group (log array) for these syslog devices, and also maybe can create a different syslog ADOM for them.

Thanks

Simon

Thanks for the suggestions.  I tried creating a new ADOM v5.2 syslog and then created a Log Array as well.  But this doesn't seem to change the behaviour.  PCs which send syslog data still show up as Unregistered devices and have to be manually added.  It would be nice if it were possible to configure a default syslog and then set it so that new devices auto-add themselves to the default store.  Or even if I could define rules to direct the syslog data, such as "any device matching 192.168.11.0/24 or 192.168.12.0/24" or something like that.