This article covers the basic setup steps that allow FortiAnalyzer (FAZ) to accept FortiClient (FCT) logs.
FAZ collects FCT logs into the FortiClient ADOM. The logs are stored under the serial number of the EMS managing the FortiClients.
For this to work, the EMS needs to be registered on the FAZ.
1. Enter the FortiClient ADOM.
   FAZ_GUI\System Settings\All ADOMs\<right click on FortiClient>\Enter ADOM\
2. Register the EMS on FAZ.
   FAZ_GUI\Device Manager\Add Device\... enter EMS IP, serial number, etc.
3. Configure the EMS so that the FAZ IP and log settings properties are sent to the FCTs.
   EMS > Endpoint Profiles > EMS Profiles > <select profile> > System Settings > Log Settings > <enable Upload Logs to FortiAnalyzer/FortiManager>...
4. Deploy the FortiClient profile.
5. Verification
   - After the scheduled time the logs should be available on FAZ: GUI\Log View\Log Browse\.
   - FCT sends log file(s) to FAZ according to the schedule settings configured in step 3. It uses tcp 514. (FCT for Chromebook is scheduled to be supported in FAZ 5.6.1+)
   - A sniffer on FAZ could be used to verify whether FCT logs are arriving:
     FAZ# diagnose sniffer packet any 'host <FCT IP> and tcp and port 514'
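An added example, not part of the original article: a Python helper that reads saved output of the sniffer command from the verification step and reports, for each FortiClient IP, what its tcp 514 conversation with FAZ shows. The line layout of the sniffer output, the function name `classify_clients` and the sample capture are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed sniffer line layout: "<time> <src>.<sport> -> <dst>.<dport>: <flags ...>"
LINE = re.compile(
    r"^\s*[\d.]+\s+(\d+(?:\.\d+){3})\.(\d+)\s+->\s+"
    r"(\d+(?:\.\d+){3})\.(\d+):\s+(.*)$")
TCP_FLAGS = {"syn", "ack", "psh", "rst", "fin"}

def classify_clients(capture, faz_port=514):
    """Map each FortiClient IP to what its conversation on faz_port shows."""
    events = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner lines such as interfaces=[...] / filters=[...]
        src, sport, dst, dport, rest = m.groups()
        flags = TCP_FLAGS & set(rest.split())
        if int(dport) == faz_port:          # FortiClient -> FAZ
            events[src]                     # register client even for a bare SYN
            if "psh" in flags:
                events[src].add("data")     # payload pushed: log upload in progress
        elif int(sport) == faz_port:        # FAZ -> FortiClient
            if "rst" in flags:
                events[dst].add("rst")
            elif {"syn", "ack"} <= flags:
                events[dst].add("synack")
    verdicts = (("data", "log data reaching FAZ"),
                ("rst", "FAZ reset the connection"),
                ("synack", "handshake only, no upload yet"))
    return {ip: next((msg for key, msg in verdicts if key in ev), "no reply from FAZ")
            for ip, ev in events.items()}

# Constructed sample capture (not real traffic); FAZ is 10.0.0.10 here.
SAMPLE = """\
interfaces=[any]
filters=[tcp and port 514]
2.013256 10.0.0.5.49822 -> 10.0.0.10.514: syn 3291776234
2.013301 10.0.0.10.514 -> 10.0.0.5.49822: syn 1042771935 ack 3291776235
2.013790 10.0.0.5.49822 -> 10.0.0.10.514: ack 1042771936
2.014501 10.0.0.5.49822 -> 10.0.0.10.514: psh 3291776235 ack 1042771936
2.500000 10.0.0.6.50001 -> 10.0.0.10.514: syn 777000111
3.500000 10.0.0.6.50001 -> 10.0.0.10.514: syn 777000111
3.600000 10.0.0.7.50111 -> 10.0.0.10.514: syn 555000111
3.600050 10.0.0.10.514 -> 10.0.0.7.50111: rst 0 ack 555000112
"""

if __name__ == "__main__":
    for ip, verdict in sorted(classify_clients(SAMPLE).items()):
        print(f"{ip}: {verdict}")
```

A client that only ever shows repeated SYNs points at filtering between the endpoint and FAZ, while a reset from FAZ points at FAZ itself not accepting the connection.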