juanc
Explorer
May 8, 2025
Solved

Incident type events forwarded via syslog


Hi, I'm new here

I have the SIEM analyst role and I have read-only access to the FortiAnalyzer.

I have to monitor all the events that it detects as incidents.

This FortiAnalyzer manages more than 10 firewalls, and I only want to get the events that are most relevant: what the FortiAnalyzer considers an incident, or what most draws attention and contributes to security issues, so that incidents can be avoided.

According to what I have investigated, this is the configuration that I should request from the firewall administrator, but I would appreciate it if you could share your recommendations with me.

config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "SIEM_Server"
        set server-addr "192.169.1.1"
        set fwd-server-type cef
        set server-port 6515
        set fwd-reliable enable
        set log-filter-status enable
        config log-filter
            edit 1
                set field "event"
                set value "security"
            next
            edit 2
                set field "level"
                set oper ">="
                set value "information"
            next
        end
    next
end
4 replies

Stephen_G
Moderator
May 11, 2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

If anyone viewing this topic has any knowledge on this, I encourage you to reply.

Thanks,

Stephen_G - Fortinet Community Team
Secusaurus
Contributor III
May 12, 2025

Hi @juanc,

There is a lot of missing information in your question.

Most SIEM systems prefer syslog, but it could be that you are using something closer to a SOAR, which is more of an event-driven system and therefore prefers the Common Event Format (CEF). So, the parameters fwd-server-type, server-port and fwd-reliable (which switches between TCP and UDP) strongly depend on your requirements.

Speaking about the log filter: I don't know the field "event". You could set the field to "type" and the value to "event" instead, but I think this is not what you are targeting. "Events" on FortiGates are system events like AV-definition updates or SD-WAN events like switching WAN interfaces, etc.

You would more likely look for the log type "utm", which relates to the security profiles of the firewall. Note that with that filter you miss the general deny of traffic (which is interesting in a port scan) and, e.g., VPN logons/failures completely.

But:

The FortiAnalyzer has two kinds of logs: The logs that it receives from other components (like firewalls, sandboxes, clients, etc.) and the logs that it generates itself. If you configure log *forwarding*, you are forwarding logs of other devices.

It could be (but this is something you need to discuss with your customer or team) that the real request is that you receive the events (incidents) that the FortiAnalyzer *generates*. As the FAZ is kind of a "mini-SIEM", it can also correlate logs from the devices, make assumptions and generate events (called "incidents" in a real SIEM). If you would like to get them, then you need to either configure the event handlers on the FAZ itself or send the local logs to your SIEM (see `config system locallog syslogd setting` for further details).

@Anthony_E: This is a topic for FortiAnalyzer, not FortiSIEM. I think you can move it back ;)

Best,

Christian

NSE8 | Fortinet Advanced MSSP Partner
Anthony_E
Staff
May 12, 2025

Thank you, Christian :)!

Best Regards
juanc (Author, best answer)
Explorer
May 12, 2025

Hello,

This was just what I needed; I have already asked the administrator to apply this configuration.

config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "Logs_To_Vision_One"
        set server-addr "192.168.1.1"
        set server-port 6515
        set fwd-server-type cef
        set fwd-reliable enable
        set log-filter-status enable
        set log-filter-logic and
        config log-filter
            edit 1
                set field level
                set value "alert"
            next
            edit 2
                set field level
                set value "critical"
            next
            edit 3
                set field level
                set value "emergency"
            next
            edit 4
                set field level
                set oper >=
                set value "information"
            next
        end
    next
end
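As an added example (a small Python script written for this page, not Fortinet code or anything posted in the thread), the following evaluates a set of `config log-filter` entries against constructed sample records so you can preview what a filter set would forward before asking an administrator to apply it. It assumes that `log-filter-logic` combines the entries as plain boolean AND/OR, that `oper` defaults to "=", and that level names order as in syslog (debug lowest, emergency highest); the sample records and the `LEVELS`, `match_entry`, `forwarded` and `count_forwarded` names are constructed for the example.

```python
# Added example, not from the thread: a toy evaluator for FortiAnalyzer
# `config log-filter` entries, to preview what a filter set lets through.
# Assumptions (not confirmed by the thread): `log-filter-logic` combines the
# entries as plain boolean AND/OR, `oper` defaults to "=", and level names
# order as in syslog, debug lowest and emergency highest.

LEVELS = ["debug", "information", "notice", "warning",
          "error", "critical", "alert", "emergency"]

def match_entry(record, field, oper, value):
    """Evaluate one `edit N` entry (field/oper/value) against a log record."""
    actual = record.get(field)
    if actual is None:
        return False
    if field == "level" and oper in (">=", "<=", ">", "<"):
        a, v = LEVELS.index(actual), LEVELS.index(value)
        return {">=": a >= v, "<=": a <= v, ">": a > v, "<": a < v}[oper]
    if oper == "=":
        return actual == value
    raise ValueError(f"unsupported oper {oper!r}")

def forwarded(record, entries, logic="or"):
    """True if the record passes the whole filter set under AND or OR logic."""
    results = [match_entry(record, *entry) for entry in entries]
    return all(results) if logic == "and" else any(results)

# Constructed sample records using FortiGate-style fields (type/subtype/level).
SAMPLES = [
    {"type": "traffic", "subtype": "forward", "level": "notice", "action": "deny"},
    {"type": "utm", "subtype": "ips", "level": "alert"},
    {"type": "event", "subtype": "system", "level": "information"},
    {"type": "utm", "subtype": "virus", "level": "critical"},
    {"type": "event", "subtype": "vpn", "level": "error"},
]

# The accepted answer's four entries as posted; `oper` left at the "=" default.
ACCEPTED = [("level", "=", "alert"), ("level", "=", "critical"),
            ("level", "=", "emergency"), ("level", ">=", "information")]

def count_forwarded(entries, logic):
    """Number of SAMPLES that the filter set would forward."""
    return sum(forwarded(r, entries, logic) for r in SAMPLES)

if __name__ == "__main__":
    # Under AND, no single record is alert, critical and emergency at once.
    print("accepted entries, logic and:", count_forwarded(ACCEPTED, "and"))  # 0
    print("accepted entries, logic or: ", count_forwarded(ACCEPTED, "or"))   # 5
    # Christian's hint: filter on type "utm" rather than the unknown field "event".
    print("type=utm only:", count_forwarded([("type", "=", "utm")], "or"))  # 2
```

Running it shows why the logic setting matters: under the assumed AND semantics, four entries on the same `level` field can never all be true for one record, while under OR the `>= information` entry alone admits everything above debug.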