Issue integrating AWS Network Firewall CloudWatch logs with FortiSIEM – Log Stream wildcard behavior
Hi
We are trying to integrate AWS Network Firewall logs with FortiSIEM using CloudWatch Logs, as per the FortiSIEM External Systems Configuration Guide. Below are the details of our setup and the challenge we are facing.
Environment & Setup
AWS Network Firewall is configured successfully
Logs are being sent to CloudWatch Logs
Two types of logs are enabled:
Alert logs
Flow logs
We are using CloudWatch Logs integration (API-based) in FortiSIEM (not S3/SQS)
CloudWatch Configuration
Log Group
Log Streams (auto-rotating, hourly)
Example streams visible in CloudWatch:
Alert logs
Flow logs
The stream name changes every hour, while the prefix remains constant.
FortiSIEM Side (What we tested)
FortiSIEM uses the backend script aws-phgetflowlogs.php.
This script:
Uses DescribeLogStreams for discovery
Supports wildcard (*) in Log Stream Name
Uses GetLogEvents per discovered stream
We tested the script manually from the FortiSIEM supervisor and confirmed:
Log Group is correct
Logs are present in CloudWatch
IAM permissions are correct (logs:DescribeLogStreams, logs:GetLogEvents)
Log Stream Name Challenge
Case 1: Exact log stream name
Example:
✔ Works initially
✘ Fails after one hour when the stream rotates
Case 2: Wildcard log stream name
Example:
This matches how the backend script is designed (prefix + wildcard handling).
However, when we configure this in the FortiSIEM UI:
Credential Test gets stuck
No success or failure message
No explicit error in UI
No clear error in logs indicating invalid credentials or API failure
This happens only when * is used at the end of the Log Stream Name.
What We Have Confirmed
CloudWatch Logs contain data (verified in AWS console)
Log Group name is correct and exact
IAM permissions are sufficient
The same credentials work when an exact stream name is used
Issue occurs only with wildcard stream configuration
Backend script (aws-phgetflowlogs.php) clearly supports wildcard discovery using:
logStreamNamePrefix
fnmatch() filtering
Questions to the Community / Fortinet Team
Is wildcard (*) officially supported in Log Stream Name for CloudWatch-based log sources in FortiSIEM UI?
Is there any UI-side validation or limitation that causes the credential test to hang when a wildcard is used?
Is there a recommended way to handle hourly rotating Network Firewall log streams in CloudWatch with FortiSIEM?
Are Alert logs and Flow logs expected to be configured as separate log sources, even if they share the same log group?
Is there any known issue or patch related to CloudWatch log stream discovery for AWS Network Firewall?
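The following is an added example and is not the FortiSIEM script or any other code from the post. It reproduces the discovery logic the post describes (DescribeLogStreams with logStreamNamePrefix, fnmatch() filtering of the full wildcard, GetLogEvents per discovered stream) in Python against a constructed stand-in for boto3's `logs` client, so it runs offline. The log-group name, the stream names and the events are constructed and are not real Network Firewall output; the timestamps are arbitrary.

```python
"""Wildcard log-stream discovery and event collection for CloudWatch Logs.

Added example, not the FortiSIEM aws-phgetflowlogs.php script. The client
below is a constructed stand-in for boto3.client("logs") that returns the
same response shapes; LOG_GROUP, stream names and events are made up.
"""
import fnmatch
import json
from typing import Dict, List

LOG_GROUP = "/aws/network-firewall/example"  # constructed name


def literal_prefix(pattern: str) -> str:
    """Literal part of a glob before the first *, ? or [.

    CloudWatch filters server-side only by prefix, so this is what goes into
    logStreamNamePrefix; the full glob is applied client-side with fnmatch.
    """
    for i, ch in enumerate(pattern):
        if ch in "*?[":
            return pattern[:i]
    return pattern


def discover_streams(client, log_group: str, pattern: str) -> List[str]:
    """Every stream in log_group whose name matches the glob, across all pages."""
    kwargs = {"logGroupName": log_group}
    prefix = literal_prefix(pattern)
    if prefix:
        kwargs["logStreamNamePrefix"] = prefix
    matched: List[str] = []
    while True:
        resp = client.describe_log_streams(**kwargs)
        for stream in resp.get("logStreams", []):
            if fnmatch.fnmatchcase(stream["logStreamName"], pattern):
                matched.append(stream["logStreamName"])
        token = resp.get("nextToken")
        if not token:  # last page of streams
            return matched
        kwargs["nextToken"] = token


def fetch_events(client, log_group: str, stream: str) -> List[dict]:
    """Read one stream with GetLogEvents.

    At the end of a stream GetLogEvents returns the same nextForwardToken you
    passed in, so stop when the token stops changing or the loop never ends.
    """
    kwargs = {"logGroupName": log_group, "logStreamName": stream, "startFromHead": True}
    events: List[dict] = []
    previous = None
    while True:
        resp = client.get_log_events(**kwargs)
        events.extend(resp.get("events", []))
        token = resp.get("nextForwardToken")
        if not token or token == previous:
            return events
        previous = token
        kwargs["nextToken"] = token


def collect(client, log_group: str, pattern: str) -> List[dict]:
    """Discover matching streams, pull their events, parse the JSON message."""
    records = []
    for stream in discover_streams(client, log_group, pattern):
        for ev in fetch_events(client, log_group, stream):
            body = json.loads(ev["message"])
            records.append({"stream": stream, "timestamp": ev["timestamp"],
                            "event_type": body["event"]["event_type"]})
    return records


class FakeLogsClient:
    """Constructed stand-in for boto3.client("logs"): same shapes, no network."""

    def __init__(self, streams: Dict[str, List[dict]], page_size: int = 1):
        self.streams = streams
        self.page_size = page_size  # small pages force the nextToken path

    def describe_log_streams(self, logGroupName, logStreamNamePrefix="", nextToken=None, **_):
        names = sorted(n for n in self.streams if n.startswith(logStreamNamePrefix))
        start = int(nextToken) if nextToken else 0
        page = names[start:start + self.page_size]
        resp = {"logStreams": [{"logStreamName": n} for n in page]}
        if start + self.page_size < len(names):
            resp["nextToken"] = str(start + self.page_size)
        return resp

    def get_log_events(self, logGroupName, logStreamName, nextToken=None, **_):
        end = f"f/{logStreamName}/end"
        if nextToken == end:  # end of stream: empty page, unchanged token
            return {"events": [], "nextForwardToken": end}
        return {"events": list(self.streams[logStreamName]), "nextForwardToken": end}


def _msg(event_type: str) -> str:
    # Constructed message shaped like a Network Firewall log line (minimal fields).
    return json.dumps({"firewall_name": "example-fw", "event": {"event_type": event_type}})


# Constructed hourly rotating streams: two alert hours, one flow hour.
SAMPLE_STREAMS = {
    "example-fw-alert-2024-06-01-10": [{"timestamp": 1717236000000, "message": _msg("alert")},
                                       {"timestamp": 1717236060000, "message": _msg("alert")}],
    "example-fw-alert-2024-06-01-11": [{"timestamp": 1717239600000, "message": _msg("alert")}],
    "example-fw-flow-2024-06-01-10": [{"timestamp": 1717236000000, "message": _msg("netflow")}],
}


def demo_client() -> FakeLogsClient:
    return FakeLogsClient(SAMPLE_STREAMS, page_size=1)


if __name__ == "__main__":
    for rec in collect(demo_client(), LOG_GROUP, "example-fw-alert-*"):
        print(rec)
```

With real AWS access, replace `demo_client()` with `boto3.client("logs")`; the IAM actions needed are the two the post lists, logs:DescribeLogStreams and logs:GetLogEvents. Because the source rotates hourly, discovery has to be rerun on every poll so the new hour's stream is picked up, and the alert and flow patterns are simply two different globs against the same log group. An alternative that avoids per-stream GetLogEvents calls entirely is FilterLogEvents, which accepts a logStreamNamePrefix and returns events from every matching stream in one paginated call (it needs logs:FilterLogEvents).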
