Using FortiAnalyzer as generic Syslog server, parse logs from non-Fortinet sources

Forum|Forum|1 year ago
November 28, 2024
2 replies
2347 views

Hello,

After making a research regarding of the (im)possibility to make it work, and some tests on FAZ 7.4.x, I wonder if this is feasible or even in the roadmap. Apparently the log parsers can be assigned to a device only if it is recognized as Fortinet, and appears first as unauthorized. However, sending syslog to FAZ from any device seems to store the logs into the Syslog ADOM, but when you try to assign a parser it's not possible because there is no device to select. Also, even if the logs would come from a Fortinet device (e.g. FortiSOAR), the docs say they would be parsed and inserted in a "SIEM db". But how can the latter be used?

Any ideas?

Thank you

Cristian

FortiAnalyzer

Renante_Era

Staff

I think the feature you're looking is in FortiSIEM -- SIEM Solutions & Tools | Get Best Enterprise SIEM Software | FortiSIEM

CrisPeteAuthor

New Member

Thanks for your answer. However, I would like to understand the functionalities available in FortiAnalyzer, the role of the parsers, which devices sending syslog can be integrated in FAZ, and how can be the SIEM DB used in FAZ.

dingjerry_FTNT

Staff

Hi @CrisPete ,

In Incidents & Events > Log Parser > Log Parsers page, you may enable a parser there. i.e. syslog.

Then go back to Incidents & Events > Log Parser > Assigned Parsers page, create a new one, you can select that enabled parser in the Application.

Not sure whether this is what you need.

dingjerry_FTNT

Staff

Hi @CrisPete ,

I hope that there is some info in this doc for you:

https://docs.fortinet.com/document/fortianalyzer/7.4.0/custom-log-parsers/88208/introduction

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded