Correlating Firewall Logs end to end

AliHaider · ‎09-22-2022

Hello,

I would like to know how multiple FortiGate logs for one flow can be traced back.

e.g. External IP hits Public NAT IP on Fortigate (log 1), this is then DNat to internal IP, which is then in turn SNat to another external IP (log 2). What unique field can I used to match these two logs (session ID? event time?) within the FortiGate Logs.

addtionally, does FortiSIEM support NXlog agent forwarding logs in any format?

BR,
Ali

simonai · ‎09-25-2022

Hi Ali

I once did that a long time ago with Splunk, if I remeber correctly there we used the Session ID to match the logs of a WAF to the original IPs masked by the Fortigate in front of it.

Regards
Simon-------------------------------------------
Original Message:
Sent: Sep 22, 2022 09:00 AM
From: Ali Haider
Subject: Correlating Firewall Logs end to end

Hello,

I would like to know how multiple FortiGate logs for one flow can be traced back.

e.g. External IP hits Public NAT IP on Fortigate (log 1), this is then DNat to internal IP, which is then in turn SNat to another external IP (log 2). What unique field can I used to match these two logs (session ID? event time?) within the FortiGate Logs.

addtionally, does FortiSIEM support NXlog agent forwarding logs in any format?

BR,
Ali