FortiWeb

KalanaChandrasiri · ‎09-22-2019

Hi People,

I need to configure FortiWeb syslogs to FortiWeb.

In Fortiweb 4000 it has both Syslog Policy and SIEM policy (Under Log Policy). What is the supportive method for FortiSIEM?

If we configured SIEM policy it shows only QRadar LEEF and ArcSight CEF. What is best method.

I saw that there is a comment as "CEF" is not support with FortiSIEM.

Regards,
Kalana

------------------------------
kalana
------------------------------

FSM_FTNT · ‎09-23-2019

Hi Kalana,

FortiSIEM version 5.2.5 supports FortiWeb using Syslog format.

The recevied log format should be key value pair format, similar to this:

date=2016-02-18 time=10:00:05 log_id=00001002 msg_id=000067508821 device_id=FV400D3A15450010 vd="root" timezone="(GMT+3:00)Baghdad" type=event subtype="admin" pri=information trigger_policy="" user=admin ui=GUI action=edit status=success msg="User admin changed global from GUI(196.168.6.66)"

View solution in original post

FSM_FTNT · ‎09-23-2019

Hi Kalana,

FortiSIEM version 5.2.5 supports FortiWeb using Syslog format.

The recevied log format should be key value pair format, similar to this:

date=2016-02-18 time=10:00:05 log_id=00001002 msg_id=000067508821 device_id=FV400D3A15450010 vd="root" timezone="(GMT+3:00)Baghdad" type=event subtype="admin" pri=information trigger_policy="" user=admin ui=GUI action=edit status=success msg="User admin changed global from GUI(196.168.6.66)"

KalanaChandrasiri · ‎09-23-2019

@Daniel,

Are we able to configure custom log format in FortiWeb ?

FSM_FTNT · ‎09-26-2019

The format needs to be the standard Key Value Pair log format. If you customise then the FortiSIEM parser may also need to be customised.