FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
mdeparisse_FTNT
Article Id 190143

Description


This article describes how to integrate EMS and FortiClient in the FortiAnalyzer so that it can centralize logging.

Solution

 

  1. Verify the compatibility of the EMS server and FortiClient with the FortiAnalyzer. This can be found on the FortiClient release note, on the EMS release note and on the FortiAnalyzer release note.

    Note: The new Fabric ADOM can also be used since FortiAnalyzer 6.2 to receive logs from the FortiClient stations.

    Configure the https-logging from FortiAnalyzer via CLI:

     

    (port1)# show
    config system interface
        edit "port1"
            set ip 10.47.3.65 255.255.240.0
            set allowaccess ping ssh https https-logging
        next
    end

  2. Enable ADOM on the FortiAnalyzer so that the EMS server can be handled by the correct ADOM (FortiClient ADOM).

  3. Make sure to have sufficient size for this ADOM. By default, the size is 1 GB.

  4. Configure the EMS server so that it uses the FortiAnalyzer, as a log receiver on the FortiClient profile.


 

  1. Connect the FortiClient to the EMS server as follows:



     

  2. Check that the EMS detects the client.


     

  3. Enable Antivirus detection or Web Filter to generate logs from the FortiClient as follows:





     

  4. Push the new updated profile.


     

  5. Go on the FortiClient and generate logs using a web browser or EICAR virus detection. Navigate here from the FortiClient station to download EICAR virus detection.

     
     


  6. Go on the FortiClient ADOM.
     
     
     
  7. As logs are generated by the FortiClient. The logs will turn green as follows:
     
     
     
  8. If logs are not turning green, it is possible to check the raw log: logview, logbrowse, and filter by the EMS serial to see the FortiClient traffic and event log. Check if any of those logs appear.
     
    Note: If this is not the case, navigate again from the FortiClient and de-register and register once again the client to generate logs.
     
  9. If no logs are seen, provide the team with the following information:
  • exe tac report of the FortiAnalyzer and config.
  • diag sniffer packet any ' host <FCLT IP> ' 3 0 a.
  • Wireshark from the FortiClient while navigating the net (to generate logs packet):
  • The sniff may show TCP SYN 4-way handshake successful but no logs are sent by the FortiClient (make sure to have the latest version of FortiClient and FortiAnalyzer). 
  • Ping from the FortiClient to the FortiAnalyzer.
  • FortiClient Diagnostic Tool.


Related article:

Technical Tip: Control logging from FortiClient EMS to FortiAnalyzer

Technical Tip: Control logging from FortiClient EMS to FortiAnalyzer
DOCS: Configuring log storage policy

Technical Tip: How to make multitenancy visible from FortiAnalyzer

DOCS: EMS Connector

Technical Tip: How to run a FortiClient Endpoint Antivirus scanning using FortiSoC Playbook

Technical Tip: How to implement Indicators Of Compromised (IOC) Automation Stitch between FortiGate,...

Technical Tip: How to determine the failed status from FortiSoC Playbook monitor