FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Anonymous
Not applicable
Article Id 220756

Description

 

This article describes how to integrate FortiAnalyzer into FortiSIEM. This article shows the step by step configuration of FortiAnalyzer and FortiSIEM.

 

The article deals with the following:

- Configuring FortiAnalyzer.

- Setting Up the Syslog Server. 

- Pre-Configuration for Log Forwarding .

- Configuring Log Forwarding .

 

Scope

 

FortiAnalyzer and FortiSIEM.

 

IPs considered in this scenario:

 

FortiAnalyzer – 172.30.115.249

FortiSIEM – 172.29.52.243

 

Note: Connectivity between FortiAnalyzer and FortiSIEM has to be either on LAN or over Public IP.

 

Solution

 

1) Log in to the FortiAnalyzer that needs to be added to the FortiSIEM.

 

Aashiq_Z_4-1660320437352.png

 

2) Post login Select Root Domain if below page does not opens directly.

 

Aashiq_Z_5-1660320561914.png

 

3) Go to System Settings - > Advance  - > Syslog

 

Aashiq_Z_6-1660320753352.png

 

- Select the Create New option. 

- Enter the Name. (It is recommended to use the name of the FortiSIEM server.) 

- Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.

- Leave the Syslog Server Port to the default value '514'. 

- Select OK to save the entries.

 

Aashiq_Z_8-1660320960927.png

 

Configuring Log Forwarding

 

Note:

 

Why Forwarding mode is used - Forwarding Mode

Logs are forwarded in real-time or near real-time as received. This mode can be configured in both the GUI and CLI. https://docs2.fortinet.com/document/fortianalyzer/6.0.4/administration-guide/171028/modes

 

Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events.

 

The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets.

 

To disable this, go to FortiSIEM CLI:

 

sysctl -w net.ipv4.conf.all.rp_filter=0

 

Aashiq_Z_10-1660321278384.png

 

Make changes to the system file because post rebooting the FortiSIEM values will change again to 1, add the following code to the file: 

 

vi /etc/sysctl.conf 

(

vi- to edit the file insert via “i”

save it via, “:wq!”

)

net.ipv4.conf.all.rp_filter=0

 

Aashiq_Z_11-1660321798519.png

 

4) Log forwarding configuration via CLI:

 

Aashiq_Z_12-1660321840641.jpeg

 

Log forwarding configuration via GUI:

 

Aashiq_Z_13-1660321872685.png

 

Aashiq_Z_14-1660321907817.png

 

Open CLI again and check the settings as below:

(Configure locallog syslogd settings as well)

 

# config system locallog syslogd setting

    set status enable

    set syslog-name "FortiSIEM"

  end

 

Aashiq_Z_15-1660322067695.png

 

Log into the FortiSIEM - > Dashboard and select FortiSIEM dashboard. (new time configuration to check whether receiving any logs or not)

 

Aashiq_Z_16-1660322170940.png

 

FortiAnalyzer can forward two primary types of logs, each configured differently: 

- Events received from other devices (FortiGates, FortiMail, FortiManager, etc)  (via syslog)

- Locally generated System events (FortiAnalyzer admin login attempts, config changes, etc) (via locallog syslogd setting)

 

Troubleshooting:

 

If there are some issues with log forwarding, check the log forwarding stats by using:

 

# diagnose test application logfwd 4

 

If there are issues with the forwarding engine, reset the logfwd process:

 

# diagnose test application logfwd 99

# diagnose test application logfwd