Created on 08-12-2022 09:46 AM Edited on 08-23-2022 12:32 AM By Anthony_E
Description
This article describes how to integrate FortiAnalyzer into FortiSIEM. This article shows the step by step configuration of FortiAnalyzer and FortiSIEM.
The article deals with the following:
- Configuring FortiAnalyzer.
- Setting Up the Syslog Server.
- Pre-Configuration for Log Forwarding .
- Configuring Log Forwarding .
Scope
FortiAnalyzer and FortiSIEM.
IPs considered in this scenario:
FortiAnalyzer – 172.30.115.249
FortiSIEM – 172.29.52.243
Note: Connectivity between FortiAnalyzer and FortiSIEM has to be either on LAN or over Public IP.
Solution
1) Log in to the FortiAnalyzer that needs to be added to the FortiSIEM.
2) Post login Select Root Domain if below page does not opens directly.
3) Go to System Settings - > Advance - > Syslog
- Select the Create New option.
- Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
- Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
- Leave the Syslog Server Port to the default value '514'.
- Select OK to save the entries.
Configuring Log Forwarding
Note:
Why Forwarding mode is used - Forwarding Mode
Logs are forwarded in real-time or near real-time as received. This mode can be configured in both the GUI and CLI. https://docs2.fortinet.com/document/fortianalyzer/6.0.4/administration-guide/171028/modes
Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events.
The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets.
To disable this, go to FortiSIEM CLI:
sysctl -w net.ipv4.conf.all.rp_filter=0
Make changes to the system file because post rebooting the FortiSIEM values will change again to 1, add the following code to the file:
vi /etc/sysctl.conf
(
vi- to edit the file insert via “i”
save it via, “:wq!”
)
net.ipv4.conf.all.rp_filter=0
4) Log forwarding configuration via CLI:
Log forwarding configuration via GUI:
Open CLI again and check the settings as below:
(Configure locallog syslogd settings as well)
# config system locallog syslogd setting
set status enable
set syslog-name "FortiSIEM"
end
Log into the FortiSIEM - > Dashboard and select FortiSIEM dashboard. (new time configuration to check whether receiving any logs or not)
FortiAnalyzer can forward two primary types of logs, each configured differently:
- Events received from other devices (FortiGates, FortiMail, FortiManager, etc) (via syslog)
- Locally generated System events (FortiAnalyzer admin login attempts, config changes, etc) (via locallog syslogd setting)
Troubleshooting:
If there are some issues with log forwarding, check the log forwarding stats by using:
# diagnose test application logfwd 4
If there are issues with the forwarding engine, reset the logfwd process:
# diagnose test application logfwd 99
# diagnose test application logfwd
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.