FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Not applicable
Article Id 220756



This article describes how to integrate FortiAnalyzer into FortiSIEM. This article shows the step by step configuration of FortiAnalyzer and FortiSIEM.


The article deals with the following:

- Configuring FortiAnalyzer.

- Setting Up the Syslog Server. 

- Pre-Configuration for Log Forwarding .

- Configuring Log Forwarding .




FortiAnalyzer and FortiSIEM.


IPs considered in this scenario:


FortiAnalyzer –

FortiSIEM –


Note: Connectivity between FortiAnalyzer and FortiSIEM has to be either on LAN or over Public IP.




1) Log in to the FortiAnalyzer that needs to be added to the FortiSIEM.




2) Post login Select Root Domain if below page does not opens directly.




3) Go to System Settings - > Advance  - > Syslog




- Select the Create New option. 

- Enter the Name. (It is recommended to use the name of the FortiSIEM server.) 

- Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.

- Leave the Syslog Server Port to the default value '514'. 

- Select OK to save the entries.




Configuring Log Forwarding




Why Forwarding mode is used - Forwarding Mode

Logs are forwarded in real-time or near real-time as received. This mode can be configured in both the GUI and CLI.


Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events.


The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets.


To disable this, go to FortiSIEM CLI:


sysctl -w net.ipv4.conf.all.rp_filter=0




Make changes to the system file because post rebooting the FortiSIEM values will change again to 1, add the following code to the file: 


vi /etc/sysctl.conf 


vi- to edit the file insert via “i”

save it via, “:wq!”






4) Log forwarding configuration via CLI:




Log forwarding configuration via GUI:






Open CLI again and check the settings as below:

(Configure locallog syslogd settings as well)


# config system locallog syslogd setting

    set status enable

    set syslog-name "FortiSIEM"





Log into the FortiSIEM - > Dashboard and select FortiSIEM dashboard. (new time configuration to check whether receiving any logs or not)




FortiAnalyzer can forward two primary types of logs, each configured differently: 

- Events received from other devices (FortiGates, FortiMail, FortiManager, etc)  (via syslog)

- Locally generated System events (FortiAnalyzer admin login attempts, config changes, etc) (via locallog syslogd setting)




If there are some issues with log forwarding, check the log forwarding stats by using:


# diagnose test application logfwd 4


If there are issues with the forwarding engine, reset the logfwd process:


# diagnose test application logfwd 99

# diagnose test application logfwd