FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
HernandezA
Staff
Article Id 412480
Description This article describes how to validate the log flow when FortiAnalyzer shows only System Events in the Log View for FortiClient.
Scope FortiAnalyzer, FortiAnalyzer Cloud, FortiClient EMS.
Solution

Prerequisites:

  1. The FortiAnalyzer/FortiManager Cloud instance has already been created in the same account as the device, with the corresponding license feature available. See the Cloud deployment guide.
  2. The user can access the FortiAnalyzer/FortiManager Cloud instance with an administrator account.
  3. FortiClient EMS has been integrated with FortiAnalyzer: Technical Tip: How to integrate FortiClient EMS in the FortiAnalyzer.

 

Context

FortiAnalyzer files FortiClient logs into Log View sections according to the logging options enabled in the EMS endpoint profile:

  • Upload UTM Logs -> Traffic.
  • Upload System Event -> Event (endpoint control, update, and FortiClient events).
  • Upload Security Event -> Event (Malware Protection, Web Filter, Vulnerability Scan, and Application Firewall events).
  • Upload Vulnerability Logs -> Vulnerability Scan.
  • Upload Event Logs -> Event.

 

It is a common scenario that, after adding FortiClient EMS logging to FortiAnalyzer, the administrator sees only system events in the Log View section of FortiAnalyzer.

 

If only the System endpoint profile is assigned to the endpoint group, the administrator may suspect that something is wrong with logging because no traffic-related logs appear. In fact, further profile configuration must be applied on the endpoints before that information is generated at all.

 

[Screenshot: OnlysysEVENTS.jpg]

 

That the connection between EMS and FortiAnalyzer has been established can be confirmed from the FortiAnalyzer event logs and from the device status in Device Manager.

 

[Screenshot: confirmedSesionwithEMS.jpg]

[Screenshot: connectorUP.jpg]

 

Confirm the configuration and assignment of the endpoint profiles; at least the Web Filter profile must be assigned to the endpoint group, since the System profile alone generates no traffic logs.

 

[Screenshot: systemprofile.jpg]

[Screenshot: videofilteprofile.jpg]

[Screenshot: Vulnerabilityprofile.jpg]

[Screenshot: Webfilterprofile.jpg]

[Screenshot: Profilesaddedbutnoendpointtraffic.jpg]

 

The endpoint must actually generate traffic that the assigned profiles log (for example, a browser request blocked by the Web Filter profile) before any traffic entries can be recorded.

 

[Screenshot: broswereventblok.jpg]

[Screenshot: videoYTgames.jpg]

 

Wait for the endpoints to send their logs to FortiAnalyzer; once the logs have been inserted, the Traffic section is displayed.

 

trafficevents.jpg

 

Important considerations:

  • FortiAnalyzer, FortiClient EMS, and the endpoint must have the same time and time zone; otherwise logs may not be visible when expected.
  • If the endpoints have no profiles that record UTM logs, no traffic information reaches FortiAnalyzer, so it has nothing to index into the Traffic section.
  • Device Manager in FortiAnalyzer may show the FortiClient EMS device with a red arrow (down status) even though EMS and the endpoints were previously confirmed to be sending logs. This happens when FortiClient EMS has no new logs to send while FortiAnalyzer is still listening and waiting for logs.
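As an added illustration, which is not Fortinet code and not part of the original article, the following Python script applies the Log View mapping above (log type to Traffic, Event, or Vulnerability Scan section) and the time-zone consideration to a handful of constructed FortiClient-style key=value records. The field names (`type`, `date`, `time`, `tz`, `devname`, `msg`), the sample lines, and the receive time are assumptions made for the example; for a real check, export raw records from the FortiAnalyzer log view and feed them in instead.

```python
"""Triage helper for the "only System Events in Log View" symptom.

Added example, not Fortinet code. It assumes FortiClient logs arrive as
key=value records carrying type=, date=, time=, tz= and devname= fields.
The sample records below are constructed, not captured from a deployment.
"""
import re
from datetime import datetime, timedelta, timezone

# Mapping from the article: EMS profile logging option -> Log View section.
SECTION_BY_TYPE = {
    "traffic": "Traffic",                   # Upload UTM Logs
    "event": "Event",                       # Upload System/Security/Event Logs
    "vulnerability": "Vulnerability Scan",  # Upload Vulnerability Logs
}
ALL_SECTIONS = ("Traffic", "Event", "Vulnerability Scan")

# What an administrator should look at when a section stays empty.
PROFILE_HINT = {
    "Traffic": "assign a profile that logs UTM traffic (at least Web Filter) "
               "and generate matching traffic on the endpoint",
    "Vulnerability Scan": "assign a Vulnerability Scan profile and let a scan run",
    "Event": "even system events are missing; re-check the EMS to FortiAnalyzer connection",
}

# Constructed sample records (assumed field layout, illustrative values only).
ONLY_SYSTEM = [
    'date=2024-05-06 time=10:15:22 tz="-0500" devname="WS-01" type=event '
    'subtype=system level=info msg="Endpoint registered to EMS"',
    'date=2024-05-06 time=10:15:40 tz="-0500" devname="WS-01" type=event '
    'subtype=endpoint-control level=info msg="Profile applied"',
]
WITH_TRAFFIC = ONLY_SYSTEM + [
    'date=2024-05-06 time=10:16:05 tz="-0500" devname="WS-01" type=traffic '
    'subtype=forward level=warning action=blocked url="youtube.com" msg="Web Filter blocked"',
    # WS-02: wall clock reads local time for +0300 but the host is configured as -0500,
    # so its timestamp lands eight hours in the future relative to FortiAnalyzer.
    'date=2024-05-06 time=18:16:09 tz="-0500" devname="WS-02" type=vulnerability '
    'subtype=scan level=notice msg="Vulnerability scan completed"',
]
# Constructed FortiAnalyzer receive time for the batch above (UTC).
RECEIVED_AT = datetime(2024, 5, 6, 15, 16, 0, tzinfo=timezone.utc)

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def section_of(rec):
    """Log View section a record would be indexed into, or None if unknown."""
    return SECTION_BY_TYPE.get(rec.get("type", "").lower())


def count_by_section(lines):
    counts = {s: 0 for s in ALL_SECTIONS}
    for line in lines:
        sec = section_of(parse_record(line))
        if sec:
            counts[sec] += 1
    return counts


def missing_sections(lines):
    """Sections that would appear empty in Log View for this batch."""
    counts = count_by_section(lines)
    return [s for s in ALL_SECTIONS if counts[s] == 0]


def event_time(rec):
    """Timestamp the endpoint wrote, including its configured UTC offset."""
    return datetime.strptime(f'{rec["date"]} {rec["time"]} {rec["tz"]}',
                             "%Y-%m-%d %H:%M:%S %z")


def skewed_records(lines, received_at, tolerance=timedelta(minutes=5)):
    """(devname, offset) for records whose own time disagrees with the receive time."""
    out = []
    for line in lines:
        rec = parse_record(line)
        offset = event_time(rec) - received_at
        if abs(offset) > tolerance:
            out.append((rec.get("devname", "?"), offset))
    return out


def triage(lines, received_at):
    """Human-readable findings: empty sections plus clock/time-zone mismatches."""
    report = [f"no {sec} entries: {PROFILE_HINT[sec]}" for sec in missing_sections(lines)]
    for dev, off in skewed_records(lines, received_at):
        report.append(f"{dev}: timestamp off by {off}; check time zone on endpoint, EMS and FortiAnalyzer")
    return report


if __name__ == "__main__":
    for name, batch in (("only system events", ONLY_SYSTEM), ("after profiles", WITH_TRAFFIC)):
        print(f"== {name} ==")
        for finding in triage(batch, RECEIVED_AT) or ["no findings"]:
            print(" -", finding)
```

Run against the first batch, the script reports that Traffic and Vulnerability Scan are empty and points at the profile assignment; against the second batch it reports only the WS-02 clock mismatch, which is the kind of discrepancy that makes entries fail to appear where the administrator expects them.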

 

Related article:

Technical Tip: How to integrate FortiClient EMS in the FortiAnalyzer