FortiGate Azure Technical Learning
YaseAraf
Staff

A guide to sending your logs from FortiGate to Microsoft Sentinel using the Azure Monitor Agent (AMA).

 

 

Introduction

Some customers need to forward FortiGate logs to one or more SIEM solutions, such as Microsoft Sentinel.

This guide provides a walkthrough for integrating FortiGate with Microsoft Sentinel via the Azure Monitor Agent (AMA). Other options exist via FortiAnalyzer (for example, to reduce the volume of logs sent to Microsoft Sentinel), and some earlier options have since been deprecated by Microsoft.

 

Data Flow

To ingest CEF logs from FortiGate into Microsoft Sentinel, a dedicated Linux machine is configured as a log forwarder (proxy): it collects the syslog messages from FortiGate and forwards them to the Microsoft Sentinel workspace.

 

The Linux machine runs two key components:

  • Syslog daemon (log collector): either rsyslog or syslog-ng, performing two functions:

    • Listens for syslog messages in CEF format from FortiGate on TCP/UDP port 514.
    • Forwards the messages to the Azure Monitor Agent (AMA) on localhost, TCP port 28330.
  • Azure Monitor Agent (AMA): parses the messages and sends them to your Microsoft Sentinel (Log Analytics) workspace over HTTPS (TCP 443).

FGT-DataFlow.png

 

For more details, please review this link.

 

Deployment and Setup

Prerequisites:

  • Log Analytics workspace (link).
  • Microsoft Sentinel onboarded to the Log Analytics workspace (link).
  • Dedicated Linux VM (link).

 

To establish the integration between Microsoft Sentinel and FortiGate, follow these steps:

  • Install Common Event Format Data Connector
  • Create Data Collection Rule (DCR) (if you don't have one)
  • Install CEF Collector on Linux
  • Configure FortiGate Device

 

Install Common Event Format Data Connector

 
  • Navigate to the Microsoft Sentinel workspace ---> Configuration ---> Data connectors blade.
  • Search for 'Common Event Format (CEF)' and install it. This deploys the 'Common Event Format (CEF) via AMA' connector.

CEF-DataConnector.png

 

  • Open connector page for Common Event Format (CEF) via AMA.

CEF-via-AMA-page.png

 

Create Data Collection Rule (DCR) (if you don't have one)

 

  • Use the same location as your Log Analytics workspace.
  • Add the Linux machine as a resource.
  • Collect facility LOG_LOCAL7 and set the minimum log level to be collected. The facility chosen here must match the facility configured on the FortiGate.

create-dcr1.png

 

create-dcr2.png

 

create-dcr3.png

 

 

You can find below an ARM template example for DCR configuration:


    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "dataCollectionRules_ya_dcr_ama_agent_name": {
                "defaultValue": "mydcr",
                "type": "String"
            },
            "workspaces_ya_faz_ama_externalid": {
                "defaultValue": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxx/resourceGroups/ya-faz-sentinel-ama/providers/Microsoft.OperationalInsights/workspaces/ya-faz-ama",
                "type": "String"
            }
        },
        "variables": {},
        "resources": [
            {
                "type": "Microsoft.Insights/dataCollectionRules",
                "apiVersion": "2023-03-11",
                "name": "[parameters('dataCollectionRules_ya_dcr_ama_agent_name')]",
                "location": "westeurope",
                "tags": {
                    "createdBy": "Sentinel"
                },
                "kind": "Linux",
                "identity": {
                    "type": "SystemAssigned"
                },
                "properties": {
                    "dataSources": {
                        "syslog": [
                            {
                                "streams": [
                                    "Microsoft-CommonSecurityLog"
                                ],
                                "facilityNames": [
                                    "local7"
                                ],
                                "logLevels": [
                                    "Notice",
                                    "Warning",
                                    "Error",
                                    "Critical",
                                    "Alert",
                                    "Emergency"
                                ],
                                "name": "sysLogsDataSource-1039681479"
                            },
                            {
                                "streams": [
                                    "Microsoft-CommonSecurityLog"
                                ],
                                "facilityNames": [
                                    "nopri"
                                ],
                                "logLevels": [
                                    "Emergency"
                                ],
                                "name": "sysLogsDataSource-1697966155"
                            }
                        ]
                    },
                    "destinations": {
                        "logAnalytics": [
                            {
                                "workspaceResourceId": "[parameters('workspaces_ya_faz_ama_externalid')]",
                                "name": "DataCollectionEvent"
                            }
                        ]
                    },
                    "dataFlows": [
                        {
                            "streams": [
                                "Microsoft-CommonSecurityLog"
                            ],
                            "destinations": [
                                "DataCollectionEvent"
                            ]
                        }
                    ]
                }
            }
        ]
    }
    
    

 

Install CEF Collector on Linux

 

Install the Common Event Format (CEF) collector on the Linux machine by downloading and running Microsoft's installer script. Review the script before executing it with root privileges:


    sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py && sudo python3 Forwarder_AMA_installer.py
    
 

Configure FortiGate Device

 

Once the Linux machine is configured, set up the FortiGate to send syslog messages in CEF format over TCP port 514 (reliable mode) to the proxy machine:


    config log syslogd setting
        set status enable
        set server "<Linux VM IP address>"
        set mode reliable
        set facility local7
        set format cef
    end
    
 

The facility configured here (local7) must match the facility selected under "Collect" in the Data Collection Rule.

 

Validation and Connectivity Check

 
  • The following command can be run on the FortiGate to check the syslog statistics (messages sent to the syslog server):

    diagnose test application syslogd 4
    
 
  • Restart rsyslog

    sudo systemctl restart rsyslog
    
 
  • Validate that the syslog daemon is configured to listen on the TCP port by reviewing /etc/rsyslog.conf (and the files under /etc/rsyslog.d/). Then confirm that rsyslog is listening on port 514 and that the AMA is listening on port 28330 with the following command (ss -lnptv is an equivalent alternative on systems without netstat):

    netstat -lnptv
    
port-validation-ama.png

 

  • Run the following command in the background to capture messages sent from a logger or a connected device:

    tcpdump -i any port 514 -A -vv &
    
 

After you complete the validation, stop the tcpdump: bring it to the foreground with fg and press Ctrl+C.

  • Verify the correct installation of the connector by running Microsoft's troubleshooting script with the following command:

    sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python3 Sentinel_AMA_troubleshoot.py --cef
    
troubleshooting-ama.png

 

  • Check the data connector page and verify that the DCR is correctly assigned and that logs are being ingested into the CommonSecurityLog table.

dataconnector-validation.png

 

CommonSecurityLog.png

 

You can review this link for more technical details about the FortiGate integration with Microsoft Sentinel.

 

Log Filtering

 

Log forwarding to Microsoft Sentinel can lead to significant ingestion costs, so an efficient filtering mechanism is essential. At the simplest level, you can toggle the traffic log on or off in the FortiGate GUI, direct it to either FortiAnalyzer or a syslog server, and specify the severity level.

 

Additionally, you can undertake more advanced filtering through CLI, allowing for tailored filtering based on specific values. Please refer to the following link.

 

On the Sentinel side, you can select the minimum log level for each facility in the DCR (Collect tab). When you select a log level, Microsoft Sentinel collects logs for the selected level and all levels with higher severity. For example, if you select LOG_ERR, Microsoft Sentinel collects logs for the LOG_ERR, LOG_CRIT, LOG_ALERT, and LOG_EMERG levels.
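The two settings that must agree in this setup are the FortiGate facility and the DCR's facility/minimum-level selection. The following Python script is an added example (not part of the original article or of Microsoft's installer) that models that check offline: it encodes and decodes the syslog PRI header, expands a DCR minimum level into the logLevels list the portal writes (as described in the paragraph above), reads the facility from a FortiGate `config log syslogd setting` block, and decides whether a given CEF message would be collected by the DCR from the ARM template in this article. The CEF sample lines are constructed for illustration, not captured from a device; the send_test_message helper assumes plain newline-framed TCP syslog and is only there for a manual end-to-end test against your collector.

```python
"""Check FortiGate syslog/CEF messages against a Sentinel DCR syslog filter.

Added example, not from the original article. Sample messages below are
constructed; DCR_SYSLOG_SOURCES mirrors properties.dataSources.syslog[]
of the ARM template shown earlier in the article.
"""
import re
import socket

# RFC 5424 facility codes (the ones relevant for syslog forwarding)
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Severity codes 0..7, named the way the DCR portal names them
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

# Mirrors the two syslog data sources in the article's DCR template
DCR_SYSLOG_SOURCES = [
    {"facilityNames": ["local7"],
     "logLevels": ["Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]},
    {"facilityNames": ["nopri"], "logLevels": ["Emergency"]},
]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility: str, severity: str) -> int:
    """Syslog PRI value = facility * 8 + severity (RFC 5424, section 6.2.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: (facility name, severity name)."""
    fac_code, sev_code = divmod(pri, 8)
    facility = next((n for n, c in FACILITIES.items() if c == fac_code),
                    f"facility{fac_code}")  # reserved codes 12-15
    return facility, SEVERITIES[sev_code]


def levels_from_min(min_level: str) -> list:
    """Expand a DCR minimum level into the logLevels list the portal writes.

    Sentinel collects the selected level plus every more severe level, so
    'Error' expands to Error, Critical, Alert, Emergency.
    """
    idx = SEVERITIES.index(min_level)
    return list(reversed(SEVERITIES[: idx + 1]))


def fortigate_facility(config_text: str) -> str:
    """Read 'set facility' from a 'config log syslogd setting' block."""
    m = re.search(r"^\s*set facility (\S+)", config_text, re.MULTILINE)
    return m.group(1) if m else "local7"  # FortiGate default facility


def facility_matches_dcr(config_text: str, sources=DCR_SYSLOG_SOURCES) -> bool:
    """True if the FortiGate facility is collected by at least one DCR source."""
    fac = fortigate_facility(config_text)
    return any(fac in s["facilityNames"] for s in sources)


def build_cef_message(facility: str, severity: str, extension: str) -> str:
    """Constructed FortiGate-style CEF line with a syslog PRI prefix."""
    header = "CEF:0|Fortinet|Fortigate|v7.0.0|0000000013|traffic:forward close|3|"
    return f"<{encode_pri(facility, severity)}>{header}{extension}"


def dcr_accepts(message: str, sources=DCR_SYSLOG_SOURCES) -> bool:
    """True if any DCR syslog data source would collect this message."""
    m = PRI_RE.match(message)
    if not m:
        return False  # no PRI header: rsyslog would not classify it as expected
    facility, severity = decode_pri(int(m.group(1)))
    return any(facility in s["facilityNames"] and severity in s["logLevels"]
               for s in sources)


def send_test_message(message: str, host: str, port: int = 514) -> None:
    """Manual end-to-end test: push one message to the collector over TCP.

    Assumes newline-framed TCP syslog (an assumption, not a FortiGate spec).
    """
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall((message + "\n").encode())


if __name__ == "__main__":
    fgt = "config log syslogd setting\n    set facility local7\n    set format cef\nend"
    print("facility aligned with DCR:", facility_matches_dcr(fgt))
    for fac, sev in [("local7", "Notice"), ("local7", "Info"), ("local0", "Error")]:
        msg = build_cef_message(fac, sev, "src=10.0.0.5 dst=10.0.1.9 act=close")
        print(f"{fac}/{sev}: collected={dcr_accepts(msg)}")
```

Run it as-is to see the three cases: a local7/Notice message is collected, a local7/Info message is dropped by the minimum level, and a local0/Error message is dropped because the facility does not match the DCR even though its severity would qualify. Point send_test_message at your collector's IP to confirm the path with tcpdump on the Linux machine before the FortiGate is connected.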

 

Links

Additional links to documents, tips and deprecated options: