FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Cayazo
Staff
Article Id 344977
Description: This article describes the steps to configure IBM QRadar as the Syslog server of the FortiGate.
Scope: FortiGate, IBM QRadar.
Solution

To set up IBM QRadar as the Syslog server for FortiGate to send its logs to, follow the steps:

Step 1: Configure IBM QRadar to Receive Syslog Messages.

  • Create a Log Source in QRadar.
    Log in to the QRadar Console. In the Admin tab, go to Data Sources -> Log Sources.

Select 'New Log Source'.

Select 'Single Log Source'.

Search for the FortiGate.

Choose the 'Syslog' protocol.

Here, it is necessary to fill out these boxes:

Name: Give the log source a name, such as 'FortiGate Syslog'.
Description: A description that identifies the FortiGate sending the logs.
Enabled: Enables or disables the log source.
Groups: If groups of log sources are already configured, one can be chosen here.
Events Coalescing: Enable or disable it depending on how duplicate events should be handled.

Log Source Identifier: Type the IP address of the FortiGate device. Select Save.

If the log source shows as 'Not Available', the changes must be deployed from the Admin tab.

  • Syslog Port Configuration.
    QRadar needs to listen on the appropriate port for Syslog, usually UDP 514 or TCP 514. This can be verified at Admin -> System Settings. If necessary, enable listening on an alternate port by changing firewall rules on QRadar.

Step 2: Configure FortiGate to Send Syslog to QRadar.

Log in to the FortiGate device via a CLI or GUI.

  • Add Syslog Server in FortiGate (CLI).
    It is required to define QRadar as a Syslog server in the FortiGate configuration.

config log syslogd setting
    set status enable
    set server <QRadar_IP>                      ---> IP address of the QRadar server.
    set mode <udp | reliable | legacy-reliable> ---> udp, or reliable (TCP, RFC 6587) / legacy-reliable (RFC 3195); match the protocol configured in the QRadar log source.
    set port <port>                             ---> Port 514 is the default Syslog port.
    set facility local7                         ---> Another facility can be chosen if necessary.
    set format default                          ---> Use the default Syslog format.
end

  • Configure Syslog Filtering (Optional).
    It is possible to filter which logs are sent, for example the minimum severity and the forward and local traffic logs:

config log syslogd filter
    set severity information    ---> Minimum severity to send; logs at this level and more severe (notice, warning, critical, ...) are forwarded.
    set forward-traffic enable  ---> Send forward traffic logs (traffic passing through the FortiGate).
    set local-traffic enable    ---> Send local traffic logs (traffic to and from the FortiGate itself).
end
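As an added check (example code written for this article, not part of it or of FortiOS), the parser below decodes a FortiGate default-format syslog line as QRadar would receive it, recovers the facility set by `set facility local7`, and applies the same minimum-severity and traffic-subtype logic as the `config log syslogd filter` block above. The sample line is constructed and the device ID is a placeholder.

```python
import re
from typing import Any, Dict

# RFC 5424 facility/severity names. FortiGate's "set facility local7" gives facility code 23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# FortiGate log levels, most to least severe (the "level=" field and "set severity" values).
FGT_LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "information", "debug"]

# key=value pairs of the default format: quoted values may contain spaces, bare ones may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_syslog(line: str) -> Dict[str, Any]:
    """Split a FortiGate default-format syslog line into its PRI parts and key=value fields."""
    m = re.match(r"<(\d+)>(.*)", line.strip())
    if not m:
        raise ValueError("missing syslog PRI header")
    pri, body = int(m.group(1)), m.group(2)
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(body)}
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7], "fields": fields}

def passes_syslogd_filter(fields: Dict[str, str], severity: str = "information",
                          forward_traffic: bool = True, local_traffic: bool = True) -> bool:
    """Mirror the 'config log syslogd filter' settings: minimum severity plus traffic subtypes.
    Only the two traffic categories shown in the article are modelled; other types pass through."""
    if FGT_LEVELS.index(fields.get("level", "debug")) > FGT_LEVELS.index(severity):
        return False
    if fields.get("type") == "traffic":
        if fields.get("subtype") == "forward":
            return forward_traffic
        if fields.get("subtype") == "local":
            return local_traffic
    return True

# Constructed sample: one forward-traffic log sent with facility local7 (PRI 189 = 23*8 + 5).
SAMPLE_LINE = ('<189>date=2024-09-27 time=01:54:53 devname="FGT-LAB" devid="FG-PLACEHOLDER" '
               'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
               'srcip=10.0.0.5 srcport=51234 dstip=192.0.2.10 dstport=443 proto=6 '
               'action="accept" policyid=1 service="HTTPS" msg="constructed sample message"')

if __name__ == "__main__":
    parsed = parse_fortigate_syslog(SAMPLE_LINE)
    print(parsed["facility"], parsed["severity"], parsed["fields"]["srcip"], "->", parsed["fields"]["dstip"])
    print("forwarded with default filter:", passes_syslogd_filter(parsed["fields"]))
```

Pointing the FortiGate at a host running a plain UDP listener that feeds lines into this parser confirms the facility, format and filter before the QRadar log source is expected to show events.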

  • Adding a Syslog Server using the FortiGate GUI.
    It is also possible to configure Syslog from the FortiGate GUI:

Log in to the FortiGate GUI.
Go to Log & Report -> Log Settings.
On the configuration page, select Add Syslog in Remote Logging and Archiving.

Input the IP address of the QRadar server. Select Apply.

Related article:

Troubleshooting Tip: Syslog and log trouble shooting via CLI

Comments
MaryBolano
Staff

Excellent article @Cayazo !! Keep up the great job!!!

GILMENDO
Staff

Excellent contribution @Cayazo