FortiSIEM Discussions
eunsoo
New Contributor

How to export analyzed FortiAnalyzer threat events to external SIEM (not raw log forwarding)

Hello Fortinet Community,

We are currently using **FortiAnalyzer v7.2.5 (build 1574)** and want to forward **analyzed threat data**, not raw traffic logs, to an external SIEM (Zenius).

Instead of using simple syslog forwarding for FortiGate traffic logs, we would like to selectively send **enriched and detected events generated by FortiAnalyzer itself**. Specifically, we are interested in forwarding:

1. **All Events** shown in **FortiSoC > Event Monitor > All Events**
2. **IPS logs with CVE-ID** (Log View > Security > Intrusion Prevention)
3. **High session count per source/destination** (e.g., more than 10,000 sessions within 10 minutes, from FortiView > Traffic > Top Sources/Destinations)

We attempted Log Forwarding (Syslog and CEF), but only raw logs are transmitted, and enriched fields such as `eventmsg`, `cve-id`, or `threat score` are missing.

Also, we checked that the **Event Handler UI currently does not allow setting a "Send to Syslog Server" action**.

**Questions:**
- Is it possible to export only FortiAnalyzer-detected or enriched events to an external SIEM?
- If so, what is the correct way to configure this? (via Event Handler, Playbook, or CLI?)
- Are there limitations in v7.2.5 that require a firmware upgrade?

Any guidance or documentation would be greatly appreciated.

Thank you!
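The three event types the question lists (FortiSoC events, IPS logs with a CVE-ID, and sources exceeding 10,000 sessions in 10 minutes) are the kind of enrichment FortiAnalyzer computes on top of the raw FortiGate logs, which is why plain syslog/CEF log forwarding never carries them. The script below is an added example, not code from the forum post or from Fortinet: it shows what that enrichment looks like when done by hand over constructed FortiGate-style key=value log lines, and how the result is serialised as CEF so that the `eventmsg` and `cve-id` fields survive the trip to the SIEM. The attack ids, the attack-id-to-CVE table, the sample IPs and the CEF vendor/product strings are all placeholders invented for the example.

```python
"""Threshold detection and CEF emission over constructed FortiGate-style logs.

Added example, not FortiAnalyzer's own logic. Everything below (log lines,
IPs, attack ids, CVE mapping, vendor strings) is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
WINDOW = timedelta(minutes=10)
SESSION_THRESHOLD = 10000  # "more than 10,000 sessions within 10 minutes"

# Hypothetical stand-in for the IPS signature metadata FortiAnalyzer uses to
# attach a CVE-ID; the ids and CVE strings are placeholders, not real mappings.
IPS_SIGNATURE_CVES = {"12345": ["CVE-0000-0001"], "12346": []}


def parse_kv(line):
    """Parse a FortiGate key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_ts(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def detect_high_session_sources(lines, threshold=SESSION_THRESHOLD):
    """Count distinct sessions per source in tumbling 10-minute windows and
    return one enriched event per (source, window) that exceeds the threshold."""
    sessions = defaultdict(set)  # (srcip, window_start) -> session ids
    for line in lines:
        rec = parse_kv(line)
        if rec.get("type") != "traffic" or "srcip" not in rec:
            continue
        ts = parse_ts(rec)
        window = ts.replace(minute=ts.minute - ts.minute % 10, second=0, microsecond=0)
        sessions[(rec["srcip"], window)].add(rec.get("sessionid", line))
    events = []
    for (src, window), ids in sorted(sessions.items()):
        if len(ids) > threshold:
            events.append({
                "srcip": src, "sessions": len(ids),
                "window_start": window, "window_end": window + WINDOW,
                "eventmsg": f"High session count: {len(ids)} sessions from {src} in 10 minutes",
            })
    return events


def enrich_ips(line):
    """Attach eventmsg and cve-id to an IPS log; None for non-IPS lines."""
    rec = parse_kv(line)
    if rec.get("type") != "utm" or rec.get("subtype") != "ips":
        return None
    cves = IPS_SIGNATURE_CVES.get(rec.get("attackid", ""), [])
    return {**rec, "cve-id": ",".join(cves), "eventmsg": rec.get("attack", "IPS event")}


def cef_escape(value, header=False):
    """CEF escaping: '\\' and '|' in header fields; '\\', '=' and newlines in
    extensions. Unescaped field values would let a log line forge CEF fields."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def to_cef(sig_id, name, severity, ext):
    # Placeholder vendor/product/version strings, not a real device identity.
    head = (f"ExampleVendor", "EventForwarder", "1.0", sig_id, name, severity)
    header = "|".join(cef_escape(v, header=True) for v in head)
    extension = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def session_event_to_cef(ev):
    return to_cef("high-session-count", "High session count per source", 7, {
        "src": ev["srcip"], "cnt": ev["sessions"],
        "start": int(ev["window_start"].timestamp() * 1000),
        "end": int(ev["window_end"].timestamp() * 1000),
        "cs1Label": "eventmsg", "cs1": ev["eventmsg"],
    })


def ips_event_to_cef(rec):
    return to_cef(rec.get("attackid", "ips"), rec["eventmsg"], 9, {
        "src": rec.get("srcip", ""), "dst": rec.get("dstip", ""),
        "cs1Label": "eventmsg", "cs1": rec["eventmsg"],
        "cs2Label": "cve-id", "cs2": rec["cve-id"],
    })


def make_sample_lines():
    """Constructed input: 10,001 sessions from one source inside one 10-minute
    window, one quiet source, and one IPS detection."""
    base = datetime(2025, 1, 15, 10, 0, 0)
    lines = []
    for i in range(10001):
        ts = base + timedelta(seconds=i % 600)
        lines.append(f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} type="traffic" subtype="forward" '
                     f'srcip=10.0.0.5 dstip=203.0.113.10 sessionid={100000 + i} action="accept"')
    lines.append('date=2025-01-15 time=10:02:00 type="traffic" subtype="forward" '
                 'srcip=10.0.0.6 dstip=203.0.113.10 sessionid=5 action="accept"')
    lines.append('date=2025-01-15 time=10:03:00 type="utm" subtype="ips" srcip=198.51.100.7 '
                 'dstip=10.0.0.20 attackid=12345 attack="Example.Signature.Name" severity="critical"')
    return lines


if __name__ == "__main__":
    lines = make_sample_lines()
    for ev in detect_high_session_sources(lines):
        print(session_event_to_cef(ev))
    for line in lines:
        ips = enrich_ips(line)
        if ips:
            print(ips_event_to_cef(ips))
```

The session counter keys on distinct `sessionid` per source and tumbling 10-minute window, so repeated log lines for the same session do not inflate the count. The enriched values travel in CEF custom-string fields (`cs1Label=eventmsg`, `cs2Label=cve-id`), which is the usual way to carry vendor-specific fields to a SIEM without losing them; the escaping in `cef_escape` matters because an attacker-controlled value such as a URL or signature name in a log line would otherwise be able to inject extra CEF fields.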

Stephen_G
Moderator

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

If anyone viewing this topic has any knowledge on this, I encourage you to reply.

Thanks,

Stephen - Fortinet Community Team