Help
FortiSIEM Discussions
Ricardo_forigua
New Contributor II

Created on ‎12-27-2023 05:22 AM

Modify rule "No logs from a device"

Hi, I would like to understand the FortiSIEM rule "No logs from a device" which I think is when a device stops sending logs for 10 minutes, I have many alerts and I want to increase the time from 10 minutes to 1 hour, How i can do it?

261
0 Kudos
1 Solution
cdurkin_FTNT
Staff
Staff

Created on ‎12-27-2023 06:45 AM

2 Options ..

 

1) Globally (for every device)

 

Admin / Device Support / Custom Properties

 

Change the 'EventRecvTimeGapHigh' setting, which defaults to 10 minutes.

 

 

2) Per Individual Device 

 

CMDB / Devices  ..  Edit Device / Device Properties

 

Change the ..

'Event Receive Time Gap High Threshold minutes'. Setting per device.

 

More admin with this method, but you can define a threshold per device.

 

 

 

ie: If a FW has not delivered syslog in the last 5 minutes .. its a issue.

     If a layer 2 switch has not delivered syslog in the last 72 hours .. it might be normal behavior.

View solution in original post

242
0 Kudos
1 REPLY 1
cdurkin_FTNT
Staff
Staff

Created on ‎12-27-2023 06:45 AM

2 Options ..

 

1) Globally (for every device)

 

Admin / Device Support / Custom Properties

 

Change the 'EventRecvTimeGapHigh' setting, which defaults to 10 minutes.

 

 

2) Per Individual Device 

 

CMDB / Devices  ..  Edit Device / Device Properties

 

Change the ..

'Event Receive Time Gap High Threshold minutes'. Setting per device.

 

More admin with this method, but you can define a threshold per device.

 

 

 

ie: If a FW has not delivered syslog in the last 5 minutes .. its a issue.

     If a layer 2 switch has not delivered syslog in the last 72 hours .. it might be normal behavior.

243
0 Kudos
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.