SSL-VPN succssfully login is not detected by FortiSIEM

Ireda1 · ‎10-30-2024

Dears

I have Fortigate integrated with FortiSIEM as external logging.

- In FortiSIEM, for SSL-VPN:

1- failure logins detected and we can show failure logging.

2- Succsse log is not shown

On FortiGate > log and reporting > setttings ----ALL

How can we show the successfully login on fortiSIEM?

Stephen_G · ‎11-03-2024

Hi Ireda1,

I have moved your topic to the FortiSIEM discussions board, where you are more likely to receive a relevant reply.

Kind regards,

Stephen - Fortinet Community Team

Secusaurus · ‎11-03-2024

Hello @Ireda1,

Unless you are using log filtering on the FSM, these events should be there. Every event you can see in the FortiGate log is forwarded via syslog to the SIEM (or using the hop through the FortiAnalyzer). Have a look at the parameters in the logs of the FortiGate and pick a value which you won't likely see in other logs (e.g. remote ip), do a Analytics-search on the FSM in "Raw Log" "contains" and your value. You should see the events, even if they are not parsed.

It should be in the event types category successful vpn logins (CMDB), but I assume you already searched for them.

The FortiGate parser has changed in the last couple of versions from time to time, so check for the correct event type. Could be that you just picked one from another version.

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner

SSL-VPN succssfully login is not detected by FortiSIEM

Nominate a Forum Post for Knowledge Article Creation