FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
RuiChang
Staff
Article Id 380412
Description

 

This article provides a method to monitor Kubernetes logs via log forwarding to FortiSIEM.

 

Scope

 

FortiSIEM.

 

Solution

 

FortiSIEM does not currently have a native Kubernetes integration, so cluster or container logs cannot be pulled from Kubernetes directly. However, because Kubernetes nodes run a Linux or Windows operating system, the FortiSIEM Agent can be installed on the nodes to collect the node operating system logs:

 

Windows Agent Installation:

FortiSIEM Windows Agent

 

Linux Agent Installation:

FortiSIEM Linux Agent

 

Note:

The FortiSIEM Agent only collects the Windows or Linux operating system logs of the node it is installed on. Logs written by the containers running on that node are not forwarded or pulled by the agent.

 

To forward the logs of a container deployed in the Kubernetes cluster, the forwarding must be configured manually on the node that runs the container. The example below uses a Linux node with rsyslog:

 

  1. Configure the Kubernetes logging system (see Logging Architecture). The example below follows the sidecar pattern from that document: an application container appends to a file on a shared emptyDir volume, and a sidecar streams that file to its stdout, which the kubelet records under /var/log/pods on the node.

 

Example YAML configuration (object and container names are lowercase because Kubernetes requires valid DNS labels for them):

 

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: kubernetes-fsm-test
  name: kubernetes-fsm-test
spec:
  containers:
  # Application container: appends a timestamp to the shared file every 5 seconds.
  - image: busybox:1.31.1
    name: fsm-writer
    command:
    - "sh"
    - "-c"
    - "while true; do date >> /data/date.log; sleep 5; done"
    volumeMounts:
    - mountPath: /data
      name: fsm-log
  # Logging sidecar: streams the file to stdout. The kubelet writes it to
  # /var/log/pods/<namespace>_kubernetes-fsm-test_<pod UID>/fsm-container/0.log
  # (touch first so tail does not fail if the writer has not created the file yet).
  - image: busybox:1.31.1
    name: fsm-container
    command:
    - "sh"
    - "-c"
    - "touch /data/date.log && tail -n +1 -f /data/date.log"
    volumeMounts:
    - mountPath: /data
      name: fsm-log
  volumes:
  - name: fsm-log
    emptyDir: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always

 

To create the pod from this manifest, run the following command:

 

kubectl apply -f PATH_OF_YAML

 

  2. Configure /etc/rsyslog.conf (or a drop-in file under /etc/rsyslog.d/) on the node that runs the pod, as below:

 

# Load the file input module; without it the $InputFile* directives below are not recognised
$ModLoad imfile

# Log path
# The kubelet writes container stdout/stderr to
# /var/log/pods/<namespace>_<pod name>_<pod UID>/<container name>/<restart count>.log
# Replace the placeholders with the actual directory names found under /var/log/pods
$InputFileName /var/log/pods/<namespace>_<pod name>_<pod UID>/<container name>/*.log
$InputFileTag <Tag>
# The state file name must be unique for each monitored file
$InputFileStateFile <Tag>

# Replace the <Level> with desired level, reference: https://wiki.gentoo.org/wiki/Rsyslog#Severity
$InputFileSeverity <Level>

# Replace the <Linux facility> with desired integer, reference: https://wiki.gentoo.org/wiki/Rsyslog#Facility
$InputFileFacility <Linux facility>
$InputRunFileMonitor

# Syslog destination
# Replace <FSM IP> with the FortiSIEM Collector/Supervisor IP or FQDN
# A single @ sends over UDP; use @@ for TCP.
# Note: *.* forwards every local syslog message as well as the container log;
# narrow the selector (for example to the facility chosen above) if that is not wanted.
*.* @<FSM IP>:514

 

  3. Restart the rsyslog service on the node so the new input and destination take effect:

 

systemctl restart rsyslog.service

 

FortiSIEM should then show the forwarded container log lines in ANALYTICS, arriving from the node's IP with the configured tag.

 

Note:

Kubernetes logs are not fully supported yet: FortiSIEM has no built-in parser for arbitrary applications running in containers, and the lines rsyslog reads from /var/log/pods still carry the container runtime's on-disk framing (for containerd and CRI-O a timestamp, stream and partial/full flag prefix; for the legacy Docker json-file driver a JSON wrapper) in front of the application message.

If the forwarded events appear as Unknown_EventType in FortiSIEM, create a custom parser for the container's log format:

Creating a Custom Parser
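What rsyslog forwards from /var/log/pods is not the application's bare line but the record the container runtime wrote, so a custom parser has to unwrap that framing first. The following Python, added here as an illustration (it is not FortiSIEM or Kubernetes project code), parses both on-disk formats the kubelet can produce, joins the partial records that containerd and CRI-O emit for long lines, and recovers namespace, pod, container and restart count from the log file path. The sample lines, pod UID and path are constructed for this example.

```python
"""
Unwrap the container log records the kubelet writes under /var/log/pods.

Added example, not FortiSIEM or Kubernetes code. Two on-disk formats are handled:
  * CRI format (containerd, CRI-O):
      <RFC3339 timestamp> <stdout|stderr> <F|P> <message>
    'P' marks a partial record (the runtime split a long line), 'F' the
    final record that completes the logical line.
  * Docker json-file format (legacy dockershim):
      {"log":"<message>\n","stream":"stdout","time":"<RFC3339 timestamp>"}
"""
import json
import re
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

CRI_LINE = re.compile(r"^(\S+) (stdout|stderr) ([FP]) ?(.*)$")

# /var/log/pods/<namespace>_<pod name>_<pod UID>/<container name>/<restart count>.log
# (namespace and pod names are DNS labels, so they never contain '_')
POD_LOG_PATH = re.compile(
    r"^/var/log/pods/([^/_]+)_([^/_]+)_([^/]+)/([^/]+)/(\d+)\.log$"
)


@dataclass
class ContainerLogEvent:
    timestamp: str  # as written by the runtime; empty if the line was not recognised
    stream: str     # "stdout", "stderr" or "unknown"
    message: str    # the application's own line, without runtime framing


def parse_log_path(path: str) -> Dict[str, object]:
    """Recover pod metadata from the kubelet log file path."""
    m = POD_LOG_PATH.match(path)
    if not m:
        raise ValueError(f"not a kubelet pod log path: {path}")
    namespace, pod, uid, container, restart = m.groups()
    return {"namespace": namespace, "pod": pod, "pod_uid": uid,
            "container": container, "restart_count": int(restart)}


def parse_container_log(lines: Iterable[str]) -> Iterator[ContainerLogEvent]:
    """Yield one event per logical application line, joining CRI partial records."""
    pending: Dict[str, Tuple[str, List[str]]] = {}  # stream -> (first timestamp, chunks)
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("{"):
            try:
                rec = json.loads(line)
                yield ContainerLogEvent(rec["time"], rec["stream"], rec["log"].rstrip("\n"))
                continue
            except (ValueError, KeyError, AttributeError):
                pass  # not a json-file record; try the CRI format
        m = CRI_LINE.match(line)
        if not m:
            # Neither format: pass the raw line through so nothing is silently dropped.
            yield ContainerLogEvent("", "unknown", line)
            continue
        ts, stream, flag, chunk = m.groups()
        if flag == "P":
            _, chunks = pending.setdefault(stream, (ts, []))
            chunks.append(chunk)
            continue
        if stream in pending:
            first_ts, chunks = pending.pop(stream)
            ts, chunk = first_ts, "".join(chunks) + chunk
        yield ContainerLogEvent(ts, stream, chunk)


def enrich(path: str, lines: Iterable[str]) -> List[Dict[str, object]]:
    """Path metadata merged with each event: the record a custom parser should yield."""
    meta = parse_log_path(path)
    return [{**meta, **asdict(ev)} for ev in parse_container_log(lines)]


# Constructed sample (pod UID and contents are made up): a pod named
# kubernetes-fsm-test in the default namespace whose sidecar tails a date log,
# plus one legacy Docker json-file record for comparison.
SAMPLE_PATH = ("/var/log/pods/default_kubernetes-fsm-test_"
               "0b8a1c2d-3e4f-4a5b-8c6d-7e8f9a0b1c2d/fsm-container/0.log")
SAMPLE_LINES = [
    "2025-03-05T03:37:26.123456789Z stdout F Wed Mar  5 03:37:26 UTC 2025",
    "2025-03-05T03:37:31.000000001Z stdout P first half of a long line, ",
    "2025-03-05T03:37:31.000000002Z stdout F second half",
    "2025-03-05T03:37:32.000000000Z stderr F tail: warning",
    '{"log":"docker style line\\n","stream":"stdout","time":"2025-03-05T03:37:33.000000000Z"}',
]

if __name__ == "__main__":
    for record in enrich(SAMPLE_PATH, SAMPLE_LINES):
        print(record)
```

The partial-record join matters in practice: containerd splits application lines longer than its configured maximum into several `P` records followed by one `F` record, and a parser that treats each record as an event will produce truncated messages and spurious event counts. Lines in neither format are passed through with stream `unknown` rather than discarded, so a parser mismatch shows up in FortiSIEM instead of disappearing.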

 

Related documents:

Logging Architecture

Creating a Custom Parser