FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Article Id: 309104
Description: This article describes how to configure custom listening ports on a Collector to receive logs through the syslog protocol.
Scope: FortiSIEM

Open a console or SSH connection to a Collector and follow these steps:


  1. Edit the /opt/phoenix/config/phoenix_config.txt file.

  2. Locate the following parameters in the [BEGIN PHPARSER] section:

# FSM internal parameter; FSM overwrites

listen_port_list=514,6100 #external,internal. Don't change the order and number of this list w/o understanding.

# FSM internal parameter; FSM overwrites


# FSM upgrade preserves customer changes to parameter value


# FSM internal parameter; FSM overwrites




  3. Change the following values to the custom ports:


  • listen_port_list is the list of UDP listening ports (you can add your port here)
  • listen_tcp_port_list is the list of TCP listening ports (you can add your port here)
  • listen_tls_port_list is the list of TLS listening ports


For example, to use 5014 UDP and 5015 UDP as listening ports, use the following configuration:





  4. Restart FortiSIEM services.

    Stop FortiSIEM services: 

phtools --stop all


Start FortiSIEM services: 


phtools --start all



Check if FortiSIEM services are up and running using the command phstatus. No process should appear in a DOWN state.



  5. To verify that the configured custom ports are in a LISTEN state, run the following command:


netstat -an | grep <custom port>






  6. Run the following commands to allow inbound connections to the configured custom port:


firewall-cmd --permanent --add-port=<port-number>/<tcp/udp>

firewall-cmd --reload 


  7. On the FortiSIEM GUI, use the Analytics tab to check whether events are received from external devices that send logs to the custom port configured on the Collector.
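
The socket and firewall checks in steps 5 and 6 can be scripted so that every configured port is compared against what is actually bound and what firewalld allows. This is an added example, not part of the original article or of Fortinet tooling: the function names and sample values are constructed, and it assumes TLS syslog ports are TCP sockets and that `firewall-cmd --list-ports` reports the zone the Collector uses.

```sh
# Added example, not Fortinet code. Compares the ports configured in
# phoenix_config.txt with bound sockets and firewalld's open ports.

# Print the ports of one *_port_list key (config text on stdin), one per line.
ports_for_key() {   # $1=key
    sed -n "s/^[[:space:]]*$1=\([0-9, ]*\).*/\1/p" | tr ', ' '\n\n' | grep -E '^[0-9]+$'
}

# Succeed if `netstat -an` output on stdin has a socket bound to proto/port.
# UDP rows have an empty State column, so only TCP rows must say LISTEN.
is_bound() {   # $1=tcp|udp  $2=port
    awk -v proto="$1" -v port="$2" '
        index($1, proto) == 1 {
            n = split($4, part, ":")
            if (part[n] == port && (proto == "udp" || $6 == "LISTEN")) found = 1
        }
        END { exit !found }'
}

# Succeed if "port/proto" is in `firewall-cmd --list-ports` output ($3).
is_open() {   # $1=proto  $2=port  $3=port list
    case " $3 " in *" $2/$1 "*) return 0 ;; *) return 1 ;; esac
}

# Print one line per configured port; fail if any configured port is unbound.
audit() (   # $1=config text  $2=netstat -an text  $3=firewalld port list
    status=0
    for entry in listen_port_list:udp listen_tcp_port_list:tcp listen_tls_port_list:tcp; do
        key=${entry%%:*} proto=${entry#*:}   # assumption: TLS syslog rides on TCP
        for port in $(printf '%s\n' "$1" | ports_for_key "$key"); do
            bound=no fw=no
            printf '%s\n' "$2" | is_bound "$proto" "$port" && bound=yes
            is_open "$proto" "$port" "$3" && fw=yes
            [ "$bound" = yes ] || status=1
            echo "$key $port/$proto bound=$bound firewalld=$fw"
        done
    done
    exit "$status"
)

CONFIG=/opt/phoenix/config/phoenix_config.txt
if [ -r "$CONFIG" ] && command -v firewall-cmd >/dev/null; then
    audit "$(cat "$CONFIG")" "$(netstat -an)" "$(firewall-cmd --list-ports)"
else   # off-box: constructed sample (5014 is bound but missing from firewalld)
    audit 'listen_port_list=514,6100,5014 #external,internal' \
          'udp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:6100 0.0.0.0:*
udp6 0 0 :::5014 :::*' '514/udp 6100/udp'
fi
```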