mnovelli
Staff
April 9, 2024

Technical Tip: Modify Collectors' default listening port numbers used by FortiSIEM to ingest logs through the syslog protocol

Description: This article describes how to configure custom listening ports on a Collector to receive logs through the syslog protocol.

Scope: FortiSIEM

Solution:

Open a console or SSH connection to a Collector and follow these steps:

 

  1. Edit the /opt/phoenix/config/phoenix_config.txt file.

  2. Identify the following strings (included in the [BEGIN PHPARSER] section):

# FSM internal parameter; FSM overwrites

listen_port_list=514,6100 #external,internal. Don't change the order and number of this list w/o understanding.

# FSM internal parameter; FSM overwrites

listen_tcp_port_list=514,1470

# FSM upgrade preserves customer changes to parameter value

listen_tcp_timeout=60

# FSM internal parameter; FSM overwrites

listen_tls_port_list=6514

 

 

  3. Change the following values to the custom ports:

  • listen_port_list is the list of UDP listening ports (you can add your port here)
  • listen_tcp_port_list is the list of TCP listening ports (you can add your port here)
  • listen_tls_port_list is the list of TLS listening ports

 

For example, to use 5014 UDP and 5015 UDP as listening ports, use the following configuration:

 

listen_port_list=5014,5015

 

 

  4. Restart FortiSIEM services.

    Stop FortiSIEM services:

phtools --stop all

    Start FortiSIEM services:

phtools --start all

    Check if FortiSIEM services are up and running using the command phstatus. No process should appear in a DOWN state.

 

 

  5. To verify that the configured custom ports are in a LISTEN state, run the following command:

 

netstat -an | grep <custom port>

 

 


 

 

  6. Run the following commands to allow inbound connections to the configured custom port:

 

firewall-cmd --permanent --add-port=<port-number>/<tcp/udp>

firewall-cmd --reload 

 

  7. On the FortiSIEM GUI, use the Analytics tab to check whether events are received from external devices that send logs to the configured Collector custom port.
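
To audit the result of the steps above, the following added example (not Fortinet code) parses the listener lists from the PHPARSER section and reports any declared port that the firewalld port list does not cover. The section delimiters, the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not Fortinet code. Assumes the section opens with a
# "[BEGIN PHPARSER]" line and ends at the next line that starts with "[".

# Print "port/proto" for each syslog listener declared in that section.
declared_listeners() {
    awk '
        { line = $0; sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line) }
        toupper(line) == "[BEGINPHPARSER]" { in_sec = 1; next }
        line ~ /^\[/ { in_sec = 0 }
        !in_sec { next }
        {
            n = index(line, "="); if (!n) next
            key = substr(line, 1, n - 1)
            if (key == "listen_port_list") proto = "udp"
            else if (key ~ /^listen_(tcp|tls)_port_list$/) proto = "tcp"  # TLS runs over TCP
            else next
            m = split(substr(line, n + 1), ports, ",")
            for (i = 1; i <= m; i++)
                if (ports[i] ~ /^[0-9]+$/) print ports[i] "/" proto
        }' "$1"
}

# Print declared listeners not covered by $2 (output of `firewall-cmd --list-ports`).
not_opened() {
    declared_listeners "$1" | while IFS=/ read -r port proto; do
        open=no
        for entry in $2; do
            range=${entry%/*}; lo=${range%-*}; hi=${range#*-}  # "5014" or "6000-6100"
            if [ "${entry#*/}" = "$proto" ] && [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                open=yes; break
            fi
        done
        [ "$open" = yes ] || echo "$port/$proto"
    done
}

# Constructed sample built from the lines shown in step 2 and the UDP example.
sample_config() {
    printf '%s\n' '[BEGIN PHPARSER]' \
        'listen_port_list=5014,5015 #external,internal' \
        'listen_tcp_port_list=514,1470' 'listen_tcp_timeout=60' \
        'listen_tls_port_list=6514' '[END]' 'listen_port_list=9999'
}

# On a Collector (hypothetical script name):
#   sh check_listeners.sh /opt/phoenix/config/phoenix_config.txt
if [ -n "${1:-}" ]; then
    not_opened "$1" "$(firewall-cmd --list-ports)"
fi
```

Ports opened through a firewalld service definition rather than --add-port do not appear in --list-ports, and the second listen_port_list entry is the one the file's comment labels internal, so a reported port is a prompt to check rather than proof of a missing rule.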