Fortinet Forum
tsimeonov_FTNT

Configuring FortiAnalyzer to accept FortiClients' logs

This article covers the basic setup steps that allow FortiAnalyzer (FAZ) to accept FortiClient (FCT) logs.

FAZ collects FCT logs into the FortiClient ADOM. They are stored under the serial number of the EMS managing these FortiClients. In order to do so, the EMS needs to be registered on the FAZ.

1. Enter the FortiClient ADOM: FAZ_GUI\System Settings\All ADOMs\<right click on FortiClient>\Enter ADOM\
2. Register the EMS on FAZ: FAZ_GUI\Device Manager\Add Device\... enter EMS IP, serial number, etc.
3. Configure EMS with the FAZ IP and the log settings to send to the FCTs: EMS > Endpoint Profiles > EMS Profiles > <select profile> > System Settings > Log Settings > <enable Upload Logs to FortiAnalyzer/FortiManager>...
4. Deploy the FortiClient profile.
5. Verification:
  • After the scheduled time the logs should be available on FAZ: GUI\Log View\Log Browse\. FCT sends its log file(s) to FAZ according to the schedule configured in step 3. It uses TCP 514. (FCT for Chromebook is scheduled to be supported in FAZ 5.6.1+)
  • A sniffer on FAZ can be used to verify whether FCT logs are arriving:
    FAZ# diagnose sniffer packet any 'host <FCT IP> and tcp and port 514'

    apolis

    Hello,

     

    I followed your steps to add EMS to FAZ. Is it normal if the EMS status in FAZ is showing "Log Status Down" and Real-Time has a red circle?

     

    Thanks.

    hzhao_FTNT

    Hi there,

     

    It depends on your "upload schedule" in the EMS profile setting. Currently, if no logs are received from a device for 15 min, it will be marked as "Log Status Down".

     

    regards,

    hz
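As an added example (not from the post or any Fortinet tool), the script below ties the verification step (FCT uploads on TCP 514 to FAZ) to the 15-minute "Log Status Down" rule from the reply: it reads sniffer-style capture lines, records the last upload per endpoint, and flags endpoints that have been silent longer than the window. The capture line format, the FAZ address 10.0.0.5 and the endpoint addresses are constructed assumptions; adjust the regex to the real sniffer output.

```python
"""Constructed check: are FortiClient log uploads reaching FortiAnalyzer on
TCP 514, and which endpoints would FAZ show as "Log Status Down" (no logs
for 15 minutes)?  The capture format below is an assumption, not real
'diagnose sniffer packet' output."""
from datetime import datetime, timedelta
import re

FAZ_IP = "10.0.0.5"              # assumed FAZ address
LOG_PORT = 514                   # FCT log upload port stated in the post
DOWN_AFTER = timedelta(minutes=15)  # threshold stated in the reply

# Constructed capture lines: "<timestamp> <src>.<sport> -> <dst>.<dport>: ..."
SAMPLE_CAPTURE = """\
2024-03-01 10:00:01.123 192.168.1.20.51200 -> 10.0.0.5.514: psh 100
2024-03-01 10:02:15.456 192.168.1.21.51201 -> 10.0.0.5.514: psh 100
2024-03-01 10:05:00.000 192.168.1.22.40000 -> 10.0.0.5.443: syn
2024-03-01 10:14:30.789 192.168.1.20.51202 -> 10.0.0.5.514: psh 100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")


def last_upload_per_endpoint(capture, faz_ip=FAZ_IP, port=LOG_PORT):
    """Return {endpoint_ip: datetime of its last packet to faz_ip:port}."""
    seen = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != faz_ip or int(m["dport"]) != port:
            continue  # not FCT log traffic towards FAZ (e.g. the 443 line)
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["src"] not in seen or ts > seen[m["src"]]:
            seen[m["src"]] = ts
    return seen


def log_status(capture, expected_endpoints, now):
    """Map each expected endpoint to 'up' or 'down' as FAZ would show it."""
    last = last_upload_per_endpoint(capture)
    return {ip: "up" if ip in last and now - last[ip] <= DOWN_AFTER else "down"
            for ip in expected_endpoints}


def example_status():
    """Evaluate the constructed capture at 10:20:00 on the same day."""
    now = datetime(2024, 3, 1, 10, 20, 0)
    return log_status(SAMPLE_CAPTURE,
                      ["192.168.1.20", "192.168.1.21", "192.168.1.22"], now)


if __name__ == "__main__":
    for ip, state in example_status().items():
        print(ip, state)
```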