Configuring FortiAnalyzer to accept FortiClients' logs
This article covers the basic setup steps that allow FortiAnalyzer (FAZ) to accept FortiClient (FCT) logs.
FAZ collects FCT logs into the FortiClient ADOM. The logs are stored under the serial number of the EMS that manages those FortiClients, so the EMS must be registered on the FAZ first.
1. Enter the FortiClient ADOM
   FAZ_GUI\System Settings\All ADOMs\<right click on FortiClient>\Enter ADOM\
2. Register the EMS on the FAZ
   FAZ_GUI\Device Manager\Add Device\... enter the EMS IP, serial number, etc.
3. Configure the EMS with the FAZ IP and the log settings it will push to the FortiClients.
   EMS > Endpoint Profiles > EMS Profiles > <select profile> > System Settings > Log Settings > <enable Upload Logs to FortiAnalyzer/FortiManager> ...
4. Deploy the FortiClient profile.
5. After the scheduled upload time the logs should be visible on the FAZ under GUI\Log View\Log Browse\.

FCT sends its log file(s) to the FAZ according to the schedule configured in step 3, over TCP port 514.
(FortiClient for Chromebook is scheduled to be supported in FAZ 5.6.1+.)

A sniffer on the FAZ can be used to verify that FCT logs are arriving:
FAZ# diagnose sniffer packet any 'host <FCT IP> and tcp and port 514'
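As an added example (not part of the original article), the following Python script summarises sniffer output pasted from the check above: it lists which client IPs sent TCP traffic to the FAZ on port 514 and whether a given FortiClient got past the three-way handshake and actually pushed data, which separates "the client reached the FAZ" from "the client tried and was blocked". The sample output is constructed; the line form `<time> <iface> <in|out> <src>.<port> -> <dst>.<port>: <flags>` is an assumption about the sniffer's text format, and the FAZ IP 10.10.1.5 and the client IPs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of sniffer output (not a real capture). The packet lines
# are assumed to follow the form "<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>".
# 10.10.1.5 stands in for the FAZ; 10.10.20.15 and 10.10.20.31 for two FortiClients.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 10.10.20.15 and tcp and port 514]
0.412388 port1 in 10.10.20.15.49322 -> 10.10.1.5.514: syn 1234567890
0.412410 port1 out 10.10.1.5.514 -> 10.10.20.15.49322: syn 2345678901 ack 1234567891
0.413102 port1 in 10.10.20.15.49322 -> 10.10.1.5.514: ack 2345678902
0.415770 port1 in 10.10.20.15.49322 -> 10.10.1.5.514: psh 1234567891 ack 2345678902
7.990215 port1 in 10.10.20.31.50118 -> 10.10.1.5.514: syn 3456789012
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<flags>.*)$"
)


def parse_sniffer(text):
    """Yield one dict per packet line; header lines such as interfaces=[...] are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def log_senders(text, faz_ip, port=514):
    """Map each client IP that sent inbound TCP packets to faz_ip:port -> packet count."""
    counts = defaultdict(int)
    for pkt in parse_sniffer(text):
        if pkt["dir"] == "in" and pkt["dst"] == faz_ip and pkt["dport"] == port:
            counts[pkt["src"]] += 1
    return dict(counts)


def handshake_completed(text, faz_ip, fct_ip, port=514):
    """True when the client sent SYN, the FAZ answered SYN/ACK, and the client then
    pushed data (psh). A lone SYN means the client tried but never delivered a log."""
    saw_syn = saw_synack = saw_data = False
    for pkt in parse_sniffer(text):
        flags = pkt["flags"].split()
        first = flags[0] if flags else ""
        if pkt["src"] == fct_ip and pkt["dst"] == faz_ip and pkt["dport"] == port:
            saw_syn = saw_syn or first == "syn"
            saw_data = saw_data or first == "psh"
        elif pkt["src"] == faz_ip and pkt["sport"] == port and pkt["dst"] == fct_ip:
            saw_synack = saw_synack or (first == "syn" and "ack" in flags)
    return saw_syn and saw_synack and saw_data


if __name__ == "__main__":
    faz = "10.10.1.5"
    senders = log_senders(SAMPLE_SNIFFER_OUTPUT, faz)
    for client, n in sorted(senders.items()):
        state = "delivered data" if handshake_completed(SAMPLE_SNIFFER_OUTPUT, faz, client) else "no data delivered"
        print(f"{client}: {n} packet(s) to {faz}:514, {state}")
```

Paste the real sniffer output into the script (or read it from a file) in place of the constructed sample; a client that shows only a SYN and no SYN/ACK usually points at a firewall or routing issue between the endpoint and the FAZ rather than at the EMS profile.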