Configuring FortiAnalyzer to accept FortiClients' logs

tsimeonov_FTNT · ‎02-15-2017

This article covers a basic setup steps allowing FortiAnalyzer (FAZ) to accept FortiClients (FCT) logs.

FAZ collects FCT logs into FortiClient ADOM. They logs are stored under the EMS's serial number managing the FortiClients.

And in order to do so the EMS needs to be registered at the FAZ.

FAZ collects FCT logs into FortiClient ADOM. They are stored under the EMS serial number managing these FortiClients. In order to do so the EMS needs to be registered at the FAZ.

[ol]

Enter FortiClient ADOM FAZ_GUI\System Settings\All ADOMs\<right click on FortiClient>\Enter ADOM\

Registering EMS on FAZ FAZ_GUI\Device Manager\Add Device\...enter EMS IP, serial number, etc

Configure EMS to have FAZ IP and log settings properties send to FCTs. EMS > Endpoint Profiles> EMS Profiles > <select profile> > System Settings > Log Settings > <enable Upload Logs to FortiAnalyzer/FortiManager>...

Deploy FortiClient profile.

Verification[ul]

After scheduled time the logs should be available on FAZ. GUI\Log View\Log Browse\. FCT sends log file(s) to FAZ according scheduled settings configured in step 3. It uses tcp 514. (FCT for Chromebook is scheduled to be supported in FAZ 5.6.1+)

A sniffer on FAZ could be used to verify if FCT logs are arriving FAZ#diagnose sniffer packet any 'host <FCT IP> and tcp and port 514'[/ul][/ol]

apolis · ‎01-16-2018

Hello,

I followed your steps to add EMS to FAZ. Is it normal if EMS status in FAZ showing "Log Status Down" and Real-Time have red circle?

Thanks.

hzhao_FTNT · ‎01-16-2018

Hi there,

It depends on your "upload schedule" on EMS profile setting. Currently if one device didn't receive logs for 15min, it will be marked as "Log Status Down".

regards,

hz

Configuring FortiAnalyzer to accept FortiClients' logs

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website