Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adem_netsys
Contributor

Log Source SIEM

Hi guys,

 

In fortisiem, some of the log sources are sent to supervisor and some to collector. Is there any way to see this on the GUI other than getting a dump?

2 Solutions
Richie_C

Hi 

I'm thinking that you could achieve it with an analytics search. I don't actually have a collector in my test setup, but my idea is to search all logs and then aggregate the search with reporting IP and collector name or collector id. Then use the count function as per the screenshot. I'm not sure if it will work if you have loads of events, but maybe you could play around with the filters to help narrow down the search.

 

I hope it helps!

Take a backup before making any changes

View solution in original post

heng

Richie is right, you can use the "change display fields" under the analytic to filter accordingly. E.g. if you see the Collector ID=1, that's mean the logs is sending to the supervisor while other not equal to 1 will be the corresponding collector with Collector ID=10002 for instance.

 

image.png

 

NSE8

View solution in original post

8 REPLIES 8
Anthony_E
Community Manager
Community Manager

Hello Adem,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Adem,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
heng
Staff
Staff

Hi there, 

 

May I know what is the ask here to be more specific? You want to look at the formatted log (Under GUI Analytic) or the achieve log via GUI? 

NSE8
adem_netsys

Hi, i'm sorry for late reply. For example, we want the products in the customer environment to send logs only to the collector, but there were products that sent logs to the supervisor before. Can I see where the log is coming to the supervisor on the gui?

Richie_C

Hi 

I'm thinking that you could achieve it with an analytics search. I don't actually have a collector in my test setup, but my idea is to search all logs and then aggregate the search with reporting IP and collector name or collector id. Then use the count function as per the screenshot. I'm not sure if it will work if you have loads of events, but maybe you could play around with the filters to help narrow down the search.

 

I hope it helps!

Take a backup before making any changes
adem_netsys

Hi @Richie_C,

 

thanks for all your help, you have been very helpful

heng

Richie is right, you can use the "change display fields" under the analytic to filter accordingly. E.g. if you see the Collector ID=1, that's mean the logs is sending to the supervisor while other not equal to 1 will be the corresponding collector with Collector ID=10002 for instance.

 

image.png

 

NSE8
adem_netsys

Hi @heng 

 

thanks for all your help :)

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors