Hi guys,
In fortisiem, some of the log sources are sent to supervisor and some to collector. Is there any way to see this on the GUI other than getting a dump?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
I'm thinking that you could achieve it with an analytics search. I don't actually have a collector in my test setup, but my idea is to search all logs and then aggregate the search with reporting IP and collector name or collector id. Then use the count function as per the screenshot. I'm not sure if it will work if you have loads of events, but maybe you could play around with the filters to help narrow down the search.
I hope it helps!
Created on 12-07-2023 08:25 AM Edited on 12-07-2023 08:25 AM
Richie is right, you can use the "change display fields" under the analytic to filter accordingly. E.g. if you see the Collector ID=1, that's mean the logs is sending to the supervisor while other not equal to 1 will be the corresponding collector with Collector ID=10002 for instance.
Hello Adem,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Adem,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hi there,
May I know what is the ask here to be more specific? You want to look at the formatted log (Under GUI Analytic) or the achieve log via GUI?
Hi, i'm sorry for late reply. For example, we want the products in the customer environment to send logs only to the collector, but there were products that sent logs to the supervisor before. Can I see where the log is coming to the supervisor on the gui?
Hi
I'm thinking that you could achieve it with an analytics search. I don't actually have a collector in my test setup, but my idea is to search all logs and then aggregate the search with reporting IP and collector name or collector id. Then use the count function as per the screenshot. I'm not sure if it will work if you have loads of events, but maybe you could play around with the filters to help narrow down the search.
I hope it helps!
Created on 12-07-2023 08:25 AM Edited on 12-07-2023 08:25 AM
Richie is right, you can use the "change display fields" under the analytic to filter accordingly. E.g. if you see the Collector ID=1, that's mean the logs is sending to the supervisor while other not equal to 1 will be the corresponding collector with Collector ID=10002 for instance.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.