CrisPete

Using FortiAnalyzer as generic Syslog server, parse logs from non-Fortinet sources

Hello,

After doing some research regarding the (im)possibility of making it work, and some tests on FAZ 7.4.x, I wonder whether this is feasible or even on the roadmap. Apparently log parsers can be assigned to a device only if it is recognized as a Fortinet device, which first appears as unauthorized. However, sending syslog to FAZ from any device seems to store the logs in the Syslog ADOM, but when you try to assign a parser it is not possible because there is no device to select. Also, even if the logs came from a Fortinet device (e.g. FortiSOAR), the docs say they would be parsed and inserted into a "SIEM DB". But how can the latter be used?

Any ideas?

Thank you

Cristian

Renante_Era
Staff

I think the feature you're looking for is in FortiSIEM (SIEM Solutions & Tools | Get Best Enterprise SIEM Software | FortiSIEM).

CrisPete

Thanks for your answer. However, I would like to understand the functionality available in FortiAnalyzer, the role of the parsers, which devices sending syslog can be integrated into FAZ, and how the SIEM DB can be used in FAZ.

dingjerry_FTNT

Hi @CrisPete ,

On the Incidents & Events > Log Parser > Log Parsers page, you may enable a parser there, e.g. syslog.

Then go back to the Incidents & Events > Log Parser > Assigned Parsers page and create a new one; you can select that enabled parser under Application.

Not sure whether this is what you need. 

Regards,

Jerry
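
As an added example (not code from this thread or from Fortinet), the script below shows what a parser does to the raw syslog lines that the steps above refer to: the generic header decode that any collector performs, and the device-specific field extraction that a custom parser supplies. It also includes a small UDP sender for producing test traffic toward a syslog listener. The collector address, the sshd rule and the sample log lines are constructed assumptions.

```python
"""Added example: not code from this thread or from Fortinet. It shows what a
log parser does with a raw syslog line (decode the header, then pull
device-specific fields out of the message body) and includes a small UDP
sender for generating test traffic toward a syslog listener. The collector
address, the per-application rule and the sample lines are all constructed
assumptions."""
import re
import socket
from typing import Dict, List, Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# RFC 5424 header: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")
# key=value pairs, quoted or bare (the style Fortinet's own logs use)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Device-specific rules keyed by syslog tag: this is the part a custom parser
# supplies. The sshd rule is a constructed example, not a Fortinet parser.
APP_RULES = {
    "sshd": re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<srcip>[\d.]+) port (?P<srcport>\d+)"),
}

# Constructed sample lines: the RFC 3164/5424 examples plus two invented
# non-Fortinet devices.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<86>Nov 28 13:31:17 appsrv01 sshd[2211]: Failed password for invalid user "
    "admin from 203.0.113.7 port 52214 ssh2",
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 "
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
    "An application event log entry",
    "<189>Nov 28 13:30:29 edge-router sessiond: action=deny srcip=198.51.100.23 "
    'dstport=445 reason="policy 7"',
]


def parse_header(line: str) -> Optional[Dict[str, str]]:
    """The generic step every collector performs: decode PRI into facility and
    severity and split off timestamp, host and tag. Returns None for a line
    that is not syslog at all (a collector keeps those as unparsed raw text)."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if m is None:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None}
    pri = int(rec.pop("pri"))
    if pri > 191:  # 24 facilities * 8 severities - 1
        return None
    rec["facility"] = FACILITIES[pri >> 3]
    rec["severity"] = SEVERITIES[pri & 7]
    return rec


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Header parse plus field extraction: an app-specific regex when one is
    registered for the tag, RFC 5424 structured data when present, else a
    key=value fallback. Unmatched bodies stay in 'msg' unchanged."""
    rec = parse_header(line)
    if rec is None:
        return None
    if rec.get("sd", "-") != "-":
        rec.update((k, v.strip('"')) for k, v in KV.findall(rec["sd"]))
    body = rec.get("msg", "")
    rule = APP_RULES.get(rec["tag"])
    hit = rule.match(body) if rule else None
    if hit:
        rec.update(hit.groupdict())
    elif "=" in body:
        rec.update((k, v.strip('"')) for k, v in KV.findall(body))
    return rec


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    """Parse a batch, dropping lines that are not syslog."""
    return [r for r in (parse_event(x) for x in lines) if r is not None]


def send_syslog(line: str, host: str = "127.0.0.1", port: int = 514) -> int:
    """Emit one syslog datagram over UDP. host/port are placeholder assumptions;
    point them at the collector's syslog listener. Returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        send_syslog(raw)
        print(parse_event(raw))
```

Run as a script it parses the constructed samples locally and emits them over UDP to 127.0.0.1:514; change host and port to the collector's listener to check whether lines from a non-Fortinet source arrive and whether they stay unparsed. The split between parse_header and the tag-keyed rules is the point: the header decode is generic, while anything beyond that needs a rule written for the sending application.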
CrisPete

Hi dingjerry, thanks for your reply. The problem is that I already tried this, and although in the Syslog ADOM I see the device (and also the logs, but not parsed), even with the Syslog parser enabled, when I want to assign it the operation is impossible because there is no device in the list.

[screenshot: 2024-11-28_13h31_17.png]

[screenshot: 2024-11-28_13h30_29.png]

dingjerry_FTNT

Hi @CrisPete ,

I hope that there is some info in this doc for you:

https://docs.fortinet.com/document/fortianalyzer/7.4.0/custom-log-parsers/88208/introduction

Regards,

Jerry