This article describes how to integrate EMS and FortiClient in the FortiAnalyzer so that it can centralize logging.
1) Verify the compatibility of the EMS server and FortiClient with the FortiAnalyzer. This can be found on the FortiClient release note, on the EMS release note and the FortiAnalyzer release note.
Note: The new Fabric ADOM can also be used since FortiAnalyzer 6.2 to receive log from the FortiClient stations.
2) Enable ADOM on the FortiAnalyzer so that the EMS server can be handled by the correct ADOM (FortiClient ADOM).
3) Make sure to have sufficient size for this ADOM. By default, the size is 1Gb.
4) Configure the EMS server so that it uses the FortiAnalyzer, as a log receiver on the FortiClient profile.
5) Connect the FortiClient to the EMS server as follows:
6) Check that the EMS detects the client.
7) Enable Antivirus detection or Web Filter in order to generate logs from the FortiClient as follows:
8) Push the new updated profile.
9) Go on the FortiClient and generate logs using web browser or EICAR virus detection. Please click here from the FortiClient station to download EICAR virus detection.
o exe tac report of the FAZ and config
o diag sniffer packet any “ host <FCLT IP> “ 3 0 a
o Wireshark form the FortiClient while navigating the net (to generate logs packet):
The sniff may show TCP SYN 4 way handshake successful but no logs are sent by the FCT (make sure you have the latest version of FCT and FAZ)
o Ping from the FortiClient to the FortiAnalyzer.
o FortiClient Diagnostic Tool.