You can use this document to send Fortinet Security Gateway logs to Armor's Security Information & Event Management (SIEM).
Pre-Deployment Considerations
...
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Log & Data Management.
Click Agent Sources.
Locate and select the desired log relay.
Click Overview.
Locate and copy the Public IP.
...
Log into your Fortinet Security Gateway.
In the upper right corner, select CLI Console.
Run the following commands to configure the device to send syslog messages to the Log Relay, which will then forward the logs to Armor (replace <LOG_RELAY_IP_ADDRESS> with the Public IP copied above).

fgvm1 # config log syslogd setting
fgvm1 (setting) # set status enable
fgvm1 (setting) # set format default
fgvm1 (setting) # set server <LOG_RELAY_IP_ADDRESS>
fgvm1 (setting) # set port 10073
fgvm1 (setting) # end
To validate your current configuration, run the following command, either before or after the [fgvm1 (setting) # end] command.
fgvm1 # show log syslogd setting

Note: If the format was set to something other than default, the [fgvm1 # show log syslogd setting] command will return the current format (e.g., cef).
In that case, update the format to default within the command line: [fgvm1 (setting) # set format default].
Verify that logs are formatted correctly, similar to either of the following examples:
Note: FortiGate can send messages in multiple formats; both of the examples below are in the default (key=value) format, with and without the syslog header.
Example 1

Jul 9 14:26:58 13.47.22.124 date=2019-07-09 time=14:26:58 devname=XXX-FW1 devid=YYY logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=89.28.174.28 srcport=46796 srcintf="port9" dstip=13.47.22.175 dstport=1639 dstintf="port11" sessionid=2232272452 proto=6 action=deny policyid=0 policytype=policy

Example 2

date=2019-07-09 time=14:26:58 devname=XXX-FW1 devid=YYY logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=89.28.174.28 srcport=46796 srcintf="port9" dstip=13.47.22.175 dstport=1639 dstintf="port11" sessionid=2232272452 proto=6 action=deny policyid=0 policytype=policy
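As an added example that is not part of the original Armor document, the following Python parser checks whether a received line is in the default key=value format shown in the two examples above: it strips the optional syslog header of Example 1, handles quoted values, and rejects lines in another format such as CEF. The sample lines are copied from the examples; the function names are assumptions.

```python
import re
from typing import Dict, Optional

# Sample lines constructed from Example 1 (with syslog header) and Example 2 (bare).
SAMPLE_WITH_HEADER = (
    'Jul 9 14:26:58 13.47.22.124 date=2019-07-09 time=14:26:58 devname=XXX-FW1 '
    'devid=YYY logid=0000000013 type=traffic subtype=forward level=notice vd=root '
    'srcip=89.28.174.28 srcport=46796 srcintf="port9" dstip=13.47.22.175 '
    'dstport=1639 dstintf="port11" sessionid=2232272452 proto=6 action=deny '
    'policyid=0 policytype=policy'
)
SAMPLE_BARE = SAMPLE_WITH_HEADER.split(' ', 4)[4]  # same record without the header

# Optional "<Mon> <day> <HH:MM:SS> <host> " syslog header in front of the first key=value.
_HEADER_RE = re.compile(r'^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?=\w+=)')
# One key=value pair; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Fields every default-format FortiGate record is expected to carry.
REQUIRED_FIELDS = {'date', 'time', 'devname', 'devid', 'logid', 'type'}


def parse_fortigate_line(line: str) -> Optional[Dict[str, str]]:
    """Parse a default-format (key=value) FortiGate line into a dict.

    Returns None when the line is not in the default format, e.g. a CEF
    message ("CEF:0|...") that would appear if the format was not reset.
    """
    body = _HEADER_RE.sub('', line.strip(), count=1)
    if not body.startswith('date='):
        return None
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(body):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # drop the surrounding quotes
        fields[key] = value
    return fields


def is_default_format(line: str) -> bool:
    """True when the line parses and carries the fields the SIEM relies on."""
    fields = parse_fortigate_line(line)
    return fields is not None and REQUIRED_FIELDS <= fields.keys()


if __name__ == '__main__':
    for sample in (SAMPLE_WITH_HEADER, SAMPLE_BARE, 'CEF:0|Fortinet|FortiGate|...'):
        print(is_default_format(sample), parse_fortigate_line(sample))
```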
...