Topics Discussed
Table of Contents | ||||
---|---|---|---|---|
|
Insert excerpt | ||||||||
---|---|---|---|---|---|---|---|---|
|
You can use this document to send Fortinet Security Gateway logs to Armor's Security Information & Event Management (SIEM).
Pre-Deployment Considerations
...
Before you begin, review the following requirements:
Log Relay
To create a remote Log Relay, you must already have:
A Log Relay server on your account
To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection
Configured the system clock
Log Relay IP Address
You must be able to retrieve the log relay IP address from your AMP account:
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Log & Data Management.
Click Agent Sources.
Locate and select the desired log relay.
Click Overview.
Locate and copy the Public IP.
Update your Fortinet Security Gateway
...
Log into your Fortinet Security Gateway.
In the upper, right corner, select CLI Console.
Run the following commands to configure the device to send syslogs to Log Relay, which will then forward the logs to Armor.
Code Block language bash fgvm1 # config log syslogd setting fgvm1 (setting) # set status enable fgvm1 (setting) # set format default fgvm1 (setting) # set server <LOG_RELAY_IP_ADDRESS> fgvm1 (setting) # set port 10073 fgvm1 (setting) # end
To validate your current configuration, run the following command, either before or after the [fgvm1 (setting) # end] command.
Code Block language bash fgvm1 # show log syslogd setting
Note If the format was set to something other than default, when the [fgvm1#show log syslogd setting] command is run, the current format will be returned (e.g. cef).
Within the command line, update the format command to default [fgvm1 (setting)#set format default].
Verify that logs are formatted correctly, similar to either of the following examples:
Note Fortigate can send messages in multiple formats.
Example 1
Code Block Jul 9 14:26:58 13.47.22.124 date=2019-07-09 time=14:26:58 devname=XXX-FW1 devid=YYY logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=89.28.174.28 srcport=46796 srcintf="port9" dstip=13.47.22.175 dstport=1639 dstintf="port11" sessionid=2232272452 proto=6 action=deny policyid=0 policytype=policy
Example 2
Code Block date=2019-07-09 time=14:26:58 devname=XXX-FW1 devid=YYY logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=89.28.174.28 srcport=46796 srcintf="port9" dstip=13.47.22.175 dstport=1639 dstintf="port11" sessionid=2232272452 proto=6 action=deny policyid=0 policytype=policy
Verify Logs in AMP
...
In the Armor Management Portal (AMP), you can view the actual logs to confirm that the configuration was successful.
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Log & Data Management, and then select Search.
In the search field, enter the IP address or the device name.
For example, you can enter *13.47.22.124* or *XXX-FW1*
This action will display collected FortiGate logs for that particular device.
Info | ||
---|---|---|
TroubleshootingCommand Help Within the CLI Console, you can use the question mark (?) key to display command help.
|
Additional Documentation
For more information on using CLI, click here.