Configuring FortiGate Security Gateway to forward events
To forward Fortinet FortiGate Security Gateway events to Chronicle, you must configure a syslog destination.
- Log in to the command line on your Fortinet FortiGate Security Gateway appliance.
- Type the following commands, in order, replacing the variables with values that suit your environment.
- FortiGate firewall CLI:

  show full-configuration | grep -f syslogd

  config log syslogd2 setting
      set status enable
      set server "xx.xx.xx.xx"        (forwarder IP)
      set mode udp
      set port 11588                  (Note: this port needs to be verified with Netenrich Support)
      set facility local6
      set source-ip "xx.xx.xx.xx"     (firewall IP)
  end

  Example of an alternative facility value: set facility syslog
Note: If you set reliable to enable, logs are sent over TCP; if you set reliable to disable, they are sent over UDP.
Configuring syslog through the GUI
- Log in to the FortiGate web GUI by browsing to the firewall IP address.
- Enable the syslog configuration as shown in the screenshots below.
- Go to Log & Report > Log Settings and follow the screenshot below.
- Enable Send logs to syslog and enter the shipper (forwarder) IP address.
- Ensure the log settings are set to All, as shown below.
- Under each firewall policy, set the log level to All (do not set it to Disable or UTM).
- Ensure logging is also enabled on the Implicit Deny policy.
- Screenshots are provided below for reference.
- Once the syslog configuration and policy changes are done, open the command line as shown in the screenshot below and type the following command:
  show full-configuration | grep -f syslogd
- Set the source IP and facility as shown in the screenshot below.
- Enable resolve-ip on each FortiGate device, as shown in the screenshot below.
- Repeat the process for each device that needs to be onboarded to Chronicle.
- Once the configuration is completed, validate the logs in Chronicle by searching with a regular expression such as (".*") or with a specific hostname; the search lists the log source types being ingested into Chronicle. See the screenshot below for reference.
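The validation in the last step is done in the Chronicle UI. As an added example that is not part of this article, the following Python script performs a similar check on the forwarder side before logs reach Chronicle: it decodes the syslog PRI header to confirm the facility is local6 as configured above, parses the FortiGate key=value body, counts events per devname, and flags lines that do not fit. The sample lines, device names, device IDs and IP addresses are constructed placeholders.

```python
import re
from collections import Counter

LOCAL6 = 22  # facility number for "set facility local6" (syslog PRI = facility * 8 + severity)

# FortiGate events are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_pri(line):
    """Split the syslog <PRI> header into (facility, severity, body)."""
    m = re.match(r'<(\d{1,3})>(.*)', line, re.DOTALL)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def parse_fortigate(line):
    """Return the event's key=value fields plus the decoded facility and severity."""
    facility, severity, body = parse_pri(line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    fields["_facility"], fields["_severity"] = facility, severity
    return fields

def check_forwarding(lines, expected_facility=LOCAL6, expected_devnames=()):
    """Count events per devname and report lines that do not match the
    configuration above: wrong facility, missing core fields, unknown device."""
    per_device, problems = Counter(), []
    for n, line in enumerate(lines, 1):
        try:
            ev = parse_fortigate(line)
        except ValueError as err:
            problems.append((n, str(err)))
            continue
        if ev["_facility"] != expected_facility:
            problems.append((n, "facility %d, expected %d" % (ev["_facility"], expected_facility)))
        for key in ("devname", "logid", "type"):
            if key not in ev:
                problems.append((n, "missing field %s" % key))
        if expected_devnames and ev.get("devname") not in expected_devnames:
            problems.append((n, "unexpected devname %r" % ev.get("devname")))
        per_device[ev.get("devname", "?")] += 1
    return per_device, problems

# Constructed sample lines (placeholder device names, IDs and IPs; not captured traffic).
SAMPLE = [
    '<181>date=2024-01-15 time=10:02:11 devname="FGT-BRANCH-1" devid="FG-PLACEHOLDER" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 dstip=203.0.113.9 action="accept" msg="quoted value, with spaces"',
    '<181>date=2024-01-15 time=10:02:12 devname="FGT-BRANCH-1" devid="FG-PLACEHOLDER" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.6 dstip=203.0.113.9 action="deny"',
    '<37>date=2024-01-15 time=10:02:13 devname="FGT-BRANCH-2" devid="FG-PLACEHOLDER" logid="0000000013" type="traffic" level="notice"',  # facility auth (4), not local6
    'date=2024-01-15 time=10:02:14 devname="FGT-BRANCH-3" logid="0000000013" type="traffic"',  # no <PRI> header at all
]
```

Run `check_forwarding(SAMPLE, expected_devnames=("FGT-BRANCH-1", "FGT-BRANCH-2"))` against lines captured on the forwarder (for example from a UDP listener on the configured port) to see per-device counts and the lines that would not be accepted as configured.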