New Features

New management extension - FortiSIEM Collector 7.0.1

You have the option to install FortiSIEM Collector as a management extension application (MEA) on FortiAnalyzer. You can configure FortiAnalyzer to forward all logs to FortiSIEM Collector MEA, and FortiSIEM Collector MEA forwards all logs to FortiSIEM Supervisor. FortiSIEM Supervisor centrally manages FortiSIEM Collector MEA.

FortiSIEM Collector MEA does not require a license, and can be enabled on FortiAnalyzer by using the GUI or CLI.

Following is a summary of how to enable and set up FortiSIEM Collector MEA:

  1. On FortiAnalyzer, enable FortiSIEM Collector MEA. See Enabling FortiSIEM Collector MEA.
  2. On FortiSIEM Supervisor, create a user for registration of FortiSIEM Collector MEA, and register the MEA. See Configuring FortiSIEM Supervisor.
  3. On FortiAnalyzer, configure log forwarding to FortiSIEM Collector MEA. See Configuring log forwarding on FortiAnalyzer.
  4. (Optional) On FortiAnalyzer, configure event log forwarding to FortiSIEM Collector MEA. See Configuring event log forwarding on FortiAnalyzer.
  5. On FortiSIEM Collector MEA, configure log forwarding to FortiSIEM Supervisor. See Configuring log forwarding on FortiSIEM Collector MEA.

This topic also includes sample logs. See Sample logs.

Enabling FortiSIEM Collector MEA

This section describes how to enable FortiSIEM Collector MEA on FortiAnalyzer.

To enable FortiSIEM Collector:
  1. On FortiAnalyzer, go to Management Extensions.

  2. Click FortiSIEM Collector.

    A confirmation dialog box is displayed.

  3. Click OK.

    FortiSIEM Collector installation begins.

    An information dialog box is displayed.

  4. Click OK to close the dialog box.

    After FortiSIEM Collector is enabled and opened, the dashboard is displayed.

Configuring FortiSIEM Supervisor

On FortiSIEM Supervisor, create a new user for FortiSIEM Collector MEA, and use the user to register FortiSIEM Collector MEA with FortiSIEM Supervisor.

To configure FortiSIEM Supervisor:
  1. On FortiSIEM Supervisor, go to CMDB > Users > Ungrouped, and create a new user for FortiSIEM Collector.

    For registration purposes, the user should have a System Role set to Full Admin. Because this account has full administrative rights on FortiSIEM Supervisor, use a dedicated account for collector registration rather than an existing administrator's login.

  2. Go to ADMIN > Collector, and register FortiSIEM Collector.

    The collector name you enter here is used later when you set up FortiSIEM Collector MEA.

Configuring log forwarding on FortiAnalyzer

Configure FortiAnalyzer to forward logs to FortiSIEM Collector MEA.

To configure log forwarding on FortiAnalyzer:
  1. On FortiAnalyzer, go to System Settings > Log Forwarding, and click Create New.

    The Create New Log Forwarding pane is displayed.

  2. Complete the following options, and click OK.

    The log forwarding configuration is saved.

Configuring event log forwarding on FortiAnalyzer

You can forward FortiAnalyzer event logs to FortiSIEM Collector. This section describes how to configure forwarding of event logs.

To configure event log forwarding on FortiAnalyzer:
  1. On FortiAnalyzer, go to System Settings > Advanced > Syslog Server, and click Create New.

    The Create New Syslog Server Settings pane is displayed.

  2. Complete the following options, and click OK.

    The syslog server settings are saved.

  3. Configure the syslogd setting by using the CLI.

  4. (Optional) If FortiAnalyzer with FortiSIEM Collector receives logs from another external FortiAnalyzer, you can configure the external FortiAnalyzer to send logs to FortiAnalyzer with FortiSIEM Collector.
    1. On the external FortiAnalyzer, go to System Settings > Advanced > Device Log Settings.
    2. Select Send the local event logs to FortiAnalyzer/FortiManager.
    3. In the IP Address box, type the IP address of FortiAnalyzer with FortiSIEM Collector.
    4. Click OK.

  5. On FortiAnalyzer with FortiSIEM Collector, go to Log View > Event log to view the logs.
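The FortiAnalyzer CLI equivalent of the two forwarding steps above (device log forwarding to FortiSIEM Collector MEA, and the syslog server plus syslogd setting for the local event logs) is shown below as an added example; it is not configuration from the original page. The server name, the log-forward entry ID, the IP address and the port are assumed placeholders: use the address and port on which your FortiSIEM Collector MEA receives syslog. The lines starting with `#` are annotations rather than CLI input, and option names can vary between FortiAnalyzer releases, so confirm each one with `?` on your own unit before applying it.

```text
# Added example: FortiAnalyzer CLI for the forwarding steps described above.
# 192.0.2.20, port 514, entry ID 1 and the name "fortisiem-collector" are
# assumed values, not taken from the original page.

# 1. Forward device logs (for example FortiGate traffic logs) to the collector.
#    GUI equivalent: System Settings > Log Forwarding > Create New.
config system log-forward
    edit 1
        set mode forwarding
        set fwd-server-type syslog
        set server-name "fortisiem-collector"
        set server-ip 192.0.2.20
        set server-port 514
    next
end

# 2a. Define the syslog server that receives FortiAnalyzer's own event logs.
#     GUI equivalent: System Settings > Advanced > Syslog Server > Create New.
config system syslog
    edit "fortisiem-collector"
        set ip 192.0.2.20
        set port 514
    next
end

# 2b. The syslogd setting: send local event logs to that syslog server.
config system locallog syslogd setting
    set status enable
    set server "fortisiem-collector"
    set severity information
end

# 3. Check what was saved.
show system log-forward
show system locallog syslogd setting
```

After applying the configuration, the two `show` commands print the saved entries, and a fresh FortiAnalyzer event (for example an administrator login) should appear in FortiSIEM Supervisor shortly afterwards, which confirms the whole path FortiAnalyzer > FortiSIEM Collector MEA > FortiSIEM Supervisor.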

Configuring log forwarding on FortiSIEM Collector MEA

Configure FortiSIEM Collector MEA to forward logs to FortiSIEM Supervisor.

To configure FortiSIEM Collector MEA to forward logs to FortiSIEM Supervisor:
  1. On FortiSIEM Collector MEA, click Setup.

    The Docker Collector Setup pane is displayed.

  2. Complete the following options, and click Save.

    FortiSIEM Collector MEA is registered with FortiSIEM Supervisor.

  3. In FortiSIEM Collector MEA, go to Health > System Info, and view the Status as Registered.

Sample logs

In this scenario, FortiGates have been registered to FortiAnalyzer, and FortiAnalyzer forwards the traffic logs to FortiSIEM Collector MEA. FortiSIEM Collector MEA is registered to its Supervisor, and FortiSIEM Collector MEA forwards logs to FortiSIEM Supervisor.

A second FortiAnalyzer is configured to send its event logs to FortiAnalyzer with FortiSIEM Collector MEA.

In FortiAnalyzer, the Security Fabric is displayed as follows:

You can also view the following topology in FortiAnalyzer:

With this configuration, you can view the following logs in FortiSIEM Supervisor:

  • Root log
  • Logs from one of the downstream FortiGate devices
  • Event logs from FortiAnalyzer

    The event logs are forwarded to FortiSIEM Collector MEA, which forwards the logs to FortiSIEM Supervisor.

  • Event logs from an external FortiAnalyzer

    The event logs are forwarded to FortiAnalyzer with FortiSIEM Collector MEA, and FortiSIEM Collector MEA forwards the logs to FortiSIEM Supervisor.

In the following example, you can view the root log in FortiSIEM Supervisor:

In the following example, you can view logs from one of the downstream FortiGate devices in FortiSIEM Supervisor:

In the following example, you can view event logs from FortiAnalyzer that are forwarded to FortiSIEM Collector MEA, which forwards the logs to FortiSIEM Supervisor:

In the following example, you can view event logs from an external FortiAnalyzer that are forwarded to FortiAnalyzer with FortiSIEM Collector MEA, and FortiSIEM Collector MEA forwards the logs to FortiSIEM Supervisor:
