Administration Guide

Setting up FortiAnalyzer
- Connecting to the GUI
  - FortiAnalyzer Setup wizard
  - Activating VM licenses
- Security considerations
  - Restricting GUI access by trusted host
  - Other security considerations
- GUI overview
- Target audience and access level
- Initial setup
- FortiManager features
- Next steps
- Restarting and shutting down
FortiAnalyzer Key Concepts
- Operation modes
- Administrative domains
- Logs
- Log storage
- FortiView dashboard
Device Manager
- ADOMs
- FortiClient EMS devices
- Unauthorized devices
- Using FortiManager to manage FortiAnalyzer devices
- Adding devices
- Managing devices
- Device groups
  - Adding device groups
  - Managing device groups
FortiView
- Monitors
- FortiView
- Enabling and disabling FortiView
Log View and Log Quota Management
- Types of logs collected for each device
- Log messages
- Log groups
- Log browse
- Log and file storage
Fabric View
- Fabric Connectors
- Subnets
- Identity Center
  - Identity Center dashboard
- Asset Center
  - Asset Center dashboard
- Configuring endpoint and end user data sources
Fortinet Security Fabric
- Adding a Security Fabric group
- Displaying Security Fabric topology
- Security Fabric traffic log to UTM log correlation
- Security Fabric ADOMs
- Enabling SAML authentication in a Security Fabric
Incident and Event Management
- Event handlers
- Events
- Incidents
FortiSoC
- Viewing FortiSoC dashboards
- Configuring playbook automation
- Threat Hunting
- Outbreak Alerts
Reports
- How ADOMs affect reports
- Predefined reports, templates, charts, and macros
- Logs used for reports
- How charts and macros extract data from logs
- How auto-cache works
- Generating reports
- Creating reports
- Managing reports
  - Organizing reports into folders
  - Importing and exporting reports
- Report template library
- Chart library
  - Creating charts
  - Managing charts
- Macro library
  - Creating macros
  - Managing macros
- Datasets
- Output profiles
  - Creating output profiles
  - Managing output profiles
- Report languages
  - Exporting and modifying a language
  - Importing a language
- Report calendar
  - Viewing all scheduled reports
  - Managing report schedules
FortiRecorder
- Configuring cameras in the Camera Manager
- Face Recognition
- Watching live and recorded video in the Monitor
- Enabling and disabling FortiRecorder
System Settings
- Dashboard
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Certificates
- Log Forwarding
- Fetcher Management
- Event Log
  - Event log filtering
- Task Monitor
- SNMP
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
- File Management
- Advanced Settings
- Restart, shut down, or reset FortiAnalyzer
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Administrator profiles
- Authentication
- Global administration settings
- Two-factor authentication
  - Configuring FortiAuthenticator
  - Configuring FortiAnalyzer
High Availability
- Configuring HA options
  - Log synchronization
  - Configuration synchronization
- Monitoring HA status
  - If the primary unit fails
- Load balancing
- Upgrading the FortiAnalyzer firmware for an operating cluster
Collectors and Analyzers
- Configuring the Collector
- Configuring the Analyzer
- Fetching logs from the Collector to the Analyzer
Management Extensions
- FortiSIEM MEA
- FortiSOAR MEA
- Enabling management extension applications
  - CLI for management extensions
- Accessing management extension logs
- Checking for new versions and upgrading
Appendix A - Supported RFC Notes
Appendix B - Log Integrity and Secure Log Transfer
- Maximum TLS/SSL version compatibility
Appendix C - FortiAnalyzer Ansible Collection documentation
Change Log

Home FortiAnalyzer 7.2.0 Administration Guide

7.2.0

User and endpoint ID log fields

Log information about user and endpoint IDs is available in Log View and can be viewed by configuring these fields as displayed columns. See Customizing displayed columns.

UEBA User ID and UEBA Endpoint ID fields with values below 1024 are special cases which are tracked by FortiAnalyzer's UEBA. See the table below for information on what each value represents.

Value	Name	Description
1	EPEU_NOT_IMPL_DEVTYPE	EP and EU not implemented for this devtype.
2	EPEU_NOT_IMPL_LOGTYPE	EP and EU not implemented for this logtype.
3	EPEU_NO_ENOUGH_INFO	Not enough information to identify an EP or EU.
4	EPEU_CANNOT_GET_UID	Cannot get a UID range (max limit reached).
5	EPEU_INTERNAL_ERROR	Internal error (e.g. cannot allocate memory).
6	EPEU_HA_BACKUP_ASK_FAIL	Ask primary failed and could not recover.
7	EPEU_HA_REBUILD_THROTTLE	Prevent too many EP and EU requests during database rebuilding.
8	EPEU_CLIENT_ASK_FAIL	Ask server failed and could not recover.
10	EPEU_NOT_SUPPORT_LOGVER	Log version is not supported.
100	EPEU_ID_LOCAL_HOST	Local host event, such as a local host event in FortiGate.
101	EPEU_ID_UNTRACK_IP	IP is public and related interface role is not LAN.
102	EPEU_ID_UNTRACK_LOGID	Log ID is not identified.
103	EPEU_ID_UNTRACK_TOOMANYIP	Too many IPs on one MAC.
104	EPEU_ID_UNTRACK_VPN_IP	Do not track VPN IP.

When a device has FortiClient installed and FortiAnalyzer is able to retrieve endpoint information, all interfaces of this device will belong to a single endpoint with the FCT-UID as the key. For devices without FortiClient that have multiple NICs, each interface appears as a separate endpoint.

The User ID and UEBA User ID fields are interchangeable and contain the same information.

The Endpoint ID and UEBA Endpoint ID fields are interchangeable and contain the same information.