
Administration Guide

SIEM log parsers

FortiAnalyzer's SIEM capabilities parse, normalize, and correlate logs from Fortinet products, Apache and Nginx web servers, and the security event logs of Windows and Linux hosts (with Fabric Agent integration). The SIEM logs are displayed as Fabric logs in Log View and can be used when generating reports. See Types of logs collected for each device.

Parsing is predefined by FortiAnalyzer and does not require manual configuration by administrators. The predefined SIEM log parsers can be managed in Incidents & Events > Log Parser. This pane includes predefined log parsers and any custom log parsers that you have imported.

This topic includes information about Log Parsers and Assigned Parsers.

Log Parsers

Go to Incidents & Events > Log Parser > Log Parsers and select Show Predefined and Show Custom to show all available log parsers in the table view.

The table view has the following columns:

Column       Description
#            The priority of the log parser. To change the priority of a log parser, click and hold the checkbox for the row, then drag and drop the row to the desired position.
Name         The name of the SIEM log parser.
Application  The application of the log parser, such as FortiGate.
Category     The category of the log parser, such as Fortinet Device.
Status       The status of the log parser: Enabled or Disabled.

Double-click a log parser in the table view to display the Log View for Log Parser pane. This pane displays all related SIEM logs for the log parser in a table view.

Tip: You can also view the SIEM logs from Log View > Fabric > All. Filter the log view by Data Parser Name = name of the log parser to display the related logs. For example, filter by Data Parser Name = FortiGate Log Parser to display logs related to the predefined FortiGate Log Parser.

You can perform the following actions from Incidents & Events > Log Parser > Log Parsers:

Action      Description
Import      Import a custom log parser. The log parser must be in JSON format.
Export      Export a log parser in JSON format.
View Logs   Open the Log View for Log Parser pane to display all related SIEM logs in a table view.
Delete      Delete a custom log parser. You cannot delete a predefined log parser.
Enable      Enable a log parser.
Disable     Disable a log parser. You cannot disable a log parser that is assigned and in use.
Validate    Validate a raw log with the selected log parser. You cannot perform the Validate action with more than one log parser at a time.

See below for more information about these actions.

To import a custom log parser:
  1. In Incidents & Events > Log Parser > Log Parsers, click Import.

    The Import Log Parser dialog displays.

  2. Drag and drop or select the log parser.

    The log parser must be a correctly formatted JSON file; the format requirements are checked during the import.

  3. Click OK.

    Once added, the custom log parser will be included in the table view when Show Custom is selected.

To export a log parser:
  1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for log parser(s).
  2. Click Export.

    The log parser(s) are exported in JSON format. You can export predefined log parsers to use them as a template for custom log parsers.

To enable or disable a log parser:
  1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for log parser(s).
  2. Click Enable or Disable.

    The Enable action is only available when the selected log parsers are disabled.

    The Disable action is only available when the selected log parsers are enabled. The action can only be performed when the log parser is not assigned to any devices.

To validate whether a raw log can be parsed:
  1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for a log parser.
  2. Click Validate.

    The Validate Log Parser pane opens.

  3. Enter a log to validate and click Validate.

    A Parse Result displays in the Validate Log Parser pane.
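The following Python model is added here as an illustration; it is not FortiAnalyzer's parser JSON format or code. It shows why the priority column and the Validate action matter: each constructed parser is a regex whose named groups become normalized fields, a raw log is claimed by the first enabled parser in priority order that validates it, and promoting a catch-all parser to priority 1 makes it swallow logs the specific parsers should own. Parser names, patterns and sample logs are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class LogParser:
    """One row of a priority-ordered parser table (illustrative model, not FortiAnalyzer's format)."""
    name: str
    application: str
    pattern: str          # regex whose named groups become the normalized fields
    enabled: bool = True

    def validate(self, raw_log):
        """Parse Result for one raw log: the normalized fields, or None if this parser does not match."""
        match = re.search(self.pattern, raw_log)
        return match.groupdict() if match else None


# Constructed parsers, listed in priority order (position 0 corresponds to the '#' = 1 row).
PARSERS = [
    LogParser("Apache Access Log Parser", "Apache",
              r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'),
    LogParser("FortiGate Log Parser", "FortiGate",
              r'^date=(?P<date>\S+) time=(?P<time>\S+) .* type=(?P<type>\w+) .* srcip=(?P<srcip>\S+) .* action=(?P<action>\w+)'),
    # Catch-all parser: kept last so it only sees logs that no specific parser claimed.
    LogParser("Generic Text Parser", "Generic", r'^(?P<msg>.+)$'),
]


def pick_parser(raw_log, parsers=PARSERS):
    """Return (parser name, fields) from the first enabled parser that parses the log, walking the priority list."""
    for parser in parsers:
        if not parser.enabled:
            continue
        fields = parser.validate(raw_log)
        if fields is not None:
            return parser.name, fields
    return None, None


def move_to_top(parsers, name):
    """Drag-and-drop equivalent: give the named parser priority 1 and return the new order."""
    chosen = [p for p in parsers if p.name == name]
    return chosen + [p for p in parsers if p.name != name]


# Constructed sample raw logs (not captured from real devices).
FGT_LOG = ('date=2024-01-15 time=10:22:01 devname="fw1" type=traffic subtype=forward '
           'srcip=10.0.0.5 dstip=203.0.113.9 action=deny')
APACHE_LOG = '10.0.0.7 - - [15/Jan/2024:10:22:05 +0000] "GET /login HTTP/1.1" 401 512'

if __name__ == "__main__":
    for raw in (FGT_LOG, APACHE_LOG):
        print(pick_parser(raw))
    # Promoting the catch-all above the specific parsers makes it claim every log.
    print(pick_parser(FGT_LOG, move_to_top(PARSERS, "Generic Text Parser"))[0])
```

Running a sample of each log type through a parser before importing it, as the Validate action does, catches the case where a broad pattern placed too high in the priority list silently takes logs away from the parser that should normalize them.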

Assigned Parsers

Go to Incidents & Events > Log Parser > Assigned Parsers to view the devices/applications and their current log parser assignments in a table view.

To assign a log parser to a device/application:
  1. In Incidents & Events > Log Parser > Assigned Parsers, click Create New.

    The Assign Parser pane displays.

  2. From the Device ID dropdown, select a device for the log parser assignment.
  3. From the Application dropdown, select an application for the log parser assignment.
  4. From the Current Parser dropdown, select the log parser.

    The log parser must use the selected Application. See Incidents & Events > Log Parser > Log Parsers to determine which application is used by the log parser.

  5. Click OK.

To edit a log parser assignment:
  1. In Incidents & Events > Log Parser > Assigned Parsers, click Create New.

    The Change Parser pane displays.

  2. From the Current Parser dropdown, select the log parser.

    The log parser must use the selected Application. See Incidents & Events > Log Parser > Log Parsers to determine which application is used by the log parser.

  3. Click OK.
