Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAnalyzer 7.4.1 Administration Guide
    7.4.1
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    SIEM log parsers

    SIEM log parsers

    FortiAnalyzer's SIEM capabilities parse, normalize, and correlate logs from Fortinet products, Apache and Nginx web servers, and the security event logs of Windows and Linux hosts (with Fabric Agent integration). The SIEM logs are displayed as Fabric logs in Log View and can be used when generating reports. See Types of logs collected for each device.

    Parsing is predefined by FortiAnalyzer and does not require manual configuration by administrators. The predefined SIEM log parsers can be managed in Incidents & Events > Log Parser. This pane includes predefined log parsers and any custom log parsers that you have imported.

    This topic includes information about:

    Log Parsers

    Go to Incidents & Events > Log Parser > Log Parsers and select Show Predefined and Show Custom to show all available log parsers in the table view.

    The table view has the following columns:

    Column Description

    #

    The priority of the log parser.

    To change the priority of a log parser, click and hold the checkbox for the row. Drag and drop the row in the desired priority.

    Name The name of the SIEM log parser.
    Application

    The application of the log parser, such as FortiGate.

    Category

    The category of the log parser, such as Fortinet Device.

    Status

    The status of the log parser: Enabled or Disabled.

    Double-click a log parser in the table view to display the Log View for Log Parser pane. This pane displays all related SIEM logs for the log parser in a table view.

    Tooltip

    You can also view the SIEM logs from Log View > Fabric > All. Filter the log view by Data Parser Name = name of the log parser to display the related logs. For example, filter by Data Parser Name = FortiGate Log Parser to display logs related to the predefined FortiGate Log Parser.

    You can perform the following actions from Incidents & Events > Log Parser > Log Parsers:

    Action Description
    Import Import a custom log parser. The log parser must be in JSON format.
    Export

    Export a log parser in the JSON format.

    View Logs

    Open the Log View for Log Parser pane to display all related SIEM logs in a table view.

    Delete

    Delete a custom log parser. You cannot delete a predefined log parser.

    Enable

    Enable a log parser.

    Disable

    Disable a log parser. You cannot disable a log parser if it is assigned and in use.

    Validate

    Validate a raw log with the selected log parser. You cannot perform the Validate action with more than one log parser at a time.

    See below for more information about these actions.

    To import a custom log parser:
    1. In Incidents & Events > Log Parser > Log Parsers, click Import.

      The Import Log Parser dialog displays.

    2. Drag and drop or select the log parser.

      The log parser must be in the correct format as a JSON file to meet the requirements checked during the import.

    3. Click OK.

      Once added, the custom log parser will be included in the table view when Show Custom is selected.

    To export a log parser:
    1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for log parser(s).
    2. Click Export.

      The log parser(s) are exported in JSON format. You can export predefined log parsers to use them as a template for custom log parsers.

    To enable or disable a log parser:
    1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for log parser(s).
    2. Click Enable or Disable.

      The Enable action is only available when the selected log parsers are disabled.

      The Disable action is only available when the selected log parsers are enabled. The action can only be performed when the log parser is not assigned to any devices.

    To validate if the original logs can be parsed:
    1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for a log parser.
    2. Click Validate.

      The Validate Log Parser pane opens.

    3. Enter a log to validate and click Validate.

      A Parse Result displays in the Validate Log Parser pane.

    Note

    Third party logs can be parsed in JSON format.

    Assigned Parsers

    Go to Incidents & Events > Log Parser > Assigned Parsers to view the devices/applications and their current log parser assignments in a table view.

    To assign a log parser to a device/application:
    1. In Incidents & Events > Log Parser > Assigned Parsers, click Create New.

      The Assign Parser pane displays.

    2. From the Device ID dropdown, select a device for the log parser assignment.
    3. From the Application dropdown, select an application for the log parser assignment.
    4. From the Current Parser dropdown, select the log parser.

      The log parser must use the selected Application. See Incidents & Events > Log Parser > Log Parsers to determine which application is used by the log parser.

    5. Click OK.
    To edit a log parser assignment:
    1. In Incidents & Events > Log Parser > Assigned Parsers, click Create New.

      The Change Parser pane displays.

    2. From the Current Parser dropdown, select the log parser.

      The log parser must use the selected Application. See Incidents & Events > Log Parser > Log Parsers to determine which application is used by the log parser.

    3. Click OK.
    Previous
    Next

    SIEM log parsers

    SIEM log parsers

    FortiAnalyzer's SIEM capabilities parse, normalize, and correlate logs from Fortinet products, Apache and Nginx web servers, and the security event logs of Windows and Linux hosts (with Fabric Agent integration). The SIEM logs are displayed as Fabric logs in Log View and can be used when generating reports. See Types of logs collected for each device.

    Parsing is predefined by FortiAnalyzer and does not require manual configuration by administrators. The predefined SIEM log parsers can be managed in Incidents & Events > Log Parser. This pane includes predefined log parsers and any custom log parsers that you have imported.

    This topic includes information about:

    Log Parsers

    Go to Incidents & Events > Log Parser > Log Parsers and select Show Predefined and Show Custom to show all available log parsers in the table view.

    The table view has the following columns:

    Column Description

    #

    The priority of the log parser.

    To change the priority of a log parser, click and hold the checkbox for the row. Drag and drop the row in the desired priority.

    Name The name of the SIEM log parser.
    Application

    The application of the log parser, such as FortiGate.

    Category

    The category of the log parser, such as Fortinet Device.

    Status

    The status of the log parser: Enabled or Disabled.

    Double-click a log parser in the table view to display the Log View for Log Parser pane. This pane displays all related SIEM logs for the log parser in a table view.

    Tooltip

    You can also view the SIEM logs from Log View > Fabric > All. Filter the log view by Data Parser Name = name of the log parser to display the related logs. For example, filter by Data Parser Name = FortiGate Log Parser to display logs related to the predefined FortiGate Log Parser.

    You can perform the following actions from Incidents & Events > Log Parser > Log Parsers:

    Action Description
    Import Import a custom log parser. The log parser must be in JSON format.
    Export

    Export a log parser in the JSON format.

    View Logs

    Open the Log View for Log Parser pane to display all related SIEM logs in a table view.

    Delete

    Delete a custom log parser. You cannot delete a predefined log parser.

    Enable

    Enable a log parser.

    Disable

    Disable a log parser. You cannot disable a log parser if it is assigned and in use.

    Validate

    Validate a raw log with the selected log parser. You cannot perform the Validate action with more than one log parser at a time.

    See below for more information about these actions.

    To import a custom log parser:
    1. In Incidents & Events > Log Parser > Log Parsers, click Import.

      The Import Log Parser dialog displays.

    2. Drag and drop or select the log parser.

      The log parser must be in the correct format as a JSON file to meet the requirements checked during the import.

    3. Click OK.

      Once added, the custom log parser will be included in the table view when Show Custom is selected.

    To export a log parser:
    1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for log parser(s).
    2. Click Export.

      The log parser(s) are exported in JSON format. You can export predefined log parsers to use them as a template for custom log parsers.

    To enable or disable a log parser:
    1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for log parser(s).
    2. Click Enable or Disable.

      The Enable action is only available when the selected log parsers are disabled.

      The Disable action is only available when the selected log parsers are enabled. The action can only be performed when the log parser is not assigned to any devices.

    To validate if the original logs can be parsed:
    1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for a log parser.
    2. Click Validate.

      The Validate Log Parser pane opens.

    3. Enter a log to validate and click Validate.

      A Parse Result displays in the Validate Log Parser pane.

    Note

    Third party logs can be parsed in JSON format.

    Assigned Parsers

    Go to Incidents & Events > Log Parser > Assigned Parsers to view the devices/applications and their current log parser assignments in a table view.

    To assign a log parser to a device/application:
    1. In Incidents & Events > Log Parser > Assigned Parsers, click Create New.

      The Assign Parser pane displays.

    2. From the Device ID dropdown, select a device for the log parser assignment.
    3. From the Application dropdown, select an application for the log parser assignment.
    4. From the Current Parser dropdown, select the log parser.

      The log parser must use the selected Application. See Incidents & Events > Log Parser > Log Parsers to determine which application is used by the log parser.

    5. Click OK.
    To edit a log parser assignment:
    1. In Incidents & Events > Log Parser > Assigned Parsers, click Create New.

      The Change Parser pane displays.

    2. From the Current Parser dropdown, select the log parser.

      The log parser must use the selected Application. See Incidents & Events > Log Parser > Log Parsers to determine which application is used by the log parser.

    3. Click OK.
    Previous
    Next