Remote logging support for FortiClient (Linux)
FortiClient (Linux) endpoints can now send logs to FortiAnalyzer for historical logging and reporting.
The EMS administrator can provide a FortiAnalyzer's IP address in an endpoint profile. All endpoints registered to the EMS that have this endpoint profile applied send logs to the specified FortiAnalyzer. FortiClient (Linux) also sends vulnerability and antivirus (AV) scan results, the user avatar, and Telemetry messages to FortiAnalyzer. The logs and vulnerability scan results display in FortiView and Log View in FortiAnalyzer.
This feature is new for FortiClient (Linux) 6.2.0, but is available for earlier versions of FortiClient (Windows) and FortiClient (macOS).
To configure the endpoint profile in EMS:
- In EMS, go to Endpoint Profiles and select the desired endpoint profile.
- On the System Settings tab, enable Upload Logs to FortiAnalyzer/FortiManager.
- In the IP Address/Hostname field, enter the FortiAnalyzer's IP address. In this example, the FortiAnalyzer's IP address is 10.127.121.15.
- Update other settings, such as Upload UTM Logs, Upload Vulnerability Logs, Log Generation Timeout, and so on, as desired.
- Save the profile.
- If the profile has not already been configured as part of an endpoint policy, go to Endpoint Policy and configure this profile as part of a policy that is assigned to an endpoint group. All endpoints in this group will now send logs to FortiAnalyzer. Endpoints send logs to FortiAnalyzer only while they are registered to EMS.
When a vulnerability scan completes, FortiClient sends logs to FortiAnalyzer. You can review the logs in Log View or FortiView in FortiAnalyzer.
FortiClient also sends vulnerability scan results to EMS. These results are displayed on the Vulnerability Events tab when viewing endpoint details.