To support lite SIEM functionality for the Fabric environment, FortiClient (macOS), acting as the Fabric Agent, collects endpoint host logs (/var/log/system.log) and sends them to FortiAnalyzer for analysis.
In this configuration, a FortiClient (macOS) endpoint is registered to EMS. FortiAnalyzer has authorized this EMS for log submission. FortiClient (macOS) uploads logs to the FortiAnalyzer as the EMS profile specifies.
- In EMS, go to Endpoint Profiles > Manage Profiles.
- Select the desired profile.
- On the System Settings tab, enable Upload Logs to FortiAnalyzer/FortiManager.
- Enable Send OS Events.
- In the IP Address/Hostname field, enter the FortiAnalyzer IP address.
- Click Save.
The following shows how these logs display in FortiAnalyzer.