Administration Guide

Syslog

The SYSLOG option enables you to configure FortiEDR to automatically send FortiEDR events to one or more standard Security Information and Event Management (SIEM) solutions via Syslog.

The FortiEDR Central Manager server sends the raw data for security event aggregations. Each entry contains a raw data ID and an event ID. Raw data items belonging to the same security event aggregation share the same event ID, which enables the SIEM to combine them into one security event on the SIEM side, in order to remain aligned with the FortiEDR system.

Use the Define New Syslog button to define a new Syslog destination. The Syslog Name is a free-text field that identifies this destination in FortiEDR.

Note

Syslog messages are only sent for security events that occur on devices that are part of Collector Groups that are assigned to a Playbook policy in which the Send Syslog Notification option is checked.

To select which syslog messages to send:
  1. Select a syslog destination row.
  2. Use the sliders in the NOTIFICATIONS pane on the right to enable or disable the destination per event type (system events, security events or audit trail).

To select which fields will be included in the syslog messages:

Check the checkbox of the fields that you want to be sent to your Syslog.

Caution

If syslog is configured for both Hoster view and an organization, two syslog events will be sent.
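The aggregation model described above (raw data items sharing an event ID belong to one security event) and the caution about double delivery both matter on the SIEM side. The following is an added example, not code from the FortiEDR product or this guide, of how a receiving pipeline can regroup raw data items by event ID and drop a raw data item it has already seen. The `key=value` message layout and the field names `event_id`, `raw_data_id`, `device` and `process` are assumptions made for this example only; FortiEDR's real message format and field names are documented in the FortiEDR Syslog Message Reference. The sample lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample syslog lines in a hypothetical "key=value" message layout.
# The field names event_id, raw_data_id, device and process are assumptions made
# for this example; they are NOT FortiEDR's real field names or message format
# (see the FortiEDR Syslog Message Reference for those).
SAMPLE_SYSLOG = [
    "<134>1 2024-01-01T10:00:00Z edr-mgr FortiEDR - - - event_id=1001 raw_data_id=5001 device=host-a process=a.exe",
    "<134>1 2024-01-01T10:00:01Z edr-mgr FortiEDR - - - event_id=1001 raw_data_id=5002 device=host-a process=b.exe",
    "<134>1 2024-01-01T10:00:02Z edr-mgr FortiEDR - - - event_id=1002 raw_data_id=5003 device=host-b process=c.exe",
    # The same raw data item delivered a second time (for example when both the
    # Hoster view and the organization have a syslog destination configured).
    "<134>1 2024-01-01T10:00:01Z edr-mgr FortiEDR - - - event_id=1001 raw_data_id=5002 device=host-a process=b.exe",
    # A line without the two IDs, to show how malformed input is counted rather than lost silently.
    "<134>1 2024-01-01T10:00:03Z edr-mgr FortiEDR - - - message=heartbeat",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Aggregation:
    events: dict = field(default_factory=dict)  # event_id -> list of raw-data records
    duplicates: int = 0                         # raw_data_id values seen more than once
    malformed: int = 0                          # lines lacking event_id or raw_data_id


def parse_line(line):
    """Extract key=value pairs from the message part of one syslog line."""
    return dict(KV_RE.findall(line))


def aggregate_events(lines):
    """Group raw data entries by event_id, keeping only the first copy of each raw_data_id."""
    agg = Aggregation()
    seen_raw_ids = set()
    for line in lines:
        rec = parse_line(line)
        event_id, raw_id = rec.get("event_id"), rec.get("raw_data_id")
        if event_id is None or raw_id is None:
            agg.malformed += 1   # a real pipeline should surface these, not drop them silently
            continue
        if raw_id in seen_raw_ids:
            agg.duplicates += 1  # same raw data delivered twice: do not create a second event
            continue
        seen_raw_ids.add(raw_id)
        agg.events.setdefault(event_id, []).append(rec)
    return agg


def summarize(agg):
    """Collapse each event_id's raw data items into one security-event summary."""
    summary = {}
    for event_id, records in agg.events.items():
        summary[event_id] = {
            "raw_data_ids": [r["raw_data_id"] for r in records],
            "devices": sorted({r.get("device", "?") for r in records}),
            "processes": sorted({r.get("process", "?") for r in records}),
        }
    return summary


if __name__ == "__main__":
    agg = aggregate_events(SAMPLE_SYSLOG)
    print(f"{len(agg.events)} security events, {agg.duplicates} duplicate raw item(s) dropped, "
          f"{agg.malformed} malformed line(s)")
    for event_id, info in summarize(agg).items():
        print(event_id, info)
```

Keying the de-duplication on the raw data ID rather than on the whole line means a repeated delivery is recognised even if the two copies differ in syslog header fields such as the timestamp, which is exactly the situation the caution above describes. The `seen_raw_ids` set grows without bound here; a production receiver would age entries out or rely on the SIEM's own de-duplication window.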

For more information on syslog messages, such as message types and fields, see FortiEDR Syslog Message Reference.