Administration Guide

Log Settings

Go to Log & Report > Log Settings to configure Syslog settings for FortiAnalyzer (7.0.1 and higher) and FortiSIEM (6.3.0 and higher). You can use the secondary Syslog field to send the same logs to different Syslog servers. You can configure both fields to send to both FortiAnalyzer and FortiSIEM.

Log Settings send Syslog messages about the Attack Scenario to other devices such as FortiAnalyzer or FortiSIEM.

Note
  • Upload file and Network share file detections do not send a Syslog message upon detection, because they cannot trigger an Attack Scenario. An Attack Scenario is built from the sample's flow from attacker to victim, and these two detection types have no such flow to report.

  • Inline, ICAP, Sniffer, and OFTP detections do trigger a Syslog message to FortiAnalyzer or FortiSIEM, because they carry this flow information.

Log Settings in Center mode

In Center mode, the Log Settings can be configured to send the Center's own system event log to the syslog servers. Detection logs, including the malware logs and NDR logs that record events occurring on the sensors, are sent directly by the sensors themselves. To upload and edit the sensor syslog configurations, go to System > Sensor Settings and click Restore Configuration. For more information, see Sensor Settings (Center Standalone).

To configure the Log Settings:
  1. Go to Log & Report > Log Settings.
  2. Configure the following settings:

    Send logs to FortiAnalyzer/FortiSIEM: Click to Enable or Disable.
    Type: Syslog Protocol.
    Log Server Address: Enter the FortiAnalyzer/FortiSIEM log server address.
    Port: Enter the FortiAnalyzer/FortiSIEM port number. Default is UDP: 514.
    Send logs to Syslog Server 1: Click to Enable or Disable.
    Type: Syslog Protocol.
    Log Server Address: Enter the Syslog Server 1 log server address.
    Port: Enter the Syslog Server 1 log server port number. Default is UDP: 514.
  3. Click OK.
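Once the settings above are saved, the quickest way to confirm that messages really reach the configured log server is to stand up a throwaway UDP listener on the same port and decode what arrives. The script below is an added example and is not part of the Fortinet guide or the product; it decodes the standard syslog <PRI> header (RFC 3164/5424) into facility and severity and, as an assumption about the payload, splits a key=value style body into fields. The sample messages in it are constructed for illustration and do not reproduce the product's real log format.

```python
"""Minimal UDP syslog receiver and decoder for checking a Log Settings
configuration end to end.

Added example, not Fortinet code. The message samples below are constructed
and the key=value body layout is an assumption, not the product's documented
format; the <PRI> header decoding follows RFC 3164/5424 and is generic.
"""
import re
import socket
from dataclasses import dataclass, field

# Facility and severity tables from RFC 3164 / RFC 5424 (index == code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# key=value or key="quoted value" pairs; assumed body layout, see module docstring.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    body: str
    fields: dict = field(default_factory=dict)


def decode_pri(raw: str) -> SyslogMessage:
    """Split the <PRI> header into facility/severity and keep the rest as body."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    body = m.group(2)
    return SyslogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8], body, parse_kv(body))


def parse_kv(body: str) -> dict:
    """Extract key=value pairs; quoted values may contain spaces."""
    out = {}
    for m in KV_RE.finditer(body):
        # group(3) is the unquoted content of a quoted value; it may be "" so test for None
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def receive_messages(bind_addr="0.0.0.0", port=514, max_messages=1, timeout=5.0):
    """Listen on UDP (default 514, matching the guide) and return (sender, message) tuples.

    Binding to 514 needs root or CAP_NET_BIND_SERVICE; stop after max_messages
    or when nothing arrives for `timeout` seconds.
    """
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        while len(received) < max_messages:
            try:
                data, peer = sock.recvfrom(65535)
            except socket.timeout:
                break
            received.append((peer[0], decode_pri(data.decode("utf-8", errors="replace"))))
    return received


if __name__ == "__main__":
    # Constructed sample resembling a local0/info event with a key=value body.
    sample = '<134>Jan 01 12:00:00 sensor1 date=2024-01-01 type=event level=info msg="attack scenario created"'
    msg = decode_pri(sample)
    print(f"{msg.facility}.{msg.severity}: {msg.fields}")
    # To check a live configuration, point the appliance at this host and run:
    # for sender, m in receive_messages(port=514): print(sender, m.facility, m.severity, m.fields)
```

Run it on the host you entered as Log Server Address, with the appliance's Port value, and check that the sender IP is the appliance and that severity/facility match what your FortiAnalyzer or FortiSIEM parser expects. If nothing arrives before the timeout, the usual culprits are a firewall between the appliance and the collector or a port mismatch between the two Log Settings fields.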