Adding FortiGate Firewall (Over CLI) via Syslog
You'll redirect the logs of the FortiGate product to the Logsign Unified SecOps Platform by configuring the device over an SSH connection to its CLI (Command Line Interface). First, open your SSH client and start a connection to the IP address of your FortiGate product. After entering the user credentials, enter the following commands in order:
config log syslogd setting -> Enter the configuration mode for the syslog settings of your FortiGate product.
set status enable -> Activate syslog forwarding.
set server LOGSIGN_IP_ADDRESS -> IP address of the Logsign Unified SecOps Platform (for example, set server 10.0.0.10).
set port 514 -> Port to which the logs are sent.
set facility local0 -> Syslog facility; you can use it to define the type of logs coming from the FortiGate product.
end -> Terminate and save the configuration you made.
To review the settings you've made, go back to the same config mode and display the configuration with the show command. Once you've configured the settings on the FortiGate side, let's add this source to the Logsign Unified SecOps Platform.
In the Logsign Unified SecOps Platform web interface, click the + Device button in the menu bar at the top of the page, which is opened by clicking the Settings tab. Then select Fortinet as the brand in the Vendor section. Because your device is a FortiGate, select FortiGate as the product as well. A page will come up to configure your FortiGate product.
Host: the IP address of the FortiGate product whose logs you want to retrieve.
Encoding: utf_8, the generally accepted standard in information technology, is set as the default. Leave it as it is.
Offset: in short, a time difference. If the system time of the device you are collecting logs from runs ahead of or behind the actual time, you can correct it here. The "+" sign moves the timestamp forward and the "-" sign moves it backward. The value is specified in minutes.
Data Policy: lets you filter incoming data in or out. In the Data Policy section, you can specify which kinds of logs (by keyword, event type, and so on) you do or do not want to receive from the source. The default setting is the Default Policy, whose only rule is "collect all logs."
Max Line Length to Process: each log is generated as a single line, and the Logsign Unified SecOps Platform takes these lines and analyzes them. In some cases, a single log line can be longer than two thousand forty-eight (2048) characters. In such cases, you can change this value.
Check Health: if you tick this box, you'll be informed about the service status and operability of the Logsign Unified SecOps Platform. The Health Check Period field appears when you tick the box; it is the time interval at which the check is performed.
Device Name: enter a descriptive name for the configuration you are making (for example, FortiFW). It makes things easier for the people who analyze the logs. You can think of the Description field as a free-text area specific to this source.
Tag: slightly different from the Description field, it serves a broader purpose. For example, if you use multiple firewalls and tag each one as forti1 or forti2, you can query by tag and build tag-based definitions when creating a report. If you want to query an event, you'll get a narrower result set by searching for the forti1 tag.
Once you've configured your FortiGate product, click the Save button to save the configuration and add the source.
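Before adding the source in Logsign, it helps to confirm that what arrives on port 514 really carries the facility you set (local0) and the key=value body a FortiGate produces, and to see how the Offset (in minutes) and Max Line Length to Process (2048) settings described above affect a line. The script below is an added example written for this page; it is not Logsign's or Fortinet's code and does not reproduce how the platform processes logs internally. It assumes syslog over UDP (the page does not state the transport) and uses constructed sample lines; the device names, serial placeholder and log content are invented.

```python
import re
from datetime import datetime, timedelta

# Values taken from the configuration described above.
SYSLOG_PORT = 514                 # "set port 514"
EXPECTED_FACILITY = 16            # "set facility local0": local0 is facility 16 in syslog PRI numbering
DEFAULT_MAX_LINE_LENGTH = 2048    # Logsign "Max Line Length to Process" default

PRI_RE = re.compile(r"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_pri(line):
    """Split the leading <PRI> header into (facility, severity); PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                 # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    return pri // 8, pri % 8


def parse_kv(body):
    """Parse a FortiGate-style key=value log body into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def check_message(line, offset_minutes=0, max_line_length=DEFAULT_MAX_LINE_LENGTH):
    """Validate one received line the way an intake check would: length, facility, timestamp."""
    result = {"accepted": False, "reasons": [], "facility": None,
              "severity": None, "fields": {}, "timestamp": None}
    if len(line) > max_line_length:
        result["reasons"].append(f"line length {len(line)} exceeds {max_line_length}")
    pri = parse_pri(line)
    if pri is None:
        result["reasons"].append("missing or invalid <PRI> header")
    else:
        result["facility"], result["severity"] = pri
        if pri[0] != EXPECTED_FACILITY:
            result["reasons"].append(f"facility {pri[0]} is not local0 ({EXPECTED_FACILITY})")
    fields = parse_kv(PRI_RE.sub("", line, count=1))
    result["fields"] = fields
    if "date" in fields and "time" in fields:
        try:
            ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
            # The Offset setting shifts the device timestamp by a signed number of minutes.
            result["timestamp"] = (ts + timedelta(minutes=offset_minutes)).isoformat()
        except ValueError:
            result["reasons"].append("unparseable date/time fields")
    else:
        result["reasons"].append("no date/time fields in body")
    result["accepted"] = not result["reasons"]
    return result


def receive_one(bind_addr="0.0.0.0", port=SYSLOG_PORT, timeout=30):
    """Wait for a single UDP syslog datagram (binding port 514 needs privileges); utf-8 as in the Encoding field."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_addr, port))
        data, peer = s.recvfrom(65535)
        return peer[0], data.decode("utf-8", errors="replace")


# Constructed sample lines (not captured from a real device).
SAMPLE_OK = ('<134>date=2024-03-01 time=10:00:00 devname="FGT-EDGE-01" devid="FG-SERIAL-PLACEHOLDER" '
             'logid="0100032001" type="event" subtype="system" level="information" '
             'logdesc="Admin login successful" user="admin" ui="ssh(10.0.0.5)" '
             'msg="Administrator admin logged in successfully from ssh(10.0.0.5)"')
# Same body but tagged with facility local7 (23): the facility setting did not take effect.
SAMPLE_WRONG_FACILITY = "<189>" + SAMPLE_OK[len("<134>"):]
# Same body padded past the 2048-character default.
SAMPLE_TOO_LONG = SAMPLE_OK + ' extra="' + "x" * 2100 + '"'

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("wrong_facility", SAMPLE_WRONG_FACILITY), ("too_long", SAMPLE_TOO_LONG)):
        r = check_message(sample, offset_minutes=30)
        print(name, "accepted" if r["accepted"] else r["reasons"], r["timestamp"])
```

Run it as-is to see the three constructed samples judged; to check a live device, call receive_one() on a host that the FortiGate has been pointed at and pass the returned line to check_message(). A rejected line with "facility 23 is not local0" means the set facility command was not applied, and a length rejection shows which lines would be affected by the Max Line Length to Process value.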
Adding FortiGate Firewall (Over GUI) via Syslog
You've seen how to add the FortiGate product as a source using the CLI; now you'll do the same through the FortiGate web GUI by adding the Logsign Unified SecOps Platform as a Syslog Server on your FortiGate device.
First, enter the IP address of your FortiGate device in your web browser. After you enter the device user credentials, you'll be redirected to the Dashboard page by default. From the menu bar on the left side of the page, go to Log & Report -> Log Config -> Log Settings.
On this page, select the logs that you want to collect and configure the Logsign Unified SecOps Platform as the Syslog Server.
After ticking the Send Logs to Syslog box under the Logging and Archiving heading, enter the IP address of the Logsign Unified SecOps Platform in the Server field on the right. After ticking the Event Logging box, tick the boxes of the logs you want to receive. It's recommended to tick the Enable All box so that all logs are sent.
After making these settings, click the Apply button at the bottom of the page to save and apply them.
Now that the Logsign Unified SecOps Platform is defined as the Syslog Server on the FortiGate side, you'll add the FortiGate device as a source on the Logsign Unified SecOps Platform side.
In the Logsign Unified SecOps Platform web interface, click the "+ Device" button in the menu bar at the top of the page, which is opened by clicking the Settings tab. In the Source Type Selection section, choose the Syslog method because you're adding a network-based device. On the following page, select Fortinet as the brand and then FortiGate as the sub-product. Then fill in the information for the FortiGate device whose logs you want to retrieve.