FortiGate – send logon events to Syslog

glitchlist Blog

Logon events such as administrator access or SSL VPN logins can be logged and sent to an event correlator (SIEM) for further analysis.

On FortiOS, configure this from the CLI with the following commands:

fortigate605-lab # config global
fortigate605-lab (global) # config log syslogd2 setting
fortigate605-lab (setting) # set status enable
fortigate605-lab (setting) # set server 10.9.9.10
fortigate605-lab (setting) # end
fortigate605-lab (global) # config log syslogd2 filter
fortigate605-lab (filter) # set forward-traffic disable
fortigate605-lab (filter) # set local-traffic disable
fortigate605-lab (filter) # set multicast-traffic disable
fortigate605-lab (filter) # set sniffer-traffic disable
fortigate605-lab (filter) # set anomaly disable
fortigate605-lab (filter) # set voip disable
fortigate605-lab (filter) # set filter "logid(0100032001,0100044546,0101039424,0101039425,0107045058,0102043040,0101039947)"
fortigate605-lab (filter) # end

FortiGate supports up to four syslog servers.
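On the receiving side it is worth checking that only the intended events actually arrive. The following is an added example, not part of the original post and not Fortinet code: a small Python parser for the key=value syslog lines a FortiGate emits, applying the same logid allowlist as the "set filter" command above and summarising the matches per user and source IP. The sample lines are constructed for the example (device serial is a placeholder, field values are illustrative), so field names and descriptions are assumptions about the log shape rather than captured output.

```python
import re
from collections import Counter

# Same logid allowlist as the FortiOS "set filter" line in the post.
LOGON_LOGIDS = {
    "0100032001", "0100044546", "0101039424", "0101039425",
    "0107045058", "0102043040", "0101039947",
}

# FortiOS syslog payloads are key=value pairs; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not real device output): an admin login, a forward-traffic
# record that the device-side filter should not forward, and an SSL VPN event.
SAMPLE_LINES = [
    '<189>date=2024-01-10 time=10:00:01 devname="fortigate605-lab" devid="FG-PLACEHOLDER" '
    'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.9.9.20)" method="https" '
    'srcip=10.9.9.20 dstip=10.9.9.1 action="login" status="success" reason="none" '
    'msg="Administrator admin logged in successfully from https(10.9.9.20)"',
    '<190>date=2024-01-10 time=10:00:02 devname="fortigate605-lab" devid="FG-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.9.9.20 dstip=93.184.216.34 srcport=51000 dstport=443 action="accept"',
    '<189>date=2024-01-10 time=10:00:03 devname="fortigate605-lab" devid="FG-PLACEHOLDER" '
    'logid="0101039424" type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel up" user="jdoe" srcip=198.51.100.7 action="tunnel-up" '
    'msg="SSL tunnel established"',
]


def parse_fortigate_line(line: str) -> dict:
    """Parse one FortiGate syslog line into a dict, dropping the optional <PRI> header."""
    payload = re.sub(r"^<\d+>", "", line.strip())
    fields = {}
    for m in _KV.finditer(payload):
        # group 2 is the quoted value (may be empty), group 3 the bare value
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def select_logon_events(lines, allowed=LOGON_LOGIDS):
    """Keep only events whose logid is in the allowlist; anything else should not have been
    forwarded by the device filter, so seeing it here means the filter is not in effect."""
    return [ev for ev in map(parse_fortigate_line, lines) if ev.get("logid") in allowed]


def summarize(events):
    """Count events per (logid, user, srcip): a first cut for a SIEM correlation rule."""
    return Counter(
        (e.get("logid"), e.get("user", "-"), e.get("srcip", "-")) for e in events
    )


if __name__ == "__main__":
    selected = select_logon_events(SAMPLE_LINES)
    for key, count in summarize(selected).items():
        print(f"logid={key[0]} user={key[1]} srcip={key[2]} count={count}")
```

Run against a file of received lines instead of SAMPLE_LINES to confirm that only the allowlisted logids reach the collector; any traffic records in the output indicate the filter on the FortiGate side is not applied.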

bye

.glitchlist crew
