Documentation for Threat Monitor

Add FortiGate logs

Before following this procedure, find the devid field in your FortiGate log. For example, devid=GHU2LE4028911449.

  1. In Threat Monitor, navigate to Admin > Manage Collectors.
  2. In the sensors list, select a collector, and then click Edit.

  3. Click the Syslog tab.

  4. Click the Log Destinations tab, and then click Add.

  5. In the Destination Setup window, select Both File and Elastic SOC.

  6. Enter a unique name based on the data source (fortigate).

    When entering a name, do not use spaces.

  7. Enter a file storage location on the collector, select the appropriate plugin (fortigate), and then click Save.

    This is typically located in /var/log/<filename>.log. For example, /var/log/fortigate.log. You must specify a log destination for each plugin.

  8. Click the Filters tab, and then click Add.

  9. Enter a unique filter name based on the data source (Fortigate).

    The purpose of this filter is to give Threat Monitor something unique that it can match in the logs, so that it knows which device a log line is coming from. The best way to determine which filter to use is to look at the logs being sent over and find something unique and specific to that device.

  10. To set your filter conditions, click Add Row.
  11. From the Condition drop-down list, select n/a.
  12. From the Filter drop-down list, select message.
  13. In the Value field, enter the devid value from your fortigate log.

    The devid value shown at the start of this procedure is only an example. The value you enter should be the devid that is unique to your FortiGate device; do not use the example value shown here.

  14. Click the Actions tab, and then click Add.

  15. Add four rows, and then make the following selections from the Type and Value drop-down lists:
    • Source: network
    • Filter: fortigate
    • Destination: fortigate (Elastic SOC)
    • Destination: fortigate (file)
  16. To save your settings, click Apply changes.
  17. Click the Data Sources tab.
  18. Click New Plugin.
  19. From the Active Plugin list, select fortigate.
  20. Click the gear icon next to each Play button under the Parser Workers, Storage Workers, and Error Workers, and then click Save.

    This step is required to create the queues that process your incoming logs.

  21. For each queue, click Play.
  22. Set Parser Workers to 5 and Storage Workers to 10.
  23. Click Save.
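As an added example (not part of the Threat Monitor documentation), the following Python parses FortiGate key=value log lines, lists the devid values seen, and checks that a candidate filter value like the one entered in step 13 matches every line from the intended device and none from any other. The sample log lines and devid values are constructed placeholders, not captured from a real device.

```python
import re
from typing import Dict, List

# Constructed sample FortiGate syslog lines (placeholders, not real device output).
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:01:02 devname="fw-edge-1" devid=FGT60FEXAMPLE001 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 action="accept" msg="Example traffic log"',
    'date=2024-01-15 time=10:01:03 devname="fw-edge-1" devid=FGT60FEXAMPLE001 logid="0100032002" type="event" subtype="system" msg="Admin login successful"',
    'date=2024-01-15 time=10:01:04 devname="fw-branch" devid=FGT60FEXAMPLE002 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.1.7 dstip=198.51.100.4 action="deny"',
]

# FortiGate logs are space-separated key=value pairs; a value may be double-quoted
# and, when quoted, may contain spaces (e.g. msg="Admin login successful").
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortigate(line: str) -> Dict[str, str]:
    """Return the key=value fields of one FortiGate log line, unquoting quoted values."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
        for m in _KV_RE.finditer(line)
    }


def devids(lines: List[str]) -> Dict[str, int]:
    """Count how many lines carry each devid, so you can see which devices are sending logs."""
    counts: Dict[str, int] = {}
    for line in lines:
        devid = parse_fortigate(line).get("devid")
        if devid is not None:
            counts[devid] = counts.get(devid, 0) + 1
    return counts


def filter_is_selective(lines: List[str], value: str, expected_devid: str) -> bool:
    """Mimic the 'message contains value' filter from steps 11-13.

    Returns True only if the value matches every line from expected_devid and
    no line from any other device; a partial devid or a generic field like
    type="traffic" fails this check.
    """
    for line in lines:
        matched = value in line
        from_device = parse_fortigate(line).get("devid") == expected_devid
        if matched != from_device:
            return False
    return True
```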