How to Fetch Logs for Fortinet Security Fabric with FortiAnalyzer

In the following post we walk you through how to fetch logs in this platform.


FortiAnalyzer is a centralized platform for log management, analytics, and reporting across the wider suite of Fortinet Security Fabric products. It gives organizations a single console for management, automation, orchestration, and response in security operations.

Steps for Fetching Logs

Once you have created a fetch profile for the remote device (the fetch server), requesting its logs is straightforward. The fetched logs can be placed in an existing ADOM on the local device (the fetch client), or in a new ADOM created for the purpose.

To begin:

  1. Navigate to System Settings -> Fetcher Management, and select the Profiles tab.
  2. Right-click on the fetch profile you've generated.
  3. Select Request Fetch.
  4. Adjust the settings in the Fetch Logs dialog so the request matches your requirements (see the field descriptions below).
  5. Execute the request by clicking Request Fetch.

Below are the fields in a fetch log request, with what each one controls:

Name: Displays the name of the specified fetch server.
Server IP: Displays the IP address of the selected server.
User: Displays the username of the server administrator used for the operation.
Server ADOM: The ADOM on the server from which the logs will be fetched.
Local ADOM: The ADOM on the client that will receive the logs. Select an existing ADOM from the dropdown or create a new one.
Devices: Displays the devices and/or VDOMs from which the logs will be fetched. You can include up to 256 devices in this field.
Time Period: The date range of the logs you want to fetch.
Enable Filters: Select this option to filter the logs that are fetched. Choose All or Any of the Following Conditions to decide whether every filter or just one filter must match for a log to be fetched. Add filters to the table by selecting a Log Field, Match Criteria, and Value for each one.
Index Fetch Logs: If selected, the fetched logs are automatically indexed in the client's SQL database after the transfer completes.
Secure Connection: Transfer the fetched logs from the server over an SSL connection.
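The Time Period, Devices and Enable Filters fields together decide which records a fetch request will actually pull. The following added example (not FortiAnalyzer's own code, and not the page's) models that selection locally so you can see how the All/Any setting changes the result before you fire a request against a production server. The sample records are constructed FortiGate-style key=value lines, and the match criteria names ("equal", "not equal", "contains", "not contains") are assumptions standing in for the dialog's own labels.

```python
import re
from datetime import datetime

# Constructed sample records in FortiGate-style key=value syntax (not real traffic).
SAMPLE_LOGS = [
    'date=2024-03-01 time=10:15:02 devname="fgt-branch-1" type="traffic" subtype="forward" srcip=10.1.1.5 dstip=8.8.8.8 action="accept" level="notice"',
    'date=2024-03-01 time=10:16:40 devname="fgt-branch-1" type="utm" subtype="ips" srcip=10.1.1.9 dstip=203.0.113.7 action="dropped" level="critical"',
    'date=2024-03-02 time=02:03:11 devname="fgt-hq" type="event" subtype="system" action="login" level="warning" user="admin"',
    'date=2024-03-03 time=09:45:00 devname="fgt-hq" type="traffic" subtype="forward" srcip=10.2.0.4 dstip=198.51.100.2 action="deny" level="warning"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    return rec


def match(rec, field, criteria, value):
    """Evaluate one filter row (Log Field, Match Criteria, Value) against a record."""
    actual = rec.get(field, "")
    if criteria == "equal":
        return actual == value
    if criteria == "not equal":
        return actual != value
    if criteria == "contains":
        return value in actual
    if criteria == "not contains":
        return value not in actual
    raise ValueError(f"unknown match criteria: {criteria}")


def _timestamp(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def select_logs(lines, start, end, devices=None, filters=(), mode="all", enable_filters=True):
    """Return the records a fetch request would select.

    start/end: inclusive Time Period bounds as "YYYY-MM-DD HH:MM:SS" strings.
    devices:   optional list of devnames (the Devices field); None means all.
    filters:   list of (field, criteria, value) rows; applied only if enable_filters.
    mode:      "all" = All of the Following Conditions, "any" = Any of the Following Conditions.
    """
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    t1 = datetime.strptime(end, "%Y-%m-%d %H:%M:%S")
    combine = all if mode == "all" else any
    selected = []
    for line in lines:
        rec = parse_log(line)
        if not (t0 <= _timestamp(rec) <= t1):
            continue
        if devices is not None and rec.get("devname") not in devices:
            continue
        if enable_filters and filters:
            if not combine(match(rec, f, c, v) for f, c, v in filters):
                continue
        selected.append(rec)
    return selected


if __name__ == "__main__":
    rows = [("level", "equal", "critical"), ("type", "equal", "event")]
    for mode in ("any", "all"):
        hits = select_logs(SAMPLE_LOGS, "2024-03-01 00:00:00", "2024-03-02 23:59:59", filters=rows, mode=mode)
        print(mode, [h["devname"] for h in hits])
```

With the two filter rows above, Any returns the critical IPS record and the admin login event, while All returns nothing, because no single record satisfies both rows. That is the usual mistake when a fetch comes back empty: the filters were combined with All when Any was intended. Note also that the 2024-03-03 record is excluded by the Time Period before any filter is consulted.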

Optional Step - Ensure synchronization between devices and ADOMs

This step is optional, but it can be completed as part of the fetch process.

Note: Synchronizing devices and ADOMs matters when fetching logs from the remote device for the first time, or when devices or ADOMs have been added, removed or changed since the last fetch; without it the client may not know about the devices whose logs you are requesting.

To begin:

  1. Head to System Settings -> Fetcher Management.
  2. Select the Profiles tab.
  3. Select the log fetch profile.
  4. Click Sync Devices.

Considering building an integration with FortiSIEM or any other product within Fortinet? Metron is a Fortinet Technical Alliance partner and has experience building scalable integrations with Fortinet’s products.

If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to connect@metronlabs.com.