Overview

We are providing the steps to integrate your Fortianalyzer with Seceon SIEM to have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we guide you through the Log and forwarding steps.

Steps of configuration

Login to the Fortianalyzer

Go to System Settings > Advanced > Syslog Server.

Click Create New in the toolbar. The Create New Syslog Server Settings pane opens.

Configure the following settings and then select OK to create the mail server.

Name: Enter a name for the Syslog server like Seceon CCE.
IP address (or FQDN): Enter an IP Address or FQDN for the Seceon CCE - Syslog server.
Enter the Syslog server port number. The default port is 514.

To add a Syslog server:

CLI Configuration for local logs
After adding a Syslog server to FortiAnalyzer, the next step is to enable FortiAnalyzer to send local logs to the Syslog server. You can only enable these settings by using the CLI.

config system local log syslogd setting
set severity debug
set status enable
set syslog-name <syslog server name>
end

Verification Of Configuration

Verification can be done either from CCE Server or from the Seceon GUI.

Log in to the Seceon GUI with Administrator Access and Navigate to System >> Log/Flow Collection Status

Seceon Public Portal > Configuring a Syslog destination on your Fortinet FortiAnalyzer device > image-20220531-082011.png

inside SOURCE DEVICE IP, IP will reflect.

Seceon Public Portal > Configuring a Syslog destination on your Fortinet FortiAnalyzer device > image-20220531-082322.png

Using the Seceon CCE Server

Login into CCE Server with seceon login credentials & following command should be running on the CCE server to check whether or not we are getting logs.

sudo tcpdump -i any host 514 and host <IP address> -s0 -AAA