fortinet/fortigate
Vendor | Fortinet Inc. |
Author | CrowdStrike |
Version | 1.2.0 |
Minimum LogScale Version | 1.142.0 |
Monitor Fortinet™ FortiGate for suspicious activity more efficiently by correlating FortiGate logs with other sources in LogScale. Quickly find early indicators of attack such as failed admin login attempts, changes in firewall policies, higher amount of inbound blocked connections and more.
Breaking Changes
This update includes parser changes, which means that data ingested after upgrade will not be backwards compatible with logs ingested with the previous version.
Updating to version 1.0.0 or newer will therefore result in issues with existing queries in for example dashboards or alerts created prior to this version.
See CrowdStrike Parsing Standard (CPS) 1.0 for more details on the new parser schema.
Follow the CPS Migration to update your queries to use the fields and tags that are available in data parsed with version 1.0.0.
Installing the Package in LogScale
Find the repository where you want to send the FortiGate logs, or create a new one.
Navigate to your repository in the LogScale interface, click Settings and then on the left.
Click
and install the LogScale package for FortiGate (i.e. fortinet/fortigate).When the package has finished installing, click
on the left still under the .In the right panel, click
to create a new token. Give the token an appropriate name (e.g. the name of the server the token is ingesting logs for), and either leave the parser unassigned (instead of setting the parser in the log collector configuration later on), or assign thefortinet-fortigate
parser to it.Figure 22. Ingest Token
Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.
Now that you have a repository set up in LogScale along with an ingest token you're ready to send events to LogScale.
Configurations and Sending the logs to LogScale
First you need to configure FortiGate to send all logs types to the syslog server.
Next, configure the Falcon LogScale Collector to ship the logs from your syslog server into LogScale. Follow LogScale Collector Install Falcon Log Collector and Configure Falcon Log Collector. LogScale Collector documentation also provides an example of how you can configure your syslog datasource.
Verify Data is Arriving in LogScale
Once you have completed the above steps the fortinet data should be arriving in your LogScale repository.
You can verify this by doing a simple search for
#event.module = "fortigate" | #Vendor =
"fortinet"
to see the events.
Next steps and use cases
You can get actionable insights from your Fortigate data by hunting for suspicious activity in LogScale using the Searching Data, Dashboards & Widgets or Automation.