SOLVED

Azure Sentinel receiving log from Firewall Fortinet


Hi Team.


We are using Azure Sentinel to receive logs from Fortinet Firewall via syslog, where it is forwarding all types of logs, how can I configure the syslog so that it forwards only important logs?

4 Replies
best response confirmed by BrunoFeltrin (New Contributor)
Solution
There is an option in Fortinet Manager itself where you can create a rule by going to System Settings > Log Forwarding > Create New, switching the log filter option to "On" > Log messages that match > click on "Any of the following conditions", and create your own rule to forward only the specific logs that you want to send. Thanks.
I've gone through this pain and collected 13GB of logs per day from the Fortinet Firewall. Finally ended up getting a firewall engineer to selectively forward logs to the syslog (Linux) server. Refer to this link. You can opt out of levels 6 & 7 to avoid unnecessary noise.
Hi Susantha Silva, the link you entered does not appear, so I cannot verify it.

@BrunoFeltrin Fortinet firewall logging levels are mentioned here - https://docs.fortinet.com/document/fortimanager/7.0.0/log-message-reference/547625/priority-levels


Best is to request your firewall administrator to log into CLI mode and forward those logs into your syslog server via the pre-configured port number of the syslog server. Normally the port number is 514. Please refer to the attached picture as well. Fortinet log forwarding.PNG
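The severity filter the replies describe (relay only Fortinet priority levels 0 to 5, dropping 6 information and 7 debug before the Linux syslog server hands lines to the Sentinel collector), as an added example that is not code from any poster in this thread: a Python filter over FortiGate key=value syslog lines. The level name to number mapping follows the priority-levels reference linked above; the sample log lines are constructed, and the `level="..."` field layout is an assumption about the device's syslog output.

```python
import re
from typing import Iterable, List, Optional

# FortiGate priority levels per the linked priority-levels reference (0 = most severe).
# Keys are the strings that appear in the level= field of each log line.
FORTINET_LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}

# Forward levels 0-5 only; 6 (information) and 7 (debug) are the noise the thread suggests dropping.
MAX_FORWARDED_LEVEL = 5

# Assumption: FortiGate writes key=value pairs and quotes string values, e.g. level="notice".
_LEVEL_RE = re.compile(r'(?:^|\s)level="?(?P<level>[a-z]+)"?')


def fortinet_level(line: str) -> Optional[int]:
    """Return the numeric priority of a FortiGate syslog line, or None if no known level= field."""
    m = _LEVEL_RE.search(line)
    return FORTINET_LEVELS.get(m.group("level")) if m else None


def should_forward(line: str, max_level: int = MAX_FORWARDED_LEVEL) -> bool:
    """Keep lines at or above the severity threshold. Lines whose level is missing or unknown
    are kept (fail open): a parsing miss must never silently discard a security event."""
    lvl = fortinet_level(line)
    return lvl is None or lvl <= max_level


def filter_lines(lines: Iterable[str], max_level: int = MAX_FORWARDED_LEVEL) -> List[str]:
    """Return only the lines that should be relayed on to the Sentinel syslog collector."""
    return [ln for ln in lines if should_forward(ln, max_level)]


# Constructed sample lines in FortiGate syslog layout (not captured from a real device).
SAMPLE_LINES = [
    'date=2021-08-01 time=10:00:01 devname="FGT-EDGE" logid="0000000001" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 dstip=203.0.113.7 action="accept"',
    'date=2021-08-01 time=10:00:02 devname="FGT-EDGE" logid="0000000002" type="event" subtype="system" level="warning" logdesc="Admin login failed" user="admin" srcip=198.51.100.9',
    'date=2021-08-01 time=10:00:03 devname="FGT-EDGE" logid="0000000003" type="event" subtype="system" level="information" logdesc="System performance statistics" cpu=12',
    'date=2021-08-01 time=10:00:04 devname="FGT-EDGE" logid="0000000004" type="event" subtype="system" level="debug" logdesc="Config change trace"',
    'date=2021-08-01 time=10:00:05 devname="FGT-EDGE" logid="0000000005" type="utm" subtype="ips" action="dropped" msg="signature hit"',
]

if __name__ == "__main__":
    kept = filter_lines(SAMPLE_LINES)
    print(f"forwarded {len(kept)} of {len(SAMPLE_LINES)} lines")
    for ln in kept:
        print(ln)
```

The same threshold can be applied on the device side through its log filter settings as the replies suggest; doing it on the relay as well gives a second place to measure how much volume the filter removes before it reaches the workspace.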