Configure Fortinet Log Collector

The Alert Logic Fortinet collector is designed to enable Alert Logic to run our common firewall analytics on data from your Fortinet devices. These analytics identify suspicious communication with internet hosts which Alert Logic considers threat actors. Significant security findings from your Fortinet devices will result in the creation of incidents that can be managed in the Alert Logic console.

You must complete the following to send data from your Fortinet device(s) to Alert Logic:

1. Download and install the remote collector
2. Configure Fortinet device
3. Verify log collection

Download and install the remote collector

To send data from your Fortinet device(s) to Alert Logic, you must first download and install the remote collector in the same network as the Fortinet device(s).

To download and install the remote collector:

1. Review the requirements for the remote collector as outlined in Requirements for the Alert Logic Remote Collector and ensure all requirements are met.
2. Complete the following instructions for Linux or Windows, making sure to choose a host in the same network as the Fortinet device(s).
   • Install the Remote Collector for Linux
   • Install the Remote Collector for Windows
     
3. While installing the remote collector, note the IP of the host where the collector is installed. This IP will be needed when configuring the Fortinet device.

Configure Fortinet device

Once the remote collector is installed, the Fortinet device needs to be configured to send data to the collector. Some customers centralize multiple FortiGate firewall logs into a tool called FortiAnalyzer. Use one of the following processes based on whether you are performing configuration using FortiAnalyzer or FortiGate.

To configure the device using FortiAnalyzer:

1. In the FortiAnalyzer user interface (UI), navigate to System Settings > Log Forwarding.
2. In the toolbar, click Create New. The Create New Log Forwarding window will open.
3. To create the new log forwarding, enter the following information:
   • Name: Enter a name to identify the remote collector; the name does not need to be the actual hostname.
   • Status: Select On.
   • Remote Server Type: Select Syslog.
   • Server IP: Enter the IP of the remote collector.
   • Server Port: Set as 1515 or the port you have configured the remote collector to listen on.

   • Reliable Connection: Set to Off, as Alert Logic requires UDP.

     Due to Fortinet's use of octet-counting, Alert Logic does not support ingesting Fortinet logs over TCP.

   • Configure the remaining options as desired.
4. Click OK.

To configure the device using FortiGate:

To send logs directly from a FortiGate firewall, complete the following steps.

1. In the FortiGate UI, navigate to Log & Report.
2. Select Send logs to syslog.
3. Enter the IP address of your remote collector.
4. Click Apply to save the changes.
5. In the Fortinet CLI, enter the following commands to change the default syslog port to 1515:
   config log syslogd setting set status enable
   set mode udp
   set port 1515
   

Verify log collection

Once you have installed the remote collector and configured the Fortinet device, it is recommended to verify that log collection is successful. It may take up to 15 minutes for Alert Logic to begin receiving logs.

1. Log in to the Alert Logic console and use one of the following links to access the Search console with criteria already entered:
   • Raw messages
   • Grouped by Message Type
2. Uncomment either of the two commented lines with SQL parameters and replace either $COLLECTOR_ID or $COLLECTOR_IP with your preferred identifier for the remote collector.
3. Click Search.
4. Verify logs display for the remote collector.