
FortiMail

Overview

Fortinet sells physical products such as firewalls, plus software and services such as anti-virus protection, intrusion prevention systems and endpoint security components.

FortiMail logs

On FortiMail appliances, most of the hardware and software activities that are relevant for security detection and analysis are logged into six files.

  • History (statistics): Records all email traffic going through the FortiMail unit.
  • System Event (kevent): Records system management activities, including changes to the system configuration as well as administrator and user logins and logouts.
  • Mail Event (event): Records mail activities.
  • Antispam (spam): Records spam detection events.
  • Antivirus (virus): Records virus intrusion events.
  • Encryption (encrypt): Records detection of IBE-related events.

Transport to the collector

Prerequisites

The following prerequisites are needed in order to set up efficient log concentration:

  • Have administrator privileges on the FortiMail appliance
  • Traffic towards the Rsyslog server must be allowed on UDP 514

Configure FortiMail

Configure logging to a RSYSLOG server

  1. Go to Log and Report > Log Settings > Remote.
  2. Click New to create a new entry OR double-click an existing entry to modify it. A dialog appears.
  3. Select Enable to allow logging to a remote host.
  4. In Profile name, enter a profile name.
  5. In IP, enter the IP address of the Syslog server where the FortiMail unit will store the logs.
  6. In Port, enter the UDP port number on which the Syslog server listens for connections (by default, UDP 514).
  7. From Level, select the severity level that a log message must equal or exceed in order to be recorded to this storage location.
  8. From Facility, select the facility identifier that the FortiMail unit will use to identify itself when sending log messages.

To easily identify log messages from the FortiMail unit when they are stored on a remote logging server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

  9. From Log protocol, select Syslog.
  10. In Logging Policy Configuration, enable the types of logs you want to record to this storage location. Click the arrow to review the options.
  11. Click Create.

For detailed information about configuring log forwarding, see Configure FortiMail Log Forwarding.

Transport to SEKOIA.IO

Configure the Rsyslog to forward to SEKOIA.IO

Rsyslog prerequisites

To allow rsyslog to work properly, please ensure the following packages are installed:

sudo apt install rsyslog rsyslog-gnutls wget

Please ensure that incoming UDP events are allowed in /etc/rsyslog.conf:

....
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
....

Download the certificate

In order to allow the connection of your Rsyslog server to the SEKOIA.IO intake, please download the SEKOIA.IO intake certificate:

$ wget -O /etc/rsyslog.d/SEKOIA-IO-intake.pem https://app.sekoia.io/assets/files/SEKOIA-IO-intake.pem

Configure the Rsyslog server

Open or create a new FortiMail configuration file for Rsyslog:

sudo vim /etc/rsyslog.d/13-fortimail.conf

Paste the following Rsyslog configuration so that your Rsyslog server forwards the FortiMail logs to SEKOIA.IO:

# Define the SEKOIA-IO intake certificate
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/SEKOIA-IO-intake.pem

# Template definition [RFC5424](https://tools.ietf.org/html/rfc5424#section-7.2.2)
# IMPORTANT: don't forget to set your intake key in the template
template(name="SEKOIAIOFortMailTemplate" type="string" string="<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] %msg%\n")
# Send your events to SEKOIA.IO intake servers under SEKOIAIOFortMailTemplate template
if ($hostname == "YOUR_FORTIMAIL_HOSTNAME") then {
    action(
        type="omfwd"
        protocol="tcp"
        target="intake.sekoia.io"
        port="10514"
        TCP_Framing="octet-counted"
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="intake.sekoia.io"
        Template="SEKOIAIOFortMailTemplate"
    )
}

In the above template instruction, replace the YOUR_INTAKE_KEY placeholder with your intake key, which you can find in Operation Center > Configure > Intakes, and replace the YOUR_FORTIMAIL_HOSTNAME placeholder in the condition with the hostname of your FortiMail unit.
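As an added check before restarting Rsyslog (example code, not part of the SEKOIA.IO or Fortinet documentation), the following Python parses a line laid out as SEKOIAIOFortMailTemplate emits it, decodes the facility and severity selected in steps 7 and 8, and reports placeholders that were left in the template or a hostname that does not match the condition. The sample line and its key=value body are constructed.

```python
import re

# Layout produced by the SEKOIAIOFortMailTemplate string (RFC 5424):
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID LOG [SEKOIA@53288 intake_key="..."] MSG
LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) '
    r'LOG \[SEKOIA@53288 (?P<sd>[^\]]*)\] (?P<msg>.*)$'
)
SD_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
BODY_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: PRI 182 = local6 (22) * 8 + info (6); the body mimics
# FortiMail's space-separated key=value style and is not a real appliance record.
SAMPLE = ('<182>1 2024-05-02T10:15:42.000Z fortimail-01 fortimail - LOG '
          '[SEKOIA@53288 intake_key="YOUR_INTAKE_KEY"] '
          'date=2024-05-02 time=10:15:42 type=kevent subtype=admin '
          'pri=information user=admin action=login status=success')

def parse_intake_line(line):
    """Split one forwarded line into header, decoded PRI, SD params and body fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the SEKOIAIOFortMailTemplate layout")
    pri = int(m.group("pri"))
    params = dict(SD_PARAM_RE.findall(m.group("sd")))
    body = {k: v.strip('"') for k, v in BODY_KV_RE.findall(m.group("msg"))}
    return {
        "facility": FACILITIES.get(pri // 8, str(pri // 8)),  # what step 8 selected
        "severity": SEVERITIES[pri % 8],                        # what step 7 filters on
        "hostname": m.group("host"),
        "intake_key": params.get("intake_key"),
        "body": body,
    }

def check_line(line, expected_host, expected_facility):
    """Return the problems to fix before enabling the forwarder (empty list if none)."""
    rec = parse_intake_line(line)
    problems = []
    if rec["intake_key"] in (None, "", "YOUR_INTAKE_KEY"):
        problems.append("intake_key placeholder was not replaced in the template")
    if rec["hostname"] != expected_host:
        problems.append(f"hostname {rec['hostname']} does not match YOUR_FORTIMAIL_HOSTNAME")
    if rec["facility"] != expected_facility:
        problems.append(f"facility {rec['facility']} differs from the one set on the FortiMail unit")
    return problems
```

Feed it a line captured with tcpdump or from a local rsyslog debug file to confirm the facility matches the one configured on the appliance and that no other device shares it.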

Restart Rsyslog

$ sudo systemctl restart rsyslog.service

Enjoy your events

Go to the events page to watch your incoming events.