This documentation details one way to collect and send FortiWeb logs to SEKOIA.IO: from the FortiWeb appliance to an internal log concentrator (Rsyslog), which then forwards them to SEKOIA.IO.
The following table lists the data source offered by this integration.

| Data source |
|---|
| Fortinet WAF |
On FortiWeb appliances, most of the important hardware and software activities that are relevant for security detection and analysis are logged into three files:
- Traffic: Displays traffic flow information, such as HTTP/HTTPS requests and responses.
- Event: Displays administrative events, such as downloading a backup copy of the configuration, and hardware failures.
- Attack: Displays attack and intrusion attempt events.
Transport to the concentrator
The following prerequisites are needed in order to set up efficient log concentration:
- Have administrator rights on the FortiWeb (read & write permission)
- Traffic towards the Rsyslog must be open on
Enable logging via trigger mechanism
- Go to Log&Report > Log Config > Other Log Settings
- Tick the boxes: Enable Attack Log / Enable Traffic Log / Enable Event Log
Configure Syslog policies
- Go to Log&Report > Log Policy > Syslog Policy.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.
- Click Create New.
- Policy Name: if the policy is new, type the name of the policy as it will be referenced in the configuration.
- IP Address: enter the address of the remote Syslog server.
- Port: enter the listening port number of the Syslog server. The default is 514.
Configure log destinations
- Go to Log&Report > Log Config > Global Log Settings
- Tick the Syslog box
- Select the relevant Syslog Policy, Log Level and Facility
For more information, please refer to the official documentation of FortiWeb.
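Once the three log types are enabled and the Syslog policy points at the concentrator, a quick way to confirm that Traffic, Event and Attack logs are all arriving is to parse a sample of what Rsyslog receives and count lines per type. The following added example (not part of this documentation or of Fortinet's tooling) assumes the FortiWeb syslog body is a key=value list with a `type` field; the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines: RFC 3164 syslog framing followed by a FortiWeb-style
# key=value body. Field names and values are illustrative, not real captures.
SAMPLE_LINES = [
    '<134>Jan 10 10:00:01 fortiweb-01 date=2024-01-10 time=10:00:01 log_id=20000001 '
    'type=traffic subtype="http" src=10.0.0.5 dst=10.0.1.10 http_method=GET',
    '<132>Jan 10 10:00:02 fortiweb-01 date=2024-01-10 time=10:00:02 log_id=30000001 '
    'type=attack subtype="waf_signature_detection" main_type="SQL Injection" '
    'src=203.0.113.7 action=Alert_Deny',
    '<134>Jan 10 10:00:03 fortiweb-01 date=2024-01-10 time=10:00:03 log_id=10000001 '
    'type=event subtype="system" msg="Configuration backup downloaded by user admin"',
]

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

EXPECTED_TYPES = {"traffic", "event", "attack"}  # the three FortiWeb log files


def parse_fortiweb_line(line):
    """Return the key=value fields of a FortiWeb syslog line as a dict.
    The syslog prefix contains no '=' so it is skipped by the regex; quotes
    around quoted values are stripped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(lines):
    """Count lines per log type and report which expected types are absent,
    so a log type left unticked under Other Log Settings becomes visible.
    Returns (counts, missing_types, lines_with_unknown_type)."""
    counts = Counter()
    unknown = []
    for line in lines:
        log_type = parse_fortiweb_line(line).get("type")
        if log_type in EXPECTED_TYPES:
            counts[log_type] += 1
        else:
            unknown.append(line)
    missing = sorted(EXPECTED_TYPES - set(counts))
    return counts, missing, unknown


if __name__ == "__main__":
    counts, missing, unknown = classify(SAMPLE_LINES)
    print("per type:", dict(counts))
    print("missing types:", missing or "none")
    print("lines without a known type:", len(unknown))
```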
Transport to SEKOIA.IO
The reader is invited to consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.