AlienVault® USM Anywhere™

FortiManager VM

When you configure FortiManager VM integration to send log data to USM Anywhere, you can use the FortiManager VM plugin to translate the raw log data into normalized events for analysis.

Device Details
  Device vendor: Fortinet
  Device type: Firewall virtual appliance
  Connection type: syslog
  Vendor link: https://www.fortinet.com/products-services/products/firewall.html

Integrating FortiManager

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor that will receive the syslog data.

UI Configuration

To configure FortiManager to send log data to USM Anywhere

  1. Go to System Settings > Advanced > Syslog Server.
  2. In the toolbar, select Create New.
  3. In the New Syslog Server popup, configure the fields as follows:

     • Name — Choose any name for the syslog server.
     • IP address or FQDN — IP address of the USM Anywhere Sensor.
     • Port — 514

  4. Click OK.

CLI Configuration

To configure FortiManager to send log data to USM Anywhere

  • Enter:

    config system syslog
      edit <Syslog_Server_name>
        set ip <USM_Anywhere_IP_address>
      next
    end

    Example

    config system syslog
      edit "Syslog-serv1"
        set ip "11.11.11.11"
      next
    end

Configuring the Logging Level for Local Log syslogd

To configure logging level for local log syslogd

  • Enter:

    config system locallog syslogd setting
      set syslog-name <Syslog_Server_name>
      set severity {emergency | alert | critical | error | warning | notification | information | debug}
      set status {enable | disable}
      set csv
      set facility <facility-name>
      set port 514
    end

    Notes on the settings:

    • Syslog_Server_name must be the same name used in the previous procedure.
    • severity sets the minimum severity level to log; messages less severe than this level are not sent.
    • csv is optional; set it to send the log in CSV format.
    • facility indicates the facility used for remote syslog.

Example

    config system locallog syslogd setting
      set severity information
      set status enable
      set syslog-name "Syslog-serv1"
    end

Plugin Enablement

The Fortinet FortiManager plugin will automatically process all messages that contain "devname=" as part of the raw message.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • application
  • base_event_count
  • bytes_in
  • bytes_out
  • content_category
  • destination_address
  • destination_port
  • device_direction
  • device_external_id
  • event_category
  • event_description_url
  • event_name
  • event_severity
  • event_subcategory
  • http_hostname
  • policy
  • rep_device_hostname
  • rep_device_inbound_interface
  • rep_device_outbound_interface
  • rep_device_rule_id
  • rep_device_type
  • request_url
  • source_address
  • source_mac
  • source_port
  • source_username
  • timestamp_occured
  • transport_protocol
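The following Python script is an added illustration, not part of this page or of the USM Anywhere plugin. It shows the two ideas above in working code: the enablement rule (a message is handled only if it contains "devname="), and how a Fortinet key=value syslog line is turned into the plugin field names listed above. The key-to-field mapping, the sample log line, the device name and device id are all assumptions constructed for the example; the real plugin's mapping is not published on this page. It also includes a check of the severity order from the CLI procedure, so you can see whether a given message would pass a `set severity` threshold.

```python
import re
from typing import Dict, Optional

# Constructed sample message in the Fortinet key=value syslog format (not a real
# capture); the device name, device id and addresses are made-up placeholders.
SAMPLE_LOG = (
    '<189>date=2024-01-15 time=10:22:31 devname="FGT-EDGE-1" devid="FGVM-EXAMPLE-01" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.1.25 srcport=51234 srcintf="port2" dstip=203.0.113.10 dstport=443 '
    'dstintf="port1" proto=6 action="accept" policyid=7 app="HTTPS" '
    'sentbyte=1532 rcvdbyte=9876 user="jdoe" srcmac="00:11:22:33:44:55" '
    'msg="traffic accepted"'
)

# One key=value pair; the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# ASSUMED mapping from Fortinet log keys to the plugin field names listed on this
# page. This is an illustrative guess, not the plugin's own translation table.
FIELD_MAP = {
    "srcip": "source_address", "srcport": "source_port", "srcmac": "source_mac",
    "user": "source_username", "dstip": "destination_address",
    "dstport": "destination_port", "srcintf": "rep_device_inbound_interface",
    "dstintf": "rep_device_outbound_interface", "devname": "rep_device_hostname",
    "devid": "device_external_id", "policyid": "rep_device_rule_id",
    "action": "access_control_outcome", "app": "application",
    "type": "event_category", "subtype": "event_subcategory",
    "level": "event_severity", "msg": "event_name",
    "sentbyte": "bytes_out", "rcvdbyte": "bytes_in",  # direction is an assumption
}
INT_FIELDS = ("source_port", "destination_port", "bytes_in", "bytes_out")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

# Severity keywords in the order the CLI lists them, most to least severe.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]
# Log lines spell the sixth level "notice"; treat it as the CLI's "notification".
SEVERITY_ALIASES = {"notice": "notification", "info": "information"}


def is_handled_by_plugin(raw: str) -> bool:
    """Enablement rule from this page: any message containing 'devname=' is processed."""
    return "devname=" in raw


def parse_kv(raw: str) -> Dict[str, str]:
    """Split a Fortinet-style line into a dict; quoted values keep their spaces."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(raw)}


def severity_rank(level: str) -> int:
    """0 = emergency ... 7 = debug; raises ValueError for an unknown level name."""
    name = SEVERITY_ALIASES.get(level.lower(), level.lower())
    return SEVERITY_ORDER.index(name)


def meets_minimum(level: str, minimum: str) -> bool:
    """True if a message at `level` passes a `set severity <minimum>` threshold."""
    return severity_rank(level) <= severity_rank(minimum)


def normalize(raw: str) -> Optional[Dict[str, object]]:
    """Return the normalized event, or None when the plugin would not handle the line."""
    if not is_handled_by_plugin(raw):
        return None
    kv = parse_kv(raw)
    event: Dict[str, object] = {}
    for src_key, field in FIELD_MAP.items():
        if src_key in kv:
            event[field] = kv[src_key]
    for field in INT_FIELDS:  # numeric fields become ints; keep the string if malformed
        if field in event:
            try:
                event[field] = int(event[field])
            except ValueError:
                pass
    if "proto" in kv:
        try:
            event["transport_protocol"] = PROTO_NAMES.get(int(kv["proto"]), kv["proto"])
        except ValueError:
            event["transport_protocol"] = kv["proto"]
    if "date" in kv and "time" in kv:
        event["timestamp_occured"] = f'{kv["date"]} {kv["time"]}'
    return event


if __name__ == "__main__":
    for name, value in sorted((normalize(SAMPLE_LOG) or {}).items()):
        print(f"{name}: {value}")
```

Running the script prints the normalized fields for the constructed sample. A line without "devname=" (for example a plain sshd message) yields None, which is the quickest way to see why a device that is not emitting the Fortinet key=value format never produces events from this plugin even though the syslog transport works.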

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://kb.fortinet.com/kb/viewContent.do?externalId=FD34549