Send logs from non-Fortinet devices to Fortianalyzer via Syslog
Can we send logs from non-Fortinet devices to the Fortianalyzer?
This question pops up from time to time and the short answer is yes, for sure - any device that can send its logs in syslog format (read any device of Enterprise level today), can also send the logs to Fortianalyzer. The long answers yes, but … The but here is that Fortianalyzer does NOT parse such logs for the fields in it. Fortianalyzer will accept such logs, store them, but from its view those logs are just large chunks of text. FAZ will not extract, say source/destination IPs, usernames and the rest of information. We still can search such logs with wildcards. Starting with FAZ 7.4.0 Fortinet actually addeded few custom parsers for Apache/Nginx/Windows logs, but no parsers for Cisco/Juniper etc. And given that Fortinet have FortiSIEM product, that parses all kinds of devices even via Syslog, it is unlikely that they would endanger FortiSIEM sales by adding this functionality to FAZ.
In the video below I show how to configure FAZ to accept logs from Linux host via Syslog, and how it looks in the FAZ.
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.