LSO : Syslog - Fortinet FortiAnalyzer (Mapping Doc)
This document explains the changes required to apply new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project for the Syslog - Fortinet FortiAnalyzer log source type.
Vendor Documentation
Prerequisites
1. Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
2. Enable the new MPE rules in the LogRhythm System Monitor.
3. Select log source type Syslog - Fortinet FortiAnalyzer.
4. Enable log processing policy LogRhythm Default v2.0. For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.
Support for Fortinet FortiGate Events
Log Source Stabilization (LSS) does not support Fortinet FortiGate events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). Fortinet FortiGate events are supported separately by the Syslog - Fortinet FortiGate log source type. If you use Fortinet FortiGate and stream its logs through a Fortinet FortiAnalyzer log source, we recommend using log source virtualization to route those FortiGate logs to the Syslog - Fortinet FortiGate log source type.
For more information, see Log Source Virtualization.
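To decide whether virtualization is needed, it helps to see which records arriving on the FortiAnalyzer log source actually originate from a FortiGate. The following Python is an added example, not LogRhythm or Fortinet code: it parses Fortinet key=value syslog payloads (quoted values may contain spaces), tells FortiGate-originated records apart from FortiAnalyzer's own events, and summarizes record types. The sample log lines, device identifiers and the rule that a devid beginning with "FG" denotes a FortiGate (FortiAnalyzer units use other prefixes) are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample records (not from the page): FortiGate-style key=value
# payloads as they might arrive through a FortiAnalyzer forwarder, plus one
# event generated by the FortiAnalyzer itself. Device ids are placeholders.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:00 devname="fgt-edge-1" devid="FG_PLACEHOLDER_1" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 dstip=203.0.113.10 action="accept" msg="session allowed"',
    'date=2024-01-01 time=10:00:01 devname="fgt-edge-1" devid="FG_PLACEHOLDER_1" '
    'logid="0419016384" type="utm" subtype="ips" level="alert" '
    'srcip=198.51.100.7 dstip=10.0.0.8 action="dropped" msg="IPS signature matched"',
    'date=2024-01-01 time=10:00:02 devname="faz-1" devid="FAZ_PLACEHOLDER_1" '
    'logid="0031010001" type="event" subtype="system" level="information" '
    'user="admin" msg="User admin logged in from GUI, with spaces in value"',
]

# Key=value token: either a double-quoted value (backslash escapes allowed)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_kv(record: str) -> dict:
    """Parse one Fortinet key=value syslog payload into a dict of strings."""
    fields = {}
    for key, raw in KV_RE.findall(record):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')  # strip quotes, unescape
        fields[key] = raw
    return fields


def is_fortigate(fields: dict) -> bool:
    """Assumption for this example: FortiGate device ids start with 'FG'."""
    return fields.get("devid", "").upper().startswith("FG")


def route(record: str) -> str:
    """Name the log source type a record should land on after virtualization."""
    fields = parse_kv(record)
    if is_fortigate(fields):
        return "Syslog - Fortinet FortiGate"
    return "Syslog - Fortinet FortiAnalyzer"


def summarize(records) -> dict:
    """Count (route, type, subtype) combinations to show what a feed carries."""
    counts = Counter()
    for rec in records:
        f = parse_kv(rec)
        counts[(route(rec), f.get("type", "?"), f.get("subtype", "?"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{n:4d}  {key[0]:<34} type={key[1]} subtype={key[2]}")
```

Running this over a captured hour of syslog from the FortiAnalyzer source gives a quick count of how much of the feed is FortiGate traffic and UTM data that the page says should be handled by the Syslog - Fortinet FortiGate log source type.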
Supported Log Messages
The following table lists the log message types supported in the current MPE rules. Each page contains detailed information on parsing changes and new log processing settings.
Log Message Type | Event Type |
---|---|
Anomaly : Anomaly | General Traffic Other Alert |
Attack : Webattack Messages | General Alert |
Attack Message | General Attack Activity |
Catch All | General Information |
Catch All : Level 3 | General Information |
CFG : Object Change Messages | Object Operation |
DNS : Messages | General DNS Information |
Event : Compliance | General Policy Compliance Information |
Event : Connector | Get Address Information |
Event : DVM | General DVMRP Warning |
Event : Endpoint | General Endpoint Message |
Event : General Information | General Information |
Event : HA | General HA Information |
Event : Link | Link Status |
Event : LogDB | Database Query |
Event : LogDev | Logs Per Day Info Message |
Event : LogFile | Size Of HTTP Logfile Exceeds Maximum Limit |
Event : Logging | VACL Logging Alert |
Event : Router | General Router Information |
Event : Security Rating | General Security Note |
Event : SMTP | CyberCop Scanner SMTP |
Event : Spanning Tree | Spanning Tree Info Msg |
Event : System | General Event Log Information |
Event : User | General User Information |
Event : VPN | General VPN Traffic Event |
Event : Wad | SSL Information-Only Event |
Event : Wireless | General Wireless Management Message |
General Process Messages | General Message Information |
KEvent : Update | System Events |
Spam : Default | Matched Default Rule |
Statistics | Log Statistics |
Traffic : Forward | Network Traffic |
Traffic : Https/Http Messages | General HTTP Information |
Traffic : Local | General Traffic Log |
Traffic : Multicast | General IP Multicast Information |
Traffic : Sniffer | General Network Traffic Log Message |
Traffic : System | Traffic Information |
Traffic Messages | Traffic Information |
Traffic/UTM Messages | General Traffic Log |
UTM : App | General Application Control Message |
UTM : DLP | General DLP Message |
UTM : IPS | General IPS/IDS Message |
UTM : Virus | General Virus Filename Information |
UTM : Voip | General VOIP Message |
UTM : WAF | Traffic Allowed by WAF |
UTM : WebFilter | General WebFilter Event |
Virus : Fortisandbox | Possible Virus Activity |
Virus : Infected | General Virus Infected Alert |
Virus : Malware - Outbreak | Detected Malware Activity |
Log Processing Policy Updates
This section details log processing policy updates made to AIE Rules, system reports, system investigations, system report templates, and system tails as part of LSO.
Updates to AIE Rules
No changes
Updates to System Reports
No changes
Updates to System Investigations
No changes
Updates to System Report Templates
No changes
Updates to System Tails
No changes