Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we'll get it updated.
This guide describes the steps required to configure a Fortinet FortiAnalyzer to send syslog to Samurai XDR.
1) Configure the Samurai XDR application
- Complete the FortiGate FortiAnalyzer integration from the Samurai XDR application
2) Configure FortiGate FortiAnalyzer
Complete the configuration from the FortiGate FortiAnalyzer:
- Configure log forwarding in Fortinet FortiAnalyzer
- Enable FortiGate to send logs to FortiAnalyzer
Configure the Samurai XDR Application
To complete the configuration to receive logs:
- Log in to your Samurai XDR application tenant
- Click Telemetry > Integrations in the main menu
- Click Create
- Find and select Fortinet FortiAnalyzer
- Select Secure Syslog Collector. The IP address and port will be shown on the screen. Make a note of these; they are used in the FortiAnalyzer configuration below.
- Click on Finish
Configure FortiGate FortiAnalyzer
Configure log forwarding in Fortinet FortiAnalyzer
Follow the steps outlined in the Fortinet documentation:
- Via the Command Line Interface (CLI) - Technical Tip: FortiAnalyzer secure log forwarding
Note: You must complete the configuration via the CLI. The web UI cannot set the forwarding mode to "secure".
Use the following required parameters when completing the steps:
| Log forward setting | Value |
| --- | --- |
| Name | Whatever you want, however we suggest "NTT_collector" |
| Status | On |
| Remote Server Type | Syslog |
| Server Address | IP address of your Secure Syslog Collector (captured earlier, step 5) |
| Server Port | Port of your Secure Syslog Collector (captured earlier, step 5) |
| Compression | Off |
| Reliable Connection | On (required to enable TCP) |
| Secure Connection | On (required to enable TLS) |
| Sending Frequency | Real-time |
| Device Filters | Click Select Device, then select the devices whose logs will be forwarded (Note: you may have to come back to this if you are not sending logs from your FortiGate devices yet!) |
| Log filters | Off |
| Enable exclusions | Off |
| Enable Masking | Off |
Table 1: FortiAnalyzer log forwarding settings
- Complete the configuration from the FortiAnalyzer CLI:
```
config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "NTT_collector"
        set server-addr "Copied from Samurai XDR app"
        set server-port "Copied from Samurai XDR app"
        set fwd-server-type syslog
        set fwd-reliable enable
        set fwd-secure enable
end
```
Table 2: FortiAnalyzer CLI configuration
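The following check is an added example, not part of this guide or of Fortinet's tooling: a small Python audit that parses a `config system log-forward` block copied from the FortiAnalyzer CLI and flags any entry that does not match Table 1 (TCP and TLS enabled, real-time, syslog) or that still carries the guide's placeholder values for the collector address and port. The setting names are the ones in the CLI block above; the sample input is constructed.

```python
import re

# Values this guide requires (Table 1 and the CLI block above); keys are the
# FortiAnalyzer CLI setting names that appear on the page.
REQUIRED = {"mode": "forwarding", "fwd-max-delay": "realtime",
            "fwd-server-type": "syslog", "fwd-reliable": "enable",  # TCP
            "fwd-secure": "enable"}                                 # TLS
PLACEHOLDER = "copied from samurai xdr app"  # literal left in the guide's CLI block

def parse_log_forward(cli_text):
    """Return {edit_id: {setting: value}} from a `config system log-forward` block."""
    entries, current, in_block = {}, None, False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("config system log-forward"):
            in_block = True
        elif not in_block:
            continue
        elif m := re.match(r"edit\s+(\S+)$", line):
            current, entries[m.group(1)] = m.group(1), {}
        elif (m := re.match(r"set\s+(\S+)\s+(.+)$", line)) and current:
            entries[current][m.group(1)] = m.group(2).strip().strip('"')
        elif line in ("next", "end"):
            current = None
    return entries

def check_entry(settings):
    """List deviations from the guide's settings; an empty list means compliant."""
    problems = [f"{k}: expected {v!r}, got {settings.get(k)!r}"
                for k, v in REQUIRED.items() if settings.get(k) != v]
    for key in ("server-addr", "server-port"):
        val = settings.get(key, "")
        if not val or val.lower() == PLACEHOLDER:
            problems.append(f"{key}: copy the real value from the Samurai XDR app")
    return problems

# Constructed sample: the guide's block with its placeholders left in and
# `set fwd-secure enable` forgotten, both of which the audit must flag.
SAMPLE = """config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay realtime
        set server-addr "Copied from Samurai XDR app"
        set server-port "Copied from Samurai XDR app"
        set fwd-server-type syslog
        set fwd-reliable enable
    next
end
"""
```

Run `check_entry(parse_log_forward(SAMPLE)["1"])` to see the three findings; an empty list means the entry matches Table 1.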
Enable FortiGate to send logs to FortiAnalyzer
All FortiGate devices in scope must be connected to the FortiAnalyzer to send logs.
Follow the steps outlined in the Fortinet documentation:
Use the following required parameters when completing the steps:
| Remote Logging and Archiving | Value |
| --- | --- |
| Send logs to FortiAnalyzer/FortiManager | Enable |
| Server | IP address of your FortiAnalyzer |
| Upload option | Real Time |
Table 3: FortiGate settings (send logs to FortiAnalyzer)
If this is the first time remote logging is configured and the FortiGate device was not previously added to FortiAnalyzer, the device needs to be authorized under FortiAnalyzer Device Manager before it can upload its logs. Perform this on the FortiAnalyzer.
A disk-backed log buffer is recommended on FortiGate devices with an SSD disk.
Follow the steps outlined in the Fortinet documentation:
Once your firewall is configured to send logs to Samurai XDR, the integration is discovered automatically as soon as Samurai XDR starts receiving logs from it.