Cannot Integrate FortiEDR Logs in Elastic SIEM

Hi Elastic Team and Community

I'm a beginner with Elastic and I'm trying to add the "Fortinet FortiEDR Logs" integration to our Elastic setup.

We signed up for a free trial of your Elastic SIEM Cloud and tried to integrate our FortiEDR logs, but we can't seem to see the logs coming from our FortiEDR instance in the Elastic dashboard.

We already followed the documentation, added the host and IP, and ran the test, and it works fine with our FortiEDR dashboard/instance, but when we go to Elasticsearch we cannot see any logs from our FortiEDR instance.

Do we also need to install Elastic Agents on the endpoints where FortiEDR is installed? Or is that not necessary, because we just want to forward our FortiEDR logs or events to Elastic SIEM?

I hope you can help and guide us on the right process to proceed with Elastic SIEM integrations; we will start with our EDR, then firewalls, etc. We are a start-up MSSP and plan to use Elastic SIEM as our main service as a managed SOC.

Thank you, and looking forward to your assistance on this.

Hello and welcome,

Which documentation did you follow? The documentation for the Fortinet FortiEDR integration is this one.

I do not use FortiEDR, so I'm not sure how it works, but you need an Elastic Agent running the Fortinet FortiEDR integration to receive your logs via syslog.

Looking into the documentation it seems that the FortiEDR Central Manager is the tool that will send the logs to the Elastic Agent integration.

You need to run this Elastic Agent on your infrastructure; it is not part of Elastic Cloud.

It is not clear what configuration you already made because you didn't share anything, but basically, to receive these logs you need an Elastic Agent with the FortiEDR integration; this agent will then listen on an IP address and port for the logs from your FortiEDR Central Manager.

So, to summarize, what you need is something like this, according to the integration documentation.

  • Install the FortiEDR integration on an Elastic Agent that you manage; this will make the agent listen for syslog events on the port that you specify.
  • Configure your FortiEDR Central Manager to send the logs to the IP and Port of the Elastic Agent.
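A small check of that two-step path, added here as an example rather than anything from this thread or from Elastic's own tooling: it builds a constructed RFC 3164 syslog line (not FortiEDR's real event layout), sends it over TCP to the collector's IP and port, and reports whether anything was listening. A local stand-in listener plays the role of the Elastic Agent's syslog input; the collector address and port are assumptions you replace with your agent VM's values.

```python
import socket
import threading
from datetime import datetime

# Added example: exercises the "Central Manager -> Elastic Agent syslog listener" path.
# The message is a constructed RFC 3164 line, not FortiEDR's actual event format.


def build_syslog_message(host: str, app: str, msg: str, facility: int = 1, severity: int = 6) -> bytes:
    """Build one RFC 3164-style syslog line. PRI = facility*8 + severity (1*8+6 = 14)."""
    pri = facility * 8 + severity
    ts = datetime(2024, 1, 1, 12, 0, 0).strftime("%b %d %H:%M:%S")  # fixed, constructed timestamp
    return f"<{pri}>{ts} {host} {app}: {msg}\n".encode()


def send_syslog_tcp(collector_ip: str, port: int, message: bytes, timeout: float = 3.0) -> bool:
    """Connect to the collector (the Elastic Agent host) over TCP and send one event.
    False means nothing accepted the connection: agent/integration not running, or a firewall in the way."""
    try:
        with socket.create_connection((collector_ip, port), timeout=timeout) as s:
            s.sendall(message)
        return True
    except OSError:
        return False


def start_local_listener(received: list):
    """Stand-in for the agent's syslog TCP input: accept one connection and record its payload.
    Binds to port 0 so the OS picks a free port; returns (thread, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # backlog queues the connection even if accept() runs slightly later
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            received.append(conn.recv(4096))
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t, port


def check_delivery() -> bytes:
    """Run the whole path locally and return the payload the listener captured (b"" on failure)."""
    received: list = []
    thread, port = start_local_listener(received)
    event = build_syslog_message("fortiedr-cm", "FortiEDR", "constructed test event")
    if not send_syslog_tcp("127.0.0.1", port, event):
        return b""
    thread.join(timeout=3.0)
    return received[0] if received else b""
```

Against a real collector, call `send_syslog_tcp("<agent-vm-ip>", <integration-port>, build_syslog_message(...))`; a `False` return is the "agent not listening" case discussed in this thread, while a `True` return with nothing in Kibana points at the integration's pipeline or data stream rather than connectivity.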

Hi leandrojmp,

Thank you for your immediate response.

Yes, we used this documentation: [Fortinet FortiEDR Logs | Documentation]

I see, we really need to install Elastic Agent as well on our endpoints where FortiEDR is installed; we thought we could just forward the traffic logs of FortiEDR to Elastic using the syslog integration. It would be a hassle for the IT teams to install Elastic Agents on 4 thousand endpoints; it would be much easier if we could just integrate, send or forward the events or logs of our FortiEDR to Elastic SIEM.

We'll try your recommendations and send an update here.

Thank you

The syslog integration will receive the logs, but will not parse them, which will not populate the correct dashboards.

Each Elastic Agent Integration uses a specific Ingest Pipeline that will parse the data, and it also stores the data on a specific data stream for that data source.

I don't think you need to do that; the Elastic documentation directs you to Fortinet documentation.

In the Fortinet documentation you have this mentioned:

The FortiEDR Central Manager server sends the raw data for security event aggregations

So, it seems that this central manager will send your logs, not the individual endpoints in your hosts.

Hi leandrojmp

I already followed both the Fortinet and Elastic documentation, and still cannot forward the logs from our FortiEDR to Elastic SIEM.

I'm also confused about where to install the Elastic Agent that you mentioned. Should I install it on the FortiEDR Central Manager, or on a separate operating system/endpoint?

Should we configure something in Logstash or Data Stream/Data View to make it work?

Thank you for your assistance on this.

You choose where to install it; normally people spin up a VM to run the agent as a collector in this case.

You didn't share what you have configured on the Elastic side; do you already have an agent running and listening? Without it you will not get the data correctly. It is not clear, because you said that you followed both documentations but then ask where to install the Agent; the Agent is a requirement to get the logs.

Please share more context of what you already configured and what is still missing.
