FortiAnalyzer logs to SIEM

Hello,

I'm new with ELK and I installed Elasticsearch, Kibana and Logstash in the same server.

I followed this procedure to send logs from FortiAnalyzer to ELK.

I tried to send logs to SIEM, but I have to set up Beats first. Even with Filebeat installed I can't see the logs coming to Beats.

The logs from FortiAnalyzer are coming in the right way, but I don't know how to make these logs appear on the SIEM side.

Could you help me, please?

Hi @gabrieltavares_pp

In order to be compatible with SIEM, your logs have to be compatible with the Elastic Common Schema (ECS). See the introductory blog post and official spec.

The setup described by the link you shared is unnecessarily complicated in that it involves Logstash to mutate the logs. In developing SIEM integrations we have taken the path of using ingest node and Beats processors.

I suggest you have a look at any of our vendor-specific modules (Cisco ASA, PAN-OS, Zeek, etc.). It'll be easier to use one of them as a base to develop a new module. They're good examples for parsing logs in ingest node and populating ECS fields.
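To show what "parsing in ingest node and populating ECS fields" looks like in practice, here is an added example of a minimal Elasticsearch ingest pipeline. It is not code from this thread or from Elastic's own Fortinet module; it assumes the forwarded logs are FortiGate-style syslog bodies made of space-separated key=value pairs (field names such as srcip, dstip, devname, logid and action are assumed from that format), and the pipeline name and the ECS target fields are my choices. Install it with PUT _ingest/pipeline/fortinet-ecs-demo and point Filebeat at it via the output.elasticsearch.pipeline setting.

```json
{
  "description": "Assumed example: map FortiGate-style key=value syslog into ECS fields",
  "processors": [
    {
      "kv": {
        "field": "message",
        "field_split": " ",
        "value_split": "=",
        "target_field": "fortinet",
        "trim_value": "\"",
        "ignore_missing": true
      }
    },
    { "set": { "field": "event.module", "value": "fortinet" } },
    { "set": { "field": "observer.vendor", "value": "Fortinet" } },
    { "rename": { "field": "fortinet.devname", "target_field": "observer.name", "ignore_missing": true } },
    { "rename": { "field": "fortinet.srcip", "target_field": "source.ip", "ignore_missing": true } },
    { "rename": { "field": "fortinet.dstip", "target_field": "destination.ip", "ignore_missing": true } },
    { "rename": { "field": "fortinet.srcport", "target_field": "source.port", "ignore_missing": true } },
    { "rename": { "field": "fortinet.dstport", "target_field": "destination.port", "ignore_missing": true } },
    { "convert": { "field": "source.port", "type": "integer", "ignore_missing": true } },
    { "convert": { "field": "destination.port", "type": "integer", "ignore_missing": true } },
    { "rename": { "field": "fortinet.action", "target_field": "event.action", "ignore_missing": true } },
    { "rename": { "field": "fortinet.logid", "target_field": "event.code", "ignore_missing": true } },
    {
      "set": {
        "field": "fortinet.datetime",
        "value": "{{{fortinet.date}}} {{{fortinet.time}}}",
        "if": "ctx.fortinet?.date != null && ctx.fortinet?.time != null"
      }
    },
    {
      "date": {
        "field": "fortinet.datetime",
        "target_field": "@timestamp",
        "formats": ["yyyy-MM-dd HH:mm:ss"],
        "if": "ctx.fortinet?.datetime != null"
      }
    },
    { "remove": { "field": ["fortinet.datetime", "fortinet.date", "fortinet.time"], "ignore_missing": true } }
  ],
  "on_failure": [
    { "set": { "field": "error.message", "value": "{{ _ingest.on_failure_message }}" } }
  ]
}
```

Before wiring it into Filebeat, test it with POST _ingest/pipeline/fortinet-ecs-demo/_simulate and a constructed document such as {"_source": {"message": "date=2020-01-01 time=12:00:00 devname=FGT-LAB logid=0000000013 srcip=10.0.0.5 srcport=51000 dstip=93.184.216.34 dstport=443 action=accept"}}; the response should show source.ip, destination.port (as an integer) and @timestamp populated. Two caveats worth knowing: the kv processor splits on every space, so quoted values containing spaces (for example msg="...") need a different field_split pattern or a grok step first, and the on_failure handler keeps a failed event rather than dropping it, which is what you want when tuning a parser against live firewall traffic.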
