Overview
FortiAnalyzer provides centralized log collection, analysis, and compliance reporting for Fortinet Security Fabric devices. This guide covers configuring log forwarding to external SIEMs, creating custom log handlers, and generating compliance reports for PCI DSS, HIPAA, and other frameworks.
Who Should Use This Guide:
- Security administrators centralizing log management
- Compliance officers generating audit reports
- SOC analysts integrating Fortinet logs with SIEM
- Network engineers troubleshooting with log analysis
FortiAnalyzer Capabilities:
| Feature | Description |
|---|---|
| Log Aggregation | Collect logs from FortiGate, FortiWeb, FortiMail, etc. |
| Log Forwarding | Send logs to external SIEM (Splunk, Sentinel, Elastic) |
| Compliance Reports | Pre-built PCI DSS, HIPAA, SOX, GDPR reports |
| Automated Reports | Schedule and email reports to stakeholders |
| Log Correlation | Correlate events across devices |
| Long-term Retention | Archive logs for compliance requirements |
Log Types:
| Log Type | Description |
|---|---|
| Traffic | Firewall session logs (source, dest, action) |
| UTM | Web filter, AV, IPS, app control events |
| Event | System, VPN, user authentication events |
| Security | Threat detection, anomaly detection |
| DNS | DNS query logs |
| SSL | SSL/TLS inspection logs |
Architecture
┌───────────────────────────────────────────────────────────────────┐
│                   Log Aggregation Architecture                    │
├───────────────────────────────────────────────────────────────────┤
│  Log Sources                                                      │
│  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────┐   │
│  │ FortiGate  │  │  FortiWeb  │  │ FortiMail  │  │ FortiClient│   │
│  │ Firewalls  │  │    WAF     │  │  Email GW  │  │    EMS     │   │
│  └─────┬──────┘  └─────┬──────┘  └─────┬──────┘  └─────┬──────┘   │
│        └─────────────┴──────┬──────┴─────────────┘                │
│                             ▼                                     │
│                    ┌─────────────────┐                            │
│                    │  FortiAnalyzer  │                            │
│                    │  ┌───────────┐  │                            │
│                    │  │  Log DB   │  │                            │
│                    │  └───────────┘  │                            │
│                    │  ┌───────────┐  │                            │
│                    │  │  Reports  │  │                            │
│                    │  └───────────┘  │                            │
│                    └────────┬────────┘                            │
│             ┌───────────────┼───────────────┐                     │
│             ▼               ▼               ▼                     │
│       ┌────────────┐  ┌────────────┐  ┌────────────┐              │
│       │    SIEM    │  │   Syslog   │  │  Webhook   │              │
│       │  (Splunk)  │  │   Server   │  │   (SOAR)   │              │
│       └────────────┘  └────────────┘  └────────────┘              │
└───────────────────────────────────────────────────────────────────┘
Step 1: Configure FortiGate Log Settings
Ensure FortiGates are sending logs to FortiAnalyzer.
FortiGate CLI Configuration
# Configure FortiAnalyzer logging
config log fortianalyzer setting
set status enable
set server "<FortiAnalyzer-IP>"
set serial "<FortiAnalyzer-Serial>"
set upload-option realtime
set reliable enable
set enc-algorithm high
set ssl-min-proto-ver TLSv1.2
end
# Configure log settings per type
config log fortianalyzer filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set dns enable
set ssl enable
end
# Enable logging in firewall policies
config firewall policy
edit 1
set logtraffic all
set logtraffic-start enable
next
end
FortiGate GUI Configuration
- Navigate to Log & Report → Log Settings
- Enable Send Logs to FortiAnalyzer/FortiManager
- Configure:
- IP Address: FortiAnalyzer IP
- Upload Option: Real Time
- Reliable Logging: Enable
Verify Connectivity
# On FortiGate - Test FortiAnalyzer connectivity
execute log fortianalyzer test-connectivity
# Check log queue
diagnose log fortianalyzer status
# Expected output: FAZ is up
Step 2: Configure Log Forwarding to SIEM
Syslog Forwarding Configuration
CLI Method:
# Configure syslog server
config log syslogd setting
set status enable
set server "<SIEM-IP>"
set port 514
set format cef
set facility local7
set reliable enable
end
# Configure what to forward
config log syslogd filter
set severity information
set forward-traffic enable
set local-traffic enable
set attack enable
set virus enable
set webfilter enable
set ips enable
set anomaly enable
set ssl enable
end
GUI Method:
- Navigate to System → Advanced → Log Forwarding
- Click Create New
- Configure:
| Setting | Value |
|---|---|
| Name | SIEM-Splunk |
| Remote Server Type | Syslog |
| Server IP | 10.0.1.100 |
| Port | 514 |
| Format | CEF (Common Event Format) |
| Reliable | Enable |
Syslog Formats
| Format | Use Case | Best For |
|---|---|---|
| CEF | Standard SIEM integration | Splunk, QRadar, ArcSight |
| LEEF | IBM QRadar | QRadar |
| JSON | Modern SIEM platforms | Elastic, Azure Sentinel |
| Raw | Custom parsing | Specific applications |
Configure CEF Format
config log syslogd setting
set format cef
end
CEF Sample Log:
CEF:0|Fortinet|FortiGate|7.4.0|00013|traffic:forward close|5|
src=10.0.1.50 spt=54321 dst=93.184.216.34 dpt=443
proto=6 deviceExternalId=FG100ETK12345678
act=accept app=HTTPS cat=traffic
Configure JSON Format
config log syslogd setting
set format json
end
JSON Sample Log:
{
"devid": "FG100ETK12345678",
"logid": "0000000013",
"type": "traffic",
"subtype": "forward",
"action": "accept",
"srcip": "10.0.1.50",
"srcport": 54321,
"dstip": "93.184.216.34",
"dstport": 443,
"service": "HTTPS",
"duration": 120
}
Step 3: Configure Log Forwarding to Azure Sentinel
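Before wiring these feeds into a connector, check that the CEF and JSON renderings of one event line up. The following Python is an added example, not code from the original guide or from Fortinet: it parses a CEF line (honouring the \| and \= escapes), loads a JSON record, maps the CEF extension keys to FortiAnalyzer field names (a mapping assumed from the two samples in Step 2), and lists the fields on which the two records agree.

```python
import json
import re

# The two samples from Step 2, re-typed here as constructed strings (CEF joined onto one line).
CEF_SAMPLE = ("CEF:0|Fortinet|FortiGate|7.4.0|00013|traffic:forward close|5|"
              "src=10.0.1.50 spt=54321 dst=93.184.216.34 dpt=443 proto=6 "
              "deviceExternalId=FG100ETK12345678 act=accept app=HTTPS cat=traffic")
JSON_SAMPLE = ('{"devid": "FG100ETK12345678", "logid": "0000000013", "type": "traffic", '
               '"subtype": "forward", "action": "accept", "srcip": "10.0.1.50", "srcport": 54321, '
               '"dstip": "93.184.216.34", "dstport": 443, "service": "HTTPS", "duration": 120}')

CEF_HEADER = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "cef_severity")
# CEF extension keys -> FortiAnalyzer field names (assumed from the two samples above).
CEF_TO_FORTI = {"src": "srcip", "spt": "srcport", "dst": "dstip", "dpt": "dstport", "act": "action",
                "app": "service", "deviceExternalId": "devid", "cat": "type"}
# key=value pairs; a value runs until the next " key=", so it may contain spaces or an escaped '='.
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Parse one CEF line into a dict, honouring the \\| (header) and \\= (extension) escapes."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)   # 7 header fields + extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    rec = dict(zip(CEF_HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    for key, val in EXT_PAIR.findall(parts[7]):
        rec[CEF_TO_FORTI.get(key, key)] = val.replace("\\=", "=").replace("\\\\", "\\")
    return rec

def normalize(text):
    """Accept a CEF line or a JSON record; return FortiAnalyzer-style field names with integer ports."""
    rec = parse_cef(text) if text.lstrip().startswith("CEF:") else json.loads(text)
    for port in ("srcport", "dstport"):
        if port in rec:
            rec[port] = int(rec[port])
    return rec

def agreeing_fields(a, b):
    """Fields present in both normalized records with identical values (a quick parity check)."""
    return {k: a[k] for k in a if k in b and a[k] == b[k]}
```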
Create Data Collection Endpoint
# Azure CLI - Create the data collection endpoint (DCE) that will receive FortiAnalyzer logs
az monitor data-collection endpoint create \
--name "fortinet-logs-dce" \
--resource-group "security-rg" \
--location "eastus" \
--public-network-access "Enabled"
Configure CEF Connector
- In Azure Sentinel, navigate to Data connectors
- Search for Common Event Format (CEF)
- Install the connector
- Deploy the Log Analytics agent on a Linux VM
- Configure FortiAnalyzer to forward to the agent
FortiAnalyzer Syslog Output:
config system log-forward
edit 1
set mode forwarding
set fwd-reliable enable
set fwd-server-type syslog
set server-name "Azure-Sentinel"
set server-addr "<CEF-Collector-IP>"
set server-port 514
set fwd-facility local4
set fwd-log-source-ip enable
next
end
Step 4: Create Log Handlers
Log handlers process and filter logs before forwarding or storage.
Create Handler via CLI
# Create a log handler for security events
config system log-fetch client-profile
edit "Security-Events"
set log-filter 'type=utm AND (subtype=virus OR subtype=ips OR subtype=attack)'
set index-fetch enable
set device-filter '{"srcip": "10.0.0.0/8"}'
next
end
Create Handler via GUI
- Navigate to Log View → Log Handler
- Click Create New
- Configure:
- Name: High-Severity-Events
- Log Type: UTM
- Filter: severity >= warning
Common Log Filters
| Filter Purpose | Filter Expression |
|---|---|
| Security events only | type=utm |
| High severity | level>=warning |
| Specific source | srcip=10.0.1.0/24 |
| Denied traffic | action=deny |
| VPN events | type=event AND subtype=vpn |
| Admin changes | type=event AND subtype=system |
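The expressions in this table, and the search syntax in Step 8 (regex, NOT, parentheses, date and time comparisons), can be evaluated offline against sample records before being typed into the appliance. The following Python evaluator is an added example and not FortiAnalyzer's own query engine; the precedence (NOT, then AND, then OR), the severity rankings and the sample records are assumptions made for the example.

```python
import ipaddress
import re

# Ordered scales so level>=warning and severity>=high compare by rank (constructed for this example).
SCALES = {"level": ["debug", "information", "notice", "warning", "error", "critical", "alert", "emergency"],
          "severity": ["info", "low", "medium", "high", "critical"]}
TOKEN = re.compile(r'\(|\)|AND|OR|NOT|[\w.]+(?:!=|>=|<=|=|~|>|<)(?:"[^"]*"|[^\s()]+)')
TERM = re.compile(r'([\w.]+)(!=|>=|<=|=|~|>|<)(.*)')
def _compare(field, op, want, log):  # evaluate one field<op>value term against a log record (dict)
    have = log.get(field)
    if have is None: return False                # field absent: the term cannot match
    if op == "~":                                # regex, e.g. srcip~"10\.0\.1\.\d+"
        return re.search(want, str(have)) is not None
    if "/" in want and field.endswith("ip"):     # CIDR, e.g. srcip=10.0.1.0/24 or dstip!=10.0.0.0/8
        hit = ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
        return hit if op == "=" else not hit
    if field in SCALES and have in SCALES[field] and want in SCALES[field]:
        have, want = SCALES[field].index(have), SCALES[field].index(want)
    else:
        have = str(have)                         # zero-padded times/dates compare correctly as strings
    return {"=": have == want, "!=": have != want, ">=": have >= want,
            "<=": have <= want, ">": have > want, "<": have < want}[op]
def matches(expr, log):  # AND / OR / NOT / parentheses; OR binds loosest, NOT tightest
    toks = TOKEN.findall(expr) + [None]          # sentinel marks the end of the expression
    def parse_or():
        value = parse_and()
        while toks[0] == "OR" and toks.pop(0):   # pop() returns "OR", which is truthy
            value = parse_and() | value          # evaluate both sides so parsing never short-circuits
        return value
    def parse_and():
        value = parse_not()
        while toks[0] == "AND" and toks.pop(0):
            value = parse_not() & value
        return value
    def parse_not():
        tok = toks.pop(0)
        if tok == "NOT": return not parse_not()
        if tok == "(":
            value = parse_or()
            assert toks.pop(0) == ")", "unbalanced parentheses"
            return value
        field, op, raw = TERM.fullmatch(tok).groups()
        return _compare(field, op, raw.strip('"'), log)
    return parse_or()
SAMPLE_LOGS = [  # constructed records using FortiAnalyzer field names, not real device output
    {"type": "traffic", "srcip": "10.0.1.50", "dstip": "93.184.216.34", "action": "deny", "level": "notice", "time": "22:15"},
    {"type": "utm", "subtype": "webfilter", "srcip": "10.0.2.7", "action": "blocked", "level": "warning", "time": "09:30"},
    {"type": "event", "subtype": "vpn", "srcip": "203.0.113.9", "status": "failure", "level": "error", "time": "03:05"}]
def search(expr, logs=SAMPLE_LOGS):  # records a filter expression would select
    return [rec for rec in logs if matches(expr, rec)]
```

Note that an "after-hours" window spanning midnight needs OR between its two time bounds; with AND the expression can never match a record.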
Filter Syntax Examples
# Traffic from specific subnet
srcip=10.0.1.0/24 AND dstip!=10.0.0.0/8
# Security events with high severity
type=utm AND level>=warning
# VPN logon failures
type=event AND subtype=vpn AND status=failure
# Admin configuration changes
type=event AND subtype=system AND action="config change"
# Web filtering blocks
type=utm AND subtype=webfilter AND action=blocked
Step 5: Configure Compliance Reports
Enable Pre-Built Reports
- Navigate to Reports → Report Definitions
- Select compliance framework
- Configure schedule
Available Compliance Reports
| Framework | Report Name | Key Sections |
|---|---|---|
| PCI DSS | PCI Compliance Report | Req 1,2,5,6,7,8,10,11 |
| HIPAA | HIPAA Security Report | Access controls, audit logs |
| SOX | SOX Audit Report | Change management, access |
| GDPR | GDPR Compliance Report | Data access, consent |
| NIST | NIST CSF Report | Identify, Protect, Detect |
PCI DSS Report Configuration
# CLI - Configure PCI report
config system report
edit "PCI-Monthly"
set title "PCI DSS Compliance Report"
set format pdf
set schedule monthly
set email-server "smtp.company.com"
set email-to "security@company.com"
set template "PCI-Compliance"
next
end
Create Custom Report
- Navigate to Reports → Report Definitions → Create New
- Select Blank Report
- Add sections:
Report: Security Operations Monthly
Sections:
- Top Threats Detected (Chart)
- Blocked Attacks by Type (Table)
- VPN Usage Summary (Chart)
- Policy Violations (Table)
- Admin Activity Log (Table)
- Top Bandwidth Consumers (Chart)
Schedule Automated Reports
config system report
edit "Weekly-Security"
set schedule weekly
set day-of-week sunday
set time 06:00
set email-server "smtp.company.com"
set email-to "security-team@company.com"
set email-cc "ciso@company.com"
next
end
Step 6: Log Retention and Archiving
Configure Log Storage
# Configure disk allocation
config system sql
set status enable
set database-name "logs"
set database-type postgres
set server "localhost"
set max-days 365
end
# Configure log archiving
config system archive
set status enable
set archive-type s3
set s3-bucket "fortinet-logs-archive"
set s3-region "us-east-1"
set s3-access-key "<access-key>"
set s3-secret-key "<secret-key>"
set compress enable
set archive-days 30
end
Compliance Retention Requirements
| Framework | Minimum Retention |
|---|---|
| PCI DSS | 1 year online, 1 year archive |
| HIPAA | 6 years |
| SOX | 7 years |
| GDPR | Per data policy (typically 1-3 years) |
Configure Retention Policies
# Set per-log-type retention
config log setting
set log-type-traffic-retention 180
set log-type-utm-retention 365
set log-type-event-retention 365
set log-type-dns-retention 90
end
Step 7: Alert Configuration
Configure Real-Time Alerts
# Create alert handler
config alert-handler
edit "Critical-Security"
set severity critical
set filter-type utm
set action email
set email-to "soc@company.com"
set email-subject "[ALERT] Critical Security Event"
set threshold 1
set time-period 60
next
end
Alert Trigger Examples
| Alert Name | Trigger Condition | Action |
|---|---|---|
| Brute Force | 10+ failed logins in 5 min | Email SOC |
| Malware Detected | Any virus detection | Slack webhook |
| High Risk Traffic | IPS critical alert | Email + ticket |
| Admin Change | Config modification | Email security team |
| VPN Anomaly | After-hours VPN access | SIEM alert |
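The "Brute Force" row above is a sliding-window count. As an added example that is not part of the original guide, the following Python implements that counting logic over constructed admin-login events (field names follow the guide's filter examples) so the threshold and window can be tuned offline before being mirrored in an alert handler; the event shape and timestamp format are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _event(time, logdesc, srcip, user="admin"):
    """Build one constructed FortiGate-style admin login event (not real device output)."""
    return {"time": time, "type": "event", "subtype": "system", "logdesc": logdesc, "user": user, "srcip": srcip}

SAMPLE_EVENTS = (
    # 12 failures from one source in under two minutes: should trip the 10-in-5-minutes rule once
    [_event(f"2026-02-03 09:0{i // 6}:{(i % 6) * 10:02d}", "Admin login failed", "203.0.113.9") for i in range(12)]
    # 3 failures an hour apart from another source: should not trip it
    + [_event(f"2026-02-03 {8 + i:02d}:15:00", "Admin login failed", "198.51.100.4") for i in range(3)]
    + [_event("2026-02-03 09:03:00", "Admin login successful", "10.0.1.20")]
)

def threshold_alerts(events, logdesc="Admin login failed", threshold=10, window_minutes=5, key="srcip"):
    """Return one alert per `key` each time `threshold` matching events land inside a sliding window.

    Timestamps use the 'YYYY-MM-DD HH:MM:SS' form. After an alert the window for that key is
    cleared, so a sustained burst is reported once per `threshold` events, not on every failure.
    """
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("type") != "event" or ev.get("logdesc") != logdesc:
            continue
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        recent = windows[ev[key]]
        recent.append(ts)
        while ts - recent[0] > timedelta(minutes=window_minutes):   # drop events outside the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({key: ev[key], "count": len(recent), "first": recent[0], "last": ts})
            recent.clear()
    return alerts
```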
Webhook Alert Integration
# Configure webhook for SOAR integration
config alert-handler
edit "SOAR-Integration"
set action webhook
set webhook-url "https://soar.company.com/api/fortinet/alert"
set webhook-method POST
set webhook-header "Authorization: Bearer <token>"
set webhook-body "{\"alert\": \"$alert\", \"severity\": \"$severity\", \"device\": \"$device\"}"
next
end
Step 8: Query and Search Logs
FortiAnalyzer Log Search Syntax
# Basic search
srcip=10.0.1.50 AND dstport=443
# Time-based search
date>=2026-02-01 AND date<=2026-02-03
# Complex query
(type=traffic AND action=deny) OR (type=utm AND level>=warning)
# Regular expression
srcip~"10\.0\.1\.\d+"
# Exclude pattern
type=traffic AND NOT action=accept
Common Search Queries
# Find all blocked traffic from a host
srcip=10.0.1.100 AND action=deny
# Find malware detections
type=utm AND subtype=virus AND action!=pass
# Find admin logins
type=event AND subtype=system AND logdesc="Admin login"
# Find VPN failures
type=event AND subtype=vpn AND status=failure
# Find web filtering blocks
type=utm AND subtype=webfilter AND action=blocked
# Find IPS alerts
type=utm AND subtype=ips AND severity>=high
# Find after-hours access (evening OR early morning; joining the two bounds with AND would match nothing)
type=event AND (time>=18:00 OR time<=06:00)
Export Search Results
# CLI - Export query results
execute log filter device "FG100E"
execute log filter type traffic
execute log filter time-range "2026-02-01 00:00:00" "2026-02-03 23:59:59"
execute log display
GUI Export:
- Run query in Log View
- Click Export
- Select format: CSV, PDF, or XML
Troubleshooting
Common Issues
| Symptom | Possible Cause | Solution |
|---|---|---|
| Logs not arriving | Network connectivity | Check routing and firewall rules |
| Incomplete logs | Filter too restrictive | Review log filter settings |
| Syslog not forwarding | Wrong format/port | Verify syslog settings match SIEM |
| Disk full | Retention too long | Reduce retention or add storage |
| Reports not sending | SMTP misconfigured | Test email settings |
Diagnostic Commands
# Check log receiving status
diagnose debug application logrpt 255
diagnose debug enable
# Check disk usage
get system performance status
# Verify FortiGate connection
diagnose fortigate list
# Check syslog forwarding
diagnose test application syslog 1
# View current log filters
get log filter
# Check report schedule
diagnose sql report-schedule
Verify Log Flow
# On FortiAnalyzer
diagnose sql status
diagnose sql cache-stats
# Check log insert rate
diagnose log device-stats
# View recent logs
execute log filter time-range "2026-02-03 09:00:00" "2026-02-03 10:00:00"
execute log display
Security Best Practices
Secure Log Transport
# Reliable (TCP) forwarding with compression; these settings do not by themselves enable TLS, so verify encryption on the forwarding profile separately
config system log-forward
edit 1
set fwd-reliable enable
set fwd-compression enable
set fwd-log-source-ip enable
next
end
Access Control
# Restrict admin access to logs
config system admin
edit "log-viewer"
set accprofile "Log_View_Only"
set trusthost1 10.0.1.0 255.255.255.0
next
end
# Create restricted profile
config system accprofile
edit "Log_View_Only"
set logview read
set report read
set device-manager none
set adom-switch disable
next
end
Log Integrity
# Enable log integrity verification
config system log settings
set log-checksum enable
set log-signing enable
set log-signing-key "..."
end
Verification Checklist
Log Collection:
- All FortiGates sending logs to FortiAnalyzer
- Log types enabled (traffic, UTM, event)
- Real-time logging configured
- Connection verified from each device
Log Forwarding:
- SIEM receiving logs in expected format
- Syslog/CEF format correctly parsed
- All required log types forwarding
- Reliable transport enabled
Compliance:
- Required reports configured
- Report schedules set
- Email delivery tested
- Retention policies meeting requirements
Operations:
- Alerts configured for critical events
- Storage capacity monitored
- Archive configured for long-term retention
- Access controls in place
Next Steps
After configuring FortiAnalyzer:
- Integrate with SOAR - Automate incident response
- Build Custom Dashboards - Executive security metrics
- Configure FortiSOC - Advanced threat correlation
- Implement ML Analytics - Anomaly detection
References
- FortiAnalyzer Administration Guide
- FortiAnalyzer Log Reference
- FortiGate Logging Configuration
- PCI DSS v4.0 Requirements
- HIPAA Security Rule
Last Updated: February 2026