
Setting up Azure Sentinel Connector for FortiAnalyzer(FAZ)

  • Writer: Vichitra Mohan
  • 5 days ago
  • 2 min read
FAZ to Azure Sentinel

Architecture Overview


The integration uses a dedicated Linux machine as a proxy server. The data flows as follows:


  1. FortiAnalyzer sends Syslog messages to the Linux machine via TCP/UDP port 514.

  2. A Syslog Daemon (rsyslog or syslog-ng) on the Linux machine listens for these messages and forwards them to the AMA on TCP port 28330.

  3. The Azure Monitor Agent (AMA) parses the data and transmits it to the Microsoft Sentinel Log Analytics workspace over HTTPS 443.

  4. A Data Collection Rule (DCR) governs the process by defining the source Linux VM and the destination Syslog table.

 


Deployment Steps


1. Microsoft Sentinel Configuration


  • Install the Connector: In Microsoft Sentinel, go to Content hub, search for Syslog, and install the solution. This enables the Syslog via AMA data connector.


  • Establish a DCR: Create a Data Collection Rule in the same region as your workspace.

    • Resources: Select your dedicated Linux VM.

    • Collect: Add the LOG_LOCAL7 facility and set the minimum log level (e.g., LOG_NOTICE).


2. Linux Log Forwarder Setup


On your dedicated Linux VM, execute the following command to install and configure the log collector script provided by Microsoft:


sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py && sudo python Forwarder_AMA_installer.py


3. FortiAnalyzer Configuration


Configure the FortiAnalyzer CLI to forward logs to the Linux VM's IP address using the following parameters:


config system log-forward
  edit 1
    set mode forwarding
    set fwd-max-delay realtime
    set server-name "linux syslog"
    set server-addr "<Linux_VM_IP>"
    set fwd-server-type syslog
    set fwd-reliable enable
    set fwd-facility local7
  next
end

 

4. Validation and Troubleshooting


Verify FortiAnalyzer Forwarding: use the command `diagnose test application logfwd 4` to check the status of the forwarding service.

Check Linux Services: restart the daemon using `sudo systemctl restart rsyslog`, then confirm the daemon is listening on the correct ports with `netstat -lnptv`.

Traffic Capture: run `tcpdump -i any port 514 -A -vv` to see live packets arriving from the FortiAnalyzer.

Sentinel Troubleshooting Script: run the automated tool to verify the entire connector chain:

    `sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py && sudo python3 Sentinel_AMA_troubleshoot.py --SYSLOG`

Monitor Metrics: in the Azure Portal, open the DCR's Metrics section and set it to Log Ingestion per Minute to confirm active data flow.
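The facility set on the FortiAnalyzer side (`set fwd-facility local7`) and the DCR filter (LOG_LOCAL7 with a LOG_NOTICE minimum) have to agree, and both listeners (rsyslog on 514, AMA on 28330) have to be up, otherwise the chain is quietly empty. The POSIX sh script below is an added example, not code from this post, from Microsoft or from Fortinet: it decodes the syslog PRI of a captured line to check whether the DCR would collect it, and parses netstat-style output for the expected ports. The FortiGate-style sample lines and the listener table are constructed for the demo; the AMA listener being bound to 127.0.0.1:28330 and the process names shown are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of Microsoft's/Fortinet's tooling.
# Offline checks for the FortiAnalyzer -> rsyslog -> AMA chain:
#  - does a captured syslog line carry the facility/severity the DCR collects
#    (LOG_LOCAL7 with a LOG_NOTICE floor), and
#  - does a listener table show rsyslog on 514 and the AMA listener on 28330?
# The sample lines and the netstat table below are constructed for the demo.

LOCAL7=23       # facility set by "set fwd-facility local7"; RFC 5424 PRI = facility*8 + severity
LOG_NOTICE=5    # DCR minimum level; lower severity numbers are MORE severe, so 0..5 are collected

# Print the PRI value of a raw syslog line such as "<189>date=...", or -1 if there is no valid PRI.
syslog_pri() {
  line="$1"
  case "$line" in
    "<"[0-9]*">"*) pri="${line#<}"; pri="${pri%%>*}" ;;
    *) echo -1; return 0 ;;
  esac
  case "$pri" in
    *[!0-9]*) echo -1 ;;                                               # e.g. "<1a>" is malformed
    *) if [ "$pri" -le 191 ]; then echo "$pri"; else echo -1; fi ;;   # 191 = local7.debug is the maximum
  esac
}

syslog_facility() {
  pri=$(syslog_pri "$1")
  if [ "$pri" -ge 0 ]; then echo $((pri / 8)); else echo -1; fi
}

syslog_severity() {
  pri=$(syslog_pri "$1")
  if [ "$pri" -ge 0 ]; then echo $((pri % 8)); else echo -1; fi
}

# Return 0 when a line would pass the DCR filter (facility local7, severity notice or more severe).
dcr_would_collect() {
  fac=$(syslog_facility "$1")
  sev=$(syslog_severity "$1")
  [ "$fac" -eq "$LOCAL7" ] && [ "$sev" -ge 0 ] && [ "$sev" -le "$LOG_NOTICE" ]
}

# Return 0 when a netstat-style listener table shows a TCP or UDP socket bound to port $2.
port_listening() {
  table="$1"
  port="$2"
  printf '%s\n' "$table" | grep -Eq "^(tcp|udp)[^ ]* +[0-9]+ +[0-9]+ +[^ ]+:${port} "
}

# Constructed FortiGate-style lines as FortiAnalyzer would forward them with facility local7:
# 23*8+5 = 189 (notice) passes the filter, 23*8+6 = 190 (information) is below the floor.
SAMPLE_FAZ_NOTICE='<189>date=2024-05-01 time=10:00:00 devname="FGT-LAB" logid="0000000013" type="traffic" level="notice"'
SAMPLE_FAZ_INFO='<190>date=2024-05-01 time=10:00:01 devname="FGT-LAB" logid="0000000013" type="traffic" level="information"'

# Constructed table in the layout of `netstat -lnptu`; the AMA entry on 127.0.0.1:28330 is an
# assumption and its program name is left as "-".
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1234/rsyslogd
tcp        0      0 127.0.0.1:28330         0.0.0.0:*               LISTEN      2345/-
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1234/rsyslogd'

# Demo over the constructed data; on a real forwarder feed in `netstat -lnptu` output and
# lines captured with tcpdump instead.
for l in "$SAMPLE_FAZ_NOTICE" "$SAMPLE_FAZ_INFO"; do
  if dcr_would_collect "$l"; then echo "collected by DCR: $l"; else echo "dropped by DCR  : $l"; fi
done
for p in 514 28330; do
  if port_listening "$SAMPLE_NETSTAT" "$p"; then echo "port $p: listening"; else echo "port $p: NOT listening"; fi
done
```

A line that decodes to a facility other than 23, or to a severity of 6 (information) or 7 (debug), will never reach the Syslog table under the DCR described above even though `tcpdump` shows it arriving, which is the first thing to rule out when the ingestion metric stays at zero.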
