SIEM - FortiSIEM

FortiSIEM

Alert
Before reading this page, read the Multi-Pass Log Sync Service article: it covers the concepts (event collection, output modes, the service's runtime options) that this page builds on.
Info
This document explains how to integrate Multi-Pass into your FortiSIEM environment. The Multi-Pass Log Sync Service polls Multi-Pass for events and sends them as JSON to FortiSIEM using HTTP(S) POST, so the integration consists of configuring that service. The service can run on-premises, managed by you, or as a managed deployment.

On-Premises

This option is for environments where FortiSIEM is not reachable from the internet and can only be accessed over HTTPS by a Multi-Pass Log Sync Service running inside your own network.

Usage: FortiSIEM Setup

Info
This section explains how to create an HTTPS credential on a FortiSIEM node so that it accepts HTTP(S) POST events. Follow the steps below.
  1. Identify the target node
    1. Decide which FortiSIEM node will receive the events. In most cases this is either the Supervisor or a Collector. The root URL of this same node is what you later configure as FORTISIEM_URL.
  2. Establish an SSH connection and create the credential
    1. SSH into the target node (Supervisor or Collector) chosen in step 1.
    2. Run the following command in the terminal:
       $ htpasswd -b /etc/httpd/accounts/passwds mpas-log-sync 'password'
You should see output similar to:
       > Adding password for user mpas-log-sync
Notes
If the password includes special characters, enclose it in single quotes as shown. With -b the password is passed on the command line, so it is visible in the process list while the command runs and is written to the shell history; omit -b to be prompted for the password interactively instead. Use a strong password that is unique to this integration, because this account is allowed to inject events into the SIEM.
  3. Additional information
    1. For further details, refer to the FortiSIEM API documentation: FortiSIEM External Systems Configuration Guide.
  4. Example
    1. An example Analytics page shows how MPAS events appear in FortiSIEM once they are ingested.
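The credential step above, written so that the password is never placed on the command line, followed by a connectivity test of the new account. This is an added example and not part of the page or of FortiSIEM. It assumes htpasswd 2.4.4 or later for the -i option; the /rawupload path, its vendor/model/reptIp/reptName query parameters and the text/plain content type used by the test POST are the editor's recollection of the FortiSIEM HTTP(S) POST documentation and must be confirmed against the FortiSIEM External Systems Configuration Guide before use. The vendor and model values are placeholders.

```shell
#!/bin/sh
# Added example, not part of the page or of FortiSIEM: create the HTTP(S) POST
# credential on the target node without exposing the password, then check it.
set -eu

# create_credential FILE USER
# Reads the password from stdin (htpasswd -i, httpd 2.4.4+) instead of taking it
# with -b, so the secret never appears in `ps` output or in the shell history.
# -c is used only when FILE does not exist yet; on an existing file it would
# truncate every other credential stored there.
create_credential() {
    file=$1
    user=$2
    if [ -f "$file" ]; then
        htpasswd -i "$file" "$user"
    else
        htpasswd -c -i "$file" "$user"
    fi
}

# check_entry FILE USER -- succeeds if USER has a (hashed) entry in FILE.
check_entry() {
    grep -q "^$2:" "$1"
}

# post_test_event HOST USER REPORTING_IP
# Sends one JSON line with HTTP Basic authentication. curl prompts for the
# password, so it stays off the command line as well. ASSUMPTION: the
# /rawupload path, its query parameters and the text/plain content type are
# recalled from the FortiSIEM HTTP(S) POST documentation; verify them against
# the External Systems Configuration Guide. Vendor/Model are placeholders.
post_test_event() {
    host=$1
    user=$2
    rept_ip=$3
    curl -sS -u "$user" \
        -H 'Content-Type: text/plain' \
        --data-binary '{"source":"mpas-log-sync","message":"connectivity test"}' \
        "https://$host/rawupload?vendor=Vendor&model=Model&reptIp=$rept_ip&reptName=mpas-log-sync"
}

# Usage:
#   ./fortisiem-cred.sh create                         (on the FortiSIEM node; type the password)
#   ./fortisiem-cred.sh test <fortisiem-host> <reporting-ip>
case "${1:-}" in
    create)
        create_credential /etc/httpd/accounts/passwds mpas-log-sync
        check_entry /etc/httpd/accounts/passwds mpas-log-sync && echo "credential stored"
        ;;
    test)
        post_test_event "$2" mpas-log-sync "$3"
        ;;
esac
```

Run `create` on the FortiSIEM node and `test` from the host that will run the Log Sync Service, so the test exercises the same network path the container will use. If the node presents a certificate from a private CA, give curl that CA bundle with --cacert rather than disabling verification with -k.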

MPAS Log Sync Service Setup

Docker Pull Command

To pull the container image, run the following command:
  $ docker pull kzpublic.azurecr.io/sso/mpas-event-log-sync:latest
This command downloads the image tagged latest. That tag moves when a new build is published; for a production deployment, record the sha256 digest that docker pull prints and reference the image by that digest so the running version only changes when you decide to update it.
To help you get started with creating a container from this image, you can use Docker Compose. For additional details, refer to the Docker Compose section of the Multi-Pass Log Sync Service documentation.
Below is an example compose.yml file. Replace every <change-me> value. The file then holds the Multi-Pass and FortiSIEM credentials in clear text: keep it out of version control and readable only by the account that runs Docker, or move the secrets into a separate env_file referenced from the service.
  services:
    mpas-log-sync:
      image: kzpublic.azurecr.io/sso/mpas-event-log-sync:latest
      container_name: mpas-log-sync
      environment:
        - MPAS_URL=https://ca.auth.kzero.com
        - MPAS_REALM=<change-me>
        - MPAS_USERNAME=<change-me>
        - MPAS_PASSWORD=<change-me>
        - MPAS_LOG_SYNC_SHOW_EVENT_IP_ADDRESS=false
        - MPAS_LOG_SYNC_SHOW_EVENT_FULL_REPRESENTATION=false
        - MPAS_LOG_SYNC_SHOW_EVENT_USERNAME=false
        - MPAS_LOG_SYNC_START_FROM_EARLIEST_EVENT=false
        - MPAS_LOG_SYNC_POLLING_INTERVAL_MS=5000
        - MPAS_LOG_SYNC_OUTPUT_MODE=fortisiem
        - FORTISIEM_URL=<change-me> # required with output mode = fortisiem
        - FORTISIEM_USERNAME=<change-me> # required with output mode = fortisiem
        - FORTISIEM_PASSWORD=<change-me> # required with output mode = fortisiem
        - FORTISIEM_REPORTING_IP=0.0.0.0 # recommended with output mode = fortisiem
      restart: unless-stopped
Docker Compose Commands
To manage the container, run the following commands from the directory that holds compose.yml:
  $ docker compose up -d   # starts all services in the background
  $ docker compose stop    # stops all services

Docker CLI

To create a container from the image using the Docker CLI, execute the following command:
  $ docker run -d \
    --name=mpas-log-sync \
    -e MPAS_URL=https://ca.auth.kzero.com \
    -e MPAS_REALM=<change-me> \
    -e MPAS_USERNAME=<change-me> \
    -e MPAS_PASSWORD=<change-me> \
    -e MPAS_LOG_SYNC_SHOW_EVENT_IP_ADDRESS=false \
    -e MPAS_LOG_SYNC_SHOW_EVENT_FULL_REPRESENTATION=false \
    -e MPAS_LOG_SYNC_SHOW_EVENT_USERNAME=false \
    -e MPAS_LOG_SYNC_START_FROM_EARLIEST_EVENT=false \
    -e MPAS_LOG_SYNC_POLLING_INTERVAL_MS=5000 \
    -e MPAS_LOG_SYNC_OUTPUT_MODE=fortisiem \
    -e FORTISIEM_URL=<change-me> \
    -e FORTISIEM_USERNAME=<change-me> \
    -e FORTISIEM_PASSWORD=<change-me> \
    -e FORTISIEM_REPORTING_IP=0.0.0.0 \
    --restart unless-stopped \
    kzpublic.azurecr.io/sso/mpas-event-log-sync:latest
To stop the container, use the following command:
  $ docker stop mpas-log-sync

Environment Variables

Each variable is listed with its description, whether it is required, and its default value.

Config Name: MPAS_URL
Description: The URL of the MPAS instance to collect events from.
Requirement: Optional

Config Name: MPAS_REALM
Description: The deployment (realm) name to collect the events from.
Requirement: Required
Default: N/A

Config Name: MPAS_USERNAME
Description: Username of an MPAS account that holds the realm.events.view/view-events permission. Use a dedicated account with only this permission.
Requirement: Required
Default: N/A

Config Name: MPAS_PASSWORD
Description: Password of that account, used to authenticate with MPAS.
Requirement: Required
Default: N/A

Config Name: MPAS_LOG_SYNC_SHOW_EVENT_IP_ADDRESS
Description: Set to true to include IP addresses in the JSON events. If false, the IP address(es) are removed from the JSON events.
Requirement: Optional
Default: false

Config Name: MPAS_LOG_SYNC_SHOW_EVENT_FULL_REPRESENTATION
Description: Set to true to send the full event representation.
Requirement: Optional
Default: false

Config Name: MPAS_LOG_SYNC_SHOW_EVENT_USERNAME
Description: Set to true to include the username in the JSON events. If false, the username is removed from the JSON events.
Requirement: Optional
Default: false

Config Name: MPAS_LOG_SYNC_START_FROM_EARLIEST_EVENT
Description: Set to true to start collection from the earliest stored event; this is intended for the first run, when all historical events should be loaded. Set to false to collect only events generated after the service starts.
Requirement: Optional
Default: false

Config Name: MPAS_LOG_SYNC_POLLING_INTERVAL_MS
Description: The interval, in milliseconds, at which the service polls the Multi-Pass authentication service for new events.
Requirement: Optional
Default: 5000

Config Name: MPAS_LOG_SYNC_OUTPUT_MODE
Description: The destination for the events. Supported output modes are "fortisiem" and "stdout". With stdout, all events are printed to the console output, which is useful for checking the event content before pointing the service at FortiSIEM.
Requirement: Required
Default: N/A

Config Name: FORTISIEM_URL
Description: URL the Log Sync Service forwards events to. It should be the root URL of the Supervisor or Collector node on which the HTTPS credential was created.
Requirement: Required with output mode fortisiem
Default: N/A

Config Name: FORTISIEM_USERNAME
Description: Username used to authenticate with FortiSIEM (the account created with htpasswd above).
Requirement: Required with output mode fortisiem
Default: N/A

Config Name: FORTISIEM_PASSWORD
Description: Password used to authenticate with FortiSIEM.
Requirement: Required with output mode fortisiem
Default: N/A

Config Name: FORTISIEM_REPORTING_IP
Description: The reporting IP, that is, the source of the log. The value populates the CMDB as a reporting device, so set it to the address you want the Multi-Pass events attributed to (for example the host running the Log Sync Service) rather than leaving the 0.0.0.0 default.
Requirement: Recommended with output mode fortisiem
Default: 0.0.0.0

Notes
The MPAS_LOG_SYNC_SHOW_EVENT_* switches default to the most restrictive setting. With them off, events arrive in FortiSIEM without source IP addresses or usernames, which limits what a correlation rule or an investigation can do with them; with them on, the SIEM stores that personal data. Decide deliberately for your environment and record the choice.
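A pre-flight check for the container environment, as an added example that is not part of the page or of the Log Sync Service. It encodes the requirement column of the table above: the always-required variables, the FORTISIEM_* variables that become required only when MPAS_LOG_SYNC_OUTPUT_MODE is fortisiem, the https scheme of the URLs, the 0.0.0.0 placeholder for the reporting IP, the integer polling interval and the two privacy switches. The variable names are the page's; the checks and messages are the editor's.

```shell
#!/bin/sh
# Added example, not part of the page or of the Multi-Pass Log Sync Service:
# validates the environment a compose.yml or docker run would hand the container.
set -eu

errors=0
fail() { echo "ERROR: $1" >&2; errors=$((errors + 1)); }
warn() { echo "WARN:  $1" >&2; }

# require NAME -- NAME must be set, non-empty and not a <change-me> placeholder.
require() {
    eval "val=\${$1:-}"
    if [ -z "$val" ]; then
        fail "$1 is required but not set"
    elif [ "$val" != "${val#*change-me}" ]; then
        fail "$1 still holds the <change-me> placeholder"
    fi
}

# check_url NAME -- the value must be an https:// URL; plain http would send
# the credential and every event across the network unencrypted.
check_url() {
    eval "val=\${$1:-}"
    case "$val" in
        https://*) ;;
        http://*)  fail "$1 uses plain http; use https" ;;
        *)         fail "$1 must be a URL such as https://siem.example.com" ;;
    esac
}

# preflight -- returns 0 when the environment is consistent with the table.
preflight() {
    errors=0
    require MPAS_REALM
    require MPAS_USERNAME
    require MPAS_PASSWORD
    require MPAS_LOG_SYNC_OUTPUT_MODE
    [ -z "${MPAS_URL:-}" ] || check_url MPAS_URL

    case "${MPAS_LOG_SYNC_OUTPUT_MODE:-}" in
        fortisiem)
            require FORTISIEM_URL
            require FORTISIEM_USERNAME
            require FORTISIEM_PASSWORD
            [ -z "${FORTISIEM_URL:-}" ] || check_url FORTISIEM_URL
            # 0.0.0.0 is only the default; the value becomes the reporting device in CMDB.
            [ "${FORTISIEM_REPORTING_IP:-0.0.0.0}" != "0.0.0.0" ] ||
                warn "FORTISIEM_REPORTING_IP left at 0.0.0.0; set it to the address events should be attributed to"
            ;;
        stdout)
            for v in FORTISIEM_URL FORTISIEM_USERNAME FORTISIEM_PASSWORD; do
                eval "val=\${$v:-}"
                [ -z "$val" ] || warn "$v is ignored when output mode is stdout"
            done
            ;;
        '') ;;   # already reported by require
        *) fail "MPAS_LOG_SYNC_OUTPUT_MODE must be 'fortisiem' or 'stdout'" ;;
    esac

    case "${MPAS_LOG_SYNC_POLLING_INTERVAL_MS:-5000}" in
        ''|*[!0-9]*|0) fail "MPAS_LOG_SYNC_POLLING_INTERVAL_MS must be a positive integer (milliseconds)" ;;
    esac

    # Both default to false: the SIEM then receives events without source IP or username.
    for v in MPAS_LOG_SYNC_SHOW_EVENT_IP_ADDRESS MPAS_LOG_SYNC_SHOW_EVENT_USERNAME; do
        eval "val=\${$v:-false}"
        case "$val" in
            true|false) ;;
            *) fail "$v must be true or false" ;;
        esac
        [ "$val" = true ] || warn "$v is false; FortiSIEM will not see that field in the events"
    done

    [ "$errors" -eq 0 ]
}

# Usage: load the same variables the compose file sets, then run the check:
#   set -a; . ./.env; set +a; ./preflight.sh run
[ "${1:-}" != "run" ] || preflight
```

A non-zero exit means at least one ERROR line was printed; WARN lines are advisory. Running the check with MPAS_LOG_SYNC_OUTPUT_MODE=stdout first is a cheap way to confirm the Multi-Pass side before the FortiSIEM credential is involved.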

Managed Deployment

This deployment is suitable for environments where your FortiSIEM can be reached by MPAS over the internet. In that case, restrict the exposed HTTPS POST endpoint at the firewall to the Multi-Pass source addresses and keep the htpasswd credential dedicated to this integration. If you want us to manage the Multi-Pass Log Sync Service deployment, please contact us.

