Fortinet FortiAnalyzer is a popular product for aggregating logs from Fortinet firewalls. One challenge seen in the field is that when FortiAnalyzer forwards logs to Unomaly, the syslog header it writes names the FortiAnalyzer instance rather than the device that originally produced the log. Unomaly identifies log sources from the syslog header, so it sees only the name of the FortiAnalyzer instance and not which firewall or device the logs actually come from.
There is, however, a fix for this: give Unomaly a helping hand by using the fluentd that is built into the Unomaly instance.
The setup results in the following:
- A new port is opened on the Unomaly instance to listen specifically for logs from FortiAnalyzer (or any other Fortinet product that outputs logs in the same format).
- Fluentd parses each log message and picks out the field that names the device the message actually originated from, so that device, rather than the FortiAnalyzer, is what Unomaly treats as the source.
Place the following snippet in the file /DATA/fluentd/etc/conf.d/fortianalyzer.conf. The expression line is the regexp parser rule: it captures the value of the devname= field, quoted or unquoted, into a field called devname that names the originating device. Note that the expression requires a space after the value, so it only matches when devname is not the last field of the message:
expression /devname=(\"?)(?<devname>.+?['-]?)(\"?) /
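To see what the expression above actually extracts, here is an added example (my own code, not part of the Unomaly page and not Fluentd or Fortinet code) that runs the same regexp in Ruby, the regexp engine fluentd's regexp parser uses, over a few constructed FortiAnalyzer-style syslog lines. It also shows two things a practitioner should know: when no devname is present, the source should fall back to the host in the syslog header, and the page's expression does not match when devname is the last field because it requires a trailing space. The stricter alternative regexp, and every hostname, device name and log line, are assumptions made up for illustration.

```ruby
# Added example, not code from the Unomaly page, Fluentd or Fortinet: exercise
# the page's fluentd `expression` regexp in Ruby (the regexp engine fluentd
# uses) against constructed FortiAnalyzer-style syslog lines. Every hostname,
# device name and log line here is made up for illustration.

# Verbatim from the page: the rule the fluentd regexp parser applies.
PAGE_DEVNAME_RE = /devname=(\"?)(?<devname>.+?['-]?)(\"?) /

# Stricter variant (an assumption, not from the page): same capture, but it does
# not require a character after the value, so devname may be the last field.
STRICT_DEVNAME_RE = /devname="?(?<devname>[^"\s]+)"?(?=\s|\z)/

# BSD-style syslog line as a relay such as FortiAnalyzer would emit it:
#   <PRI>Mon DD HH:MM:SS hostname message
SYSLOG_RE = /\A<(?<pri>\d{1,3})>(?<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?<host>\S+) (?<msg>.*)\z/m

# Constructed samples. The header host is always the FortiAnalyzer ("faz-01");
# the firewall that produced the event only appears in the message body.
SAMPLE_LINES = [
  # quoted devname followed by more fields
  '<189>May 10 11:37:47 faz-01 date=2019-05-10 time=11:37:47 devname="FGT-BRANCH-1" devid="FG100E0000000001" logid="0000000013" type="traffic"',
  # unquoted devname
  '<189>May 10 11:37:48 faz-01 date=2019-05-10 time=11:37:48 devname=FGT-HQ devid="FG200E0000000002" logid="0000000013" type="traffic"',
  # no devname at all: the header host is the only source information
  '<189>May 10 11:37:49 faz-01 date=2019-05-10 time=11:37:49 logid="0000000020" type="event"',
  # devname as the last field: the page's expression needs a trailing space
  '<189>May 10 11:37:50 faz-01 date=2019-05-10 time=11:37:50 logid="0000000020" devname="FGT-LAB"',
].freeze

# Split a line into syslog header and message, then look for the originating
# device in the message. Returns nil for lines that are not syslog at all;
# otherwise :source is the devname when found and the header host when not.
def source_of(line, devname_re = PAGE_DEVNAME_RE)
  m = SYSLOG_RE.match(line)
  return nil unless m

  d = devname_re.match(m[:msg])
  {
    header_host: m[:host],                   # what Unomaly sees without the fix
    devname:     d ? d[:devname] : nil,      # the firewall named in the body
    source:      d ? d[:devname] : m[:host], # what should be reported as source
  }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each do |line|
    page   = source_of(line)
    strict = source_of(line, STRICT_DEVNAME_RE)
    puts "header=#{page[:header_host]} page=#{page[:source]} strict=#{strict[:source]}"
  end
end
```

Run the file with ruby: each sample prints the header host next to the source that the page's expression and the stricter variant would report. The last sample is the one to watch: the page's expression falls back to faz-01, the stricter one reports FGT-LAB.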
After the file is in place, restart fluentd so it picks up the new configuration:
sudo unomaly restart fluentd
You also need to allow access to the chosen port in UFW on the Unomaly instance. The rule below opens the port to any host; in production, restrict it to the FortiAnalyzer's source address so that only it can deliver logs to this listener:
sudo ufw allow 45514
Last but definitely not least, reconfigure FortiAnalyzer to forward its logs to the Unomaly instance on port 45514, matching the port used in the configuration above.