Connect Fortinet to Azure Sentinel

This article explains how to connect your Fortinet appliance to Azure Sentinel. The Fortinet data connector allows you to easily connect your Fortinet logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. Using Fortinet on Azure Sentinel will provide you more insights into your organization’s Internet usage, and will enhance its security operation capabilities.​

Forward Fortinet logs to the Syslog agent

Configure Fortinet to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent.

  1. Open the CLI on your Fortinet appliance and run the following commands:

    config log syslogd setting
    set status enable
    set format cef
    set port 514
    set server <ip_address_of_Receiver>
    • Replace the server ip address with the IP address of the agent.
    • Set the syslog port to 514 or the port set on the agent.
    • To enable CEF format in early FortiOS versions, you might need to run the command set csv disable.


    For more information, go to the Fortinet document library. Select your version, and use the Handbook and Log Message Reference.

  2. To use the relevant schema in Azure Monitor Log Analytics for the Fortinet events, search for CommonSecurityLog.

  3. Continue to STEP 3: Validate connectivity.

Next steps

In this article, you learned how to connect Fortinet appliances to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: