Connect Fortinet to Azure Sentinel
This article explains how to connect your Fortinet appliance to Azure Sentinel. The Fortinet data connector lets you easily connect your Fortinet logs to Azure Sentinel, so you can view dashboards, create custom alerts, and improve investigations. Using Fortinet with Azure Sentinel gives you more insight into your organization's Internet usage and enhances its security operations capabilities.
Forward Fortinet logs to the Syslog agent
Configure Fortinet to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent.
Open the CLI on your Fortinet appliance and run the following commands:
```
config log syslogd setting
    set status enable
    set format cef
    set port 514
    set server <ip_address_of_Receiver>
end
```
- Replace the server IP address with the IP address of the agent.
- Set the syslog port to 514, or to the port configured on the agent.
- To enable CEF format in early FortiOS versions, you might need to run the command set csv disable.
For more information, go to the Fortinet document library. Select your version, and use the Handbook and Log Message Reference.
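The appliance configured above emits each log as a syslog line carrying a CEF record (header fields separated by `|`, followed by space-separated `key=value` extensions). The parser below is an added example, not code from this page, from Microsoft, or from Fortinet; it shows what a correctly formatted message looks like once it reaches the agent and lets you sanity-check a captured line before looking for it in the workspace. The sample line, the hostname, the device ID and the event values are constructed for the example; the extension keys (`src`, `dst`, `spt`, `dpt`, `proto`, `act`, `msg`) are standard CEF names, but the exact key set a FortiGate emits depends on the FortiOS version and log type.

```python
import re

# Order of the seven CEF header fields that follow "CEF:".
CEF_HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Constructed sample of a FortiGate-style syslog line in CEF format
# (hostname, device ID and addresses are made up for this example).
SAMPLE_LINE = (
    "<189>Jan 23 10:00:00 fortigate-01 CEF:0|Fortinet|Fortigate|v6.4.5|00013|"
    "traffic:forward close|3|deviceExternalId=FGT-LAB-0001 "
    "src=10.0.0.5 spt=51234 dst=203.0.113.10 dpt=443 proto=TCP act=close "
    "msg=constructed sample line"
)


def _split_header(body):
    """Split the CEF body on '|' separators that are not escaped as '\\|'.

    A literal backslash is escaped as '\\\\' in CEF headers; the sequence
    '\\\\|' (escaped backslash followed by a real separator) is not handled
    here, which is acceptable for checking vendor-generated messages.
    """
    parts = re.split(r"(?<!\\)\|", body)
    return [p.replace(r"\|", "|").replace("\\\\", "\\") for p in parts]


def _parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict.

    A key is a run of [A-Za-z0-9_.] at the start of the string or after
    whitespace, immediately followed by '='. Everything up to the next key
    is that key's value, so values may contain spaces. '\\=' inside a value
    is an escaped '=' and is never treated as a key boundary.
    """
    pairs = {}
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[start:end].strip()
        pairs[m.group(1)] = value.replace(r"\=", "=").replace("\\\\", "\\")
    return pairs


def parse_cef(line):
    """Parse a syslog line containing a CEF record.

    Returns {"syslog_prefix": str, "header": dict, "extension": dict}.
    Raises ValueError if the line is not a well-formed CEF message.
    """
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no 'CEF:' marker found in line")
    body = line[idx + len("CEF:"):]
    parts = _split_header(body)
    if len(parts) < 8:
        raise ValueError("CEF header must have 7 '|'-separated fields")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    # CEF severity is 0-10 (or a word such as Low/High); keep ints as ints.
    if header["severity"].isdigit():
        header["severity"] = int(header["severity"])
    # The extension may contain unescaped '|', so rejoin any extra parts.
    extension = "|".join(parts[7:])
    return {
        "syslog_prefix": line[:idx].strip(),
        "header": header,
        "extension": _parse_extension(extension),
    }


def is_fortinet_cef(record):
    """True if the parsed record identifies Fortinet as the device vendor."""
    return record["header"].get("device_vendor") == "Fortinet"


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_LINE)
    print("Fortinet record:", is_fortinet_cef(rec))
    print("Header:", rec["header"])
    print("Extension:", rec["extension"])
```

If a captured line fails to parse here (a missing `CEF:` marker, fewer than seven header separators), the appliance is most likely still sending its native format rather than CEF, which is the case the `set csv disable` note above addresses on older FortiOS releases.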
To use the relevant schema in Azure Monitor Log Analytics for the Fortinet events, search for
Continue to STEP 3: Validate connectivity.
In this article, you learned how to connect Fortinet appliances to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.
- Use workbooks to monitor your data.