Fortigate security event searches

For those who monitor their FortiGate firewall: what do you search for as security events?
Search query:
gl2_source_input:601e791d92c03962c4dc36f8 AND type: event AND (subtype: system OR subtype: vpn) AND (logdesc: "Configuration changed" OR logdesc: "Authentication error" OR logdesc: "Application crashed")


Our FortiGate firewalls get monitored by Zabbix and Graylog.
The environment setup on Graylog consists of some of the following:

Firewall: Configuration Changed
Firewall: User Logon
Firewall: User Failed Logon

As for the dashboard, we monitor any little changes in traffic. Sorry, I had to cut out personal info.

We had to use a few extractors to make this happen:
Create an INPUT just for the FortiGate firewall.
Make new fields from the extractors.

This is probably something you may want.

Hope that helps.

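As an added example (not code from either poster or from Graylog), this emulates what the extractors and alerts in the answer above do: split a FortiGate key=value syslog line into fields, then map those fields onto the three alert names listed (Configuration Changed, User Logon, User Failed Logon). The sample lines are constructed; only the type/subtype values and the logdesc strings "Configuration changed" and "Authentication error" come from the thread, while the admin-login logdesc wording and the status field are assumptions.

```python
"""Added example: FortiGate key=value field extraction plus the three alert rules
from the answer. Sample logs are constructed; login logdesc/status values are assumed."""
import re

# key=value pairs; values may be double-quoted and contain spaces
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOGS = [  # constructed; only "Configuration changed"/"Authentication error" are from the thread
    'date=2024-01-01 time=10:00:00 devname="fw01" type="event" subtype="system" '
    'logdesc="Configuration changed" user="admin" ui="ssh(192.0.2.10)" msg="Edit firewall.policy 12"',
    'date=2024-01-01 time=10:01:00 devname="fw01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" status="success"',
    'date=2024-01-01 time=10:02:00 devname="fw01" type="event" subtype="system" '
    'logdesc="Admin login failed" user="root" ui="ssh(198.51.100.7)" status="failed"',
    'date=2024-01-01 time=10:03:00 devname="fw01" type="event" subtype="vpn" '
    'logdesc="Authentication error" user="jdoe" remip=203.0.113.5',
    'date=2024-01-01 time=10:04:00 devname="fw01" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=192.0.2.1 action="accept"',
]


def extract_fields(line: str) -> dict:
    """Split one FortiGate key=value line into fields, stripping the quotes."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def classify(fields: dict):
    """Map fields onto the alert names from the answer; None means no alert."""
    if fields.get("type") != "event":          # traffic/utm logs are out of scope here
        return None
    logdesc = fields.get("logdesc", "")
    if fields.get("subtype") == "system" and logdesc == "Configuration changed":
        return "Firewall: Configuration Changed"
    if "login" in logdesc.lower():              # assumed admin-login logdesc wording
        ok = fields.get("status") == "success"
        return "Firewall: User Logon" if ok else "Firewall: User Failed Logon"
    if logdesc == "Authentication error":       # e.g. failed VPN user authentication
        return "Firewall: User Failed Logon"
    return None


def alerts_for(lines: list) -> list:
    """Run extraction + classification over many lines, keeping who and from where."""
    out = []
    for line in lines:
        f = extract_fields(line)
        alert = classify(f)
        if alert:
            out.append({"alert": alert, "user": f.get("user", "?"),
                        "source": f.get("ui") or f.get("remip", "?")})
    return out
```

Calling `alerts_for(SAMPLE_LOGS)` yields one alert for each of the first four lines and nothing for the traffic log, which is the same filtering the `type: event AND (subtype: system OR subtype: vpn)` search in the question performs before the logdesc match.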
