Collect Fortinet FortiManager logs

Supported in:

Google secops SIEM

This document explains how to ingest Fortinet FortiManager logs to Google Security Operations using Bindplane.

Fortinet FortiManager is a centralized network management platform that provides unified management, best practices compliance, and workflow automation for Fortinet security and networking devices. FortiManager enables administrators to centrally manage configurations, policies, firmware updates, and security services across thousands of FortiGate firewalls and other Fortinet devices in the Security Fabric.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance.
A Windows Server 2016 or later, or a Linux host with systemd.
Network connectivity between the Bindplane agent and Fortinet FortiManager.
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
Privileged access to the Fortinet FortiManager management console with permissions to modify System Settings.
FortiManager version 5.0.7 or later.

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agent.
Click Downloadto download the ingestion authentication file.
Save the file securely on the system where the Bindplane agent will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Promptor PowerShellas an administrator.

Run the following command:

  msiexec 
  
 / 
 i 
  
 "[https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi](https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi)" 
  
 / 
 quiet

Wait for the installation to complete.
Verify the installation by running:
```
 sc query observiq-otel-collector 
```
The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

 sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
 [ 
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ]( 
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 )" 
  
install_unix.sh

Wait for the installation to complete.
Verify the installation by running:
```
 sudo  
systemctl  
status  
observiq-otel-collector 
```
The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide .

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux: bash sudo nano /opt/observiq-otel-collector/config.yaml
Windows: cmd notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

  receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/fortimanager 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 'your-customer-id-here' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 FORTINET_FORTIMANAGER 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
  
 env 
 : 
  
 production 
  
 source 
 : 
  
 fortimanager 
 service 
 : 
  
 pipelines 
 : 
  
 logs/fortimanager_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/fortimanager

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- listen_address : IP address and port to listen on. Use 0.0.0.0:514 to listen on all interfaces on port 514. If port 514requires root privileges on Linux, use 0.0.0.0:1514 and configure FortiManager to send to port 1514.
Exporter configuration:
- creds_file_path : Full path to the ingestion authentication file.
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id : Your Customer ID (for example, a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 ).
- endpoint : Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for the complete list.
- log_type : Must be exactly FORTINET_FORTIMANAGER .
- ingestion_labels : Optional labels for filtering and organization.

Save the configuration file

After editing, save the file:

Linux: Press Ctrl+O , then Enter , then Ctrl+X .
Windows: Click File > Save.

To restart the Bindplane agent in Linux:

Run the following command:

 sudo  
systemctl  
restart  
observiq-otel-collector

Verify the service is running:

 sudo  
systemctl  
status  
observiq-otel-collector

Check logs for errors:

 sudo  
journalctl  
-u  
observiq-otel-collector  
-f

To restart the Bindplane agent in Windows:

Choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
 net stop observiq-otel-collector && net start observiq-otel-collector 
```
- Services console:
  1. Press Win+R , type services.msc , and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
Verify the service is running:
```
 sc query observiq-otel-collector 
```

Check logs for errors:

  type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure Fortinet FortiManager syslog forwarding

FortiManager syslog configuration is a two-step process: first, define the syslog server in the GUI, then enable local log forwarding via CLI.

Step 1: Add syslog server in FortiManager GUI

Sign in to the Fortinet FortiManagerweb interface.
Go to System Settings > Advanced > Syslog Server.
Click Create Newin the toolbar.
Configure the following settings:
- Name: Enter a descriptive name (for example, Chronicle-Bindplane ).
- IP address (or FQDN): Enter the IP address of the Bindplane agent host (for example, 192.168.1.100 ).
- Syslog Server Port: Enter 514 (or 1514 if using a non-privileged port).
- Reliable Connection: Leave disabled for UDP (default), or enable for TCP.
- Secure Connection: Leave disabled unless you have configured TLS certificates.
Click OKto save the syslog server configuration.

Step 2: Enable local log forwarding via CLI

Connect to the FortiManager CLI via SSH or console.

Run the following commands (For FortiManager 5.0.7 and later):

 config system locallog syslogd setting
        set syslog-name Chronicle-Bindplane
        set severity information
        set status enable
end

Configuration parameters:

syslog-name : Must match the Nameyou configured in the GUI.
severity : Set to information to capture all local logs. Options include: emergency , alert , critical , error , warning , notification , information , debug .
status : Set to enable to start forwarding logs.

Verify the configuration: config system locallog syslogd setting show end
Verify logs are being sent:
- Linux: sudo tcpdump -i any port 514 -A
- Windows:Use Wireshark to capture traffic on port 514.

Notes on FortiManager syslog behavior

FortiManager sends its own local event logs(system, configuration changes, administrative actions), not logs from managed FortiGate devices.
By default, Reliable Connectionis disabled (UDP port 514). If enabled, logs use TCP port 514.
Syslog messages use a Fortinet-specific format. The Google SecOps FORTINET_FORTIMANAGER parser is designed for this format.
Ensure system time is synchronized with NTPand configured to UTC. (Go to Dashboard> System Informationwidget to edit).

UDM mapping table

Log Field	UDM Mapping	Logic
`type` , `subtype` , `pri` , `operation` , `performed_on` , `lograte` , `msgrate` , `logratelimit` , `logratepeak` , `action` , `cpuusage` , `memusage` , `diskusage` , `disk2usage` , `userfrom`	`about.resource.attribute.labels`	Labels associated with the resource.
`clearpass-spt` , `allow-routing` , `color` , `comment` , `fabric-object` , `name` , `node-ip-only` , `obj-type` , `sdn-addr-type` , `sub-type` , `adom` , `pkgname` , `_signal-lte-rsrq` , `_signal-lte-rssi` , `performed_on_dev` , `changetype`	`additional.fields`	Additional fields for extended data.
`cache_ttl_label`	`network.dns.answers`	DNS answers mapping.
`changes`	`metadata.description`	Detailed description of the event.
`event_type`	`metadata.event_type`	The category/type of event.
`log_id`	`metadata.product_log_id`	Product-specific identifier.
`session_id`	`network.session_id`	Session identifier.
`adminprof`	`principal.administrative_domain`	Administrative domain of the principal.
`devname`	`principal.hostname`	Hostname of the principal.
`src_ip`	`principal.ip`	IP address of the principal.
`device_id`	`principal.resource.product_object_id`	Resource product ID.
`uuid`	`principal.user.userid`	User ID of the principal.
`action_details`	`security_result.action`	The security action taken.
`wildcard` , `subnet` , `end-ip` , `start-ip`	`security_result.detection_fields`	Fields used for security detection.
`msg`	`security_result.summary`	Summary of the security event.
`target_ip` , `tar_ip` , `remote_ip`	`target.ip`	Target entity IP address.
`tar_port` , `remote_port`	`target.port`	Target entity port.
`user`	`target.user.userid`	User ID of the target.
N/A	`metadata.vendor_name`	Set to Fortinet.
N/A	`metadata.product_name`	Set to FortiManager.

Need more help? Get answers from Community members and Google SecOps professionals.