Log type Traffic logs.

Logs that roll over when the log file reaches a specific size.

Logs that are indexed and stored in the SQL.

Raw logs that are compressed and saved to a log file.

What devices and IP addresses are connecting to FortiAnalyzer

What logs, if any, are reaching FortiAnalyzer

What ADOMs are enabled and configured

What devices are registered and unregistered

Virtual domains

Administrative access profiles

Trusted hosts

Security Fabric

Allows you to manage the entire life cycle of a threat or breach.

Its use of the available disk space is capped at 50%.

It requires a licensed FortiSIEM supervisor.

It can be installed as a dedicated VM.

Mail server

Output profile

SFTP server

Report scheduling

To display statistics about the playbook runtime

To use information from the trigger to filter the action in a task

To provide the trigger information to make the playbook start running

To store the start times of playbooks with On_Schedule triggers

The performance of FortiAnalyzer is below the baseline.

FortiAnalyzer is using its cache to avoid dropping logs.

The log insert lag time is increasing.

The sqlplugind service is caught up with new logs.

You enabled auto-cache with extended log filtering.

The logfiled service has not indexed all the expected logs.

The logs were overwritten by the data retention policy.

The time frame selected in the report is wrong.

The security risk was blocked or dropped.

The security event risk is considered open.

An incident was created from this event.

The risk source is isolated.

To add a unique tag to each log to prove that it came from this FortiAnalyzer

To add the MD5 hash value and authentication code

To add a log file checksum

To encrypt log communications

SELECT devid FROM Slog GROOP BY devid WHERE * user' =* USERl'

SELECT devid WHERE 'u3er'='USERl' FROM $ log GROUP BY devid

SELECT devid FROM Slog- WHERE *user' =' USERl' GROUP BY devid

FROM Slog WHERE 'user* =' USERl' SELECT devid GROUP BY devid

FortiAnalyzer uses log fetching to retrieve the logs when back online

FortiGate uses themiglogdprocess to cache the logs

Thelogfiledprocess stores logs in offline mode

Logs are dropped

They determine what data is retrieved from the database.

They provide the layout used for reports.

They are used to set the data included in templates.

They define the chart types to be used in reports.

Configure local DNS servers on FortiAnalyzer

Resolve IPs on FortiGate

Configure # set resolve-ip enable in the system FortiView settings

Resolve IPs on a per-ADOM basis to reduce delay on FortiView while IPs resolve

To store playbook execution statistics

To use the output of the previous task as the input of the current task

To display details of the connectors used by a playbook

To save all the task settings when a playbook is exported

Management extensions do not require additional licenses.

Management extensions allow FortiAnalyzer to act as a ForbSIEM supervisor.

Management extensions require a dedicated VM for best performance.

Management extensions may require a minimum number of CPU cores to run.

Export to Report Chart

Export to PDF

Export to Chart Builder

Export to Custom Chart

Report size will be optimized to conserve disk space on FortiAnalyzer.

Reports will be cached in the memory.

This feature is automatically enabled for scheduled reports.

Enabling auto-cache reduces report generation time for reports that require a long time to assemble datasets.

Resolve IP addresses on a per-ADOM basis to reduce delay on FortiView while IPs resolve

Configure# set resolve-ip enablein the system FortiView settings

Configure local DNS servers on FortiAnalyzer

Resolve IP addresses on FortiGate

By default, Log Data Sync is disabled on all backup devise.

Log Data Sync provides real-time log synchronization to all backup devices.

With initial Logs Sync, when you add a unit to an HA cluster, the primary device synchronizes its logs with the backup device.

When Logs Data Sync is turned on, the backup device will reboot and then rebuilt the log database with the synchronized logs.

An account that permits access to members of an LDAP group

An account that allows guest access with read-only privileges

An account that requires two-factor authentication

An account that validates against any user account on a FortiAuthenticator

logfiled

oftpd

sqlplugind

miglogd

Custom datasets

Report scheduling

Report settings

Output profiles

FortiAnalyzer distinguishes different devices by their serial number.

FortiAnalyzer receives logs from d devices in a duster.

FortiAnalyzer receives bgs only from the primary device in the cluster.

FortiAnalyzer only needs to know (he serial number of the primary device in the cluster-it automaticaly discovers the other devices.

Use the execute sql-local rebuild-db command to rebuild all ADOM databases.

Use the execute sql-local rebuild-adom ADOM1 command to rebuild the ADOM database.

Use the execute sql-report run ADOM1 command to run a report.

Use the execute sql-local rebuild-adom root command to rebuild the ADOM database.

The log file is stored as a raw log and is available for analytic support.

The log file rolls over and is archived.

The log file is purged from the database.

The log file is overwritten.

New alerts are received by email.

Outbreak alerts are available on the root ADOM only.

An additional license is required.

It automatically downloads new event handlers and reports.

Click FortiView and generate a report for that administrator.

Click Task Monitor and view the tasks performed by that administrator.

Click Log View and generate a report for that administrator.

View the tasks performed by the rogue administrator in Fabric View.

To reduce report generation time

To automatically update the hcache when new logs arrive

To reduce the log insert lag rate

To provide diagnostics on report generation time

All FortiGates can send logs to FortiAnalyzer using the store and upload option.

Only FortiGate models with hard disks can send logs to FortiAnalyzer using the store and upload option.

Both secure communications methods (SSL and IPsec) allow the store and upload option.

Disk logging is enabled on the FortiGate through the CLI only.

Disk logging is enabled by default on the FortiGate.

Standalone

Manager

Analyzer

Collector

operation-login & dstip==10.1.1.210 & user!-admin

operation-login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

operation-login & performed_on=="GUI(10.1.1.210)" & user!=admin

operation-login & performed_on=="GUI(10.1.1.100)" & user!=admin

It creates a wildcard administrator using LDAP and RADIUS servers.

Administrator can log in to FortiAnalyzer using their credentials on remote servers LDAP and RADIUS.

Use remoteadmin from LDAP and RADIUS servers will be able to log in to FortiAnalyzer at anytime.

It allows administrators to use two-factor authentication.

A local wildcard administrator account

A remote LDAP server

A trusted host profile that restricts access to the LDAP group

An administrator group

When in collector mode, FortiAnalyzer collects logs from multiple devices and forwards these logs in the original binary format.

Collector mode is the default operating mode.

When in collector mode. FortiAnalyzer supports event management and reporting features.

By deploying different FortiAnalyzer devices with collector and analyzer mode in a network, you can improve the overall performance of log receiving, analysis, and reporting

From the VM host manager, add an additional virtual disk and use the #execute lvm extend command to expand the storage

From the VM host manager, expand the size of the existing virtual disk

From the VM host manager, expand the size of the existing virtual disk and use the # execute format disk command to reformat the disk

From the VM host manager, add an additional virtual disk and rebuild your RAID array

To list the current SQL processes running

To check what is the database log insertion status

To display the SOL query connections and hcache status

To view the current hcache size

FortiAnalyzer Event Handler

Incoming webhook

FortiOS Event Log

Fabric Connector event