Fortinet Integration with Wazuh


kamal

Mar 17, 2025, 7:16:55 AM
to Wazuh | Mailing List
Hi all,
I'm new to Wazuh SIEM and I want to integrate the firewall logs from FortiGate into Wazuh SIEM. Can anyone help me integrate the Fortinet firewall with Wazuh? Please help me.

Bony V John

Mar 17, 2025, 8:38:33 AM
to Wazuh | Mailing List
Hi,

You should be able to achieve this by configuring syslog on both the Wazuh server and the FortiGate device. Please follow the steps below:
 
Option 1: Configure the Wazuh Server to Receive Syslog Messages

Modify the /var/ossec/etc/ossec.conf file on your Wazuh server and add the following configuration inside the <ossec_config> tags to listen for syslog messages on TCP port 514:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.15/24</allowed-ips>
    <local_ip>192.168.2.10</local_ip>
  </remote>

• <connection>: Specifies the type of connection. Allowed values: secure or syslog.
• <port>: The port on which the Wazuh server listens for incoming syslog messages (514 in this example).
• <protocol>: The communication protocol. Allowed values: tcp or udp.
• <allowed-ips>: The IP address or subnet of devices sending syslog messages (192.168.2.15/24 in this example).
• <local_ip>: The IP address of the Wazuh server that listens for syslog messages (192.168.2.10 in this example).

For more details, refer to the Wazuh remote configuration documentation.

Run the following command to apply the changes:

  systemctl restart wazuh-manager

Option 2: Configure a Centralized Syslog Server (Rsyslog)

Instead of sending logs directly to Wazuh, you can configure a centralized syslog server (e.g., rsyslog) on a Linux host with a Wazuh agent. You can refer to the Wazuh rsyslog configuration documentation for this.

The link below will be helpful for performing the configuration on your FortiGate device:
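As an added example (not part of the answer above, and not code from Wazuh or Fortinet), the script below shows what the manager will be receiving once the <remote> block is in place: it parses FortiGate's key=value syslog format into fields, flags denied traffic flows, and checks a sender address against an <allowed-ips> value such as the 192.168.2.15/24 used above. The log lines, device names and addresses are constructed for this example; treating a CIDR with host bits set as its enclosing network is this script's assumption, not a statement about how the Wazuh manager evaluates <allowed-ips>.

```python
"""Added example, not from the mailing-list thread: parse FortiGate-style
key=value syslog lines and check a sender against the <allowed-ips> value
used in the ossec.conf snippet above."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in FortiGate's key=value syslog format
# (values containing spaces are double-quoted, as FortiOS does). Device
# names, IDs and addresses are placeholders made up for this example.
SAMPLE_LINES: List[str] = [
    '<189>date=2025-03-17 time=12:16:01 devname="FGT-EXAMPLE" devid="FGT-ID-PLACEHOLDER" '
    'type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 srcport=51000 '
    'dstip=203.0.113.10 dstport=443 proto=6 action="accept" msg="Example accept"',
    '<189>date=2025-03-17 time=12:16:02 devname="FGT-EXAMPLE" devid="FGT-ID-PLACEHOLDER" '
    'type="traffic" subtype="forward" level="notice" srcip=10.0.0.9 srcport=40200 '
    'dstip=203.0.113.20 dstport=23 proto=6 action="deny" msg="Example deny"',
]

# One key=value pair: the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate(line: str) -> Dict[str, str]:
    """Return the key=value fields of one FortiGate syslog line.

    The optional RFC 3164 <PRI> prefix is stripped first so it does not
    get glued onto the first key (otherwise "date" would arrive as "<189>date").
    """
    body = re.sub(r"^<\d{1,3}>", "", line)
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV_RE.finditer(body)
    }


def sender_allowed(sender_ip: str, allowed_ips: str) -> bool:
    """Check whether sender_ip falls inside an <allowed-ips> value.

    Assumption for this example: a CIDR with host bits set, such as the
    192.168.2.15/24 from the snippet above, is read as its network
    (192.168.2.0/24), which is what strict=False does; confirm the
    manager's own behaviour against the Wazuh remote documentation.
    """
    network = ipaddress.ip_network(allowed_ips, strict=False)
    return ipaddress.ip_address(sender_ip) in network


def denied_flows(lines: List[str]) -> List[str]:
    """Return 'srcip->dstip:dstport' for every traffic log with action=deny."""
    out = []
    for line in lines:
        fields = parse_fortigate(line)
        if fields.get("type") == "traffic" and fields.get("action") == "deny":
            out.append(f"{fields['srcip']}->{fields['dstip']}:{fields['dstport']}")
    return out


if __name__ == "__main__":
    for ip in ("192.168.2.15", "192.168.2.200", "192.168.3.1"):
        verdict = "allowed" if sender_allowed(ip, "192.168.2.15/24") else "rejected"
        print(f"{ip}: {verdict}")
    print("denied flows:", denied_flows(SAMPLE_LINES))
```

Running the script stand-alone prints the verdict for three sender addresses and the single denied flow from the sample lines; point parse_fortigate at lines captured from the manager's /var/ossec/logs/archives (if archiving is enabled) to confirm the fields the decoder will see.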

C. A.

May 7, 2025, 11:09:34 AM
to kamal, Wazuh | Mailing List

There is already a Fortinet decoder in Wazuh: configure an agent, send from the Fortinet device to the agent, and voilà.

Luiz Farah

May 7, 2025, 12:34:49 PM
to C. A., kamal, Wazuh | Mailing List

FortiGate does not use the Wazuh agent. You need to send the logs via syslog to the Wazuh server. You need to change a few small settings in the server's ossec.conf and you will start capturing the logs.

