SIEM & UEBA

 View Only
Expand all | Collapse all

Correlating Firewall Logs end to end

  • 1.  Correlating Firewall Logs end to end

    Posted 5 days ago

    Hello,

    I would like to know how multiple FortiGate logs for one flow can be traced back. 


    e.g. External IP hits Public NAT IP on Fortigate (log 1), this is then DNat to internal IP, which is then in turn SNat to another external IP (log 2). What unique field can I used to match these two logs (session ID? event time?) within the FortiGate Logs. 

    addtionally, does FortiSIEM support NXlog agent forwarding logs in any format?

    BR,
    Ali



  • 2.  RE: Correlating Firewall Logs end to end

    Posted yesterday
    Hi Ali

    I once did that a long time ago with Splunk, if I remeber correctly there we used the Session ID to match the logs of a WAF to the original IPs masked by the Fortigate in front of it.

    Regards
    Simon