Configuring event forwarding from FortiSIEM
April 11, 2024
ID 181634
This section describes how to configure event forwarding from FortiSIEM to Kaspersky CyberTrace.
To configure event forwarding from FortiSIEM to CyberTrace:
- Open the FortiSIEM web console.
The FortiSIEM account you use must have administrator rights.
- Select Admin > General Settings > Event Handling > Forwarding > New.
Creating a new forwarding rule
The Event Forwarding Rule window opens.
- Specify the event forwarding settings:
  - In the Reporting Device field, specify the devices from which the events must be forwarded to Kaspersky CyberTrace. You can select All to indicate that events from every device must be forwarded to Kaspersky CyberTrace.
    - For more choices, click the down arrow to open the Event Dropping Rule > Select Reporting Devices window, and make selections in the Folders, Items, and Selections panes.
    The Reporting Device field must not be empty.
  - In the Event type field, specify the types of events that must be forwarded to Kaspersky CyberTrace. You can select All to indicate that events of every type must be forwarded to Kaspersky CyberTrace.
    - For more choices, click the down arrow to open the Event Forwarding Rule > Select Event Types window, and make selections in the Folders, Items, and Selections panes.
    Selecting event types
    The Event type field must not be empty.
  - In the Traffic Type field, select Syslog.
  - In the Source IP field, you can specify the value that the corresponding field of every forwarded event must contain.
  - In the Destination IP field, you can specify the value that the corresponding field of every forwarded event must contain.
  - In the Severity fields, you can specify the desired severity of events.
  - In the Regex Filter field, you can specify the regular expression that forwarded events must match.
  - In the Forwarding Protocol field, select TCP.
  - In the Forwarding to IP field, specify the IP address of the computer on which Kaspersky CyberTrace runs.
    This IP address is specified in the InputSettings > ConnectionString element of the kl_feed_service.conf configuration file.
  - In the Forwarding to Port field, specify the port of the computer on which Kaspersky CyberTrace runs.
    This port is specified in the InputSettings > ConnectionString element of the kl_feed_service.conf configuration file.
  - In the Format field, select CEF.
  Event Forwarding Rule window
- Click Save.
The Event Forwarding Rule window closes and the Forwarding window displays the new event forwarding rule.
- In the Forwarding window, select Enable for the new event forwarding rule.
Event Forwarding Rule window
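A way to check the rule against the CyberTrace side before enabling it, added here as an example (not Kaspersky or Fortinet code): it reads InputSettings > ConnectionString, compares it with the values entered in the Event Forwarding Rule window, and parses a received line as CEF. Assumptions: kl_feed_service.conf is XML with ConnectionString in ip:port form; the configuration fragment, rule values, addresses, and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment. Assumption: kl_feed_service.conf is XML and
# ConnectionString holds "ip:port"; the address below is a placeholder.
SAMPLE_CONF = """<Configuration>
  <InputSettings>
    <ConnectionString>192.0.2.10:9999</ConnectionString>
  </InputSettings>
</Configuration>"""

# Constructed copy of the values entered in the Event Forwarding Rule window.
SAMPLE_RULE = {"Traffic Type": "Syslog", "Forwarding Protocol": "TCP",
               "Forwarding to IP": "192.0.2.10", "Forwarding to Port": 9999,
               "Format": "CEF"}

def parse_connection_string(conf_xml):
    """Return (ip, port) from InputSettings > ConnectionString."""
    node = ET.fromstring(conf_xml).find(".//InputSettings/ConnectionString")
    if node is None or not (node.text or "").strip():
        raise ValueError("InputSettings > ConnectionString not found")
    host, sep, port = node.text.strip().rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("ConnectionString is not in ip:port form")
    return host, int(port)

def check_rule(rule, conf_xml):
    """List every rule setting that disagrees with the procedure above."""
    host, port = parse_connection_string(conf_xml)
    expected = {"Traffic Type": "Syslog", "Forwarding Protocol": "TCP",
                "Format": "CEF", "Forwarding to IP": host,
                "Forwarding to Port": port}
    return [f"{k}: expected {v!r}, got {rule.get(k)!r}"
            for k, v in expected.items() if rule.get(k) != v]

def parse_cef_header(line):
    """Split a received line into the seven CEF header fields + extension."""
    start = line.find("CEF:")  # skip any syslog prefix before the header
    if start < 0:
        raise ValueError("no CEF header in line")
    # Split on unescaped pipes only; "\|" inside a field is kept intact.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity", "extension"]
    return dict(zip(names, parts))
```

An empty list from `check_rule` means the rule matches the listener; a `ValueError` from `parse_cef_header` on received data indicates the Format field is not set to CEF or the event was cut short.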