Hello Team,
You can check the steps recommended below to configure the forwarding of syslog events using TLS to QRadar.
How to Set Up Syslog over TLS Using Certificates
- Generate Certificates: Generate an SSL/TLS certificate for your FortiGate firewall. You can use a Certificate Authority (CA) trusted by both your QRadar and the firewall, or you can use a self-signed certificate if you trust both environments.
- Configure QRadar to Accept TLS Syslog Traffic: QRadar needs to be configured to accept syslog traffic over TLS. Set up a TLS Syslog log source that opens a listener on your Event Processor or Event Collector configured to use TLS.
- Configure FortiGate to Forward Syslog over TLS: Choose TLS as the protocol. Upload or reference the certificate you have installed on the FortiGate device to match the QRadar certificate configuration.
- Test the Configuration: Generate some traffic or logs on the FortiGate firewall to verify that the logs are correctly forwarded to QRadar. Check the QRadar logs to ensure it is receiving syslog messages over TLS from the remote FortiGate firewalls.
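Added example for the "Test the Configuration" step (not part of this thread or of any IBM/Fortinet tooling): a small Python client that validates the QRadar TLS syslog listener's certificate against your CA, optionally presents a client certificate, and sends one RFC 5424 test event using RFC 5425 octet-counted framing. The host, port, file paths and hostnames below are placeholders you replace with your own.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def build_syslog_msg(hostname: str, appname: str, text: str,
                     facility: int = 23, severity: int = 6,
                     timestamp: Optional[str] = None) -> str:
    """Minimal RFC 5424 message. PRI = facility * 8 + severity (local7/info -> 190)."""
    pri = facility * 8 + severity
    ts = timestamp or datetime.now(timezone.utc).isoformat(
        timespec="seconds").replace("+00:00", "Z")
    # VERSION=1, no PROCID/MSGID/structured data ("-"), then the free-text MSG.
    return f"<{pri}>1 {ts} {hostname} {appname} - - - {text}"


def build_frame(msg: str) -> bytes:
    """RFC 5425 framing for syslog over TLS: '<octet-count> <syslog-msg>'."""
    body = msg.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def make_tls_context(ca_file: str, client_cert: Optional[str] = None,
                     client_key: Optional[str] = None) -> ssl.SSLContext:
    """Trust only the CA that signed the QRadar listener certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True          # listener cert must match server_name
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:                    # only if QRadar is set to require client certs
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def send_test_event(host: str, port: int, ca_file: str, server_name: Optional[str] = None,
                    client_cert: Optional[str] = None, client_key: Optional[str] = None) -> dict:
    """Open the TLS session, send one event, and report what was negotiated."""
    ctx = make_tls_context(ca_file, client_cert, client_key)
    msg = build_syslog_msg("fgt-remote-01", "tls-syslog-check",
                           "constructed test event for QRadar TLS syslog listener")
    frame = build_frame(msg)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            tls.sendall(frame)
            return {"tls_version": tls.version(),
                    "peer_subject": tls.getpeercert().get("subject"),
                    "bytes_sent": len(frame)}


if __name__ == "__main__":
    # Placeholder values: QRadar Event Processor address, TLS syslog port, CA bundle.
    print(send_test_event("qradar-ep.example.internal", 6514, "/path/to/ca.pem"))
```

A handshake failure here (certificate verify failed, hostname mismatch) points at the certificate/CA setup rather than at the log source, which is the first thing to separate when no events appear in QRadar.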
Let us know if you require further information or any help.
------------------------------
Neel Jotani
------------------------------
Original Message:
Sent: Thu April 18, 2024 07:25 AM
From: John Petersen
Subject: Forward TLS syslog events from Fortigate Firewalls to QRadar
Hi Team
This is the list of servers in my current setup:
- CONSOLE server
- Apphost
- Event Flow Processor - receives events from the customer's managed WinCollect servers
- Event Processor - receives events from the customer datacenter firewalls. Syslog, no encryption
- Event Collector - connected to WAN, receives events from unmanaged WinCollect on laptops
Problem:
I have some FortiGate firewalls at a remote customer's site.
How can I forward syslog events using TLS from these firewalls to my QRadar?
Is this possible using some kind of a shared secret, or does it have to be done using certificates?
Best regards, John
------------------------------
John Petersen
------------------------------