File collection method to be used instead of Syslog collection method

Discussion created by Harshad Tuwar on Feb 6, 2020
Latest reply on Feb 19, 2020

Task to accomplish: Fortinet logs are to be sent to the log collector through the file collection method (the currently supported method is syslog). We require them to be parsed properly with the file collection method, just as they are parsed through the syslog collection method.


Need to work on:

Creating a new object under Logcollector -> Config Tab -> Event Source -> File -> xxx directory. A new file then needs to be created under /etc/netwitness/ng/logcollection/content/collection/file/.

For Testing:

We have created a file collection with the name “Test Access” under Logcollector -> Config Tab -> Event Source -> Squid Directory.

We have also modified the file /etc/netwitness/ng/logcollection/content/collection/file/squid.xml.

Attaching the original file and the modified files for reference. [We are modifying the squid.xml file just for testing purposes, and we are sure we are not going to use it in a production environment.]

We have not sent any logs to the log collector yet, but we want to double-check the following: (1) whether it will be fine for the decoder to handle a different collection method; (2) in which format we need to send logs from Fortinet to the log collector [compressed or uncompressed]; (3) how big a file the log collector/decoder can handle when sent by the sasftp agent.