To ingest Syslog and CEF logs from FortiGate into Microsoft Sentinel, you need to configure a Linux machine that collects the logs from the FortiGate and forwards them to the Microsoft Sentinel workspace.
This designated machine can be a physical or virtual machine on-premises, an Azure VM, or a VM in a different cloud.
– Let's assume you already have a Linux machine that Microsoft Sentinel will use as a proxy between the FortiGate and Microsoft Sentinel to collect the logs. If not, refer to the article here.
– On the Microsoft Sentinel page, select 'Data Connectors' under Configuration and choose 'Fortinet' as described below:

– On the same page, select 'Open connector page' to see the required instructions:
– Log in to the Linux machine that acts as the log forwarder using SSH and follow the instructions shown in the Fortinet data connector, see the screen below:

– After successfully performing all the steps mentioned in the Fortinet data connector above, it will be possible to receive the CEF messages generated by FortiGate in Microsoft Sentinel.
– To check whether the syslog daemon is receiving data on port 514, you can use the tcpdump command on the Linux machine. Port 514 must be allowed through the firewall:
>sudo tcpdump -A -ni any port 514 -vv
– To check whether the agent is receiving data on port 25226, use the command below:
>sudo tcpdump -A -ni any port 25226 -vv
– To configure FortiGate to send syslog messages in CEF format to the proxy machine (Linux), you can use the commands below:
# config log syslogd setting
set status enable
set port 514
set server "x.x.x.x"    <----- IP address of the syslog agent (the Linux forwarder)
set format cef
end
– At this point, the Fortinet connector should be visible on the Microsoft Sentinel console and turn 'green'. This means the syslog collector is working correctly and is storing the syslog logs in the right format in the Log Analytics workspace:
– The Microsoft Sentinel | Overview page shows that the events are being received:
– The syslog messages sent by FortiGate are stored in the 'CommonSecurityLog' table.
Here is an example of a KQL query:
CommonSecurityLog
| where DeviceVendor == "Fortinet"
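The tcpdump checks above show the raw syslog lines arriving on port 514, and the KQL query at the end selects them from CommonSecurityLog by vendor. The script below is an added example (not part of the original post, Microsoft's agent, or Fortinet's code) that ties the two together: it parses CEF-over-syslog lines the way they appear on the wire, maps the CEF header fields to the CommonSecurityLog column names (DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity), applies the same `DeviceVendor == "Fortinet"` selection as the KQL, and lists lines that carry no usable CEF header so a malformed message can be spotted before wondering why it is missing from the table. The sample lines, hostnames, serial number and addresses are constructed for the example.

```python
import re

# Constructed sample lines (not captured from a real FortiGate). The "<PRI>date host"
# prefix is what a syslog receiver on port 514 sees in front of the CEF payload.
SAMPLE_LINES = [
    "<189>Jan 10 12:00:01 fgt-edge CEF:0|Fortinet|Fortigate|v7.0.5|0000000013|"
    "traffic:forward close|3|deviceExternalId=FG100E0000000000 src=10.0.0.5 "
    "dst=203.0.113.10 spt=51234 dpt=443 proto=6 act=close",
    "<188>Jan 10 12:00:02 fgt-edge CEF:0|Fortinet|Fortigate|v7.0.5|0316013056|"
    "utm:webfilter ftgd_blk blocked|4|deviceExternalId=FG100E0000000000 src=10.0.0.7 "
    "dst=198.51.100.20 request=http://example.test/a\\=b act=blocked",
    "<13>Jan 10 12:00:03 otherhost CEF:0|ExampleVendor|ExampleProduct|1.0|100|"
    "test event|1|src=10.0.0.9",
    "Jan 10 12:00:04 fgt-edge not a CEF message at all",
]

# CEF header fields in order, named as the CommonSecurityLog columns they map to.
HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")

_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # extension keys start at ^ or a space
_UNESCAPE = re.compile(r"\\(.)")                      # CEF backslash escapes in values


def _split_header(body):
    """Split the pipe-delimited CEF header ("0|vendor|product|...|severity|extension").

    Honours the CEF escapes \\| and \\\\ inside header values. Returns
    (seven header fields, extension string) or (None, None) if malformed.
    """
    fields, cur = [], []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped pipe or backslash
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:                  # everything after the 7th pipe is extension
                return fields, body[i + 1:]
        else:
            cur.append(ch)
        i += 1
    return None, None


def _parse_extension(ext):
    """Parse "key=value key2=value with spaces" into a dict, unescaping \\= \\\\ \\n \\r."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = _UNESCAPE.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef_syslog(line):
    """Return a CommonSecurityLog-like record for one syslog line, or None if not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    fields, ext = _split_header(line[idx + 4:])
    if fields is None:
        return None
    record = {"SyslogPrefix": line[:idx].strip(), "CefVersion": fields[0]}
    record.update(zip(HEADER_COLUMNS, fields[1:]))
    record["Extension"] = _parse_extension(ext)
    return record


def fortinet_events(lines, vendor="Fortinet"):
    """Same selection as the KQL: CommonSecurityLog | where DeviceVendor == "Fortinet"."""
    return [r for r in map(parse_cef_syslog, lines) if r and r["DeviceVendor"] == vendor]


def unparsed_lines(lines):
    """Lines with no usable CEF header; these would not be stored as CommonSecurityLog rows."""
    return [line for line in lines if parse_cef_syslog(line) is None]


if __name__ == "__main__":
    for rec in fortinet_events(SAMPLE_LINES):
        print(rec["DeviceEventClassID"], rec["Activity"], rec["Extension"].get("src"))
    print("unparsed:", unparsed_lines(SAMPLE_LINES))
```

To use it against real traffic, pipe the tcpdump output from the port 514 check into a file and pass its lines to `fortinet_events`; any line that shows up in `unparsed_lines` is worth checking on the FortiGate side, since the connector only lands well-formed CEF in CommonSecurityLog.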