CrowdStrike Next-Gen SIEM and FortiGate Connector


So I’m working on getting all of our external systems connected into the CrowdStrike Next-Gen SIEM as part of our internal Falcon Complete tenancy. Following the documentation in the CrowdStrike portal, getting and installing the Log Collector and setting up the connector were a pretty straightforward affair.

I’ve got a Windows VM set up as a collector with the following basic YAML configuration, using the token and URL generated in the dashboard for the FortiGate connector. One important detail: remove /services/collector from the end of the URL that is generated for you before pasting it into the config.

dataDirectory: C:\ProgramData\LogScale Collector\   # working state for the collector
sources:
  syslog_port_514:
    type: syslog
    mode: udp          # FortiAnalyzer log forwarding defaults to syslog over UDP 514
    port: 514
    sink: humio        # must match a key under sinks below
sinks:
  humio:
    type: hec
    proxy: none        # no outbound proxy; set to system or a proxy URL if needed
    token: <your_token>                               # from the FortiGate connector dashboard
    url: https://ingest.us-2.crowdstrike.com/<url>    # generated URL with /services/collector removed

Once the configuration file is saved under Program Files, go into the Services Console and start the Humio Log Collector service; while you’re there, set its startup type to Automatic (Delayed Start) so it comes back on its own after a reboot. We can now start getting the devices configured to forward logs.

I’ve deviated from the documentation: instead of configuring the FortiGate device itself, I’ve cheated a little and used our FortiAnalyzer as a forwarder.

Logging into the FortiAnalyzer, go to System Settings > Log Forwarding and create a Log Forwarding entry with the Server IP pointing to the Windows server running the CrowdStrike Humio Log Collector service, select the devices you want to forward (in my case, everything in our Root ADOM) and hit Save.

I could tell this was working as the network adaptor on the log collector box started sending and receiving traffic at a much higher rate than before. Within a few minutes the connector showed as active under the My connectors dashboard.

With all the pieces in place and data flowing to CrowdStrike, we can finally interrogate the SIEM for FortiGate events with the following query.

#Vendor=fortinet | #event.module=fortigate

Results should start coming through within a few minutes. If you’re not seeing anything, double-check that the collector service is running, that the connector shows as active, and that the URL in your config is right (again, make sure /services/collector has been removed from the end of it).
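The checks in the paragraph above can be scripted on the collector box. The following PowerShell is an added example and not part of the original post or CrowdStrike’s tooling; it assumes the service name HumioLogCollector, a config path under Program Files, UDP 514, and a placeholder FortiAnalyzer address of 192.0.2.10, all of which you should adjust for your environment. It verifies the service, flags a sink URL that still ends in /services/collector, confirms the UDP listener, scopes the host firewall rule to the FortiAnalyzer, and sends one constructed FortiGate-style syslog event so the query has something to return.

```powershell
# Added example (not from the original post): sanity checks for the CrowdStrike
# Log Collector host before pointing FortiAnalyzer at it.
param(
    [string]$ServiceName = 'HumioLogCollector',                                            # assumed service name; confirm with Get-Service
    [string]$ConfigPath  = "$env:ProgramFiles\CrowdStrike\Humio Log Collector\config.yaml", # assumed path; use wherever you saved config.yaml
    [string]$FazAddress  = '192.0.2.10',                                                    # placeholder FortiAnalyzer IP
    [int]$SyslogPort     = 514
)

# 1. Service must exist and be running. Windows PowerShell 5.1's Set-Service has no
#    delayed-start option, so sc.exe is used to set Automatic (Delayed Start).
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service -Name $ServiceName }
& sc.exe config $ServiceName start= delayed-auto | Out-Null

# 2. The sink url must not carry the /services/collector suffix from the connector page.
$urlLine = Select-String -Path $ConfigPath -Pattern '^\s*url:\s*(\S+)' | Select-Object -First 1
if (-not $urlLine) { throw "No sink url found in $ConfigPath" }
$url = $urlLine.Matches[0].Groups[1].Value
if ($url -match '/services/collector/?$') {
    Write-Warning "Sink url ends with /services/collector; remove that suffix: $url"
}

# 3. The syslog source should be bound on UDP 514 by the collector process.
$listener = Get-NetUDPEndpoint -LocalPort $SyslogPort -ErrorAction SilentlyContinue
if (-not $listener) { Write-Warning "Nothing is listening on UDP $SyslogPort" }
else { Write-Host "UDP $SyslogPort is bound by PID $($listener.OwningProcess)" }

# 4. Allow inbound syslog from the FortiAnalyzer only, not from anywhere.
$ruleName = 'Syslog from FortiAnalyzer'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort $SyslogPort -RemoteAddress $FazAddress -Action Allow | Out-Null
}

# 5. Send one constructed FortiGate-style traffic event (made-up values) to the
#    local listener so the query #Vendor=fortinet | #event.module=fortigate has
#    something to return even before FortiAnalyzer is forwarding.
$now  = Get-Date
$body = "date=$($now.ToString('yyyy-MM-dd')) time=$($now.ToString('HH:mm:ss')) " +
        "devname=`"FGT-TEST`" devid=`"FGVMTEST0000000`" logid=`"0000000013`" " +
        "type=`"traffic`" subtype=`"forward`" level=`"notice`" " +
        "srcip=10.0.0.5 srcport=51515 dstip=192.0.2.1 dstport=443 proto=6 " +
        "action=`"accept`" policyid=1 service=`"HTTPS`" sentbyte=1234 rcvdbyte=5678"
$msg   = "<134>$body"   # PRI 134 = facility local0 (16*8) + severity informational (6)
$bytes = [System.Text.Encoding]::UTF8.GetBytes($msg)
$udp   = New-Object System.Net.Sockets.UdpClient
$udp.Send($bytes, $bytes.Length, '127.0.0.1', $SyslogPort) | Out-Null
$udp.Close()
Write-Host "Sent test event; check the My connectors dashboard and run the query in a few minutes."
```

Run it from an elevated prompt on the collector box. The firewall rule is deliberately scoped to the FortiAnalyzer address rather than any source, because an open UDP 514 lets anyone on the network inject arbitrary events into the SIEM.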

Hope that helps as a shortcut if you have a fleet of devices you need to onboard onto the SIEM.

