CrowdStrike Next-Gen SIEM and FortiGate Connector


So I’m working on getting all of our external systems connected into the CrowdStrike Next-Gen SIEM as part of our internal Falcon Complete tenancy. Following the documentation in the CrowdStrike portal, getting and installing the Log Collector and setting up the connector were a pretty straightforward affair.

I’ve got a Windows VM set up as a collector with the following basic YAML configuration, based on the token and URL generated in the connector’s dashboard for the FortiGate connector. It’s important to note that you need to remove /services/collector from the end of the URL that is generated for you.

dataDirectory: C:\ProgramData\LogScale Collector\
sources:
  syslog_port_514:
    type: syslog
    mode: udp
    port: 514
    sink: humio
sinks:
  humio:
    type: hec
    proxy: none
    token: <your_token>
    url: https://ingest.us-2.crowdstrike.com/<url>
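As an added sanity check (my own helper, not part of the collector or the CrowdStrike documentation), the script below parses a config of the shape shown above, confirms every source points at a defined sink, flags a token placeholder that was never replaced, and strips the trailing /services/collector that the portal appends to the generated URL. The sample config and the abc123 path segment are constructed for the demonstration.

```python
SUFFIX = "/services/collector"  # the portal appends this; the collector URL must not

# Constructed sample: token placeholder left in and the URL suffix not removed.
SAMPLE_CONFIG = """\
sources:
  syslog_port_514:
    type: syslog
    mode: udp
    port: 514
    sink: humio
sinks:
  humio:
    type: hec
    token: <your_token>
    url: https://ingest.us-2.crowdstrike.com/abc123/services/collector
"""

def parse_simple_yaml(text):
    """Parse the 'key: value' nested-by-indentation subset used by the collector config."""
    stack = [(-1, {})]              # open blocks as (indent, mapping); stack[0] is the root
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")   # split on the first ':' only
        while indent <= stack[-1][0]:                # close blocks at >= this indent
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return stack[0][1]

def check_collector_config(text):
    """Return (problems, config); the trailing-suffix mistake is fixed in the returned config."""
    cfg = parse_simple_yaml(text)
    problems, sinks = [], cfg.get("sinks", {})
    for name, src in cfg.get("sources", {}).items():
        if src.get("sink") not in sinks:
            problems.append(f"source {name}: sink '{src.get('sink')}' is not defined")
    for name, sink in sinks.items():
        url = sink.get("url", "").rstrip("/")
        if url.endswith(SUFFIX):
            sink["url"] = url[: -len(SUFFIX)]
            problems.append(f"sink {name}: url ended with {SUFFIX}; removed it")
        if not sink.get("token") or sink["token"].startswith("<"):
            problems.append(f"sink {name}: token missing or still a placeholder")
    return problems, cfg
```

Run `check_collector_config` over the file you saved under Program Files before starting the service; an empty problem list means the two mistakes this post warns about are not present.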

Once the configuration file is saved under Program Files, open the Services console and start the Humio Log Collector service; while you’re there, set its startup type to Automatic (Delayed Start). We can now start configuring the devices to forward logs.

I’ve deviated from the documentation and instead of configuring the FortiGate device, I’ve cheated a little instead using our FortiAnalyzer as a forwarder.

Log into the FortiAnalyzer, go to System Settings > Log Forwarding and create a Log Forwarding entry with the Server IP pointing to the Windows server running the CrowdStrike Humio Log Collector service, select the devices you want to forward (in this case, everything in our Root ADOM) and hit Save.

I could tell this was working as the network adaptor on the log collector box started sending and receiving traffic at a much higher rate than before. Within a few minutes the connector under the My connectors dashboard showed as active.

With all the pieces working and data being sent to CrowdStrike, we can finally interrogate the SIEM for FortiGate events with the following query.

#Vendor=fortinet | #event.module=fortigate

Results should come through similar to the below. If you’re not seeing anything, double-check that the connector is running correctly and that the URL you’ve got is right (again, make sure to remove /services/collector from the end of the URL).

Hope that helps as a shortcut if you have a fleet of devices you need to onboard onto the SIEM.


2 responses to “CrowdStrike Next-Gen SIEM and FortiGate Connector”

  1. Mike Siepmann

    Thank you for this helpful guide, did you use the fortinet parser that is supplied by crowdstrike?

    Your guide is how we have our logs setup to be shipped, but so far no luck getting into NG Siem. Did you have to modify anything else?

    1. John

      Hi Mike, nope. I just enabled the connector, installed the collector, created the connection on the FAZ and data began to show up in the SIEM.

      From memory it did take a little while before it showed up in the NG SIEM.
