AlienVault® USM Anywhere™

FortiManager VM

When you configure FortiManager VM integration to send log data to USM Anywhere, you can use the FortiManager VM plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Fortinet
Device type Firewall virtual appliance
Connection type syslog
Vendor link

Integrating FortiManager

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

UI Configuration

To configure FortiManager to send log data to USM Anywhere

  1. Go to System Settings > Advanced > Syslog Server.
  2. In the toolbar, select Create New.
  3. In the New Syslog Server popup, configure the fields as follows:

    1. Name — Choose any name for the syslog server.
    2. IP address or FQDN — IP address of the USM Anywhere Sensor.
    3. Port — 514
    4. Click OK.

CLI Configuration

To configure FortiManager to send log data to USM Anywhere

  • Enter:

    config system syslog
    edit <Syslog_Server_name>
    set ip <USM_Anywhere_IP_address>

    For example:

    config system syslog
    edit "Syslog-serv1"
    set ip ""



Configuring the Logging Level for Local Log syslogd

To configure logging level for local log syslogd

  • Enter:

    config system locallog syslogd setting

    *Syslog_Server_name must be the same name used in the previous procedure.*

    set syslog-name <Syslog_Server_name>

    *Set the minimum severity level to log*

    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set status {enable | disable}

    *Optionally enable CSV*

    set csv

    *Indicate the facility for remote syslog*

    set facility <facility-name>
    set port 514

    For example:

    config system locallog syslogd setting
    set severity information
    set status enable
    set syslog-name "Syslog-serv1"


Plugin Enablement

The Fortinet FortiManager plugin will automatically process all messages that contain "devname=" as part of the raw message.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • application
  • base_event_count
  • bytes_in
  • bytes_out
  • content_category
  • destination_address
  • destination_port
  • device_direction
  • device_external_id
  • event_category
  • event_description_url
  • event_name
  • event_severity
  • event_subcategory
  • http_hostname
  • policy
  • rep_device_hostname
  • rep_device_inbound_interface
  • rep_device_outbound_interface
  • rep_device_rule_id
  • rep_device_type
  • request_url
  • source_address
  • source_mac
  • source_port
  • source_username
  • timestamp_occured
  • transport_protocol
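The following added example (not part of this page or of the USM Anywhere plugin) shows how a FortiManager-forwarded, FortiGate-style key=value syslog payload can be checked for the "devname=" trigger described under Plugin Enablement and normalized into the plugin field names listed above. The sample log line and the key-to-field mapping (FIELD_MAP) are constructed assumptions for illustration; the real plugin's mapping is not documented here.

```python
import re

# Constructed sample modelled on FortiGate-style traffic log syntax (not a real capture).
SAMPLE_LOG = (
    'date=2024-01-15 time=10:22:31 devname="FGT-EDGE-01" type="traffic" '
    'subtype="forward" level="notice" srcip=10.0.0.25 srcport=51234 srcintf="port1" '
    'srcmac="00:11:22:33:44:55" dstip=203.0.113.10 dstport=443 dstintf="port2" '
    'policyid=7 proto=6 action="accept" sentbyte=1240 rcvdbyte=8872 user="jdoe"'
)

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed mapping from FortiGate log keys to the plugin field names listed above (illustrative only).
FIELD_MAP = {
    "devname": "rep_device_hostname",
    "type": "event_category",
    "subtype": "event_subcategory",
    "level": "event_severity",
    "srcip": "source_address",
    "srcport": "source_port",
    "srcintf": "rep_device_inbound_interface",
    "srcmac": "source_mac",
    "dstip": "destination_address",
    "dstport": "destination_port",
    "dstintf": "rep_device_outbound_interface",
    "policyid": "rep_device_rule_id",
    "proto": "transport_protocol",
    "action": "access_control_outcome",
    "sentbyte": "bytes_out",
    "rcvdbyte": "bytes_in",
    "user": "source_username",
}
INT_FIELDS = {"source_port", "destination_port", "bytes_in", "bytes_out"}

def parse_kv(raw: str) -> dict:
    """Split a FortiGate-style payload into a dict, honouring quoted values."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in KV_RE.finditer(raw)}

def normalize(raw: str):
    """Return normalized plugin fields, or None when the 'devname=' trigger is absent."""
    if "devname=" not in raw:  # the enablement condition documented on this page
        return None
    fields = parse_kv(raw)
    event = {FIELD_MAP[k]: v for k, v in fields.items() if k in FIELD_MAP}
    for name in INT_FIELDS.intersection(event):
        event[name] = int(event[name])  # ports and byte counters as integers
    event["timestamp_occured"] = f'{fields.get("date", "")} {fields.get("time", "")}'.strip()
    return event
```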


For troubleshooting, refer to the vendor documentation: