AlienVault® USM Anywhere™

Fortinet FortiClient

When you configure Fortinet FortiClient to send log data to USM Anywhere, you can use the Fortinet FortiClient plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information
Device Details
    Vendor            Fortinet
    Device Type       Endpoint Security
    Connection Type   Syslog

Integrating Fortinet FortiClient

Before you configure the Fortinet FortiClient integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Fortinet FortiClient to send Syslog messages to USM Anywhere

Fortinet FortiClient must be configured to send log data to FortiManager or FortiAnalyzer, which then forwards messages to a USM Anywhere sensor over the syslog protocol.

  1. In the FortiClient Console, select File > Settings.
  2. Expand the Logging section to show selections for feature logging and log levels.

  3. First, select the features for which you want to capture log messages. The following list shows the available features for which you can enable logging:

    • VPN
    • Application Firewall
    • AntiVirus
    • Update (FortiClient software updates)
    • Sandboxing
    • Telemetry
    • Web Security or Web Filter
    • Vulnerability Scan
  4. Next, select the severity level of the log messages to be captured from the Log Level dropdown menu. The following table describes the available log levels:

    Log Level    Description
    Emergency    The system becomes unstable.
    Alert        Immediate action is required.
    Critical     Functionality is affected.
    Error        An error condition exists and functionality could be affected.
    Warning      Functionality could be affected.
    Notice       Information about normal events.
    Information  General information about system operations.
    Debug        FortiClient debugging.

  5. After setting the feature logging and logging level options, click OK.

    To enable log forwarding, FortiClient needs to connect its telemetry to FortiManager or to FortiClient Enterprise Management System (EMS), where you can add the USM Anywhere Sensor as a new syslog server to which log messages are forwarded.

  6. Configure the following settings and click OK to create the new syslog server.

    Parameter               Description
    Name                    Enter a name for the syslog server.
    IP Address (or FQDN)    Enter the IP address or FQDN of the syslog server.
    Syslog Server Port      Enter the syslog server port number. The default port is 514.
    Note: For more information on creating a new syslog server from FortiManager, or on using FortiAnalyzer to access the FortiClient Enterprise Management System (EMS), refer to the documentation in the Fortinet Document Library. That documentation also covers additional options available from the Fortinet web pages and through CLI commands.

Plugin Enablement

The Fortinet FortiClient plugin automatically processes all messages when the raw message contains "clientfeature=\S+\sdevid=\S+\sfgtserial=\S+".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application
  • clientfeature
  • content_category
  • customfield_0
  • customfield_1
  • customheader_0
  • customheader_1
  • destination_address
  • destination_port
  • destination_service_name
  • device_direction
  • device_external_id
  • duration
  • event_action
  • event_category
  • event_name
  • event_severity
  • event_subcategory
  • external_id
  • http_hostname
  • operating_system
  • plugin_device
  • plugin_device_type
  • policy
  • rep_device_version
  • request_url
  • session
  • source_address
  • source_hostname
  • source_ntdomain
  • source_port
  • source_process
  • source_username
  • transport_protocol
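As a troubleshooting aid, the following added Python example (not part of this page or of the USM Anywhere plugin itself) checks whether a FortiClient syslog line satisfies the enablement pattern quoted above and then extracts a few of the listed plugin fields from its key=value pairs. The sample lines and the key-to-field mapping are constructed assumptions, not the plugin's own.

```python
import re
# Enablement pattern quoted on this page: the plugin processes a raw message
# only when this pattern matches somewhere in it.
ENABLE_RE = re.compile(r"clientfeature=\S+\sdevid=\S+\sfgtserial=\S+")
# Generic key=value tokenizer; values are either double-quoted or unquoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# ASSUMED mapping from FortiClient log keys to some of the plugin fields listed
# above. Illustrative only; it is not the plugin's own field mapping.
FIELD_MAP = {
    "clientfeature": "clientfeature",
    "devid": "device_external_id",
    "srcip": "source_address",
    "user": "source_username",
    "os": "operating_system",
    "level": "event_severity",
    "msg": "event_name",
}

def plugin_applies(raw: str) -> bool:
    """True when the enablement pattern matches the raw syslog message."""
    return ENABLE_RE.search(raw) is not None

def parse_kv(raw: str) -> dict:
    """Split a key=value log body into a dict, stripping quotes from values."""
    out = {}
    for key, val in KV_RE.findall(raw):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out

def normalize(raw: str):
    """Return mapped plugin fields, or None when the plugin would ignore the line."""
    if not plugin_applies(raw):
        return None
    return {FIELD_MAP[k]: v for k, v in parse_kv(raw).items() if k in FIELD_MAP}

# Constructed sample lines (not captured from a real FortiClient).
SAMPLES = [
    'date=2023-01-01 time=10:00:00 clientfeature=vpn devid=FCT8001234567890 '
    'fgtserial=FGT60F0000000001 level=info srcip=10.0.0.5 user="jdoe" '
    'os="Windows 10" msg="VPN tunnel up"',
    # No fgtserial field: the enablement pattern fails, so the plugin stays idle.
    'date=2023-01-01 time=10:00:01 clientfeature=av devid=FCT8001234567890 '
    'level=warning msg="Virus found"',
]

if __name__ == "__main__":
    print([normalize(s) for s in SAMPLES])
```

A line that reaches the sensor but returns None here is the first thing to check when FortiClient events are not being normalized: the forwarded message lacks one of the three keys the enablement pattern requires.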

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation: