Event Log Integrity

Validating Event Log Integrity for EventDB

Security auditors can validate that archived event data has not been tampered with by using the Event Integrity function of event database management.

Note: This setting is not available for Elasticsearch.

Viewing EventDB Event Log Integrity Status

  1. Go to ADMIN > Settings > Database > Event Integrity.
  2. Use the following filters to view the event log integrity:
    1. A specific time range, using the From and To fields.
    2. The status of event integrity, using the Status drop-down:
      • Not Validated - the event integrity has not been validated yet.
      • Successful - the event integrity has been validated and the return was success. This means that the logs in this file were not altered.
      • Failed - the event integrity has been validated and the return was failed. This means that the logs in this file were altered.
      • Archived - the events in this file were archived to offline storage.
      • Purged - the log event is removed from the log.
      • Restored - the event is restored to the log file.
    The event log integrity table is automatically updated with the applied filters.

    Columns and their descriptions:

    Start Time - The earliest time of the messages in this file. The file does not contain messages that were received by FortiSIEM before this time.
    End Time - The latest time of the messages in this file. The file does not contain messages that were received by FortiSIEM after this time.
    Category - One of:
      • Internal: these messages were generated by FortiSIEM for its own use. This includes FortiSIEM system logs and monitoring events such as the ones that begin with PH_DEV_MON.
      • External: these messages were received by FortiSIEM from an external system.
      • Incident: these correspond to incidents generated by FortiSIEM.
    File Name - Name of the log file.
    Events - Number of events in the file.
    Algorithm - Checksum algorithm used for computing message integrity.
    Checksum - Value of the checksum.
    Status - Event log integrity validation status.
    Location - File location:
      • Local: local to the Supervisor node.
      • External: external to the Supervisor node, for example, on NFS storage.

Validating EventDB Event Log Integrity

  1. Go to ADMIN > Settings > Database > Event Integrity.
  2. To validate the event log integrity of:
    1. Single event log - select the event log and click Validate.
    2. Multiple event logs - use Ctrl/Command keys to select the event logs and click Validate.
    3. All logs at a time - click Validate All.

The validation Status of the event log(s) will be updated in the list. The Validation History of any selected event log can be viewed under Action > Validation History.

Exporting EventDB Event Log Integrity Status

  1. Go to ADMIN > Settings > Database > Event Integrity.
  2. To generate and download the file in PDF or CSV format, select the event log from the list and click Export. Use Ctrl/Command keys to select multiple event logs.

Validating Event Log Integrity for ClickHouse

Security auditors can validate that archived event data has not been tampered with by using the Event Integrity function of event database management.

Note: This setting is not available for Elasticsearch.

Viewing ClickHouse Event Log Integrity Status

  1. Go to ADMIN > Settings > Database > Event Integrity.
  2. Use the following filters to view the event log integrity:
    1. A specific time range, using the From and To fields.
    2. The status of event integrity, using the Show drop-down:
      • All - All events are shown.
      • Not Validated - the event integrity has not been validated yet.
      • Success - the event integrity has been validated and the return was success. This means that the logs in this file were not altered.
      • Failure - the event integrity has been validated and the return was failed. This means that the logs in this file were altered.
      • Not Found - the log event has been removed or detached.
    The event log integrity table is automatically updated with the applied filters.

    Columns and their descriptions:

    Start Time - The earliest time of the messages in this file. The file does not contain messages that were received by FortiSIEM before this time.
    End Time - The latest time of the messages in this file. The file does not contain messages that were received by FortiSIEM after this time.
    Shard - The ID of the shard.
    Partition ID - The partition ID of the shard.
    Partition Name - The partition or "directory" name for ClickHouse logs. Hover the cursor over the name to display the full directory path and name.

    Note: If ClickHouse is unable to consolidate the event data, such as if there is not enough storage space, the Partition Name and Validation Status will appear blank.

    Validation Status - Event log integrity validation status. The following messages may appear:
      • Success - checksum match verified.
      • Failure - checksum match failure.
      • Not Found - partition issue occurred.
      • System Error - shell command or parsing error.
    Checksum - Value of the checksum.
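The mechanism behind the Validate actions in both the EventDB and ClickHouse sections is the same: a checksum is recorded for each archived file, recomputed on demand, and the comparison yields one of the outcomes the tables list. The following is an added illustration written for this page, not FortiSIEM's own code. The page does not state which checksum algorithm the product uses or how its integrity records are stored, so SHA-256, the ledger layout, the file names and the sample log lines are all constructed assumptions.

```python
"""Added example: a minimal checksum ledger for archived event log files.

Not FortiSIEM code. Assumes SHA-256 as the checksum algorithm (the page only
shows an Algorithm column) and maps results to the outcome classes the
Event Integrity screen shows: Not Validated, Success, Failure, Not Found,
System Error.
"""
import hashlib
import os
import tempfile

ALGORITHM = "sha256"  # assumption; the page does not name the product's algorithm


def checksum_bytes(data, algorithm=ALGORITHM):
    """Checksum of an in-memory byte string (used for small inputs and tests)."""
    return hashlib.new(algorithm, data).hexdigest()


def checksum_file(path, algorithm=ALGORITHM):
    """Stream a file through the hash so large archives need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_entry(path, events, algorithm=ALGORITHM):
    """Create a ledger row at archive time; it starts out as Not Validated."""
    return {
        "file_name": os.path.basename(path),
        "path": path,
        "events": events,
        "algorithm": algorithm,
        "checksum": checksum_file(path, algorithm),
        "status": "Not Validated",
    }


def validate_entry(entry):
    """Recompute the checksum and set the entry's status; returns the status."""
    if not os.path.exists(entry["path"]):
        entry["status"] = "Not Found"          # file purged, detached or moved
    else:
        try:
            current = checksum_file(entry["path"], entry["algorithm"])
        except (OSError, ValueError):
            entry["status"] = "System Error"   # unreadable file or unknown algorithm
        else:
            # Any byte-level change, including a dropped or rewritten record,
            # produces a different digest.
            entry["status"] = "Success" if current == entry["checksum"] else "Failure"
    return entry["status"]


def demo():
    """Constructed scenario: three archived files; one is left intact, one has a
    record dropped after archiving, one is removed. Returns {file_name: status}."""
    lines = [  # constructed sample syslog records
        b"<14>Jan  1 00:00:01 host sshd[1]: Accepted publickey for admin\n",
        b"<14>Jan  1 00:00:02 host sshd[1]: session opened for user admin\n",
    ]
    with tempfile.TemporaryDirectory() as workdir:
        ledger = []
        for name in ("intact.log", "tampered.log", "removed.log"):
            path = os.path.join(workdir, name)
            with open(path, "wb") as f:
                f.writelines(lines)
            ledger.append(record_entry(path, events=len(lines)))

        # Post-archive changes that the validation should detect.
        with open(os.path.join(workdir, "tampered.log"), "wb") as f:
            f.writelines(lines[:1])            # second record silently dropped
        os.remove(os.path.join(workdir, "removed.log"))

        return {e["file_name"]: validate_entry(e) for e in ledger}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The ledger itself must live somewhere the process that writes archives cannot later modify (or be signed), otherwise a change to both the file and its recorded checksum would still validate as Success; the page's Location column (Local versus external storage such as NFS) is the analogous consideration for where the archived files sit.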

Validating ClickHouse Event Log Integrity

  1. Go to ADMIN > Settings > Database > Event Integrity.
  2. To validate the event log integrity of:
    1. Single event log - select the event log and click Validate.
    2. Multiple event logs - use Ctrl/Command keys to select the event logs and click Validate.
    3. All logs at a time - click Validate All.

The Validation Status of the event log(s) will be updated in the list.

Automating ClickHouse Log Integrity

  1. Go to ADMIN > Settings > Database > Event Integrity.
  2. From the Event Integrity drop-down list select On or Off.

When Event Integrity is On, a ClickHouse log integrity check runs each time ClickHouse consolidates its data. Because this check is resource-intensive, it is off by default.