log siem-policy
Use this command to configure a connection to an ArcSight SIEM (security information and event management) server. A unique policy is required for each ArcSight server. The policy is used by the log syslogd configuration to define the specific ArcSight server on which log messages are stored. For more information, see “config log syslogd”.
Currently, because all SIEM policies send logs using ArcSight CEF (common event format), the value of type is always cef.
To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For more information, see “Permissions”.
Syntax
config log siem-policy
  edit <policy_name>
    set type cef
    set port <port_int>
    set server <siem_ipv4>
end
| Variable | Description | Default |
|---|---|---|
| <policy_name> | Type the name of a new or existing SIEM policy. The maximum length is 35 characters. To display the list of existing policies, type: edit ? | No default. |
| port <port_int> | The port where the ArcSight server listens for log output. | 514 |
| server <siem_ipv4> | The IP address of the ArcSight server. | No default. |
Example
This example creates SIEM_Policy1. FortiWeb contacts the ArcSight server using its IP address, 192.168.1.10. Communications occur over the standard port number for ArcSight, UDP port 514. The FortiWeb appliance sends log messages to the server in CEF format.
config log siem-policy
  edit SIEM_Policy1
    set type cef
    set port 514
    set server 192.168.1.10
  next
end
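To check on the receiving side that datagrams arriving from the appliance are well-formed CEF, the following parser can be run over captured payloads. It is an added example, not Fortinet or ArcSight code; it follows the general CEF layout (seven pipe-delimited header fields, then key=value extensions), and the sample datagram with its vendor, product and field values is constructed for illustration.

```python
import re

# Constructed sample datagram (syslog header + CEF record). The vendor, product
# and field values are illustrative, not captured FortiWeb output.
SAMPLE = (b"<134>Jan  1 00:00:00 waf01 CEF:0|ExampleVendor|ExampleWAF|1.0|1001|"
          b"Blocked \\| suspicious request|7|src=203.0.113.5 dst=192.168.1.20 "
          b"msg=Parameter a\\=b rejected act=deny")

HEADER = ("version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # a key is a bare word directly before '='


def split_header(body):
    # Split the seven header fields on '|', honouring escaped pipes and backslashes.
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1])
            i += 2
            continue
        if body[i] == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    if len(fields) == len(HEADER) - 1:  # no extension and no trailing pipe
        fields.append("".join(cur))
    return fields, body[i:]


def parse_cef(datagram):
    """Return header fields plus an 'ext' dict, or raise ValueError if not CEF."""
    text = datagram.decode("utf-8", errors="replace")
    start = text.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker in datagram")
    fields, ext = split_header(text[start + 4:])
    if len(fields) != len(HEADER):
        raise ValueError("incomplete CEF header")
    event = dict(zip(HEADER, fields))
    marks = list(EXT_KEY.finditer(ext))
    event["ext"] = {}
    for m, nxt in zip(marks, marks[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        event["ext"][m.group(1)] = re.sub(  # undo \= \\ \n \r inside values
            r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return event
```

A ValueError on payloads received from the appliance's address indicates that something other than CEF is reaching the listener.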
Related topics
config log siem-policy
config system dns
config router static