Configuring SIEM policies
Before you store log messages remotely on an ArcSight server, you create SIEM connection settings and add them to a trigger configuration. Then you select the trigger in a protection profile.
To configure SIEM policies
1. Go to Log&Report > Log Policy > SIEM Policy.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Log & Report category. For details, see "Permissions".
2. Click Create New, and then complete the following settings:

| Setting name | Description |
|---|---|
| Policy Name | Enter a unique name that other parts of the configuration can reference. Do not use spaces or special characters. The maximum length is 35 characters. |
| Policy Type | Currently, all SIEM policies send logs using ArcSight CEF (common event format). |
| IP Address | Enter the IP address of the ArcSight server. |
| Port | Enter the port where the ArcSight server listens for log output. |

3. Click OK.
4. To verify logging connectivity, from the FortiWeb appliance, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.
If the remote host does not receive the log messages, verify the FortiWeb appliance's network interfaces (see "Configuring the network interfaces") and static routes (see "Adding a gateway"), and the policies on any intermediary firewalls or routers. If ICMP ECHO_RESPONSE (pong) is enabled on the remote host, try using the execute traceroute command to determine the point where connectivity fails. For details, see the FortiWeb CLI Reference.
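The verification step above asks you to confirm on the remote host that the CEF message actually arrived. The following script is an added example, not part of this guide and not Fortinet code: it binds the configured port, waits for one message, and parses the CEF header and extension so you can check the fields rather than just seeing bytes arrive. It assumes the policy delivers CEF over syslog/UDP (the guide only names a port, not a transport); the SAMPLE_CEF line is a constructed placeholder, not a real FortiWeb log message.

```python
"""Minimal CEF receiver/parser for checking SIEM policy delivery.

Assumptions (not from the FortiWeb documentation): CEF is sent over
syslog/UDP, and SAMPLE_CEF is a constructed placeholder message.
"""
import re
import socket
import sys
from dataclasses import dataclass, field

# Constructed sample (syslog PRI prefix plus a CEF line); every value is a placeholder.
SAMPLE_CEF = (
    "<134>CEF:0|Fortinet|FortiWeb|EXAMPLE_VERSION|attack|SQL Injection|7|"
    "src=192.0.2.10 spt=51544 dst=198.51.100.5 dpt=443 "
    "msg=Parameter id contains \\= character act=Alert_Deny"
)


@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: dict = field(default_factory=dict)


# A header delimiter is a '|' that is not escaped as '\|'.
_UNESCAPED_PIPE = re.compile(r'(?<!\\)\|')
# An extension key is an alphanumeric token at the start or after whitespace, followed by '='.
_EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')


def _unescape(text: str) -> str:
    # CEF escapes: '\|' in header fields, '\=' in extension values, '\\' for a backslash.
    return text.replace('\\|', '|').replace('\\=', '=').replace('\\\\', '\\')


def parse_extension(ext: str) -> dict:
    """Split 'k1=v1 k2=v2 ...'; values may contain spaces and escaped '=' characters."""
    keys = list(_EXT_KEY.finditer(ext))
    result = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[start:end].strip())
    return result


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF line (syslog prefix allowed); raise ValueError if it is not well-formed."""
    idx = line.find('CEF:')
    if idx < 0:
        raise ValueError('no CEF header found')
    parts = _UNESCAPED_PIPE.split(line[idx:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError('CEF header has fewer than 7 delimited fields')
    version = parts[0][len('CEF:'):]
    vendor, product, dev_version, sig_id, name, severity_str = (_unescape(p) for p in parts[1:7])
    try:
        severity = int(severity_str)
    except ValueError:
        raise ValueError(f'non-numeric severity {severity_str!r}') from None
    if not 0 <= severity <= 10:
        raise ValueError(f'severity {severity} outside the CEF range 0-10')
    return CefEvent(version, vendor, product, dev_version, sig_id, name, severity,
                    parse_extension(parts[7]))


def check_source(event: CefEvent, expected_product: str = 'FortiWeb') -> bool:
    """Confirm the received event carries the expected device product name."""
    return event.device_product == expected_product


def receive_one_cef(port: int, timeout: float = 60.0) -> CefEvent:
    """Bind UDP *port* (assumed transport), wait for one datagram, and parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(('0.0.0.0', port))
        sock.settimeout(timeout)
        data, _peer = sock.recvfrom(65535)
    return parse_cef(data.decode('utf-8', errors='replace'))


if __name__ == '__main__':
    # With a port argument, listen for a real message; otherwise parse the constructed sample.
    event = receive_one_cef(int(sys.argv[1])) if len(sys.argv) > 1 else parse_cef(SAMPLE_CEF)
    print(event)
    print('source check:', 'OK' if check_source(event) else 'unexpected product')
```

Run it on the remote host with the port from the SIEM policy before triggering the test log message on the appliance; a parsed event with the expected product name and severity confirms the path end to end, while a timeout points you back at the interface, route and firewall checks in the note above.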
See also