FCP_FAZ_AD-7.4 Logs and reports management

Logs and Reports Management Detailed Explanation

Logs and reports management is the heart of FortiAnalyzer, enabling administrators to monitor network activity, analyze security events, and create meaningful reports for decision-making. This section covers log collection, storage, analysis, and reporting.

3.1 Log Storage

Log storage ensures that all network activity and security events are systematically collected and stored for analysis and reporting.

Storage Options

1. Local Disk Storage:

   • Logs are stored directly on the FortiAnalyzer's built-in storage.
   • Suitable for small-scale deployments with fewer devices and lower log volume.
   • Example: A small office network with 5-10 devices forwarding logs.

2. Network-Attached Storage (NAS):

   • Logs are stored on external storage devices connected via the network.
   • Ideal for large-scale deployments with high log volumes.
   • Benefits:
     • Greater storage capacity.
     • Centralized storage for multiple FortiAnalyzer units.

Retention Policies

1. Defining Retention Periods:

   • Determine how long logs should be retained based on:

     • Compliance requirements (e.g., GDPR, HIPAA).
     • Storage capacity.
     • Operational needs (e.g., forensic investigations).

   • Example Retention Policy:

     • Critical logs: Retain for 1 year.
     • Routine logs: Retain for 3 months.

2. Automatic Log Cleanup:

   • Configure automatic deletion of old logs to free up space.
   • Example: Set a cleanup schedule to remove logs older than 90 days.

Log Encryption

• Encrypt stored logs to enhance data security and prevent unauthorized access.
• Enable encryption during configuration to protect sensitive information from being compromised.
• Best practices:
  • Use strong encryption algorithms.
  • Secure the encryption keys in a separate, safe location.

3.2 Log Analysis

Log analysis helps administrators identify trends, detect anomalies, and respond to security incidents efficiently.

Real-Time Logs

• Purpose:

  • Monitor real-time events as they occur.
  • Useful for tracking immediate security threats or operational issues.

• Usage:

  • Open the Log View on FortiAnalyzer.
  • Watch logs stream in real-time to identify critical events.

Historical Logs

• Advanced Search:

  • Use search tools to locate specific logs from past events.
  • Example search parameters:
    • Time Period: Logs from the last 7 days.
    • Source IP: Logs generated by 192.168.1.100.
    • Event Type: Only security alerts.

• Filters:

  • Refine log searches with filters like:
    • Usernames.
    • Protocols (e.g., HTTP, HTTPS).
    • Event severity (e.g., critical, warning, informational).

Correlation Analysis

• Purpose:

  • Combine multiple log events to uncover patterns or related incidents.
  • Example: Correlate login failure logs with successful login events to detect brute-force attacks.

• Steps:

  • Use the correlation engine in FortiAnalyzer to create rules.
  • Analyze the output for insights into suspicious activity.

3.3 Report Management

Report management transforms raw log data into structured, visualized insights, helping stakeholders make informed decisions.

Report Types

1. Predefined Reports:

   • Built-in templates for common use cases.
   • Example: Bandwidth usage, application control, or threat reports.

2. Custom Reports:

   • Tailored to specific organizational needs.
   • Example: A report showing only failed login attempts across all devices in a department.

Report Templates

1. Using Built-In Templates:

   • Access FortiAnalyzer’s library of pre-made templates.
   • Templates include charts, tables, and summary sections for common reporting needs.

2. Creating Custom Templates:

   • Add your own charts, tables, and filters.
   • Example: Include only data from a specific time range or device group.

Automated Reporting

1. Scheduling Reports:

   • Automate report generation on a weekly, monthly, or daily basis.
   • Example: Schedule a network activity report to run every Monday.

2. Distribution:

   • Send reports to stakeholders via email.
   • Export reports in formats like PDF, HTML, or CSV for sharing or further analysis.

Conclusion

FortiAnalyzer’s Logs and Reports Management capabilities enable organizations to efficiently store, analyze, and interpret log data. By setting up robust storage policies, using advanced analysis tools, and leveraging automated reporting, you can maintain a secure and well-monitored network environment.

Logs and Reports Management (Additional Content)

1. Log Transmission Optimization

Why is this important?

• In high log throughput environments (such as enterprise-level deployments), optimizing log transmission methods is crucial to minimize latency and packet loss.
• Efficient log transmission ensures accurate and timely event tracking, which is essential for security monitoring and compliance.

Supplementary Details

1.1 Log Transmission Protocols

Different protocols offer varying levels of performance, reliability, and security:

1. UDP (User Datagram Protocol) – Default Port: 514

• Pros:
  • Low latency, suitable for real-time logging.
  • Minimal overhead, reducing network congestion.
• Cons:
  • Unreliable – logs may be lost if the network drops packets.
  • No encryption, making it unsuitable for sensitive logs.
• Best use case: Large-volume log forwarding where speed is more important than reliability (e.g., basic event logging).

2. TCP (Transmission Control Protocol) – Default Port: 601

• Pros:
  • Reliable delivery – ensures logs are transmitted without loss.
  • Provides error correction and retransmission.
• Cons:
  • Increased latency and network overhead compared to UDP.
• Best use case: Security-critical logs, such as compliance audits or forensic investigations.

3. OFTP (Optimized Fortinet Protocol)

• Pros:
  • Fortinet-specific protocol optimized for device-to-device log synchronization.
  • More efficient than standard TCP for large-scale FortiAnalyzer deployments.
• Best use case: Enterprise-scale FortiAnalyzer installations managing multiple FortiGate devices.

4. Encrypted Syslog (TLS)

• Pros:
  • Uses TLS encryption to protect logs from interception and modification.
  • Suitable for sensitive industries (e.g., financial institutions, healthcare).
• Cons:
  • Requires higher processing power for encryption and decryption.
• Best use case: Log transmission over untrusted networks or compliance-driven industries (GDPR, HIPAA).

1.2 Log Transmission Optimization Techniques

To improve log transmission efficiency, consider the following optimizations:

• Batch Transmission

  • Instead of sending individual log entries, batch transmission groups logs to reduce network overhead.
  • This is particularly useful in high-log-volume environments.

• Log Compression

  • Compressing log data reduces bandwidth consumption, making it ideal for low-bandwidth connections.

• Priority-Based Log Transmission

  • Assign priority levels to logs:
    • High-priority logs (security events) → Real-time transmission.
    • Low-priority logs (informational logs) → Batch transmission at scheduled intervals.

2. Log Storage Limitations & Expansion

Why is this important?

• If FortiAnalyzer runs out of storage, logs may fail to be stored, leading to data loss and compliance violations.
• Effective storage management prevents performance degradation and ensures logs are retained for required periods.

Supplementary Details

2.1 Storage Monitoring

To prevent unexpected storage issues, administrators should:

• Regularly check disk usage:

  diagnose system df
  

• Configure storage alerts:

  • Set up notifications when disk usage exceeds 80% capacity.
  • Alerts can be sent via email or syslog to notify administrators before the system reaches critical levels.

2.2 Storage Expansion Methods

If FortiAnalyzer requires additional storage, the following methods can be implemented:

1. External Storage (NAS, SAN)

• NAS (Network-Attached Storage)
  • Provides shared storage over the network, making it suitable for distributed environments.
• SAN (Storage Area Network)
  • Offers high-speed storage connectivity for enterprise-grade logging.
• Best use case: Large-scale deployments needing additional log storage beyond local disk capacity.

2. Tiered Log Storage (Archiving)

• Migrate older logs to lower-cost storage solutions, such as:
  • Cloud storage (AWS S3, FortiCloud) for long-term retention.
  • Cold storage solutions for logs that are rarely accessed.
• Best use case: Organizations with long retention requirements (e.g., financial services storing logs for 5+ years).

3. Log Deletion Policies

• Configure automatic deletion of older, non-critical logs.
• Define retention periods based on log importance:
  • Security logs → 1 year.
  • System event logs → 6 months.
  • Traffic logs → 90 days.

3. Log Auditing & Compliance

Why is this important?

• Many regulations (GDPR, HIPAA, PCI-DSS) mandate proper log retention, protection, and auditing.
• Logs must be tamper-proof, ensuring they are unchanged and accessible for audits.

Supplementary Details

3.1 Log Integrity Protection

• Hash Verification

  • Ensures logs have not been altered.

  • FortiAnalyzer generates a cryptographic hash for each log file.

  • To verify log integrity:

    diagnose log integrity-check
    

• Read-Only Storage

  • Prevents logs from being modified or deleted.
  • Ensures audit trails remain intact.

3.2 Compliance Reporting

FortiAnalyzer supports compliance reports for various industry regulations:

1. GDPR (General Data Protection Regulation)

• Requires logs to track user access and data breaches.
• Reports should include:
  • User login history
  • Access to personal data
  • Security incidents related to data protection

2. PCI-DSS (Payment Card Industry Data Security Standard)

• Focuses on secure logging for payment data.
• Logs must include:
  • Access attempts to payment systems
  • Failed login attempts
  • Any unauthorized file changes

3. ISO 27001 Security Audits

• Requires logs to be retained for a specified period.
• Ensures that only authorized personnel can access logs.

Conclusion

These additional details enhance Logs and Reports Management by covering:

• Log Transmission Optimization (Choosing the right protocol and improving efficiency).
• Storage Management & Expansion (Preventing storage issues and optimizing log retention).
• Log Auditing & Compliance (Ensuring logs meet security and regulatory requirements).