Our FortiGate FWs are configured to feed logs to FortiAnalyzers and also directly as syslog input to our SIEM.
We are experiencing an issue where nearly half our Events Per Second (EPS) licences for our SIEM solution are exhausted by the FortiGate event logs, and of these, >80% are "Close" event types.
"Close" events are categorised as a "notice" event, with severity level=5.
Is there a way we can selectively stop sending the Close event logs to our SIEM as we don't see this data as proving much value for security event correlation (particularly as it is also partly covered by Netflow traffic)?
We can't find any information in the Handbook or Reference guide on how to do this at such a granular level and one potential problem is that if we turn off all notice event types (if possible?) we would lose "Firewall Deny" which is a lot more interesting from a security perspective.
thanks
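Added example (not part of the original post, and not Fortinet code): the core of the problem above is that "Close" and "Firewall Deny" share the same severity (notice, level 5), so any filter keyed on severity alone throws away the deny records along with the session-close noise. The snippet below shows a relay-side filter that parses FortiGate-style key=value syslog lines and decides forwarding on the `type` and `action` fields instead of `level`. The field names (`type`, `action`, `level`) follow the common FortiGate traffic-log key=value layout, but the sample lines are constructed for the example and are not real captures; the same decision logic would normally be expressed in the filter language of whatever relay (rsyslog, syslog-ng, or the SIEM's own collector) sits between the firewalls and the SIEM.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample lines in FortiGate's key=value syslog layout (made-up values,
# not real captures). All four carry level="notice", exactly the situation in the post.
SAMPLE_LINES = [
    'date=2024-01-01 time=10:00:01 devname="fgt-edge" type="traffic" subtype="forward" '
    'level="notice" srcip=10.1.1.5 dstip=203.0.113.10 dstport=443 action="close" '
    'sentbyte=1200 rcvdbyte=5400',
    'date=2024-01-01 time=10:00:02 devname="fgt-edge" type="traffic" subtype="forward" '
    'level="notice" srcip=10.1.1.9 dstip=203.0.113.22 dstport=22 action="deny" policyid=0',
    'date=2024-01-01 time=10:00:03 devname="fgt-edge" type="traffic" subtype="forward" '
    'level="notice" srcip=10.1.1.7 dstip=198.51.100.4 dstport=80 action="accept"',
    'date=2024-01-01 time=10:00:04 devname="fgt-edge" type="event" subtype="vpn" '
    'level="notice" action="tunnel-up" tunnelid=1',
]

# key=value tokens; values are either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split one FortiGate key=value syslog line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return fields


# Actions whose traffic-log records are treated as low value for correlation.
# Only "close" is dropped, matching the post; widen the set deliberately if needed.
DROP_ACTIONS: Set[str] = {"close"}


def forward_by_action(fields: Dict[str, str]) -> bool:
    """Granular rule: drop traffic logs whose action is a benign session close,
    keep everything else (deny, accept, and non-traffic event logs)."""
    if fields.get("type") == "traffic" and fields.get("action", "").lower() in DROP_ACTIONS:
        return False
    return True


def forward_by_level(fields: Dict[str, str]) -> bool:
    """The naive rule the post worries about: suppress all notice-level records.
    Included only to show what it loses; it is NOT the recommended filter."""
    return fields.get("level", "").lower() != "notice"


def filter_lines(lines: Iterable[str], rule=forward_by_action) -> Tuple[List[str], int]:
    """Apply a forwarding rule to raw lines; return (forwarded lines, dropped count)."""
    forwarded: List[str] = []
    dropped = 0
    for line in lines:
        if rule(parse_fortigate_line(line)):
            forwarded.append(line)
        else:
            dropped += 1
    return forwarded, dropped


def kept_actions(lines: Iterable[str], rule) -> List[str]:
    """Convenience view: which actions survive a given rule."""
    return [parse_fortigate_line(l).get("action", "") for l in filter_lines(lines, rule)[0]]


if __name__ == "__main__":
    fwd, dropped = filter_lines(SAMPLE_LINES)
    print(f"action-based filter: forwarded {len(fwd)}, dropped {dropped}, "
          f"kept actions {kept_actions(SAMPLE_LINES, forward_by_action)}")
    fwd_lvl, dropped_lvl = filter_lines(SAMPLE_LINES, forward_by_level)
    print(f"level-based filter:  forwarded {len(fwd_lvl)}, dropped {dropped_lvl} "
          f"(deny records lost too)")
```

Run as-is, the action-based rule drops only the `action="close"` line and forwards the deny, accept and VPN event records; the level-based rule drops all four, which is the "we would lose Firewall Deny" outcome described in the post.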