FortiClient Log Collection Integration

Configuring FortiClient integration for Realm Security

Realm Security collects Forticlient logs via Fortianalyzer. The steps for configuring Forticlient and Fortianalyzer for log collection.

Administrative access to the FortiClient EMS
Administrative access to FortiAnalyzer
Realm collector is setup and running with a Raw TCP Stream. See Realm Collector install guide for setting up a collector.
Realm Security Raw TCP collector IP address or FQDN
Realm Collector receiving port number. In Realm console, go to Collectors > select collector > Copy port number listed for the Stream.

In FortiClient EMS go to Endpoint Profiles > System Settings and edit the desired profile.
In the 'Log' section, Enable 'Upload Logs to FortiAnalyzer/FortiManager' and enter the IP Address/Hostname and port of the configured FortiAnalyzer instance, or if using FortiAnalyzer Cloud, just hit "Auto-config FAZ Cloud"

Enable Administrative Domain(ADOM) in FortiAnalyzer in System Settings > Administrative Domain and then creating or selecting the FortiClient ADOM.
To connect FortiClient EMS to FortiAnalyzer, in FortiAnalyzer, go to Device Manager > Add Device, and enter the FortiClient EMS Serial Number.
To forward logs from FortiAnalyzer to Realm, go to System Settings > Advanced, and click on the Log Forwarding tab and Create New.
Choose Common Event Format(CEF) for the Remote Server Type, and fill in the Realm Collector Server FQDN/IP to forward logs to, and set the Port of the Collector stream.