Monday, 11 August 2025

SentinelOne Log Collector for Fortigate with Windows

I found all the official documentation to be confusing at best, or straight up misleading and wrong at worst for this issue. Below are the steps that worked for me.

Get your API Key:
Open your SentinelOne dashboard, go to Policy and Settings, API Keys (Under Singularity AI SIEM), click the Add Key button and choose to make a Write Key. Save this key for later.

Install the Fortigate Parser:
At the top of your dashboard, click Marketplace. Find the Fortigate Firewall option and add it to your account, either at the top (account) level or for an individual site. Make sure the API key you created is from the same level.

Install the agent:
1. Download and install the .msi from
https://app.scalyr.com/scalyr-repo/stable/latest/ScalyrAgentInstaller-2.2.16.msi
2. As administrator, open C:\Program Files (x86)\Scalyr\config\agent.json
3. Set the api_key value to the API key you made before
4. Within the monitors section of agent.json, put in the following (the agent's config format accepts unquoted keys, so this is not strict JSON):

    monitors: [
      {
        module: "scalyr_agent.builtin_monitors.syslog_monitor",
        protocols: "tcp:601, udp:514",
        accept_remote_connections: true,
        message_log: "fortinet.log",
        parser: "marketplace-fortinetfortigate-latest"
      }
    ]

Configure for SentinelOne:
1. As administrator, create a new file
C:\Program Files (x86)\Scalyr\config\agent.d\settings_server.json with the following contents:

    {
      scalyr_server: "https://xdr.us1.sentinelone.net"
    }

2. Configure the FortiGate to send syslog to the IP address or hostname of the server the agent is running on.
(On FortiOS 7.4 this is under Log and Report, Log Settings, then the Syslog Logging option.)
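The monitor block above sets accept_remote_connections to true, which makes the agent listen on every interface, so the Windows host firewall is what stops other hosts on the network from injecting lines into the collector. The following PowerShell is an added example (not from the original post or from SentinelOne's own tooling) that writes settings_server.json as shown above, scopes the inbound syslog rules to the FortiGate only, restarts the agent, and checks that the two listeners are actually bound. The FortiGate address is a placeholder, the service is looked up by a display name starting with "Scalyr" rather than hard-coded, and the log directory C:\Program Files (x86)\Scalyr\log is assumed; adjust these for your environment. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: write the SentinelOne server
# setting, restrict inbound syslog to the FortiGate, restart the agent and
# verify the listeners. Run as administrator.

$FortiGateIp = '192.0.2.10'   # placeholder (RFC 5737 documentation range); use your FortiGate's source IP
$ConfigDir   = 'C:\Program Files (x86)\Scalyr\config'
$LogDir      = 'C:\Program Files (x86)\Scalyr\log'   # assumed agent log directory

# 1. Write agent.d\settings_server.json with the contents from the post.
$serverFile = Join-Path $ConfigDir 'agent.d\settings_server.json'
New-Item -ItemType Directory -Path (Split-Path $serverFile) -Force | Out-Null
@'
{
  scalyr_server: "https://xdr.us1.sentinelone.net"
}
'@ | Set-Content -Path $serverFile -Encoding ASCII

# 2. Inbound rules for the two listeners declared in the monitor block,
#    allowed only from the FortiGate so no other host can feed the collector.
$rules = @(
    @{ Name = 'SentinelOne Syslog UDP 514'; Protocol = 'UDP'; Port = 514 },
    @{ Name = 'SentinelOne Syslog TCP 601'; Protocol = 'TCP'; Port = 601 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $FortiGateIp `
            -Profile Domain,Private | Out-Null
    }
}

# 3. Restart the agent so it reloads agent.json and agent.d\*.json.
$svc = Get-Service | Where-Object { $_.DisplayName -like 'Scalyr*' } | Select-Object -First 1
if ($null -eq $svc) { throw 'Scalyr agent service not found; is the MSI installed?' }
Restart-Service -Name $svc.Name
Start-Sleep -Seconds 5

# 4. Confirm the syslog listeners are bound and the message log exists
#    (fortinet.log only appears once the FortiGate has sent something).
$tcp = Get-NetTCPConnection -LocalPort 601 -State Listen -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint   -LocalPort 514 -ErrorAction SilentlyContinue
[pscustomobject]@{
    Service  = $svc.Name
    Status   = (Get-Service -Name $svc.Name).Status
    Tcp601   = [bool]$tcp
    Udp514   = [bool]$udp
    LogFile  = Test-Path (Join-Path $LogDir 'fortinet.log')
}
```

If Tcp601 or Udp514 comes back False after the restart, check the agent's own log in the same log directory for a parse error in agent.json before looking at the network; a malformed monitors block is the usual cause.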
