Hi Everyone,
I have a requirement to send Fortinet Firewall Logs to Google SecOps.
Fortinet Firewall is hosted On-Prem.
I can’t use Bindplane Agent to ingest logs to Google SecOps.
Can you suggest an approach?
Hey, ran into something similar a few months back. If BindPlane is off the table, you still have a few solid options to get Fortinet logs into Google SecOps (Chronicle).
One practical route is to forward Fortinet logs via syslog to a lightweight forwarder VM (could be Ubuntu or even Alpine with rsyslog or Fluent Bit). From there:
Use Fluent Bit or Logstash to parse and enrich if needed
Then forward the logs over HTTPS using the Chronicle Forwarder with the UDM format
If you haven’t used it before, Chronicle offers a Linux-based forwarder binary that you can install on that intermediate VM. You’ll need to transform the logs into UDM (Unified Data Model), but there are community parsers out there for FortiGate, or you can write your own plugin if it’s custom.
It takes a bit of setup, but it’s reliable and doesn’t depend on BindPlane.
I can’t use Chronicle Forwarder due to some vulnerability.
Got it. If both BindPlane and Chronicle Forwarder are off the table, I’d look at using Fluent Bit directly with a custom output plugin or webhook to push the logs to a Google SecOps-compatible endpoint. It’s super lightweight, works well on-prem, and gives you flexibility for transformation and routing.
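To make the two suggestions above concrete (an intermediate forwarder that transforms FortiGate syslog into UDM, or Fluent Bit pushing batches to a SecOps ingestion endpoint), here is an added Python example that is not from any poster in this thread. It parses FortiGate key=value log lines, maps them to a minimal UDM-style event, and builds the JSON body for a batch of unstructured entries. The sample log lines are constructed, the customer ID is a placeholder, and the exact ingestion endpoint and `log_type` value are assumptions to verify against your SecOps tenant's documentation; the script does no network calls.

```python
"""Added example (not from the thread): FortiGate syslog -> minimal UDM, plus a
batch payload for a SecOps ingestion endpoint. Endpoint and log_type are assumptions."""
import json
import re
from typing import Dict, List

# FortiGate logs are space-separated key=value pairs; values may be double-quoted
# and quoted values may contain spaces, so the quoted alternative must win.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (not real traffic).
SAMPLE_LINES: List[str] = [
    'date=2024-05-01 time=10:15:32 devname="FGT-EDGE-01" devid="FGVMEXAMPLE0001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.10.1.25 srcport=51234 srcintf="port2" dstip=203.0.113.10 dstport=443 '
    'dstintf="port1" proto=6 action="accept" policyid=7 service="HTTPS" '
    'sentbyte=1520 rcvdbyte=8830 msg="Traffic allowed by policy"',
    'date=2024-05-01 time=10:15:40 devname="FGT-EDGE-01" devid="FGVMEXAMPLE0001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=198.51.100.77 srcport=40001 srcintf="port1" dstip=10.10.1.25 dstport=3389 '
    'dstintf="port2" proto=6 action="deny" policyid=0 service="RDP" msg="Denied by policy"',
]


def parse_fortigate(line: str) -> Dict[str, str]:
    """Return key -> unquoted value for one FortiGate log line."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def to_udm(fields: Dict[str, str]) -> dict:
    """Map a parsed record to a small UDM subset (field choice is this example's
    assumption; SecOps' own FortiGate parser covers far more)."""
    action = fields.get("action", "").lower()
    # FortiGate emits local date/time; this example assumes the device is set to UTC.
    timestamp = f'{fields.get("date", "")}T{fields.get("time", "")}Z'
    event = {
        "metadata": {
            "event_timestamp": timestamp,
            "event_type": "NETWORK_CONNECTION" if fields.get("type") == "traffic" else "GENERIC_EVENT",
            "vendor_name": "Fortinet",
            "product_name": "FortiGate",
            "product_log_id": fields.get("logid", ""),
        },
        "principal": {},
        "target": {},
        "security_result": [],
    }
    if "srcip" in fields:
        event["principal"]["ip"] = [fields["srcip"]]
    if "srcport" in fields:
        event["principal"]["port"] = int(fields["srcport"])
    if "dstip" in fields:
        event["target"]["ip"] = [fields["dstip"]]
    if "dstport" in fields:
        event["target"]["port"] = int(fields["dstport"])
    if action:
        # FortiGate "accept" allows the flow; every other traffic action is treated as a block.
        event["security_result"].append({"action": ["ALLOW" if action == "accept" else "BLOCK"]})
    return event


def build_batch(customer_id: str, lines: List[str], log_type: str = "FORTINET_FIREWALL") -> dict:
    """Batch raw lines as unstructured log entries so SecOps applies its own parser.
    The body shape (customer_id / log_type / entries[].log_text) is an assumption
    to check against the ingestion API reference for your tenant."""
    return {
        "customer_id": customer_id,
        "log_type": log_type,
        "entries": [{"log_text": line} for line in lines if line.strip()],
    }


if __name__ == "__main__":
    for raw_line in SAMPLE_LINES:
        print(json.dumps(to_udm(parse_fortigate(raw_line)), indent=2))
    # Placeholder customer ID; substitute the value from your SecOps tenant.
    print(json.dumps(build_batch("00000000-0000-0000-0000-000000000000", SAMPLE_LINES)))
```

Sending raw lines with the vendor `log_type` is usually the lower-maintenance route, since the mapping is then maintained by SecOps rather than by a custom Fluent Bit or Logstash pipeline; pre-mapping to UDM as in `to_udm` is worth it only when fields that the stock parser does not surface are needed for detections.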