Collector Requirements
What an On-Premise Collector host must provide before installation.
1. Network and Access
- Unproxied outbound HTTPS access to https://www.secdit.com/configsentry/.
- Connectivity to each configured appliance host and SSH port.
- SSH credentials with sufficient privilege to read the full configuration. Recommended role: Read-Only Admin.
1a. Collector Security Model
- Use the lowest practical privilege that still allows full configuration retrieval.
- Where a setting is marked Enter Locally, the secret is intended to remain on the collector host instead of being stored as a website-managed secret value.
- Website communication is designed around outbound HTTPS from the collector host. If you enable syslog-triggered collection, separate inbound syslog traffic to the collector host is also part of that workflow.
- If your review requires current deployment, package-trust, or platform storage-architecture details, contact secdit directly rather than inferring them from this page.
2. Windows Collector (.exe)
- Windows 10 / 11, or Windows Server 2019 or later.
- Permission to create a Windows Task Scheduler entry.
- Permission to allow the collector syslog listener through Windows Firewall if syslog-triggered collection is enabled.
3. Linux / FreeBSD Collector Scripts
- php-cli installed and available on PATH.
- Either curl or wget installed.
- Either bsdtar, tar with .tar.gz support, or PHP ZIP support as required by the current runtime package.
- Permission to install a cron entry for the collector watchdog.
4. Syslog-Triggered Collection
The collector can listen for FortiGate configuration-change syslog messages and trigger a targeted collection run.
- Default listener: 0.0.0.0:514.
- The listen IP and UDP port can be configured from the collector page or entered locally.
- If syslog-triggered collection is enabled, the collector service must be left running continuously.
5. FortiGate Syslog Configuration
Apply these commands on your FortiGate to send config-change syslog events to the collector. Replace syslogd with syslogd2, syslogd3, or syslogd4 to use a different syslog server slot.
config log syslogd setting
    set status enable
    set server "[collector server ip]"
    set port [custom port]
end
config log syslogd filter
    config free-style
        edit 99
            set category event
            set filter "(logid 0100044546 0100044547)"
        next
    end
end
The set port line is only required when using a custom port; omit it to use the default port 514. On a multi-VDOM firewall, run these commands under the config global context.
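The following Python example is added here and is not secdit's collector code. It shows how a listener for the two log IDs above can treat UDP syslog as an untrusted hint: triggers are accepted only from allow-listed FortiGate addresses and bursts are debounced. The addresses, port 5514, debounce interval and sample messages are constructed assumptions.

```python
import re
import socket
import time

# Log IDs taken from the FortiGate filter on this page.
CONFIG_CHANGE_LOGIDS = {"0100044546", "0100044547"}
# Assumptions (constructed values): FortiGates allowed to trigger a run, and
# how long to collapse a burst of change events into a single run.
ALLOWED_SOURCES = {"192.0.2.10"}
DEBOUNCE_SECONDS = 30
# Constructed sample payloads (not captured from a real device).
SAMPLE_CHANGE = '<189>date=2024-05-01 time=10:00:00 devname="fw1" logid="0100044547" type="event" subtype="system" msg="Edit firewall.policy 12"'
SAMPLE_LOGIN = '<189>date=2024-05-01 time=10:00:05 devname="fw1" logid="0100032001" type="event" subtype="system" msg="login"'
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_syslog(line):
    """Return the key=value fields of one FortiGate syslog line as a dict."""
    body = re.sub(r"^<\d+>", "", line.strip())  # drop the syslog priority prefix
    return {k: (q if q else u) for k, q, u in _KV.findall(body)}

class TriggerGate:
    """Decide whether a received datagram should start a targeted collection."""
    def __init__(self, now=time.monotonic):
        self._now = now
        self._last = {}  # source IP -> time of the last accepted trigger

    def should_collect(self, source_ip, line):
        if source_ip not in ALLOWED_SOURCES:
            return False  # UDP syslog is unauthenticated: ignore unknown senders
        fields = parse_fortigate_syslog(line)
        if fields.get("logid") not in CONFIG_CHANGE_LOGIDS:
            return False  # not one of the two config-change events
        t = self._now()
        last = self._last.get(source_ip)
        if last is not None and t - last < DEBOUNCE_SECONDS:
            return False  # still inside the debounce window for this device
        self._last[source_ip] = t
        return True

def serve(bind_ip="127.0.0.1", port=5514):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))  # bind to one interface rather than 0.0.0.0
    gate = TriggerGate()
    while True:
        data, (src, _) = sock.recvfrom(8192)
        if gate.should_collect(src, data.decode("utf-8", "replace")):
            print("collect", src)  # placeholder for starting the collection run

if __name__ == "__main__":
    serve()
```

Because UDP source addresses can be forged, the message is used only to decide that a run should start; nothing from its contents is passed into the collection itself.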
6. Operational Notes
- The collector service should remain enabled so scheduled collections and syslog-triggered collections can run automatically.
- If the collector is not running continuously, syslog-triggered collection will not work.
- Collector updates and config updates are downloaded from the secdit website according to the collector settings.
- Collector deployment usually needs internal approval for host placement, FortiGate read-only access, outbound connectivity, and any inbound syslog allowance.
7. Collector Bundle Contents
Each download bundle includes the current Collector Config File (configsentry_collector.json) and a readme.txt file.
To manually import a new collector config after downloading a fresh bundle, run the following command on the collector host:
- Windows (online installer):
configsentry-collector-online.exe --install-config-file="configsentry_collector.json"
- Windows (offline installer):
configsentry-collector-offline.exe --install-config-file="configsentry_collector.json"
- Linux / FreeBSD:
./configsentry-collector-linux.sh --install-config-file="configsentry_collector.json"