configure Fortigate firewall rule


Samson Ojoajogwu

Nov 12, 2022, 3:19:57 PM11/12/22
to Wa...@googlegroups.com
Hello team, 

I'm trying to configure Fortigate to send logs to Wazuh in our environment.

Kindly assist.

Anthony Faruna

Nov 12, 2022, 3:31:16 PM11/12/22
to Samson Ojoajogwu, Wa...@googlegroups.com
Hello Samson

Thanks for using Wazuh!

To receive and analyze the logs from your firewall you can use the Remote syslog capability (https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog).

For this, you need to configure your firewall to forward its syslog logs to the Wazuh Manager. Then configure the Manager to receive these logs with a block similar to this in the ossec.conf file:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>


You can find an example of this configuration in the provided link. And you can check this other reference documentation for more information on the configuration parameters: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html

Wazuh comes ready with decoders and rules for processing Fortigate logs, so that is all you should need to do to start processing your logs.
In order to process the Fortinet event logs properly, the Wazuh manager contains a Ruleset of decoders and rules, and it includes Fortinet decoders and rules. Please check:
https://github.com/wazuh/wazuh/blob/4.3/ruleset/decoders/0100-fortigate_decoders.xml
https://github.com/wazuh/wazuh/blob/4.3/ruleset/rules/0391-fortigate_rules.xml

In case that is needed, you can create custom rules and decoders.

Please let me know if you need further assistance.

Best Regards
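Added example (not part of the thread, and not Wazuh's or Fortinet's own code): a small Python check of the forwarding path described above. It parses the <remote> block, confirms the firewall's source address falls inside <allowed-ips> (remoted drops syslog from any other source), and can push one constructed FortiGate-style key=value event to the manager over the configured port and protocol. The device names, IDs and the 192.168.2.10 firewall address are placeholders.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET
# The <remote> block from the reply above, embedded so the check runs offline.
OSSEC_REMOTE_XML = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>"""

# Constructed FortiGate-style body (key=value fields); all values are placeholders.
SAMPLE_FORTIGATE_BODY = ('date=2022-11-12 time=15:19:57 devname="FGT-EDGE" '
                         'devid="FG-PLACEHOLDER" logid="0000000013" type="traffic" '
                         'subtype="forward" level="notice" vd="root" action="deny"')

def parse_remote_block(xml_text):
    """Return (port, protocol, [allowed networks]) from a syslog <remote> block."""
    root = ET.fromstring(xml_text)
    for remote in root.findall("remote"):
        if remote.findtext("connection") != "syslog":
            continue
        port = int(remote.findtext("port", "514"))
        proto = remote.findtext("protocol", "udp").strip().lower()
        nets = [ipaddress.ip_network(e.text.strip())
                for e in remote.findall("allowed-ips")]
        return port, proto, nets
    raise ValueError("no <remote> block with <connection>syslog</connection>")

def source_is_allowed(firewall_ip, allowed_nets):
    """True if firewall_ip sits inside some <allowed-ips> entry (else the manager drops it)."""
    ip = ipaddress.ip_address(firewall_ip)
    return any(ip in net for net in allowed_nets)

def build_syslog_message(body, pri=189):
    """Prefix a body with a BSD-syslog priority (189 = local7.notice)."""
    return f"<{pri}>{body}\n"

def send_test_event(manager_ip, port, proto, message, timeout=3.0):
    """Deliver one message the way the firewall would; returns bytes sent."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        if proto == "tcp":
            s.connect((manager_ip, port))
            return s.send(message.encode())
        return s.sendto(message.encode(), (manager_ip, port))
```

Run source_is_allowed with the real firewall address before sending; a mismatch there is the most common reason the manager receives nothing, and the firewall side must point at the same port and protocol the block declares.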
