Fortigate


Ben Whittaker

Jul 23, 2018, 7:37:47 PM
to securit...@googlegroups.com
Need more information on how to setup FortiGate logs to SO?

Michael O'Brien

Jul 23, 2018, 8:27:28 PM
to securit...@googlegroups.com
Step 1. Switch to Palo 
Step 2. Ask for more information on how to setup Palo Alto logs to so. 

😝

On Mon, Jul 23, 2018 at 7:37 PM Ben Whittaker <whitta...@gmail.com> wrote:
Need more information on how to setup FortiGate logs to SO?

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

John Madick

Jul 23, 2018, 9:51:52 PM
to security-onion
On Monday, July 23, 2018 at 6:37:47 PM UTC-5, Ben Whittaker wrote:
> Need more information on how to setup FortiGate logs to SO?

I do, Palo advice notwithstanding...

Tony Butt

Jul 24, 2018, 12:41:14 AM
to security-onion

I was able to digest Fortigate 100D logs into SO 16.04 + ELK
It wasn't straightforward, I'll check my config shortly and see what I did.
The default config is almost OK, but not quite right.

Tony Butt

Jul 24, 2018, 12:58:13 AM
to security-onion

To make it work, I went to the logstash config and edited 1004_preprocess_syslog_types.conf and 6200_firewall_fortinet.conf.

The 1004 changes explicitly set the 'type' to 'fortinet', and add a tag of 'firewall'. You will need to set the conditions appropriately so you process the correct messages.

if "syslog" in [tags] {
  # Only messages from the FortiGate's syslog forwarder on facility local7
  # are re-typed; change the host and facility to match your environment.
  if [syslog-host] == "my.log.forwarder" and [syslog-facility] == "local7" {
    mutate {
      replace => { "type" => "fortinet" }   # the type the 6200 fortinet parser matches on
      add_tag => [ "firewall" ]
    }
  }
  mutate {
    add_tag => [ "conf_file_1004" ]
  }
}


I can't remember what I did with the 6200 file, I know I explicitly set the timezone to match the device. I've attached that file, and a redacted 1004 file as well. There are some debug tags still present, they can be removed.
Tony

1004_preprocess_syslog_types.conf
6200_firewall_fortinet.conf

John Madick

Jul 24, 2018, 9:14:42 AM
to security-onion
Did you have the fortigate set to send the logs as CSV, or standard fortigate output? This is most helpful, thank you very much.

Ben Whittaker

Jul 24, 2018, 9:49:24 AM
to security-onion
On Monday, July 23, 2018 at 7:37:47 PM UTC-4, Ben Whittaker wrote:
> Need more information on how to setup FortiGate logs to SO?

I do not see the syslog msgs getting to SO.

I did a tcpdump on SO, no logs.

I did a tcpdump on FGT and see them going.

get log syslogd setting
status : enable
server : 192.168.X.XX
mode : udp
port : 514
facility : local7
source-ip :
format : default

John Madick

Jul 24, 2018, 11:52:23 AM
to security-onion
On the dashboard, do you see the host listed under the syslog link in the "Other" category? Looking at your configuration with my fortigate, I notice you tag based on host, but my host shows up as Gateway when the logs make it to logstash.

John Madick

Jul 24, 2018, 2:12:14 PM
to security-onion
I did some testing on my systems, the default pre-processor that creates the field type is not working properly. The Fortinet is put into the event_type field with the default configuration. I tested this by changing the name of the field to manufacturer and now I have a new field manufacturer and Fortinet no longer appears in the event_type field.
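
As an added illustration (my code, not anything posted in this thread or shipped with Security Onion): a Python sketch of the two stages discussed above, the 1004-style routing that forces type to fortinet and tags firewall when host and facility match, and a key=value parse of the FortiGate message body that keeps the device's own type= key in event_type so it cannot overwrite the routing type. The sample log line, the FortiGate key=value layout, the devid placeholder and the idea that this key clash is behind the event_type behaviour John saw are assumptions of mine, not confirmed by the thread.

```python
import re

# Constructed sample of a FortiGate-style syslog body: space-separated
# key=value pairs, quoted values may contain spaces. Assumed layout.
SAMPLE_FORTIGATE_MSG = (
    'date=2018-07-24 time=09:49:24 devname="FGT-LAB" devid="FGT_PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.0.5 srcport=51234 dstip=203.0.113.10 dstport=443 proto=6 '
    'action="accept" policyid=7 msg="Traffic accepted by policy 7"'
)

# key=value where value is either a double-quoted string or a run of non-space
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Forwarder host and facility are assumptions, as in the 1004 snippet above.
EXPECTED_HOST = "my.log.forwarder"
EXPECTED_FACILITY = "local7"


def route_syslog(event):
    """Mirror of the 1004 preprocess change: for syslog events from the
    expected forwarder on facility local7, force type to 'fortinet' and add
    the 'firewall' tag; every syslog event also gets 'conf_file_1004'."""
    tags = list(event.get("tags", []))
    if "syslog" in tags:
        if (event.get("syslog-host") == EXPECTED_HOST
                and event.get("syslog-facility") == EXPECTED_FACILITY):
            event["type"] = "fortinet"
            tags.append("firewall")
        tags.append("conf_file_1004")
    event["tags"] = tags
    return event


def parse_fortigate_kv(event):
    """Parse the key=value body into fields on the event. The device's own
    'type' key (traffic/event/utm) is moved to 'event_type' so it never
    replaces the routing 'type' that the fortinet parser is selected on."""
    fields = {}
    for key, value in KV_RE.findall(event["message"]):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # strip surrounding quotes
        fields[key] = value
    if "type" in fields:
        fields["event_type"] = fields.pop("type")
    event.update(fields)
    return event
```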

Ben Whittaker

Jul 24, 2018, 5:26:20 PM
to securit...@googlegroups.com
Some logs for the FGT are listed under syslog, not firewall.

On Tue, Jul 24, 2018 at 2:12 PM, John Madick <jcma...@gmail.com> wrote:
I did some testing on my systems, the default pre-processor that creates the field type is not working properly.  The Fortinet is put into the event_type field with the default configuration.  I tested this by changing the name of the field to manufacturer and now I have a new field manufacturer and Fortinet no longer appears in the event_type field.

jcma...@gmail.com

Jul 24, 2018, 6:05:30 PM
to securit...@googlegroups.com

Some, but not all?  I have no issues receiving the logs, and now they are marked and being parsed by the right parser (albeit not correctly.)  I’d focus on making sure you get them in and tagged first, let the parsing quest start after that.

Russ Roff

Aug 30, 2018, 12:46:52 PM
to security-onion
We found that our Fortigate was by default sending syslogs on port 1514. This had to be adjusted in the CLI and logs started flowing for us.