Integration of fortigate

[R VISHNU]

Hi Sir/Mam,

I am new to wazuh, I'm working with the integration of wazuh with our FortiGate firewall. Our wazuh manger and elastic search are hosted in AWS.

I have created a VPN connection between my firewall and AWS instance and configured the ossec.conf file. Now I'm able to get the logs from my firewall. But I can't parse the logs and unable to see the logs in the dashboard.

I have done the Ossec log test and its result is Phase 2 decoder: No match found. I have attached the firewall log file and the result of my Ossec log test. So please verify those and give me a proper decoder-script for these logs.

Thanks,

Vishnu

[Ranjith Kesavan]

Hi Vishnu, 

If you looks t the logs, you can see some characters "....P....E.......@.....%.....A......." prefixed to the log which does not belong to Fortigate logs. It might have been added to the log be some other application while the logs are being shipped.  Fortinet logs start with "date=". Either you can investigate how the prefix is added and remove it or edit your decoder to take that in to consideration as well. 

So the parent decoder will be link this : 

<decoder name="fortigate-firewall-v5">

    <prematch>\.+date=\S+ time=\.+ devname=\S+ devid="FG\w+" logid="\d+" </prematch>

    <type>syslog</type>

</decoder>

Thank you,

Ranjith Kesavan. 

[R VISHNU]

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/17c358ca-19cb-4f4b-914c-995e343c05f4%40googlegroups.com.

[R VISHNU]

Hi Sir/Mam,

I am new to wazuh, I'm working with the integration of wazuh with our FortiGate firewall. Our wazuh manger and elastic search are hosted in AWS.

I have created a VPN connection between my firewall and AWS instance and configured the ossec.conf file. Now I'm able to get the logs from my firewall. But I can't parse the logs and unable to see the logs in the dashboard.

I have done the Ossec log test and its result is Phase 2 decoder: No match found. I have attached the firewall log file and the result of my Ossec log test. So please verify those and give me a proper decoder-script for these logs.

Thanks in advance.

Thanks,

Vishnu

[Sandra Ocando]

Hi Vishnu,Although you also created another thread for fortigate decoders here: https://groups.google.com/d/msg/wazuh/J7K5csLn1mk/yvlTn8JQAgAJ and that thread was solved, I wanted to answer this one as well so that anyone that reads it can find the right answer.I have verified that the decoder provided by my colleague Jonathan on the other thread is valid for the logs provided on the logs.docx file of this thread.

<decoder name="fortigate">
 <prematch>\d+.\d+.\d+\d+ date=\.*time\.*devname=\.*devid=\.*logid=\.*type=\.*subtype=\.*</prematch>
 <regex>(\d+.\d+.\d+.\d+) date=(\.*) time=(\.*) devname="(\.*)" devid="(\.*)" logid="(\.*)" type="(\.*)" subtype="(\.*)" level="(\.*)" vd="(\.*)" eventtime=(\.*) srcip=(\.*) srcintf=(\.*) srcintfrole="(\.*)" dstip=(\.*) dstintf=(\.*) dstintfrole="(\.*)" sessionid=(\.*) proto=(\.*) action="(\.*)" policyid=(\.*) service="(\.*)" dstcountry="(\.*)" srccountry="(\.*)" trandisp="(\.*)" app="(\.*)" duration=(\.*) sentbyte=(\.*) rcvdbyte=(\.*) sentpkt=(\.*) rcvdpkt=(\.*) appcat="(\.*)"</regex>
 <order>ip,date,time,devname,devid,logid,type,subtype,level,vd,eventtime,srcip,srcintf,srcintfrole,dstip,dstintf,dstintfrole,sessionid,proto,action,policyid,service,dstcountry,srccountry,trandisp,app,duration,sentbyte,rcvdbyte,sentpkt,rcvdpkt,appcat</order>
</decoder>

I notice that the ossec-logtest output you provide is using a different input which includes trailing characters as Ranjith mentions, these characters should not be included when using ossec-logtest.Finally, I wanted to let you know that rules and decoders specific to Fortigate v6 have been developed and are included in Wazuh 4.0 that will be released soon. You may see these decoders and rules in this pull request:
https://www.github.com/wazuh/wazuh-ruleset/pull/578Regards,
Sandra