Fortigate syslog configuration


Jorge Llamas

Oct 1, 2024, 10:18:10 AM
to Wazuh | Mailing List
Hi Team!

I was able to configure some Cisco switches for protocol 514/udp with no issues; here is its config:

#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
core-MySwitch(config)#logging host  XX.XXX.XX.XX --> Wazuh IP
core-MySwitch(config)#logging trap 7
core-MySwitch(config)#end
core-MySwitch  #

Nevertheless, I'm facing some issues configuring Fortigate syslog on Wazuh. Here is the firewall config:

FG200F-MyCompany (setting) # show full-configuration
config log syslogd setting
    set status enable
    set server "XXX.XXX.XXX.XXX" --> Wazuh Server
    set mode udp
    set port 514
    set facility local7
    set source-ip ''
    set format default
    set priority default
    set max-log-rate 0
    set interface-select-method auto
end

Here is the wazuh configuration:

<remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>XX.XXX.XX.XX/XX</allowed-ips> <!-- Segment for several cisco routers. No issues -->
    <allowed-ips>XX.XXX.XX.XX/32</allowed-ips> <!-- Single IP from firewall. No success -->
</remote>

Also, with tcpdump I have no luck obtaining traffic from Fortigate firewall.

tcpdump -nei any -vv udp port 514

Any help would be appreciated.

Thanks in advance!

Christian Borla

Oct 1, 2024, 11:38:56 AM
to Wazuh | Mailing List
Hi Jorge Llamas
I hope you are well!

It seems like you're having trouble receiving syslog traffic from your Fortigate firewall; this is a network-related problem, some firewall or something that is not allowing the message to get through.
However, here are some ideas on how to check it out:
  • Did you try ping it from the server? 
  • Another idea is to validate if the messages from the Cisco switches are going out.  
  • Any firewall rule?  sudo iptables -L -n | grep 514
  • Also a Network Monitoring:  tcpdump -i any host <Fortigate-IP> and port 514
Honestly, these are the ways I can think of now to validate the reception of the events. By the way, in the Wazuh remote configuration I see the allowed-ips field duplicated; maybe when you solve the connection problem you can try leaving only one field. Remote examples.
I hope it helps.
Regards.

Jorge Llamas

Oct 1, 2024, 1:50:07 PM
to Wazuh | Mailing List
Hi Christian! Thanks for your response.

Just to mention that this is a dockerized environment.

Regarding the troubleshooting tips, my answers are below (originally in red):
  • Did you try ping it from the server? -> Yes, ping is OK.
  • Another idea is to validate if the messages from the Cisco switches are going out.  -> Config already in place, events are displayed on Wazuh Dashboard.
  • Any firewall rule? -> Local firewall is disabled (ufw disable), here is the output:
ACCEPT    17     --     0.0.0.0     X.X.X.X      udp dpt:514
ACCEPT    6      --     0.0.0.0      X.X.X.X       tcp dpt:1514

X.X.X.X is the local Docker IP.
  • Also a Network Monitoring:  tcpdump -i any host <Fortigate-IP> and port 514 -> No luck, not receiving any incoming traffic.


Christian Borla

Oct 3, 2024, 6:23:45 PM
to Wazuh | Mailing List

Hi!

Thank you for providing detailed information about your setup and the troubleshooting steps you've already undertaken. We can verify the Docker port mapping for UDP 514; please check the current Docker port mappings with this
 
command: docker ps

Look for the Wazuh container and verify if UDP port 514 is listed under the "PORTS" column,
e.g., 0.0.0.0:514->514/udp.

If UDP 514 isn't mapped, try to run the container with the UDP port mapping:

docker run -d \
  --name wazuh \
  -p 514:514/udp \
  -p 1514:1514/tcp \
  wazuh/wazuh:latest   # ... plus the other necessary flags and configurations ...

If you want to confirm Wazuh is listening on UDP 514 inside the container, you can try netstat -uln | grep 514. You should see an entry indicating that UDP port 514 is being listened on.

Let me know if that helps.
Regards.
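An added example, not from this thread or from Wazuh: a small Python helper that builds a syslog datagram the way the FortiGate config above would (facility local7, RFC 3164 framing), sends it over UDP, and applies the same CIDR test the <allowed-ips> entries express. Sending one of these from another host to the Wazuh IP on port 514 while the tcpdump from the thread is running separates "nothing reaches Wazuh" from "the FortiGate never sends"; the hostname, log body and CIDRs below are constructed.

```python
import ipaddress
import socket
from datetime import datetime
from typing import List, Optional, Tuple

# RFC 3164 numeric codes; local7 is what "set facility local7" selects on the FortiGate.
FACILITIES = {"local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed body in FortiGate's key=value style; not a real device log.
SAMPLE_BODY = 'devname="FG200F-MyCompany" type="event" subtype="system" msg="constructed test"'

def syslog_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def build_message(facility: str, severity: str, hostname: str, body: str) -> bytes:
    """Assemble one datagram: <PRI>TIMESTAMP HOSTNAME body."""
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{syslog_pri(facility, severity)}>{ts} {hostname} {body}".encode()

def parse_pri(datagram: bytes) -> Tuple[int, int]:
    """Decode the leading <PRI> field back into (facility, severity)."""
    pri = int(datagram[1:datagram.index(b">")])
    return pri // 8, pri % 8

def source_allowed(src_ip: str, allowed: List[str]) -> bool:
    """The check <allowed-ips> expresses: the sender must fall inside one listed CIDR."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in allowed)

def send_syslog(payload: bytes, target: Tuple[str, int]) -> int:
    """Send one UDP datagram to target, e.g. ("<WAZUH_IP>", 514); returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(payload, target)

def loopback_check(payload: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Offline self-test: receive our own datagram on 127.0.0.1 to inspect the wire format."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # ephemeral port, no clash with a real listener
        rx.settimeout(timeout)
        send_syslog(payload, rx.getsockname())
        try:
            return rx.recvfrom(2048)[0]
        except socket.timeout:
            return None
```

Replace the loopback target with the Wazuh address and port 514 to exercise the real path; a datagram that shows up in tcpdump on the Wazuh host but not in the dashboard points at the container mapping or allowed-ips rather than the network.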
