Fortigate 6.4.5 logging


Tom Powers

Jan 21, 2022, 3:32:39 PM1/21/22
to Wazuh mailing list
Hello.....

We have Fortigate logging in the standard Fortigate format (not CEF) and when I do a ruleset test on the messages, it says no decoder match.

Here's a sample of the logging

2022 Jan 21 20:05:19 wazuh->10.2.1.101 date=2022-01-21 time=14:05:19 devname="FW-AB-Main100F-1" devid="FG100FTK20015556" eventtime=1642795519786041250 tz="-0600" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=15895 srcip=47.225.210.2 dstip=10.2.1214 srcport=55391 dstport=443 srcintf="Spectrum" srcintfrole="wan" dstintf="Internal" dstintfrole="lan" proto=6 service="SSL" direction="outgoing" policyid=68 sessionid=33191004 applist="APP-General" action="pass" appcat="Network.Service" app="SSL" hostname="tunnel.directinput.com" incidentserialno=127486555 url="/" msg="Network.Service: SSL," apprisk="elevated" scertcname="*.directinput.com"

All insight is appreciated.

Awwal Ishiaku

Jan 24, 2022, 6:55:27 AM1/24/22
to Wazuh mailing list
Hello Thomas,

You probably have an older decoder that cannot properly decode this log message.
I have attached a fortigate decoder file. 
Replace the fortigate decoder you currently have (/var/ossec/ruleset/decoders/0100-fortigate_decoders.xml) with the decoder file I have attached.
After that, restart the Wazuh manager and run the logtest utility to confirm that Wazuh can properly decode this log.

As you can see from my output, Wazuh decoded the log:
root@wazuh-server:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line


2022 Jan 21 20:05:19 wazuh->10.2.1.101 date=2022-01-21 time=14:05:19 devname="FW-AB-Main100F-1" devid="FG100FTK20015556" eventtime=1642795519786041250 tz="-0600" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=15895 srcip=47.225.210.2 dstip=10.2.1214 srcport=55391 dstport=443 srcintf="Spectrum" srcintfrole="wan" dstintf="Internal" dstintfrole="lan" proto=6 service="SSL" direction="outgoing" policyid=68 sessionid=33191004 applist="APP-General" action="pass" appcat="Network.Service" app="SSL" hostname="tunnel.directinput.com" incidentserialno=127486555 url="/" msg="Network.Service: SSL," apprisk="elevated" scertcname="*.directinput.com"

**Phase 1: Completed pre-decoding.
        full event: '2022 Jan 21 20:05:19 wazuh->10.2.1.101 date=2022-01-21 time=14:05:19 devname="FW-AB-Main100F-1" devid="FG100FTK20015556" eventtime=1642795519786041250 tz="-0600" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=15895 srcip=47.225.210.2 dstip=10.2.1214 srcport=55391 dstport=443 srcintf="Spectrum" srcintfrole="wan" dstintf="Internal" dstintfrole="lan" proto=6 service="SSL" direction="outgoing" policyid=68 sessionid=33191004 applist="APP-General" action="pass" appcat="Network.Service" app="SSL" hostname="tunnel.directinput.com" incidentserialno=127486555 url="/" msg="Network.Service: SSL," apprisk="elevated" scertcname="*.directinput.com"'
        timestamp: '2022 Jan 21 20:05:19'

**Phase 2: Completed decoding.
        name: 'fortigate-firewall-v5'
        action: 'pass'
        app: 'SSL'
        appcat: 'Network.Service'
        appid: '15895'
        applist: 'APP-General'
        apprisk: 'elevated'
        devid: 'FG100FTK20015556'
        devname: 'FW-AB-Main100F-1'
        direction: 'outgoing'
        dstintf: 'Internal'
        dstintfrole: 'lan'
        dstip: '10.2.1214'
        dstport: '443'
        eventtime: '1642795519786041250'
        eventtype: 'signature'
        hostname: 'tunnel.directinput.com'
        incidentserialno: '127486555'
        level: 'information'
        logid: '1059028704'
        msg: 'Network.Service: SSL,'
        policyid: '68'
        proto: '6'
        scertcname: '*.directinput.com'
        service: 'SSL'
        sessionid: '33191004'
        srcintf: 'Spectrum'
        srcintfrole: 'wan'
        srcip: '47.225.210.2'
        srcport: '55391'
        subtype: 'app-ctrl'
        time: '14:05:19'
        type: 'utm'
        url: '/'
        vd: 'root'

**Phase 3: Completed filtering (rules).
        id: '81633'
        level: '3'
        description: 'Fortigate: App passed by firewall.'
        groups: '['fortigate', 'syslog']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AU.6']'
        pci_dss: '['10.6.1']'
**Alert to be generated.

0100-fortigate_decoders.xml
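The parsing that the decoder performs in Phase 1 and Phase 2 above, written out as an added Python example (not code from the thread or from Wazuh's own decoder): it splits the syslog header from the Fortigate key=value body, extracts quoted and bare values, and additionally validates srcip/dstip, which flags the malformed dstip=10.2.1214 in the sample. The sample line is a constructed, shortened copy of the one posted in the thread.

```python
import ipaddress
import re

# Constructed, shortened copy of the sample line from the thread:
# "<timestamp> <host>-><source>" header followed by the Fortigate key=value body.
SAMPLE = ('2022 Jan 21 20:05:19 wazuh->10.2.1.101 date=2022-01-21 time=14:05:19 '
          'devname="FW-AB-Main100F-1" devid="FG100FTK20015556" type="utm" subtype="app-ctrl" '
          'level="information" appid=15895 srcip=47.225.210.2 dstip=10.2.1214 srcport=55391 '
          'dstport=443 action="pass" msg="Network.Service: SSL," scertcname="*.directinput.com"')

# Header as wazuh-logtest shows it in Phase 1: timestamp, then host token, then the body,
# which must start with the first key=value pair.
HEADER_RE = re.compile(
    r'^(?P<timestamp>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>\w+=.*)$')
# One Fortigate field: key=value where value is either "quoted" (may contain spaces
# and commas, e.g. msg="Network.Service: SSL,") or a bare token with no whitespace.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def pre_decode(line):
    """Return (timestamp, host, body); raise if the syslog header is missing."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no syslog header found")
    return m.group("timestamp"), m.group("host"), m.group("body")


def decode_fields(body):
    """Extract every key=value pair of the Fortigate body into a dict of strings."""
    fields = {}
    for m in FIELD_RE.finditer(body):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def validate_addresses(fields):
    """Return {key: value} for srcip/dstip values that are not well-formed IP addresses."""
    problems = {}
    for key in ("srcip", "dstip"):
        if key in fields:
            try:
                ipaddress.ip_address(fields[key])
            except ValueError:
                problems[key] = fields[key]  # e.g. the sample's dstip=10.2.1214
    return problems


def decode(line):
    """Full pipeline: header split, field extraction, address sanity check."""
    ts, host, body = pre_decode(line)
    fields = decode_fields(body)
    return {"timestamp": ts, "host": host, "fields": fields,
            "bad_addresses": validate_addresses(fields)}
```

A decoder that silently indexes a value like 10.2.1214 as an IP makes later correlation on dstip unreliable, so the address check is the part worth keeping even once the real decoder matches.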