FortiGate FW Syslogs Not showing up in Dashboard.


spartanash1

Apr 3, 2024, 6:19:03 AM
to Wazuh | Mailing List

Hello,

I am trying to get my FortiGate syslogs to show up in the dashboard. Here is what I have done so far and my troubleshooting.

I have followed the instructions at https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html and have added the following to my ossec.conf.

<ossec_config>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    …
    <remote>
        <connection>syslog</connection>
        <port>514</port>
        <protocol>tcp</protocol>
        <allowed-ips>**Fortigate IP/32**</allowed-ips>
        <local_ip>**My-Wazuh-Server-IP**</local_ip>
    </remote>
</ossec_config>

I rebooted the wazuh-manager using the command "systemctl restart wazuh-manager" and ensured that the logs were coming in from the firewall using the command "tcpdump -i any -nn -XX src <FIREWALL IP> and dst <WAZUH SERVER> and dst port 514".

On the Fortigate side I made sure that the Syslogs are going over TCP and port 514 to the wazuh server.

(Can’t show this due to security reasons)

I downloaded the rule and decoder from this repository as Wazuh doesn’t appear to handle the activity from Fortigate by default. https://github.com/alextibor/wazuh-fortigate-rules-decoders

I placed the files from the Repo in /var/ossec/etc/decoders/ and /var/ossec/etc/rules/ as described in the README and rebooted the Wazuh-Manager.

I tested that the rules and decoders work with the syslogs that are coming in. But nothing has still shown up in the dashboard at this point.

I have been looking into the archive.log and I don't see any errors in it, but I also do not see any of the syslogs from the tcpdump in it. Any ideas what I could be doing wrong?

Luis Enrique Chico Capistrano

Apr 3, 2024, 7:36:11 PM
to Wazuh | Mailing List
Hello spartanash1,

Thanks for using Wazuh!

According to your description, if you're seeing packets captured by tcpdump but Wazuh isn't receiving them, there might be a firewall issue. tcpdump operates at a lower level than the firewall and captures packets before they reach the firewall for inspection. This suggests that the firewall on your Wazuh server might be blocking the traffic from your FortiGate.

As a quick test, you can temporarily disable the firewall to see if Wazuh starts receiving the messages. Important: Remember to re-enable the firewall after you're done troubleshooting.

I hope this helps!

Best,
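An added example, not code from the thread or from Wazuh, that checks two things discussed above before the host firewall is touched: it parses the <remote> block to confirm that allowed-ips is a real network containing the FortiGate's address (with no `**` placeholder markup left behind), and then opens a TCP connection to local_ip:port and sends one FortiGate-style event, which is refused or times out in exactly the situations the reply describes. The addresses and the event are constructed, and the loopback listener exists only so the probe can be exercised offline.

```python
# Added example (not Wazuh's own code). Sample addresses are constructed;
# a "*" left in a value means a placeholder from the thread was never filled.
import ipaddress
import socket
import threading
import xml.etree.ElementTree as ET

SAMPLE_CONF = """<ossec_config><remote>
  <connection>syslog</connection><port>514</port><protocol>tcp</protocol>
  <allowed-ips>192.0.2.10/32</allowed-ips><local_ip>198.51.100.5</local_ip>
</remote></ossec_config>"""
# Constructed FortiGate-style event; the newline delimits it on a TCP stream.
SAMPLE_EVENT = ('<189>date=2024-04-03 time=06:19:03 devname="fgt-edge" '
                'type="traffic" action="deny" srcip=10.0.0.5 dstip=203.0.113.7\n')

def check_remote_block(conf_xml, fortigate_ip):
    """Findings for the <remote> syslog block, or None if there is none."""
    rem = ET.fromstring(conf_xml).find("remote")
    if rem is None or rem.findtext("connection") != "syslog":
        return None
    allowed, local_ip = rem.findtext("allowed-ips", ""), rem.findtext("local_ip", "")
    try:  # allowed-ips must be a network that contains the sending firewall
        ok = ipaddress.ip_address(fortigate_ip) in ipaddress.ip_network(allowed, strict=False)
    except ValueError:  # not a valid address/network, e.g. placeholder text
        ok = False
    return {"port": int(rem.findtext("port", "514")),
            "protocol": rem.findtext("protocol", "udp").lower(),
            "placeholder_left": "*" in allowed or "*" in local_ip,
            "source_allowed": ok}

def probe_listener(host, port, event=SAMPLE_EVENT, timeout=3):
    """Connect like the FortiGate and send one event. False means refused or
    timed out (host firewall, or remoted not bound on local_ip:port)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(event.encode())
        return True
    except OSError:
        return False

def local_listener(received):
    """Loopback stand-in for remoted so probe_listener can be run offline."""
    srv = socket.create_server(("127.0.0.1", 0))
    def accept():
        conn, _ = srv.accept()
        with conn:
            received.append(conn.recv(4096).decode())
        srv.close()
    t = threading.Thread(target=accept, daemon=True)
    t.start()
    return srv.getsockname()[1], t
```

A successful probe only shows the connection and the bytes got through; whether a decoder then matches the event is a separate check in archives.log.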