Regarding no Fortigate alerts in the Dashboard


neeraj uikey

Aug 1, 2023, 12:18:08 PM
to Wazuh mailing list
Hi Wazuh team,

I'm sending logs to Wazuh over port 514, but I can't see the logs in the dashboard, although I can see them on the Wazuh server using tcpdump port 514 -A.

But the logs are coming in.
I have tested the decoder and it's fine.

**Messages:
WARNING: (7003): '501cd5c6' token expires
WARNING: (7617): Signature ID '101954' was not found and will be ignored in the 'if_sid' option of rule '100004'.
WARNING: (7619): Empty 'if_sid' value. Rule '100004' will be ignored.
WARNING: (7612): Rule ID '64000' is duplicated. Only the first occurrence will be considered.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101150.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101151.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101152.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101153.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101154.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101155.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101156.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101157.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101158.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101159.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101160.
WARNING: (7600): Invalid value 'Edm.String' for attribute 'type' in rule 101161.
WARNING: (7612): Rule ID '4800' is duplicated. Only the first occurrence will be considered.
WARNING: (7615): Invalid 'if_matched_sid' value: '101310,101311'. Rule '101312' will be ignored.
WARNING: (7612): Rule ID '100001' is duplicated. Only the first occurrence will be considered.
INFO: (7202): Session initialized with token 'a4739cbc'

**Phase 1: Completed pre-decoding.
full event: 'Aug  1 09:03:59 178-219-96-33.myrepublic.com.sg  timestamp=1690880637 devname="dsgg-SG9TdfB-UTM" devid="FG201FT922911695" vd="root" date=2023-08-01 time=17:03:57 eventtime=1690880637133932805 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.101.1.55 srcport=51316 srcintf="Server VLAN" srcintfrole="lan" dstip=10.101.4.12 dstport=9000 dstintf="port9" dstintfrole="dmz" srccountry="Reserved" dstcountry="Reserved" sessionid=1812914538 proto=6 action="server-rst" policyid=469 policytype="policy" poluuid="fe74d8ca-989d-51ed-a6cd-50d1f6d596e2" service="CRUSHFTP-DMZ" trandisp="snat" transip=10.101.4.1 transport=51316 duration=15 sentbyte=1297 rcvdbyte=3604 sentpkt=16 rcvdpkt=19 appcat="unscanned" srchwvendor="VMware" devtype="Computer" osname="Debian" mastersrcmac="00:50:56:80:fd:35" srcmac="00:50:56:80:fd:35" srcserver=0'
timestamp: 'Aug  1 09:03:59'
hostname: '178-219-96-33.myrepublic.com.sg'

**Phase 2: Completed decoding.
name: 'fortigate-firewall-v6'
action: 'server-rst'
appcat: 'unscanned'
cat: 'unscanned'
devtype: 'Computer'
dstcountry: 'Reserved'
dstintf: 'port9'
dstintfrole: 'dmz'
dstip: '10.101.4.12'
dstport: '9000'
duration: '15'
eventtime: '1690880637133932805'
ip: '10.101.1.55'
level: 'notice'
logid: '0000000013'
mastersrcmac: '00:50:56:80:fd:35'
osname: 'Debian'
policyid: '469'
policytype: 'policy'
poluuid: 'fe74d8ca-989d-51ed-a6cd-50d1f6d596e2'
proto: '6'
rcvdbyte: '3604'
rcvdpkt: '19'
sentbyte: '1297'
sentpkt: '16'
service: 'CRUSHFTP-DMZ'
sessionid: '1812914538'
srccountry: 'Reserved'
srcintf: 'Server VLAN'
srcintfrole: 'lan'
srcip: '10.101.1.55'
srcmac: '00:50:56:80:fd:35'
srcport: '51316'
srcserver: '0'
subtype: 'forward'
time: '17:03:57'
trandisp: 'snat'
transip: '10.101.4.1'
transport: '51316'
type: 'traffic'
vd: 'root'

**Phase 3: Completed filtering (rules).
id: '101001'
level: '0'
description: 'Fortigate messages grouped.'
groups: '["fortigate","syslog"]'
firedtimes: '1'
mail: 'false'

Emiliano Zorn

Aug 1, 2023, 3:32:50 PM
to Wazuh mailing list
Hello team!

The Wazuh server decodes and rule-checks the received events, utilizing the analysis engine. 
Events that trip a rule are augmented with alert data such as rule ID and rule name. Events can be spooled to one or both of the following files, depending on whether or not a rule is tripped:

The file /var/ossec/logs/archives/archives.json contains all events whether they tripped a rule or not.
The file /var/ossec/logs/alerts/alerts.json contains only events that tripped a rule with high enough priority (the threshold is configurable).


As we can see here, in your case, the level of the rule is set to 0. This means that although the rule is being executed, the level of the rule does not allow it to be displayed on the Dashboard.

Remember that only rules with a level 3 or higher will be displayed on the Wazuh Dashboard.

To solve this, you can edit the rule level, or create new rules and decoders to suit your needs.

Find more information about Rules and Decoders here:
Custom Rules and Decoders
Rules Classification
Creating Rules and Decoders from Scratch


In summary, logs are being ingested, and alerts are being generated, but not of a suitable level to be displayed on the dashboard.

Regards.
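An added example, not from the thread, of how the fix Emiliano describes could look in /var/ossec/etc/rules/local_rules.xml: child rules of the level-0 grouping rule 101001 seen in the logtest output above, raising Fortigate traffic events to an alertable level. Rule IDs 100100 and 100101 are assumed to be unused on the poster's manager.

```xml
<!-- Added example (not from the thread): /var/ossec/etc/rules/local_rules.xml
     Child rules of the default Fortigate grouping rule 101001 (level 0,
     "Fortigate messages grouped"), so that the traffic events shown in the
     wazuh-logtest output reach level 3 and land in alerts.json and the dashboard.
     Rule IDs 100100 and 100101 are assumed free; the logtest warnings above
     show 100001, 100004 and 64000 already duplicated, so pick an ID in the
     100000-120000 custom range that is not yet in use. -->
<group name="fortigate,syslog,local,">

  <!-- Any Fortigate traffic log -> level 3, the default alert threshold
       (<log_alert_level>3</log_alert_level> in ossec.conf). The decoded field
       names (type, action, srcip, ...) are those listed in Phase 2 above. -->
  <rule id="100100" level="3">
    <if_sid>101001</if_sid>
    <field name="type">^traffic$</field>
    <description>Fortigate traffic: $(action) $(srcip):$(srcport) -> $(dstip):$(dstport) (policy $(policyid))</description>
    <group>fortigate_traffic,</group>
  </rule>

  <!-- Sessions the server reset, like the event in the thread
       (action="server-rst"); one step higher so they stand out. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="action">^server-rst$</field>
    <description>Fortigate: server reset session $(srcip) -> $(dstip):$(dstport) (service $(service))</description>
    <group>fortigate_traffic,</group>
  </rule>

</group>
```

After saving, paste the same Fortigate line into /var/ossec/bin/wazuh-logtest: Phase 3 should now report id 100101 at level 5 instead of 101001 at level 0. Restart the manager (systemctl restart wazuh-manager) for the rules to take effect on live traffic.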