Wazuh can't see logs from Fortigate syslog, no events in Dashboard


hubert hubert

Jul 11, 2024, 9:07:08 AM
to Wazuh | Mailing List
Hi
Can someone help me with:
1 receiving logs from Fortigate to Wazuh
2 setting up the Wazuh manager - where to see events from Fortigate, and how to set up decoders / rules; are the default ones enough, and if not, what should be changed?
3 how to set up alerts for ssl_vpn and IPsec site-to-client brute force attacks

I have a recent version of Wazuh. I receive events from Windows and Linux Wazuh agents.
I have setup fortigate to send logs to wazuh server IP.

I have added to ossec.conf the allowed IP of the Fortigate and the whole /24 network as syslog udp 514. Allowed and opened port 514 udp/tcp on Wazuh. And there is no log in /ra

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>172.27.0.5/24</allowed-ips>
    <local_ip>172.27.10.88</local_ip>
  </remote>

  <remote>
    <connection>syslog</connection>
    <allowed-ips>172.27.10.0/24</allowed-ips>
  </remote>

Why can't I see logs from Fortigate?

Javier Medeot

Jul 11, 2024, 10:20:57 AM
to Wazuh | Mailing List
Hi hubert.

Wazuh does indeed include decoders and rules to decode and alert about Fortigate logs. Take a look at these files to check some sample logs considered for decoding, and to see the kind of alerts that are implemented by default.
Take a look at this short configuration guide on log collection via syslog in case you've missed it:
To find out why you don't see events from Fortigate in your dashboard, check the IP addresses in your <remote> configuration blocks. Check that no firewalls are blocking the connection with Fortigate.

In addition, you can enable the Wazuh archives to check whether Wazuh is receiving the events despite not alerting about them. Set logall to yes as explained in the following docs sub-section:
Check the /var/ossec/logs/archives/archives.log file and look for your fortigate events. If they're present you can use some of them as samples to specifically test the Wazuh rules with them. If no alerts get triggered in your tests, it might mean you need to implement custom decoders or rules for your specific logs. To test some of your sample logs, follow this guide:
If you don't find logs in the Wazuh archives, it means there's something wrong with the connection. In this case make sure Fortigate is correctly configured to send logs to Wazuh.

Let me know what you find. Thanks.

Javier Medeot

Jul 25, 2024, 9:12:50 AM
to Wazuh | Mailing List
Hi hubert.

If your connection is via UDP 514 port, just use <protocol>udp</protocol> as you are doing already. No need to add tcp as a parameter.

Once you've set <logall>yes</logall> (or <logall_json>yes</logall_json>) and restarted the Wazuh manager you're ready to check the /var/ossec/logs/archives/archives.log file (or the /var/ossec/logs/archives/archives.json file). You don't need to visualize the events in the dashboard, you only need to look for them in the archive using for example a text editor. (No need to set up Filebeat configurations nor create any indices).

Let me know if your Fortigate events are present in the archives.log (or archives.json). Also look for them in the /var/ossec/logs/alerts/alerts.json file. If they are present in alerts.json it means they're being correctly decoded and alerted but not indexed. If they're present in archives.log (or archives.json), it means they're monitored correctly but not analyzed as expected. And if they're missing completely, it means there might be some connection problem or similar issue.

Thank you.
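The three-way check Javier describes (present in alerts.json, present only in the archives, or absent) as a small triage helper, plus a check of the source IP against the <allowed-ips> entries from the posted config. This is an added example, not Wazuh's own tooling: it assumes Fortigate syslog lines are identified by their devname=/devid= key=value fields, the sample lines are constructed, and the way a host/prefix entry such as 172.27.0.5/24 is read is an assumption to confirm against the manager's own logs.

```python
import ipaddress
import json
import re

# Heuristic (assumption): Fortigate syslog payloads are key=value pairs carrying devname= / devid=.
FORTI_RE = re.compile(r'\bdev(?:name|id)=')

# Constructed sample Fortigate payload (values are made up).
SAMPLE_FORTI = ('date=2024-07-11 time=09:05:02 devname="FG-EDGE" devid="FGT-CONSTRUCTED" '
                'type="event" subtype="vpn" action="ssl-login-fail" user="jdoe"')

# Constructed archives.log lines; the "srcip->location payload" layout is an approximation.
ARCHIVE_LINES = [
    "2024 Jul 11 09:05:02 172.27.0.5->syslog " + SAMPLE_FORTI,
    "2024 Jul 11 09:05:03 (web01) 172.27.10.20->/var/log/auth.log sshd[123]: Accepted publickey",
]
# Constructed alerts.json line (one JSON object per line) for an unrelated sshd alert.
ALERT_LINES = [json.dumps({"rule": {"id": "5715"}, "full_log": "sshd[123]: Accepted publickey"})]


def fortigate_in_archives(archive_lines):
    """True if any raw archive line looks like a Fortigate event."""
    return any(FORTI_RE.search(line) for line in archive_lines)


def fortigate_in_alerts(alert_lines):
    """True if any alerts.json entry carries a Fortigate payload in full_log."""
    for line in alert_lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written or non-JSON line: skip rather than abort the triage
        if FORTI_RE.search(alert.get("full_log", "")):
            return True
    return False


def diagnose(alert_lines, archive_lines):
    """Map the two presence checks onto the three outcomes described in the thread."""
    if fortigate_in_alerts(alert_lines):
        return "alerted-not-indexed"     # decoded and alerted: look at Filebeat / indexer
    if fortigate_in_archives(archive_lines):
        return "received-not-alerted"    # monitored but not decoded: test decoders / rules
    return "not-received"                # nothing arrived: check Fortigate target, port, allowed-ips


def source_allowed(src_ip, allowed_ips):
    """Check whether src_ip falls inside any <allowed-ips> entry.
    Assumption: a host/prefix entry (172.27.0.5/24) is treated as its containing network."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(entry, strict=False) for entry in allowed_ips)
```

Run diagnose() over the real /var/ossec/logs/alerts/alerts.json and /var/ossec/logs/archives/archives.log contents once <logall> is enabled; source_allowed() is only a sanity check on the configured ranges, not a substitute for the manager's own acceptance decision.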