Fortigate logs to Wazuh
3,927 views
Skip to first unread message
shabajda
Aug 7, 2023, 7:26:27 AM8/7/23
to Wazuh mailing list
Hello Wazuh team,
I need help with set up Fortigate logs to Wazuh interface.
So far I did all needed steps, but I can´t see the logs.
1) Configred Fortigate to forward logs to Wazuh manager
2) Configured Wazuh to receive logs from Fortigate
3) Checked logs:
tail -n 1000 /var/ossec/logs/archives/archives.json | grep "192.168.36.1"
4) Checked if port 514 is listening:
root@wazuh:/etc# netstat -ln | grep 514
tcp 0 0 0.0.0.0:1514 0.0.0.0:* LISTEN
tcp 0 0 192.168.40.54:514 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1514 0.0.0.0:* LISTEN
tcp 0 0 192.168.40.54:514 0.0.0.0:* LISTEN
Can you please help me?
Thank you!
Chantal Belen Kelm
Aug 7, 2023, 8:40:41 AM8/7/23
to Wazuh mailing list
Hello, how is your environment set up, what versions are you using?
shabajda
Aug 7, 2023, 9:06:13 AM8/7/23
to Wazuh mailing list
Hello,
Fortigate v7.2.5 build1517
Ubuntu 22.04.2 LTS
Configuration on Fortigate:
config log syslogd3 setting
set status enable
set server "192.168.40.54"
set source-ip "192.168.40.1"
set status enable
set server "192.168.40.54"
set source-ip "192.168.40.1"
Configuration on Wazuh:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp, tcp</protocol>
<allowed-ips>192.168.36.1</allowed-ips>
<local_ip>192.168.40.54</local_ip>
</remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp, tcp</protocol>
<allowed-ips>192.168.36.1</allowed-ips>
<local_ip>192.168.40.54</local_ip>
</remote>
Dne pondělí 7. srpna 2023 v 14:40:41 UTC+2 uživatel Chantal Belen Kelm napsal:
Chantal Belen Kelm
Aug 7, 2023, 11:31:10 AM8/7/23
to Wazuh mailing list
What you would need to do first is make sure that the Fortigate logs are being received and parsed by the manager, you can enable the archives that store the events in archives.log and archives.json. Once you see that Fortigate logs are being written to those files, it is assumed that the handler should be parsing them.
So the next step is to take one of the Fortigate logs and with the wazuh-logtest tool see if the log is decoded by the decoders you have and then see if any of the rules match.
If there is any rule that is matched and its level is equal or higher than the minimum level configured in the manager to generate alerts, then the alert will be generated.
If the Fortigate log is received and no decoder is able to decode it, you will have to add a custom decoder.
If the Fortigate log is received and decoded correctly, you may not be matching any of the rules. In case you want to be alerted about some circumstance, and there is no rule for it, you would have to create one.
The log has to be received by the manager so that it can be analyzed by it, if it is not being received due to a bad configuration, it will be impossible to see any alert.
If there is any rule that is matched and its level is equal or higher than the minimum level configured in the manager to generate alerts, then the alert will be generated.
If the Fortigate log is received and no decoder is able to decode it, you will have to add a custom decoder.
If the Fortigate log is received and decoded correctly, you may not be matching any of the rules. In case you want to be alerted about some circumstance, and there is no rule for it, you would have to create one.
The log has to be received by the manager so that it can be analyzed by it, if it is not being received due to a bad configuration, it will be impossible to see any alert.
shabajda
Aug 8, 2023, 1:19:17 AM8/8/23
to Wazuh mailing list
Is it possible provide me step by step quide please?
Dne pondělí 7. srpna 2023 v 17:31:10 UTC+2 uživatel Chantal Belen Kelm napsal:
Chantal Belen Kelm
Aug 8, 2023, 2:53:19 PM8/8/23
to Wazuh mailing list
What you would need to do first is make sure that the Fortigate logs are being received and parsed by the manager, you can enable the archives that store the events in archives.log and archives.json. What archives does is to save all the logs that the manager received regardless of whether they triggered an alert or not.
To enable the archives storing the events in archives.log and archives.json you should follow this guide
Once they are enabled, you should look in the archives.json or archives.log to see if you are receiving those logs. Once you see that Fortigate logs are being written to those files, it is assumed that the handler should be parsing them. Something VERY IMPORTANT is that once you don't need it, deactivate it, since it generates a high amount of data and can occupy a large part of your storage space, even bringing problems in the future.
So the next step is to take one of the Fortigate logs and with the wazuh-logtest tool see if the log is decoded by the decoders you have and then see if any of the rules match. You can follow this guide
Once they are enabled, you should look in the archives.json or archives.log to see if you are receiving those logs. Once you see that Fortigate logs are being written to those files, it is assumed that the handler should be parsing them. Something VERY IMPORTANT is that once you don't need it, deactivate it, since it generates a high amount of data and can occupy a large part of your storage space, even bringing problems in the future.
So the next step is to take one of the Fortigate logs and with the wazuh-logtest tool see if the log is decoded by the decoders you have and then see if any of the rules match. You can follow this guide
If there is any rule that is matched and its level is equal or higher than the minimum level configured in the manager to generate alerts, then the alert will be generated.
If the Fortigate log is received and no decoder is able to decode it, you will have to add a custom decoder. You can follow this guide
If the Fortigate log is received and decoded correctly, you may not be matching any of the rules. In case you want to be alerted about some circumstance, and there is no rule for it, you would have to create one. You can follow this guide
See this example for more information on how to create custom rules and decoders.
If the Fortigate log is received and decoded correctly, you may not be matching any of the rules. In case you want to be alerted about some circumstance, and there is no rule for it, you would have to create one. You can follow this guide
See this example for more information on how to create custom rules and decoders.
The log has to be received by the manager so that it can be analyzed by it, if it is not being received due to a bad configuration, it will be impossible to see any alert.
shabajda
Aug 9, 2023, 5:50:57 AM8/9/23
to Wazuh mailing list
>>>>
What you would need to do first is make sure that the Fortigate
logs are being received and parsed by the manager, you can enable the
archives that store the events in archives.log and archives.json. What
archives does is to save all the logs that the manager received
regardless of whether they triggered an alert or not.
To enable the archives storing the events in archives.log and archives.json you should follow this guide
Once they are enabled, you should look in the archives.json or archives.log to see if you are receiving those logs. Once you see that Fortigate logs are being written to those files, it is assumed that the handler should be parsing them. Something VERY IMPORTANT is that once you don't need it, deactivate it, since it generates a high amount of data and can occupy a large part of your storage space, even bringing problems in the future.
Once they are enabled, you should look in the archives.json or archives.log to see if you are receiving those logs. Once you see that Fortigate logs are being written to those files, it is assumed that the handler should be parsing them. Something VERY IMPORTANT is that once you don't need it, deactivate it, since it generates a high amount of data and can occupy a large part of your storage space, even bringing problems in the future.
>>>>
I do not se any FW log in archives.json/log, so to configuration is probably wrong?
Fortigate IP: 192.168.36.1
Wazuh IP: 192.168.40.54
Fortigate configuration:
config log syslogd3 setting
set status enable
set server "192.168.40.54"
set source-ip "192.168.40.1"
set status enable
set server "192.168.40.54"
set source-ip "192.168.40.1"
Wazuh configuration:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp, tcp</protocol>
<allowed-ips>192.168.36.1</allowed-ips>
<local_ip>192.168.40.54</local_ip>
</remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp, tcp</protocol>
<allowed-ips>192.168.36.1</allowed-ips>
<local_ip>192.168.40.54</local_ip>
</remote>
This is what I configured, is anything missing or is anything wrong?
Thank you.
Dne úterý 8. srpna 2023 v 20:53:19 UTC+2 uživatel Chantal Belen Kelm napsal:
Chantal Belen Kelm
Aug 9, 2023, 8:11:05 AM8/9/23
to Wazuh mailing list
Have you made the configurations following any guide?
shabajda
Aug 9, 2023, 9:40:19 AM8/9/23
to Wazuh mailing list
Yes I did, for example this:
I followed also some hints from forum.
Dne středa 9. srpna 2023 v 14:11:05 UTC+2 uživatel Chantal Belen Kelm napsal:
Chantal Belen Kelm
Aug 9, 2023, 12:34:05 PM8/9/23
to Wazuh mailing list
According to the documentation you have to write the IP followed by the network submask
For example:
Note that the manager should be on the same subnet as the device or have communication between them to be able to see each other
For example:
<ossec_config>
<remote>
<connection>syslog</connection>
<port>513</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.2.0/24</allowed-ips>
</remote>
</ossec_config>
<remote>
<connection>syslog</connection>
<port>513</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.2.0/24</allowed-ips>
</remote>
</ossec_config>
Note that the manager should be on the same subnet as the device or have communication between them to be able to see each other
shabajda
Aug 10, 2023, 7:24:44 AM8/10/23
to Wazuh mailing list
I changed from direct IP to network submask, also changed FW IP so it has the same subnet as manager.
Still no logs visible
Dne středa 9. srpna 2023 v 18:34:05 UTC+2 uživatel Chantal Belen Kelm napsal:
Chantal Belen Kelm
Aug 10, 2023, 11:48:16 AM8/10/23
to Wazuh mailing list
Could you show me the changes you made?. Verify that you have communication between the two machines, also could you verify that you don't have any firewall blocking port 514?
shabajda
Aug 11, 2023, 1:06:50 AM8/11/23
to Wazuh mailing list
I changed configuration on manager side:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp, tcp</protocol>
<connection>syslog</connection>
<port>514</port>
<protocol>udp, tcp</protocol>
<allowed-ips>192.168.40.0/24</allowed-ips>
</remote>
</remote>
Removed this <local_ip>192.168.40.54</local_ip>
This is probably why I do not see local IP in netstat output for port 514 anymore?
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
I've checked FW logs for source IP:
192.168.40.1 to destination IP: 192.168.40.54 and destination port: 514
Traffic is visible and accepted.
Is there another way how to verify the communication between?
Dne čtvrtek 10. srpna 2023 v 17:48:16 UTC+2 uživatel Chantal Belen Kelm napsal:
Rudy Gevaert
Aug 11, 2023, 4:02:55 AM8/11/23
to Wazuh mailing list
U can use nc to check if you can connect:
root@myclient:~# nc -znv mywazuh 1514 1515 514
(UNKNOWN) [mywazuh] 1514 (?) open
(UNKNOWN) [mywazuh] 1515 (?) open
(UNKNOWN) [mywazuh] 514 (shell) open
on the cli pass the hostname/ip and the ports you want to check:
root@myclient:~# nc -znv mywazuh 1514 1515 514
(UNKNOWN) [mywazuh] 1514 (?) open
(UNKNOWN) [mywazuh] 1515 (?) open
(UNKNOWN) [mywazuh] 514 (shell) open
shabajda
Aug 11, 2023, 6:16:37 AM8/11/23
to Wazuh mailing list
root@wazuh:/var/ossec/etc# nc -zv 192.168.40.54 514 1515 1514
Connection to 192.168.40.54 514 port [tcp/shell] succeeded!
Connection to 192.168.40.54 1515 port [tcp/*] succeeded!
Connection to 192.168.40.54 1514 port [tcp/*] succeeded!
Connection to 192.168.40.54 514 port [tcp/shell] succeeded!
Connection to 192.168.40.54 1515 port [tcp/*] succeeded!
Connection to 192.168.40.54 1514 port [tcp/*] succeeded!
Dne pátek 11. srpna 2023 v 10:02:55 UTC+2 uživatel Rudy Gevaert napsal:
Chantal Belen Kelm
Aug 11, 2023, 10:40:08 AM8/11/23
to Wazuh mailing list
Let's check step 1 again:
What you would need to do first is make sure that the Fortigate logs are being received and parsed by the manager, you can enable the archives that store the events in archives.log and archives.json. What archives does is to save all the logs that the manager received regardless of whether they triggered an alert or not.
To enable the archives storing the events in archives.log and archives.json you should follow this guide
Once they are enabled, you should look in the archives.json or archives.log to see if you are receiving those logs. Once you see that Fortigate logs are being written to those files, it is assumed that the handler should be parsing them. Something VERY IMPORTANT is that once you don't need it, deactivate it, since it generates a high amount of data and can occupy a large part of your storage space, even bringing problems in the future.
Once they are enabled, you should look in the archives.json or archives.log to see if you are receiving those logs. Once you see that Fortigate logs are being written to those files, it is assumed that the handler should be parsing them. Something VERY IMPORTANT is that once you don't need it, deactivate it, since it generates a high amount of data and can occupy a large part of your storage space, even bringing problems in the future.
and check for error logs with: cat /var/ossec/logs/ossec.log | grep -iE 'WARN|ERR'
shabajda
Aug 16, 2023, 3:13:02 AM8/16/23
to Wazuh mailing list
So I did enable the archvie logs, no FW log visible.
This is the only output from:
root@wazuh:/var/ossec/etc# cat /var/ossec/logs/ossec.log | grep -iE 'WARN|ERR'2023/08/16 02:01:27 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
I don´t know what I´m doing wrong..
Dne pátek 11. srpna 2023 v 16:40:08 UTC+2 uživatel Chantal Belen Kelm napsal:
Chantal Belen Kelm
Aug 17, 2023, 9:16:35 AM8/17/23
to Wazuh mailing list
Try disabling the Ubuntu firewall:
sudo systemctl stop ufw
sudo systemctl stop ufw
shabajda
Aug 18, 2023, 2:25:13 AM8/18/23
to Wazuh mailing list
FW is disabled, but still no logs from FW.
Dne čtvrtek 17. srpna 2023 v 15:16:35 UTC+2 uživatel Chantal Belen Kelm napsal:
Chantal Belen Kelm
Aug 18, 2023, 8:52:10 AM8/18/23
to Wazuh mailing list
Check if you have logs in logs/firewall/firewall.log
Chantal Belen Kelm
Aug 18, 2023, 8:58:28 AM8/18/23
to Wazuh mailing list
Check if you have logs in logs/firewall/firewall.log
and I also wanted to ask if you have actual sample logs.Remember to cover all sensitive information
shabajda
Aug 22, 2023, 1:49:31 AM8/22/23
to Wazuh mailing list
No logs in
logs/firewall/firewall.log
>>>
and I also wanted to ask if you have actual sample logs.
What exactly you need?
Dne pátek 18. srpna 2023 v 14:58:28 UTC+2 uživatel Chantal Belen Kelm napsal:
Chantal Belen Kelm
Aug 22, 2023, 10:24:58 AM8/22/23
to Wazuh mailing list
Can you extract any actual logs, directly from the firewall, so I can analyze them?
shabajda
Aug 23, 2023, 1:26:22 AM8/23/23
to Wazuh mailing list
You mean directly from Fortigate?
Here it is:
Message meets Alert condition
date=2023-08-23 time=07:24:10 devname=PBS_VelkaBites-FG200F_no1 devid=FG200FT921906200 eventtime=1692768249528924235 tz="+0200" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1692768249" user="user" ui="https(x.x.x.x)" method="https" srcip=192.168.X.X dstip=192.168.X.X action="login" status="success" reason="none" profile="super_admin" msg="Administrator sabacky logged in successfully from https(192.168.X.X)"
date=2023-08-23 time=07:24:10 devname=PBS_VelkaBites-FG200F_no1 devid=FG200FT921906200 eventtime=1692768249528924235 tz="+0200" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1692768249" user="user" ui="https(x.x.x.x)" method="https" srcip=192.168.X.X dstip=192.168.X.X action="login" status="success" reason="none" profile="super_admin" msg="Administrator sabacky logged in successfully from https(192.168.X.X)"
Dne úterý 22. srpna 2023 v 16:24:58 UTC+2 uživatel Chantal Belen Kelm napsal:
Chantal Belen Kelm
Aug 24, 2023, 9:36:14 AM8/24/23
to Wazuh | Mailing List
According to the issue: Decoders: add mandatory fields when using firewall type #3231 are missing srcport, dstport and protocol, so this could be the reason why the alerts are not being generated (and the event is being dropped).
A workaround would be to disable the statistics in case you don't need them.
A workaround would be to disable the statistics in case you don't need them.
shabajda
Aug 28, 2023, 6:35:55 AM8/28/23
to Wazuh | Mailing List
>>> A workaround would be to disable the statistics in case you don't need them.
How can I disable it please ?Dne čtvrtek 24. srpna 2023 v 15:36:14 UTC+2 uživatel Chantal Belen Kelm napsal:
Message has been deleted
Chantal Belen Kelm
Aug 28, 2023, 9:03:34 AM8/28/23
to Wazuh | Mailing List
shabajda
Oct 9, 2023, 6:52:37 AM10/9/23
to Wazuh | Mailing List
I do not know which value should I modify.
Dne pondělí 28. srpna 2023 v 15:03:34 UTC+2 uživatel Chantal Belen Kelm napsal:
Reply all
Reply to author
Forward
0 new messages