Fortigate syslog error


David Martinez

Jan 15, 2025, 10:57:41 AM
to Wazuh | Mailing List
I have enabled wazuh syslog to receive information from fortigate, but after configuring everything, I don't see any forti information displayed in wazuh. There are no errors in the logs.
What could be happening?

I use wazuh 4.7.5

Sławomir Sęk

Jan 15, 2025, 11:00:25 AM
to David Martinez, Wazuh | Mailing List
Have you configured syslog? Have you configured your Wazuh agent? How did you configure it? Did you provide the path with the syslog fg logs?

Sent from Gmail on iPad



David Martinez

Jan 15, 2025, 11:07:06 AM
to Wazuh | Mailing List
In wazuh-server, I put:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>XXXXXX</allowed-ips>
  <local_ip>YYYYYYY</local_ip>
</remote>

Then, in FortiGate I activated syslog sending.

Olamilekan Abdullateef Ajani

Jan 15, 2025, 11:34:31 AM
to Wazuh | Mailing List
Hello David,

Could you please confirm network reachability between the FortiGate appliance and the Wazuh server on port 514?

Once you forward the logs to Wazuh, you need to create custom decoders and rules to decode them and trigger the rules configured for alerts.

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file to confirm the logs are reaching Wazuh:

<ossec_config>
  <global>
    ----  
    <logall>no</logall>
    <logall_json>yes</logall_json>
   
   -----
  </global>

  -----
</ossec_config>

Then restart the Wazuh manager:
systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep -i -E "part of your log"

Verify that you have the logs, then disable archiving by setting the values to no.
Once the above steps are completed, you can examine the sample logs to verify they have all you need, then proceed to writing decoders and rules. I have shared some documentation guides below.

Please reach out if you have any questions.

Ref:
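
A small triage script for the archive check described above, added here as an example and not code from the thread or from Wazuh: it reads archives.json lines, splits them into received, undecoded and rule-matched events, and counts the events whose rule level reaches the manager's alert threshold (assumed to be the default log_alert_level of 3), which is the precondition for an event ever becoming an alert. The sample lines are constructed to mirror the FortiGate SSL VPN event shape shown later in the thread; the handling of undecoded events (empty decoder object, no rule key) and the source IP 192.0.2.10 are assumptions.

```python
import json
import sys
from collections import Counter

# Constructed sample of archives.json lines (not the poster's data). Line 1 mirrors the
# Fortigate SSL VPN event shown in the thread, line 2 is a line no decoder matched, and
# line 3 is a decoded event whose rule level sits below the default alert threshold.
SAMPLE_ARCHIVE_LINES = [
    json.dumps({
        "timestamp": "2025-01-15T13:16:01.963+0000",
        "rule": {"level": 4, "id": "81614",
                 "description": "Fortigate: SSL VPN user failed login attempt.",
                 "groups": ["fortigate", "syslog", "authentication_failed"]},
        "full_log": 'date=2025-01-15 time=14:16:01 devname="NAME" type="event" '
                    'subtype="vpn" action="ssl-login-fail"',
        "decoder": {"name": "fortigate-firewall-v6"},
        "location": "192.0.2.10",
    }),
    json.dumps({
        "timestamp": "2025-01-15T13:16:05.000+0000",
        "full_log": "a line that none of the loaded decoders recognised",
        "decoder": {},  # assumption: undecoded events carry an empty decoder object and no rule key
        "location": "192.0.2.10",
    }),
    json.dumps({
        "timestamp": "2025-01-15T13:16:09.000+0000",
        "rule": {"level": 2, "id": "81600", "description": "Fortigate: generic event.",
                 "groups": ["fortigate"]},
        "full_log": 'date=2025-01-15 time=14:16:09 devname="NAME" type="traffic"',
        "decoder": {"name": "fortigate-firewall-v6"},
        "location": "192.0.2.10",
    }),
]

# Wazuh's default <log_alert_level>; events below it are archived but never become alerts.
DEFAULT_LOG_ALERT_LEVEL = 3


def summarize_archives(lines, source=None, alert_level=DEFAULT_LOG_ALERT_LEVEL):
    """Classify archives.json lines, optionally restricted to one syslog source ("location").

    The counters separate the three failure modes a missing dashboard alert can hide:
    nothing received, received but not decoded, decoded but below the alert threshold.
    """
    summary = {
        "received": 0,          # lines attributed to the selected source
        "undecoded": 0,         # no decoder matched: the log never reaches a rule
        "decoders": Counter(),  # decoder name -> event count
        "rules": Counter(),     # rule id -> times fired
        "expected_alerts": 0,   # events whose level reaches alert_level
        "malformed": 0,         # lines that were not valid JSON
    }
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            summary["malformed"] += 1
            continue
        if source is not None and event.get("location") != source:
            continue
        summary["received"] += 1
        decoder = (event.get("decoder") or {}).get("name")
        if not decoder:
            summary["undecoded"] += 1
            continue
        summary["decoders"][decoder] += 1
        rule = event.get("rule")
        if rule:
            summary["rules"][str(rule.get("id"))] += 1
            if int(rule.get("level", 0)) >= alert_level:
                summary["expected_alerts"] += 1
    return summary


def summarize_file(path, source=None):
    """Same check over a real file, e.g. /var/ossec/logs/archives/archives.json."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize_archives(fh, source=source)


if __name__ == "__main__":
    # Pass a path (and optionally the sender IP) to run against a real file; otherwise use the sample.
    if len(sys.argv) > 1:
        result = summarize_file(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        result = summarize_archives(SAMPLE_ARCHIVE_LINES)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it as `python3 archives_triage.py /var/ossec/logs/archives/archives.json <firewall-ip>` once logall_json is on. A high "received" with a high "undecoded" points at the decoders; a healthy "decoders" count with "expected_alerts" at zero points at rule levels; and events counted under "expected_alerts" that still never reach the dashboard move the problem downstream of the manager, to Filebeat and the indexer.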

Sławomir Sęk

Jan 15, 2025, 12:27:56 PM
to David Martinez, Wazuh | Mailing List
Agent: copy the last copy and provide the location of your logs; fwg in syslog, enable UDP and add the address of your fwg gateway. Make a template for their collection; you can find a description on Google.


Message written by David Martinez <seda...@gmail.com> on 15.01.2025 at 17:07:

In wazuh-server, I put:

David Martinez

Jan 15, 2025, 12:31:23 PM
to Wazuh | Mailing List
Doing the indicated steps, this rule appears for me:

{"timestamp":"2025-01-15T13:16:01.963+0000","rule":{"level":4,"description":"Fortigate: SSL VPN user failed login attempt.","id":"81614","firedtimes":3,"mail":false,"groups":["fortigate","syslog","authentication_failed","invalid_login"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuhsiem"},"manager":{"name":"wazuhsiem"},"id":"1736946961.202043626","full_log":"date=2025-01-15 time=14:16:01 devname=\"NAME\" devid=\"ID\" eventtime=1736946961953605170 tz=\"+0100\" logid=\"0101039426\" type=\"event\" subtype=\"vpn\" level=\"alert\" vd=\"root\" logdesc=\"SSL VPN login fail\" action=\"ssl-login-fail\" tunneltype=\"ssl-web\" tunnelid=0 remip=IP user=\"XXXX\" group=\"N/A\" dst_host=\"N/A\" reason=\"sslvpn_login_permission_denied\" msg=\"SSL user failed to logged in\"","decoder":{"name":"fortigate-firewall-v6"},"data":{"action":"ssl-login-fail","dstuser":"XXXX","eventtime":"1736946961953605170","ip":"IP","level":"alert","logdesc":"SSL VPN login fail","logid":"0101039426","msg":"SSL user failed to logged in","reason":"sslvpn_login_permission_denied","subtype":"vpn","time":"14:16:01","type":"event","vd":"root"},"location":"IP"}

This is the information I'm looking for, but it doesn't appear on the web. However, here you can see how the information arrives and Wazuh processes it correctly (because it can be seen that it has passed through the decoder and rule).

Sławomir Sęk

Jan 15, 2025, 12:38:42 PM
to David Martinez, Wazuh | Mailing List
OK, you're collecting the logs. See ossec.conf (/var/ossec/etc/ossec.conf):

<localfile>
  <location>/var/log/log_fgw*</location>
  <log_format>syslog</log_format>
</localfile>

What is your FortiOS version? If it's higher than 7.0, you'll probably need a new decoder and parser, but you can find it in the group.

Message written by David Martinez <seda...@gmail.com> on 15.01.2025 at 18:31:

Sławomir Sęk

Jan 15, 2025, 12:40:32 PM
to David Martinez, Wazuh | Mailing List

David Martinez

Jan 15, 2025, 1:03:28 PM
to Wazuh | Mailing List
Thanks, but they are not necessary; it is version 6, as you can see in the event: "decoder":{"name":"fortigate-firewall-v6" and the rule "id":"81614".

David Martinez

Jan 15, 2025, 2:08:40 PM
to Wazuh | Mailing List
It seems that everything is fine, but the alerts are not displayed in Wazuh.

Olamilekan Abdullateef Ajani

Jan 17, 2025, 3:22:09 AM
to Wazuh | Mailing List
Hello David,

From what you have mentioned, you can see the alerts in the archives.json file and they have been decoded.

Let's try and run some checks.

  • Check the status of Filebeat; if it is working correctly, the output should be OK.
filebeat test output

  • Verify the Wazuh indexer health and please share the output:
curl -k -u admin:<password> -XGET https://<127.0.0.1/indexer-ip>:9200/_cluster/health?pretty
(The IP address is the IP of your indexer if running a distributed architecture. The password is the password of your indexer, retrieved from wazuh-install-files/wazuh-passwords.txt initially while deploying.)

  • Also check the Wazuh indices by running the command below.
curl -k -u <INDEXER_USERNAME>:<INDEXER_PASSWORD> https://<INDEXER_IP_ADDRESS>:9200/_cat/indices/wazuh-*?v

  • Let's also check for errors in the indexer cluster:
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE "error|crit|fatal|warn"

  • Lastly, we need to check the Filebeat logs of the same day the FortiGate logs were forwarded:
cat /var/log/filebeat/filebeat* | grep -i -E "error|warn"


Please share the outputs of all these commands to help isolate the issue.
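
The checks in this post combined into one script, added here as an example (not the poster's or Wazuh's own code): it parses a _cluster/health body, the _cat/indices?v table and Filebeat log lines, and reports anything on the manager-to-dashboard path that would keep decoded events from appearing as alerts. All three inputs are constructed samples embedded inline; the index-name pattern wazuh-alerts-4.x-YYYY.MM.DD is the default Filebeat naming in Wazuh 4.x and is an assumption about this deployment, as are the sample log messages.

```python
import json
import re

# --- Constructed sample outputs (not from the thread) -----------------------------------
# Body of GET /_cluster/health?pretty, trimmed to the fields the check uses.
SAMPLE_CLUSTER_HEALTH = json.dumps({
    "cluster_name": "wazuh-cluster", "status": "yellow",
    "number_of_nodes": 1, "active_shards": 12, "unassigned_shards": 3,
})

# Output of GET /_cat/indices/wazuh-*?v (whitespace-aligned table with a header row).
SAMPLE_CAT_INDICES = """\
health status index                        uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2025.01.14  AbCdEfGh1234567890ab   3   0       5120            0      4.1mb          4.1mb
yellow open   wazuh-alerts-4.x-2025.01.15  ZyXwVuTs0987654321zy   3   1        850            0    900.2kb        900.2kb
green  open   wazuh-monitoring-2025.3w     MnOpQrSt1122334455mn   1   0        120            0     60.4kb         60.4kb
"""

# Lines in the style of /var/log/filebeat/filebeat (tab-separated level and message); constructed.
SAMPLE_FILEBEAT_LOG = [
    "2025-01-15T13:20:00.000Z\tINFO\t[monitoring]\tlog/log.go:184\tNon-zero metrics in the last 30s",
    "2025-01-15T13:20:31.000Z\tERROR\t[publisher_pipeline_output]\tpipeline/output.go:154\t"
    "Failed to connect to backoff(elasticsearch(https://127.0.0.1:9200)): connection refused",
    "2025-01-15T13:21:02.000Z\tWARN\t[elasticsearch]\telasticsearch/client.go:408\t"
    "Cannot index event: 401 Unauthorized",
]

ALERT_INDEX_PREFIX = "wazuh-alerts-4.x-"  # assumption: default Wazuh 4.x Filebeat index naming
PROBLEM_PATTERN = re.compile(r"error|crit|fatal|warn", re.IGNORECASE)  # same terms as the greps above


def parse_cluster_health(text):
    """Return (status, findings) from the _cluster/health JSON body."""
    health = json.loads(text)
    status = health.get("status", "unknown")
    findings = []
    if status != "green":
        findings.append(f"cluster status is {status} "
                        f"({health.get('unassigned_shards', 0)} unassigned shards)")
    return status, findings


def parse_cat_indices(text):
    """Turn the _cat/indices?v table into a list of dicts keyed by the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        values = ln.split()
        if len(values) != len(header):
            continue  # skip a wrapped or truncated row rather than mis-assign columns
        rows.append(dict(zip(header, values)))
    return rows


def check_alert_index(indices, day):
    """Findings about the alerts index for `day` (ISO date such as "2025-01-15")."""
    name = ALERT_INDEX_PREFIX + day.replace("-", ".")
    match = [idx for idx in indices if idx.get("index") == name]
    if not match:
        return [f"no index {name}: Filebeat has not shipped any alert for that day"]
    idx = match[0]
    findings = []
    if idx.get("status") != "open":
        findings.append(f"{name} is {idx.get('status')}, not open")
    if idx.get("health") == "red":
        findings.append(f"{name} is red: primary shards unavailable")
    return findings


def scan_log(lines):
    """Return the log lines the grep in the post would have surfaced."""
    return [ln for ln in lines if PROBLEM_PATTERN.search(ln)]


def triage(health_text, cat_indices_text, filebeat_lines, day):
    """Combine the three checks; an empty list means the shipping path looks healthy."""
    findings = []
    _, cluster_findings = parse_cluster_health(health_text)
    findings.extend(cluster_findings)
    findings.extend(check_alert_index(parse_cat_indices(cat_indices_text), day))
    for ln in scan_log(filebeat_lines):
        findings.append("filebeat: " + ln.split("\t")[-1])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CLUSTER_HEALTH, SAMPLE_CAT_INDICES,
                          SAMPLE_FILEBEAT_LOG, "2025-01-15"):
        print("-", finding)
```

On a real host, feed the functions the bodies of the two curl commands and the contents of /var/log/filebeat/filebeat*. A yellow cluster on a single node is usually only unassigned replicas and does not by itself block alerts; a missing alerts index for the day, or a Filebeat connection or 401 error, does.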

David Martinez

Jan 18, 2025, 8:45:11 PM
to Wazuh | Mailing List
We finally set up an intermediate server with rsyslog and the Wazuh agent, and this is how it works.

Thanks to everyone for the help!