Putting Fortigate log into Wazuh


KevinK Leung

Jul 12, 2022, 6:09:13 AM
to Wazuh mailing list

Hello Team

 

I have configured the FortiGate to send syslog to the Wazuh server, and I have made the configuration below. But it looks like no logs were sent to the Wazuh server. What can I try further?

I have done this part:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>LAN_IP_RANGE</allowed-ips>
  <local_ip>WAZUH SERVER IP</local_ip>
</remote>

 

The log file (/var/log/messages) has the entries below:

 

 

Jul 12 17:58:10 wazuh opensearch-dashboards: {"type":"response","@timestamp":"2022-07-12T09:58:10Z","tags":[],"pid":24958,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"WAZUH_IP","connection":"keep-alive","sec-ch-ua":"\".Not/A)Brand\";v=\"99\", \"Google Chrome\";v=\"103\", \"Chromium\";v=\"103\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","id":"default","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://WAZUH_IP/app/wazuh","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"PC_IP","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","referer":"https://WAZUH_IP/app/wazuh"},"res":{"statusCode":200,"responseTime":67,"contentLength":9},"message":"GET /hosts/apis 200 67ms - 9.0B"}

Jul 12 17:58:10 wazuh opensearch-dashboards: {"type":"response","@timestamp":"2022-07-12T09:58:10Z","tags":[],"pid":24958,"method":"get","statusCode":200,"req":{"url":"/api/saved_objects/_find?type=index-pattern&fields=title&fields=fields&per_page=9999","method":"get","headers":{"host":"WAZUH_IP","connection":"keep-alive","sec-ch-ua":"\".Not/A)Brand\";v=\"99\", \"Google Chrome\";v=\"103\", \"Chromium\";v=\"103\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","id":"default","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://WAZUH_IP/app/wazuh","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"PC_IP","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","referer":"https://WAZUH_IP/app/wazuh"},"res":{"statusCode":200,"responseTime":71,"contentLength":9},"message":"GET /api/saved_objects/_find?type=index-pattern&fields=title&fields=fields&per_page=9999 200 71ms - 9.0B"}

Jul 12 18:01:02 wazuh systemd: Created slice User Slice of root.

Jul 12 18:01:02 wazuh systemd: Started Session 958 of user root.

 

[root@wazuh decoders]# cat fortigate_custom.xml
<decoder name="fortigate-firewall-v3">
    <prematch>^date=\S+ time=\.+ devname=\S+ devid=\S+ logid=\S+ type=\S+ subtype=\S+ </prematch>
</decoder>

<decoder name="fortigate-firewall-v3-child">
    <parent>fortigate-firewall-v3</parent>
    <regex>^date=(\S+) time=(\.+) devname="(\S+)" devid="(\S+)" logid="(\S+)" type="(\S+)" subtype="(\S+)" </regex>
    <order>date, time, devname, devid, logid, type, subtype</order>
</decoder>

<decoder name="fortigate-firewall-v3-child">
    <parent>fortigate-firewall-v3</parent>
    <regex offset="after_parent"> srcip=(\S+) </regex>
    <order>srcip</order>
</decoder>

<decoder name="fortigate-firewall-v3-child">
    <parent>fortigate-firewall-v3</parent>
    <regex offset="after_parent"> proto=(\d+) </regex>
    <order>protocol</order>
</decoder>

<decoder name="fortigate-firewall-v3-child">
    <parent>fortigate-firewall-v3</parent>
    <regex offset="after_regex"> msg="(\.+)" </regex>
    <order>message</order>
</decoder>
[root@wazuh decoders]# pwd
/var/ossec/etc/decoders

 

 

Kevin Leung

IT Security Specialist

Easy Great Technology Limited

https://www.ecg-tech.com/

+852 5483 2178

 

Javier Bejar

Jul 12, 2022, 8:47:07 AM
to Wazuh mailing list
Hello Kevin,

You can verify if the Wazuh manager is listening on port 514 with:
netstat -tunap | grep :514

If you do see it there then it could be that the message being transmitted isn't triggering any alert.

You may see the message with
tcpdump -i any port 514 -AA

The output of this will contain trailing characters, mostly dots. For example:
........'_v.....E..F..@.@.#...G...G..@...2..<187>Feb 14 08:31:23 agent programname: test................

You may take the message after the syslog priority (<187>) and paste it into the ossec-logtest utility on the manager:
echo "Feb 14 08:31:23 agent programname: test" | /var/ossec/bin/ossec-logtest
And this will explain the behavior the manager will take with such a message.

Best Regards,
Javier Bejar.

Jonathan José Levy Gil

Aug 22, 2022, 1:30:44 PM
to Wazuh mailing list
Hi Kevin !

Let me try to help a bit here. I see you are using a customized decoder? Wazuh already has decoders and rules for Fortigate up to version 6.2, so it is able to parse these logs by default. Do you need anything specific?

Regarding your question, there are two ways to send syslog events to Wazuh. The first one is exactly as you are doing, using a custom port (remote syslog); in this case it is important to ensure that the Wazuh manager is receiving connections on port 514. I recommend installing "net-tools" and "tcpdump" to ease these admin tasks. After that, you should be able to see something like this:

Checking that the wazuh-remoted process is listening on port 514:

# netstat -tulnp | grep 514 
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 11396/wazuh-remoted

Checking that packets are reaching the manager:

# tcpdump -i any <protocol> -nn port 514 -AA

There should be some output if the packets are reaching the manager through that port. Make sure your firewall is allowing connections on that port. The protocol refers to tcp or udp; use the same one you set in the remote section:

<remote> 
     <connection>syslog</connection> 
     <port>514</port> 
     <protocol>tcp</protocol> 
     <allowed-ips>firewall_ip</allowed-ips> 
</remote>

The other way is to use an rsyslog (Linux) or Logstash (Windows) server to dump the syslog events into a file and then have Wazuh read the file that is generated.

Furthermore, like I mentioned at the beginning regarding log parsing, Wazuh's rules have been designed to identify security issues in your endpoints. Out of the box, Wazuh is going to alert you about events that it identifies as having security relevance, and these alerts are the ones you are going to see in your dashboard under the Security Events tab; other events are going to be ignored by default based on Wazuh's ruleset classification. You can modify the alert level threshold in order to ingest events with a lower-level rule classification, or you can also ingest all logs, whether they trip a rule or not, by enabling the "logall_json" option in the manager. This will allow Wazuh to ingest all events, and it is especially useful if you want to design new decoders by checking the logs as they are coming in raw.

First, to ingest all logs you will need to:
  • Edit /var/ossec/etc/ossec.conf on your manager (or from the user interface)
  • Set  <logall_json> to yes.  <logall_json>yes</logall_json>
  • Save the changes and restart the "wazuh-manager" service
  • Monitor the output in the archive file in order to make sure that you are receiving the events:
tail -f /var/ossec/logs/archives/archives.json

If the events are reaching your manager, you will be able to see them by doing the above. You can filter only the events from your firewall by applying a filter, for example:

tail -f /var/ossec/logs/archives/archives.json | grep firewall_ip

Alerts will be stored in: /var/ossec/logs/alerts/alerts.(json|log)

Events of any kind will be stored in: /var/ossec/logs/archives/archives.(json|log)

Finally, in tune with Wazuh's ability to parse logs and identify security issues, by default it has over 4000 rules and over 1000 decoders, and more are being added frequently with each new release. However, it is important to test whether the existing ones can parse the logs successfully, as they may not cover all versions and types of logs. You can use Wazuh's "log test" tool in order to test any log sample and check if it can be parsed by default. Like I said, Wazuh has several rules for Fortigate up to v6; however, if you have a higher version, you can always customize the current ones or design your own decoders and rules from scratch following the documentation:

Custom rules and decoders:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
Creating rules and decoders from scratch:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

To access the “logtest” tool from the Dashboard you can go to:  Wazuh / Tools / Ruleset Test.

I hope this helps,
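Both replies above come down to the same loop: capture the raw payload (with tcpdump, or from archives.json once logall_json is on), strip the syslog priority, and check what the decoder would do with it. The script below is an added example that is not part of the thread and not Wazuh's own code; it does that loop offline in Python. It strips the `<PRI>` header and decodes facility/severity, parses FortiGate key=value fields (quoted values with spaces included), mirrors the positional prematch of Kevin's custom decoder to show when it stops firing, and pulls FortiGate events out of archives.json lines by sender. Assumptions: all sample log lines are constructed; the archives.json field names `location` and `full_log` are assumed to be where Wazuh stores the source and the raw message; the second sample line inserts `eventtime=` and `tz=` after `devid=`, as newer FortiOS releases do, to show why a strict field-order prematch can miss.

```python
"""Added example, not code from the thread or from Wazuh: parse FortiGate
syslog payloads as they appear in tcpdump output or in archives.json.
All sample lines below are constructed."""
import json
import re

# syslog <PRI> header: PRI = facility * 8 + severity (RFC 3164 / RFC 5424)
PRI_RE = re.compile(r"^<(\d{1,3})>")
# FortiGate key=value pairs: the value is a double-quoted string (may contain
# spaces and escaped quotes) or a bare token without whitespace
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Python rendering of the positional <prematch> in the thread's custom decoder
PREMATCH_RE = re.compile(
    r"^date=\S+ time=\S+ devname=\S+ devid=\S+ logid=\S+ type=\S+ subtype=\S+ ")
# FortiGate key -> the name used in the custom decoder's <order> lists
DECODER_FIELDS = {"date": "date", "time": "time", "devname": "devname",
                  "devid": "devid", "logid": "logid", "type": "type",
                  "subtype": "subtype", "srcip": "srcip",
                  "proto": "protocol", "msg": "message"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

# Constructed samples. LINE_V5 has the field order the prematch expects;
# LINE_V62 inserts eventtime= and tz= right after devid=, as newer FortiOS
# releases do, which is enough to make a positional prematch miss.
LINE_V5 = ('<189>date=2022-07-12 time=17:58:10 devname="FGT-LAB" '
           'devid="FGT60ETEST000001" logid="0000000013" type="traffic" '
           'subtype="forward" level="notice" vd="root" srcip=192.0.2.10 '
           'srcport=51515 dstip=198.51.100.7 dstport=443 proto=6 '
           'action="accept" policyid=3 msg="Forward traffic, accepted by policy"')
LINE_V62 = ('<189>date=2022-07-12 time=17:58:11 devname="FGT-LAB" '
            'devid="FGT60ETEST000001" eventtime=1657619891000000000 tz="+0800" '
            'logid="0000000013" type="traffic" subtype="forward" level="notice" '
            'vd="root" srcip=192.0.2.11 proto=17 msg="Forward traffic, accepted by policy"')
# Two constructed archives.json records; the field names "location" and
# "full_log" are assumed to be how Wazuh stores the source and the raw message.
ARCHIVE_LINES = [
    json.dumps({"timestamp": "2022-07-12T17:58:10.000+0800",
                "location": "203.0.113.1", "full_log": LINE_V5[5:]}),
    json.dumps({"location": "wazuh->/var/log/messages",
                "full_log": "Jul 12 18:01:02 wazuh systemd: Started Session 958 of user root."}),
]


def split_pri(line):
    """Return (facility, severity, payload); (None, None, line) if no valid <PRI>."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]


def parse_kv(payload):
    """Parse FortiGate key=value fields into a dict; order-independent."""
    fields = {}
    for key, value in KV_RE.findall(payload):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def decoder_would_match(payload):
    """True if the custom decoder's positional prematch would fire on this payload."""
    return PREMATCH_RE.match(payload) is not None


def decoder_fields(payload):
    """Only the keys the custom decoder names, under its <order> field names."""
    kv = parse_kv(payload)
    return {name: kv[key] for key, name in DECODER_FIELDS.items() if key in kv}


def parse_line(line):
    """Strip <PRI>, then report the prematch result and every parsed field."""
    facility, severity, payload = split_pri(line)
    return {
        "facility": facility,
        "severity": None if severity is None else SEVERITY_NAMES[severity],
        "prematch": decoder_would_match(payload),
        "fields": parse_kv(payload),
    }


def fortigate_from_archives(archive_lines, location_substr):
    """Parse the events whose 'location' contains the firewall's address."""
    events = []
    for raw in archive_lines:
        try:
            event = json.loads(raw)
        except ValueError:
            continue  # skip partial or garbled lines from a live tail -f
        if location_substr in event.get("location", ""):
            events.append(parse_kv(event.get("full_log", "")))
    return events


if __name__ == "__main__":
    for line in (LINE_V5, LINE_V62):
        result = parse_line(line)
        print(result["severity"], "prematch:", result["prematch"],
              decoder_fields(split_pri(line)[2]))
    print(fortigate_from_archives(ARCHIVE_LINES, "203.0.113.1"))
```

Run it against real captures by replacing the constructed lines with what tcpdump shows after the `<PRI>` or with `full_log` values from archives.json. The key=value parser is deliberately order-independent, which is the property a decoder for this format wants; the positional prematch check is there to show that a line the firewall considers valid can still be one the custom decoder never sees.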