Fortigate wazuh


Jules Pigeau

Feb 7, 2023, 9:19:47 AM2/7/23
to Wazuh mailing list
Hi,
I am in the process of integrating the FortiGates and FortiAnalyzer into Wazuh.
Nevertheless, at the level of security events, I still have the same message popping up, as in the picture.
Only this rule works...
fortigate.PNG

Francisco Tuduri

Feb 7, 2023, 12:35:17 PM2/7/23
to Wazuh mailing list
Hello Jules!

The first thing we should do is check if there are other events from Fortigate that are reaching the manager.
Keep in mind that to generate alerts, the logs have to reach the manager and then these logs have to be decoded and trigger any of the available rules.

To know if these logs are reaching the manager, please enable the logall_json setting in the manager ossec.conf file, and then restart the manager.

<global>
  ...
  <logall>yes</logall>
  <logall_json>yes</logall_json>
  ...
</global>


After that, please verify that the expected logs are coming to the manager by checking /var/ossec/logs/archives/archives.json.
If there are other events related to Fortigate, you need to check whether they are being decoded properly and triggering rules or not. You can do it using the wazuh-logtest feature in the Wazuh manager. You will find more information about this here.

Let me know if you need any help with these steps.

Regards!
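As an added example (not part of Francisco's reply and not Wazuh's own tooling), the following Python script does the archives.json check described above offline: it reads the JSON-per-line archive, keeps the entries that look like Fortigate logs, and reports how many of those were decoded and how many actually matched a rule. It assumes that archives.json entries carry the fields timestamp, location, full_log and, when matched, decoder.name and rule.id, and it identifies Fortigate logs by the "devname=" key=value marker in full_log; the sample lines, the decoder name and the rule id in them are constructed placeholders, not real captured data.

```python
import json
from collections import Counter

# Constructed sample of archives.json content (JSON object per line).
# Decoder and rule names are placeholders for illustration only.
SAMPLE_ARCHIVE = r'''
{"timestamp":"2023-02-07T09:00:01.000+0000","location":"10.0.0.1","full_log":"date=2023-02-07 time=09:00:01 devname=\"fw-edge\" devid=\"FGT-EXAMPLE\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" action=\"deny\" srcip=10.0.0.5 dstip=203.0.113.7 dstport=445"}
{"timestamp":"2023-02-07T09:00:02.000+0000","location":"10.0.0.1","full_log":"date=2023-02-07 time=09:00:02 devname=\"fw-edge\" logid=\"0100032002\" type=\"event\" subtype=\"system\" level=\"information\" action=\"login\" user=\"admin\" status=\"success\"","decoder":{"name":"fortigate-placeholder"},"rule":{"id":"EXAMPLE-1","level":3,"description":"Placeholder: Fortigate system event."}}
{"timestamp":"2023-02-07T09:00:03.000+0000","location":"/var/log/auth.log","full_log":"Feb  7 09:00:03 host sshd[123]: Accepted publickey for bob","decoder":{"name":"sshd"},"rule":{"id":"5715","level":3,"description":"sshd: authentication success."}}
'''


def triage_archive(text: str, marker: str = "devname=") -> dict:
    """Summarise which marker-matching archive entries were decoded and alerted.

    Returns counts plus the raw full_log of entries that reached the manager
    but were not decoded at all (the ones to feed into wazuh-logtest).
    """
    total = matching = decoded = alerted = 0
    rules = Counter()
    undecoded = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        total += 1
        full_log = entry.get("full_log", "")
        if marker not in full_log:
            continue
        matching += 1
        decoder = (entry.get("decoder") or {}).get("name")
        rule = (entry.get("rule") or {}).get("id")
        if decoder:
            decoded += 1
        else:
            undecoded.append(full_log)
        if rule:
            alerted += 1
            rules[rule] += 1
    return {
        "total": total,
        "matching": matching,
        "decoded": decoded,
        "alerted": alerted,
        "rules": dict(rules),
        "undecoded": undecoded,
    }


def triage_file(path: str = "/var/ossec/logs/archives/archives.json") -> dict:
    """Run the same triage over a real archives.json on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage_archive(fh.read())


if __name__ == "__main__":
    summary = triage_archive(SAMPLE_ARCHIVE)
    print(f"entries read:          {summary['total']}")
    print(f"fortigate-looking:     {summary['matching']}")
    print(f"  decoded:             {summary['decoded']}")
    print(f"  matched a rule:      {summary['alerted']} {summary['rules']}")
    for raw in summary["undecoded"]:
        print("  NOT decoded ->", raw[:80])
```

Run it against the real file with triage_file(); a high "fortigate-looking" count with a low "decoded" count means the logs arrive but no decoder claims them, which is exactly the case to reproduce with wazuh-logtest, whereas zero matching entries means the logs never reach the manager and the problem is upstream of Wazuh.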

Muhammad Farash P

Feb 23, 2023, 1:18:42 AM2/23/23
to Wazuh mailing list
Hi,
I have a Wazuh environment with 3 servers (1 master and 2 workers). I use an nginx load balancer and use the following configuration in the load balancer.
stream {
    upstream cluster {
        hash $remote_addr consistent;
        server 192.168.40.51:1514;
        server 192.168.40.75:1514;
        server 192.168.40.65:1514;
    }
    upstream master {
        server 192.168.40.51:1515;
    }
    server {
        listen 1514;
        proxy_pass cluster;
    }
    server {
        listen 1515;
        proxy_pass master;
    }
}


I have been trying to send my firewall logs, but they are not showing in the Wazuh dashboard. I used the IP address of the load balancer, port 1514 and the TCP protocol to push logs from the firewall.
Help me to sort this out.

Thanks and regards,
Muhammad Farash P