CEF Fortigate version v7.2.11


Celeste B.

Oct 13, 2025, 4:46:16 AM
to wa...@googlegroups.com

Hi,

I have a question.

I am receiving Fortigate logs in CEF format, and the logs are being saved in archives.json in Wazuh but not in alerts.json. I run grep "IP address" /var/ossec/logs/archives/archives.log | head and the sample logs look like this:

2025 Oct 13 00:00:02 BAE-NR1F-FW01->/var/log/syslog Oct 13 08:00:00 DeviceName CEF: 0|Fortinet|Fortigate|v7.2.11|000xx|traffic:forward server-rst|x|deviceExternalId=FGT61FTK000xx FTNTFGTeventtime=1760313600099144439 FTNTFGTtz=+0800 FTNTFGTlogid=0000xx cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root src=xx.xx.xxx.xx shost=xx spt=xx deviceInboundInterface=internal FTNTFGTsrcintfrole=lan dst=xx.xxx.xxx.xxx dpt=xx deviceOutboundInterface=wan1 FTNTFGTdstintfrole=wan FTNTFGTsrccountry=Reserved FTNTFGTdstinetsvc=Microsoft-Web FTNTFGTdstcountry=United Kingdom FTNTFGTdstregion=England FTNTFGTdstcity=London FTNTFGTdstreputation=x externalId=xxxxxxxx proto=x act=server-rst FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy FTNTFGTpoluuid=xxxxxxdx-xxex-xxeb-xxfc-xfaxdfxaxxxb FTNTFGTpolicyname=LAN-to-WAN app=Microsoft-Web FTNTFGTtrandisp=snat sourceTranslatedAddress=xxx.xxx.xxx.xx sourceTranslatedPort=xxxxx FTNTFGTappid=xxxxx FTNTFGTapp=Microsoft.Portal FTNTFGTappcat=Collaboration FTNTFGTapprisk=elevated FTNTFGTapplist=block-wuapp FTNTFGTduration=x out=xxx in=xxx FTNTFGTsentpkt=x FTNTFGTrcvdpkt=x FTNTFGTvwlid=0 FTNTFGTutmaction=allow FTNTFGTcountapp=x FTNTFGTsrchwvendor=Dell FTNTFGTdevtype=Computer FTNTFGTosname=Windows FTNTFGTsrcswversion=xx FTNTFGTmastersrcmac=xx:bx:ex:xx:xx:xa FTNTFGTsrcmac=xx:bx:ex:xx:xx:xa FTNTFGTsrcserver=x

Can you help me with this? thanks!

hasitha.u...@wazuh.com

Oct 13, 2025, 5:25:23 AM
to Wazuh | Mailing List
Hi Celeste B.

I have tested this log with wazuh-logtest and could not find any decoder or rule that matches, which is why it's not available on alerts.json file.
Also, you need to use the log from here:  Oct 13 08:00:00 DeviceName CEF: 0|Fortinet|Fortigate|v7.2.11|000xx|traffic:forward server-rst|x|deviceExternalId=FGT61FTK000xx FTNTFGTeventtime................
Because in archives.log it has an extra header. Due to this confusion, I really suggest that you always capture logs from archives.json, because in those logs we can see the field full_log, which is the one being parsed by analysis. One of the archives.json events should look like this (the field of interest is full_log):
{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}
Ref: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

I have attached the file that includes the decoders for the FortiGate logs.
You can copy these decoders and add them to a new custom decoder file in this location /var/ossec/etc/decoders/
nano /var/ossec/etc/decoders/local_fortigate.xml

After adding and saving the file, you need to set the permissions and ownership of the decoder file with the following commands:
chmod 660 /var/ossec/etc/decoders/local_fortigate.xml
chown wazuh:wazuh /var/ossec/etc/decoders/local_fortigate.xml


Check these documents to learn more about regex and decoder syntax
Decoders Syntax
Regular Expression Syntax

To generate an alert, you need to create custom rules for FortiGate logs.
Add the below custom rule into this file: /var/ossec/etc/rules/local_rules.xml 

<group name="local,fortigate">

  <rule id="100502" level="3">
    <decoded_as>Fortigate</decoded_as>
    <description>Fortigate alert detected.</description>
  </rule>

</group>

After adding decoders and rules, restart the Wazuh manager:
systemctl restart wazuh-manager

To learn more about rules, you can refer to these guides.
Rules
Rules Syntax
Regular Expression Syntax


If the issue persists, please share the sample logs from archives.json logs as mentioned above.
local_fortigate.xml
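As an added example (not the attached local_fortigate.xml and not Wazuh's own code), here is a small Python parser that shows what a decoder has to extract from the line in the first post: it drops the archives.log prefix ("2025 Oct 13 ... ->/var/log/syslog") and the syslog header in front of "CEF:", splits the seven pipe-delimited CEF header fields while honouring the CEF escape for a literal pipe, and parses the extension into key/value pairs, where values such as "United Kingdom" contain spaces and a literal "=" is escaped as "\=". It also pulls out the syslog hostname, which is the value Wazuh exposes as predecoder.hostname. The sample line is a constructed, shortened copy of the one in the thread, with the same placeholder values.

```python
import re

# Constructed, shortened version of the archives.log line from the first post
# (placeholder values "xx" kept as in the original).
SAMPLE_ARCHIVE_LINE = (
    "2025 Oct 13 00:00:02 BAE-NR1F-FW01->/var/log/syslog "
    "Oct 13 08:00:00 DeviceName CEF: 0|Fortinet|Fortigate|v7.2.11|000xx|"
    "traffic:forward server-rst|x|deviceExternalId=FGT61FTK000xx "
    "FTNTFGTlogid=0000xx cat=traffic:forward src=xx.xx.xxx.xx spt=xx "
    "dst=xx.xxx.xxx.xxx dpt=xx act=server-rst FTNTFGTpolicyname=LAN-to-WAN "
    "app=Microsoft-Web FTNTFGTdstcountry=United Kingdom FTNTFGTappcat=Collaboration"
)

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
# Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# A key is a run of non-space characters followed by '=' at the start of the
# extension or right after whitespace; values may themselves contain spaces.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.-]+)=")


def strip_to_cef(line):
    """Return the text from 'CEF:' onward, discarding the archives.log prefix
    and the syslog header (timestamp and hostname) that precede it."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF event")
    return line[idx:]


def syslog_hostname(line):
    """Hostname token immediately before 'CEF:' (what Wazuh puts in predecoder.hostname)."""
    m = re.search(r"(\S+)\s+CEF:", line)
    return m.group(1) if m else None


def split_header(cef):
    """Split the CEF header on unescaped '|' into the seven header fields
    (returned as a dict) plus the raw extension string."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    # "CEF: 0" -> "0"
    header["cef_version"] = header["cef_version"].split(":", 1)[1].strip()
    for k in HEADER_FIELDS:
        header[k] = header[k].replace("\\|", "|").replace("\\\\", "\\")
    return header, parts[7]


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict, unescaping
    '\\=' and '\\\\' inside values as the CEF format requires."""
    matches = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[start:end].strip()
        fields[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return fields


def parse_cef_event(line):
    """Full pipeline: strip prefix, split header, parse extension."""
    header, ext = split_header(strip_to_cef(line))
    return header, parse_extension(ext)


if __name__ == "__main__":
    hdr, ext = parse_cef_event(SAMPLE_ARCHIVE_LINE)
    print("hostname:", syslog_hostname(SAMPLE_ARCHIVE_LINE))
    for k, v in hdr.items():
        print(f"{k}: {v}")
    for k, v in ext.items():
        print(f"  {k} = {v}")
```

The parser is useful as a cross-check before writing or debugging the decoder: if the header fields and extension keys it prints are not the ones showing up in the decoded event, the decoder's prematch or regex is consuming the wrong part of the line (most often the archives.log prefix).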

Celeste B.

Nov 2, 2025, 11:30:52 PM
to Wazuh | Mailing List
Hi, I updated the configuration, though the path I have available for the decoder is /var/ossec/etc/decoders/local_decoder.xml, and changed the rules based on the command you sent. It is now showing in Discover Field, but not in the dashboard.

In the Discover Field, the details show the device name as predecoder.hostname. So I am trying to add predecoder.hostname in a separate table.

Can you help me with that?

Thanks!

hasitha.u...@wazuh.com

Nov 3, 2025, 3:51:02 AM
to Wazuh | Mailing List
Hi Celeste,

Please let me know if you’ve already created a custom dashboard and are not seeing the predecoder.hostname values displayed.

If you haven’t created a visualization for that specific field, it won’t appear on your dashboard. You’ll need to create a custom visualization to include it.

If you haven’t yet created a custom dashboard, follow these steps:

  1. Go to Explore → Dashboards → Create new dashboard → Add → Create new → Visualization → Data table → wazuh-alerts-*.

  2. In the Bucket section, click Add, select Aggregation: Terms, and choose Field: predecoder.hostname.

  3. Click Update → Save, provide a title, then click Save and return.

  4. Finally, make sure to Save the custom dashboard (top-right corner) and give it a name.

For more details, refer to the official guide:
🔗 Creating Custom Dashboards - Wazuh Documentation

Additionally, I’ve attached a sample table visualization for predecoder.hostname data, which you can import via Dashboard Management → Saved Objects → Import.

Let me know the update on this.
export (9).ndjson