Inquiry: FortiGate/FortiWeb Log Collection and Configuration with Wazuh


Le Sok

May 20, 2025, 9:49:54 PM
to Wazuh | Mailing List
Dear Wazuh Team,

I hope this message finds you well.

I would like to ask if Wazuh is able to collect logs from Fortinet devices, specifically FortiGate and FortiWeb. If so, could you please guide me on:

1. How to configure FortiGate/FortiWeb to send logs to Wazuh
2. How to configure Wazuh to receive and parse those logs properly
3. How to verify that the log collection is working, and if there are any built-in rules, decoders, or dashboards available to monitor Fortinet logs in Wazuh

Our organization is currently evaluating Wazuh for SIEM and log correlation, and we would really appreciate your guidance on this integration.

Thank you very much for your support!

Best regards,

Federico Gustavo Caffieri

May 20, 2025, 11:08:32 PM
to Wazuh | Mailing List
Wazuh can collect logs from Fortinet devices, including both FortiGate and FortiWeb, via syslog.

To do this, you must configure FortiGate to send logs to Wazuh via syslog.

I have found the following information about FortiGate to configure log sending:

Navigate to Log & Report > Log Settings through the web interface. You can enable sending logs to syslog. Alternatively, you should be able to configure this using the FortiGate CLI. However, this will depend on your environment and installation; please take a look at the official documentation.

Regarding Wazuh, you must configure your Wazuh server as follows:

Edit the `/var/ossec/etc/ossec.conf` file with the following:

```xml
<ossec_config>
    <remote>
        <connection>syslog</connection>
        <port>514</port>
        <protocol>udp</protocol>  <!-- or tcp; must match the protocol configured on the Fortinet device -->
        <allowed-ips>IP_DISPOSITIVO_FORTINET</allowed-ips>  <!-- replace with the Fortinet device IP (or CIDR range) -->
    </remote>
</ossec_config>
```

Then, restart the Wazuh server to apply the changes:

```
systemctl restart wazuh-manager
```

I'm sharing the following documentation on log data collection: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog

To validate that the logs are arriving correctly, you can perform the following checks:

Verify that the logs are being stored:
```
tail -f /var/ossec/logs/archives/archives.json | grep <FORTINET_IP>
```

You can run a test with wazuh-logtest:

```
/var/ossec/bin/wazuh-logtest
```

Then paste an example log to see if it is being decoded correctly.

Or you can validate it from the Wazuh dashboard:
- Enter the Wazuh dashboard
- Navigate to Security Events
- Filter the logs from your Fortinet device

Then, to generate alerts, you must configure custom rules and decoders. You can also use the ones provided by Wazuh, which you can find at:
- Decoders: `/var/ossec/ruleset/decoders/0100-fortigate_decoders.xml` https://github.com/wazuh/wazuh/blob/v4.12.0/ruleset/decoders/0100-fortigate_decoders.xml
- Rules: `/var/ossec/ruleset/rules/0391-fortigate_rules.xml` https://github.com/wazuh/wazuh/blob/v4.12.0/ruleset/rules/0391-fortigate_rules.xml

In case you want to parse information not provided by the provided decoders and rules, you can use the following guide to create your own:

To create your decoders, you can use this documentation: https://documentation.wazuh.com/current/user-manual/ruleset/decoders/index.html.

As an example, here's the following decoder:

```xml
<!-- Parent decoder: matches the start of any FortiWeb line (date, time, devname="FW...") -->
<decoder name="fortiweb-custom">
    <prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname="FW\S+"</prematch>
</decoder>

<!-- Child decoder: only for type=attack events; extracts four fields in <order> -->
<decoder name="fortiweb-attack">
    <parent>fortiweb-custom</parent>
    <prematch offset="after_parent">type=attack</prematch>
    <regex offset="after_parent">subtype="(\S+)" src="(\S+)" dst="(\S+)" action="(\S+)"</regex>
    <order>attack.type,srcip,dstip,action</order>
</decoder>
```

Then, to create your rules, you can use this other documentation: https://documentation.wazuh.com/current/user-manual/ruleset/rules/index.html

I share another example of rules:

```xml
<group name="fortiweb,">
    <!-- Base rule (level 0): groups every event decoded by fortiweb-custom or its children -->
    <rule id="100100" level="0">
        <decoded_as>fortiweb-custom</decoded_as>
        <description>FortiWeb events</description>
    </rule>

    <!-- Fires when the child decoder extracted attack.type -->
    <rule id="100101" level="7">
        <if_sid>100100</if_sid>
        <field name="attack.type">.*</field>
        <description>FortiWeb: Attack detected - $(attack.type)</description>
    </rule>
</group>
```

Remember that for the changes to take effect, you must restart your Wazuh server.

```
systemctl restart wazuh-manager
```

Finally, regarding the Wazuh dashboard display, there are no preconfigured dashboards for viewing these logs, but you can create your own.
As an example, you could:

1. Go to Management > Discover
2. Search your FortiGate/FortiWeb logs
3. Create custom visualizations based on relevant fields
4. Add these visualizations to a custom dashboard
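As an added example (not from this thread or the Wazuh ruleset), the following Python script parses Fortinet-style key=value syslog bodies and emulates what the custom decoder pair and the two rules above would extract and fire, on constructed sample events, so a log line can be sanity-checked before pasting it into wazuh-logtest. It assumes the devname="FW..." convention of the decoder above and only approximates Wazuh's regex engine with Python's `re`.

```python
import re
from typing import Dict, Optional, Tuple

# Fortinet syslog bodies are space-separated key=value pairs; values containing
# spaces are double-quoted (msg="SQL Injection attempt"), so splitting on
# spaces alone is not enough.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Python equivalent of the parent <prematch> from the decoder above.
PARENT_PREMATCH = re.compile(r'^date=\d{4}-\d\d-\d\d time=\d\d:\d\d:\d\d devname="FW\S+"')
# The child decoder's <order>: which log key lands in which Wazuh field.
CHILD_ORDER = {"subtype": "attack.type", "src": "srcip", "dst": "dstip", "action": "action"}

# Constructed sample events (not captured from a real device), shaped to the
# devname="FW..." convention the custom decoder assumes.
SAMPLE_ATTACK = ('date=2025-05-20 time=21:49:54 devname="FW-WEB01" type=attack '
                 'subtype="sql_injection" src="203.0.113.10" dst="192.0.2.25" '
                 'action="deny" msg="SQL Injection attempt blocked"')
SAMPLE_TRAFFIC = ('date=2025-05-20 time=21:50:02 devname="FW-WEB01" type=traffic '
                  'src="198.51.100.7" dst="192.0.2.25" action="accept"')

def parse_fortinet_kv(line: str) -> Dict[str, str]:
    """Split a Fortinet key=value body into a dict, unquoting quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def decode(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Emulate the decoder chain: (decoder name, extracted fields), or None
    when the parent prematch fails and the event would stay undecoded."""
    if not PARENT_PREMATCH.match(line):
        return None
    kv = parse_fortinet_kv(line)
    # Child prematch 'type=attack' plus the four <regex> keys. The real <regex>
    # is stricter: it needs those keys adjacent and in that exact order.
    if kv.get("type") == "attack" and all(k in kv for k in CHILD_ORDER):
        return "fortiweb-attack", {CHILD_ORDER[k]: kv[k] for k in CHILD_ORDER}
    return "fortiweb-custom", {}   # only the parent matched: no fields extracted

def match_rule(line: str) -> Optional[Tuple[int, int, str]]:
    """Emulate rules 100100/100101: (rule id, level, description), or None."""
    decoded = decode(line)
    if decoded is None:
        return None
    _, fields = decoded
    if "attack.type" in fields:   # rule 100101: <field name="attack.type">.*</field>
        return 100101, 7, f"FortiWeb: Attack detected - {fields['attack.type']}"
    return 100100, 0, "FortiWeb events"   # level 0: grouped, but no alert is written
```

Events that come back as `fortiweb-custom` with no fields are the ones to feed into wazuh-logtest first, since they show the child regex is not matching your device's actual key order.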