Wazuh Fortigate Integration


Akshay

4:46 AM (9 hours ago) 4:46 AM
to Wazuh | Mailing List
Hi, trying to integrate FortiGate firewall logs into Wazuh, but no logs are being received in Wazuh. Can someone please provide a step-by-step procedure or name the tools (like a syslog server) and provide the necessary setup and docs to do it?

hasitha.u...@wazuh.com

5:17 AM (8 hours ago) 5:17 AM
to Wazuh | Mailing List
Hi Akshay,

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

5:51 AM (7 hours ago) 5:51 AM
to Wazuh | Mailing List

Hi Akshay,

First of all, verify that the FortiGate alerts are being generated in the alerts file (/var/ossec/logs/alerts/alerts.json) if you have already set it up. If not, follow the instructions below to capture FortiGate logs.

There are two ways to collect remote syslog: one is capturing the logs using tools like rsyslog and forwarding them using the Wazuh agent localfile config. The second option is the remote syslog monitoring capability of Wazuh. If you followed the remote syslog monitoring from Wazuh, then you need to follow this. Add the following configuration between the <ossec_config> tags of the Wazuh server /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port 514:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.15/24</allowed-ips>
    <local_ip>192.168.2.10</local_ip>
  </remote>

For more details, check the above-mentioned document for tag usage and further configuration details. Make sure to restart the manager if you configured the remote syslog on the manager side: systemctl restart wazuh-manager

By default, Wazuh has FortiGate decoders and rules. If your logs match the default decoders and rules, then you do not need to create custom decoders and rules to extract the relevant fields and to generate alerts.

FortiGate:

Decoders: /var/ossec/ruleset/decoders/0100-fortigate_decoders.xml

Rules: /var/ossec/ruleset/decoders/0391-fortigate_rules.xml

You can check the sample logs from the FortiGate with /var/ossec/bin/wazuh-logtest 

However, if the sample log you are testing matches a Wazuh rule with a level below 3, it won't show up on the dashboard. The Wazuh dashboard shows level 3 or above alerts by default. In case your logs do not match them, you need to create custom decoders and rules.

Ref:
Decoders Syntax - Ruleset XML syntax
Custom Decoders
Wazuh Regex
Custom rules
Rule syntax

You can enable archives.json logging on the Wazuh manager, then simulate FortiGate-related events and capture the logs directly from archives.json. By default, archive logs are disabled due to high storage consumption. Edit the /var/ossec/etc/ossec.conf file and add this:

  <ossec_config>
    <global>
      <logall_json>yes</logall_json>
    </global>
  </ossec_config>

Save the file, then restart the manager again: systemctl restart wazuh-manager

This will log all events to /var/ossec/logs/archives/archives.json, so you can see everything your manager is picking up.

Check the Archive Logs: Now, let's look for FortiGate-related logs in the archive: cat /var/ossec/logs/archives/archives.json | grep keyword

Replace keyword with sample log unique content.

Warning: Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you're done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager: systemctl restart wazuh-manager

Once you verify that logs are arriving in archives.json, which means the logs are reaching the manager but not showing in the dashboard, this can be a common issue when the decoders and rules do not match by default. Therefore, you can share sample logs from archives.json so I can replicate on my end and share sample decoders and rules based on the logs.

Because in the archives.json logs we can see the field full_log: "actual log sample", which is the one being parsed by analysis. Therefore, please share the sample logs so we can assist further.

Let me know the update on this to check further.

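The triage described in the reply above (grep archives.json for a keyword, then work out whether the event reached the manager at all, matched a rule, and cleared the dashboard's default level-3 threshold) can be scripted so the answer falls out in one pass. The following is an added example, not code from the thread or from the Wazuh project. It assumes archives.json holds one JSON object per line with the fields full_log, decoder.name and (only when a rule fired) rule.level; the three sample entries, the device name FGT-LAB, the decoder names and the rule ids are all constructed for the demo.

```python
import json
from collections import Counter

# Per the thread: the Wazuh dashboard shows alerts of level 3 and above by default.
DASHBOARD_MIN_LEVEL = 3

# Constructed archives.json lines (assumed layout: one JSON object per line).
# Entry 1: decoded and matched a level-5 rule -> should appear on the dashboard.
# Entry 2: decoded and matched, but only level 2 -> hidden by the dashboard filter.
# Entry 3: reached the manager but no decoder/rule matched -> custom decoder/rule needed.
# Entry 4: unrelated event that should be ignored by the keyword filter.
SAMPLE_ARCHIVE = "\n".join([
    json.dumps({
        "timestamp": "2024-01-01T10:00:00.000+0000",
        "location": "192.168.2.15",
        "decoder": {"name": "fortigate-constructed"},
        "rule": {"level": 5, "id": "constructed-1", "description": "constructed: traffic denied"},
        "full_log": 'date=2024-01-01 time=10:00:00 devname="FGT-LAB" type="traffic" action="deny"',
    }),
    json.dumps({
        "timestamp": "2024-01-01T10:00:01.000+0000",
        "location": "192.168.2.15",
        "decoder": {"name": "fortigate-constructed"},
        "rule": {"level": 2, "id": "constructed-2", "description": "constructed: traffic accepted"},
        "full_log": 'date=2024-01-01 time=10:00:01 devname="FGT-LAB" type="traffic" action="accept"',
    }),
    json.dumps({
        "timestamp": "2024-01-01T10:00:02.000+0000",
        "location": "192.168.2.15",
        "decoder": {},
        "full_log": 'devname="FGT-LAB" type="event" subtype="system" msg="constructed unknown format"',
    }),
    json.dumps({
        "timestamp": "2024-01-01T10:00:03.000+0000",
        "location": "/var/log/auth.log",
        "decoder": {"name": "sshd"},
        "rule": {"level": 3, "id": "constructed-3", "description": "constructed: sshd event"},
        "full_log": "sshd[1]: constructed unrelated line",
    }),
])

# What the thread recommends for each outcome.
NEXT_STEP = {
    "visible_alert": "rule fired at dashboard level; check alerts.json and the dashboard time range",
    "below_dashboard_level": "rule fired below level 3; raise the level with a custom rule if you need it shown",
    "not_matched": "event reached the manager but no rule matched; write custom decoder/rules from full_log",
}


def triage_archive(archive_text, keyword):
    """Return (summary Counter, per-entry details) for archive lines whose full_log contains keyword."""
    summary = Counter()
    details = []
    for lineno, raw in enumerate(archive_text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            summary["unparseable"] += 1  # truncated line, e.g. file still being written
            continue
        full_log = entry.get("full_log", "")
        if keyword not in full_log:
            continue  # same filter as the grep in the thread, applied to full_log only
        rule = entry.get("rule")
        decoder = (entry.get("decoder") or {}).get("name")
        if rule is None:
            status = "not_matched"
        elif int(rule.get("level", 0)) < DASHBOARD_MIN_LEVEL:
            status = "below_dashboard_level"
        else:
            status = "visible_alert"
        summary[status] += 1
        details.append({
            "line": lineno,
            "status": status,
            "decoder": decoder,
            "level": None if rule is None else rule.get("level"),
            "next_step": NEXT_STEP[status],
            "full_log": full_log,
        })
    return summary, details


if __name__ == "__main__":
    # Usage against a real file: triage_archive(open(path).read(), "devname=\"FGT-LAB\"")
    summary, details = triage_archive(SAMPLE_ARCHIVE, "FGT-LAB")
    print(dict(summary))
    for d in details:
        print(f"line {d['line']}: {d['status']} (decoder={d['decoder']}, level={d['level']}) -> {d['next_step']}")
```

The keyword filter is applied to full_log rather than to the whole JSON line so that a device name or message fragment does not accidentally match a decoder or rule description. The details list carries full_log for each entry, which is exactly the field the reply asks to be shared when an event is in the not_matched state.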