Need help on Fortinet Decoder And Rules


Odelon

Apr 5, 2019, 2:37:09 AM4/5/19
to Wazuh mailing list
Hi Everyone!

I need help on how to create decoders and rules for Fortinet logs.

Here are sample logs from my Fortinet forwarded to my wazuh-manager:



2019 Apr 05 12:00:13 mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1554436813 logdesc="Admin login disabled" ui="10.88.80.3" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 10.88.XX.X for 60 seconds because of 3 bad attempts"



2019 Apr 05 12:16:42 mon01->10.10.X.X date=2019-04-05 time=12:16:42 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1554437802 srcip=10.XX.XX.XX srcname="SourceName" srcport=43038 srcintf="SourceInfo" srcintfrole="dmz" dstip=10.XX.XX.XX dstport=5568 dstintf="LEASED LINE GW" dstintfrole="lan" poluuid="89a17098-33f8-51e9-cf3e-ab88917d33c2" sessionid=24147783 proto=6 action="server-rst" policyid=31 policytype="policy" service="p5568" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=6 sentbyte=88 rcvdbyte=84 sentpkt=2 rcvdpkt=2 appcat="unscanned" devtype="Linux PC" devcategory="None" mastersrcmac="80:c1:6e:79:xx:xx" srcmac="80:c1:6e:79:xx.xx" srcserver=1 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="ec:1d:8b:5a:xx:xx" dstmac="ec:1d:8b:5a:xx.xx" dstserver=0


Thank you, and I appreciate your help.





eva....@wazuh.com

Apr 5, 2019, 12:44:21 PM4/5/19
to Wazuh mailing list
Hi Odelon,

You can create and add new decoders and rules as described in our documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Here is an example of a decoder for Fortinet:
  <decoder name="fortinet">
    <prematch>\S+->\S+ date=\S+ time=\S+ devname=\S+</prematch>
  </decoder>
  <decoder name="fortinet-default">
    <parent>fortinet</parent>
    <regex>devname=(\S+) devid=(\S+) logid=(\S+) type=(\S+) subtype=(\S+) level=(\S+)</regex>
    <order>name, devid, logid, type, subtype, level</order>
  </decoder>

And the rules could be the following:
  <group name="fortinet">
    <rule id="100002" level="0">
      <decoded_as>fortinet</decoded_as>
      <description>Grouping of Fortinet rules.</description>
    </rule>
    <rule id="100003" level="7">
      <if_sid>100002</if_sid>
      <field name="level">alert</field>
      <description>Alert in Fortinet</description>
    </rule>
  </group>

You can find out more about the rules syntax at the following link: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/index.html
To check if everything is working, you can use ossec-logtest. ossec-logtest allows you to test and verify the decoders and rules using a provided log example, in a way that simulates the action of ossec-analysisd.

The ossec-logtest output with the above examples will be:
  2019 Apr 05 12:00:13 mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1554436813 logdesc="Admin login disabled" ui="10.88.80.3" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 10.88.XX.X for 60 seconds because of 3 bad attempts"
  **Phase 1: Completed pre-decoding.
    full event: '2019 Apr 05 12:00:13 mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1554436813 logdesc="Admin login disabled" ui="10.88.80.3" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 10.88.XX.X for 60 seconds because of 3 bad attempts"'
    timestamp: '2019 Apr 05 12:00:13'
    hostname: 'lopezziur-S551LN'
    program_name: '(null)'
    log: 'mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1554436813 logdesc="Admin login disabled" ui="10.88.80.3" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 10.88.XX.X for 60 seconds because of 3 bad attempts"'
  **Phase 2: Completed decoding.
    decoder: 'fortinet'
    name: '"HQ-Fortinet"'
    devid: '"FG100DXXXXXX"'
    logid: '"0100032021"'
    type: '"event"'
    subtype: '"system"'
    level: '"alert"'
  **Phase 3: Completed filtering (rules).
    Rule id: '9091'
    Level: '7'
    Description: 'Alert in Fortinet'
  **Alert to be generated.

More information about ossec-logtest can be found at the following link: https://documentation.wazuh.com/current/user-manual/reference/tools/ossec-logtest.html

I hope this example helps you. If you have further questions, please let us know and we will help you.
You can also contribute to our ruleset repository: https://documentation.wazuh.com/current/user-manual/ruleset/contribute.html

Best regards, Eva.
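As an added example (Python, not Wazuh code and not part of Eva's answer), the following models the two "fortinet" decoders and the two rules above and runs them over the two lines Odelon posted, so the decoding and the rule match can be checked outside a manager. The log lines are constructed from the thread's samples with shortened, placeholder addresses; the prematch, field regex and order are transcribed from the XML, and the alert threshold of 3 is the manager default Eva mentions later. The extra kv_parse() function is a generic key=value parser added to show the caveat that a single-token capture cuts a quoted value such as dstintf="LEASED LINE GW" short.

```python
"""Added example (not Wazuh code, not from the thread): a Python model of
the "fortinet" decoders and rules from Eva's XML, run over the two lines
Odelon posted, so the behaviour can be checked without a manager."""
import re

# Constructed inputs: the log portion of the two sample lines from the
# thread, shortened and with placeholder addresses. Both start with the
# "host->ip " prefix that the pasted archives.log lines carry.
EVENT_LINE = ('mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" '
              'devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" '
              'level="alert" vd="root" logdesc="Admin login disabled" action="login" '
              'status="failed" reason="exceed_limit"')
TRAFFIC_LINE = ('mon01->10.10.0.2 date=2019-04-05 time=12:16:42 devname="HQ-Fortinet" '
                'devid="FG100DXXXXXX" logid="0000000013" type="traffic" subtype="forward" '
                'level="notice" vd="root" srcip=10.0.0.5 dstport=5568 '
                'dstintf="LEASED LINE GW" action="server-rst"')

# Python equivalents of <prematch>, <regex> and <order> from the decoder.
# (Wazuh has its own regex dialect; for \S+ and literal text it is the same.)
PREMATCH = re.compile(r'\S+->\S+ date=\S+ time=\S+ devname=\S+')
FIELDS = re.compile(r'devname=(\S+) devid=(\S+) logid=(\S+) type=(\S+) '
                    r'subtype=(\S+) level=(\S+)')
ORDER = ['name', 'devid', 'logid', 'type', 'subtype', 'level']


def decode(log):
    """Return the decoded fields, or None when the prematch fails.
    Captured values keep their double quotes, exactly as the
    ossec-logtest output above shows ('"HQ-Fortinet"')."""
    if not PREMATCH.search(log):
        return None
    match = FIELDS.search(log)
    return dict(zip(ORDER, match.groups())) if match else {}


def evaluate(fields, min_alert_level=3):
    """Rules 100002/100003: <field name="level">alert</field> is a regex
    match in Wazuh, so 'alert' also matches the quoted value '"alert"'.
    An alert is written only when the rule level reaches the threshold
    (3 is the manager default)."""
    if fields is None:
        return None
    if re.search('alert', fields.get('level', '')):
        return {'rule_id': 100003, 'level': 7, 'alert': 7 >= min_alert_level}
    return {'rule_id': 100002, 'level': 0, 'alert': False}


def kv_parse(log):
    """Generic key=value parser for FortiGate logs. Unlike a single-token
    capture, it keeps quoted values that contain spaces whole
    (dstintf="LEASED LINE GW" in the traffic sample)."""
    pairs = re.findall(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)', log)
    return {key: value.strip('"') for key, value in pairs}


if __name__ == '__main__':
    for line in (EVENT_LINE, TRAFFIC_LINE):
        fields = decode(line)
        print(fields, evaluate(fields))
    print(kv_parse(TRAFFIC_LINE)['dstintf'])
```

The event line decodes and fires rule 100003 (level 7, alert), the traffic line only reaches the level-0 grouping rule 100002. decode() returns None for a line that begins directly with date=, because the prematch requires the host->ip prefix; whether the log the manager actually receives over syslog carries that prefix is worth checking in archives.log.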

Odelon

Apr 6, 2019, 4:42:23 AM4/6/19
to Wazuh mailing list
Hi Eva,

Thank you very much! I appreciate your help and the example. I will test it and let you know whether it is displayed on my Kibana dashboard.

Regards,
Odelon

Odie

Apr 8, 2019, 12:14:43 AM4/8/19
to Wazuh mailing list
Hi Eva and wazuh Team,


I tested this decoder and these rules; they work, but I can't see the logs on my Kibana dashboard.

Here are my actual logs from /var/ossec/logs/archives/archives.log and /var/ossec/logs/alerts/alerts.json


# grep FG100D /var/ossec/logs/alerts/alerts.json

{"timestamp":"2019-04-08T11:33:13+0800","rule":{"level":5,"description":"syslog: User authentication failure.","id":"2501","firedtimes":1,"mail":false,"groups":["syslog","access_control","authentication_failed","gpg13_7.8"],"pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"000","name":"mon01.prd.ubp"},"manager":{"name":"mon01.prd.ubp"},"id":"1554694393.XXXXXX","full_log":"date=2019-04-08 time=11:33:12 devname=\"HQ-Internal-Primary-FW\" devid=\"FG100D\" logid=\"0100032002\" type=\"event\" subtype=\"system\" level=\"alert\" vd=\"root\" eventtime=1554694392 logdesc=\"Admin login failed\" sn=\"0\" user=\"admin\" ui=\"https(10.XX.XX.XX)\" method=\"https\" srcip=10.XX.XX.XX dstip=10.10.XX.X action=\"login\" status=\"failed\" reason=\"passwd_invalid\" msg=\"Administrator admin login failed from https(10.XX.XX.XX) because of invalid password\"","decoder":{},"predecoder":{"hostname":"mon01"},"location":"10.10.XX.X"}

{"timestamp":"2019-04-08T11:33:30+0800","rule":{"level":5,"description":"syslog: User authentication failure.","id":"2501","firedtimes":2,"mail":false,"groups":["syslog","access_control","authentication_failed","gpg13_7.8"],"pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"000","name":"mon01.prd.ubp"},"manager":{"name":"mon01.prd.ubp"},"id":"1554694410.499171","full_log":"date=2019-04-08 time=11:33:29 devname=\"HQ-Internal-Primary-FW\" devid=\"FG100D3G15824196\" logid=\"0100032002\" type=\"event\" subtype=\"system\" level=\"alert\" vd=\"root\" eventtime=1554694409 logdesc=\"Admin login failed\" sn=\"0\" user=\"admin\" ui=\"https(10.XX.XX.XX)\" method=\"https\" srcip=10.XX.XX.XX dstip=10.10.XX.X action=\"login\" status=\"failed\" reason=\"passwd_invalid\" msg=\"Administrator admin login failed from https(10.XX.XX.XX) because of invalid password\"","decoder":{},"predecoder":{"hostname":"mon01"},"location":"10.10.XX.X"}

# grep FG100D /var/ossec/logs/archives/archives.log

2019 Apr 08 11:55:07 mon01->10.10.XX.X date=2019-04-08 time=11:55:07 devname="HQ-Internal-Primary-FW" devid="FG100D3G15824196" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1554695707 srcip=10.XX.XX.XX srcport=59506 srcintf="TEST Zone" srcintfrole="dmz" dstip=10.XXX.XX.XX dstport=8014 dstintf="FF_SF" dstintfrole="lan" sessionid=27717107 proto=6 action="deny" policyid=0 policytype="policy" service="tcp/8014" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" devtype="Windows PC" devcategory="Windows Device" osname="Windows" osversion="2008" mastersrcmac="78:f2:9e:ff:94:87" srcmac="78:f2:9e:ff:94:87" srcserver=0

2019 Apr 08 11:55:08 mon01->10.10.XX.X date=2019-04-08 time=11:55:07 devname="HQ-Internal-Primary-FW" devid="FG100D3G15824196" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1554695707 srcip=10.88.XX.XX srcname="linux" srcport=36280 srcintf="PROD Zone" srcintfrole="dmz" dstip=172.XXX.X.X dstport=3200 dstintf="LEASED LINE" dstintfrole="lan" poluuid="6f27fc8c-4915-51e9-6938-4c20e6c21aee" sessionid=27716923 proto=6 action="timeout" policyid=23 policytype="policy" service="P3200" dstcountry="United States" srccountry="Reserved" trandisp="noop" duration=11 sentbyte=48 rcvdbyte=0 sentpkt=1 rcvdpkt=0 vpn="VPN" vpntype="ipsec-static" appcat="unscanned" crscore=5 craction=262144 crlevel="low" devtype="Linux PC" devcategory="None" mastersrcmac="28:XX:XX:XX:XX:XX"





eva....@wazuh.com

Apr 9, 2019, 5:38:44 AM4/9/19
to Wazuh mailing list
Hi Odie,

In the Kibana dashboard you can only see alerts. You can generate an alert by creating a rule with a level greater than 2. If the rule's level is 2 or lower, it generates an event.

Best regards, Eva

eva....@wazuh.com

Apr 9, 2019, 3:46:49 PM4/9/19
to Wazuh mailing list
Hi Odie,

Sorry for the last mail; I think it was not adequately explained.
The file alerts.json saves all alerts generated, and archives.log saves all agents' events. Not all events will produce an alert. If a decoded log matches a rule with a level greater than or equal to 3, it will generate an alert. This value can be modified as explained here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/alerts.html

To check if the log generates an alert, you can use ossec-logtest:


    **Phase 3: Completed filtering (rules).
        Rule id: '100003'
        Level: '3'

        Description: 'Alert in Fortinet'
    **Alert to be generated.

Kibana dashboard only manages alerts. Therefore, if the alert is not in the alerts.json file, it will not be displayed in Kibana.

Best regards, Eva
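As an added check (Python, not Wazuh code and not part of Eva's answer), the following reads alerts.json lines and reports, per entry, the rule that fired, whether its level meets the alert threshold Eva describes, and whether the custom "fortinet" decoder was the one that matched. The sample is constructed: the first line is shaped like the two entries Odie quoted (rule 2501 from the stock syslog ruleset, an empty "decoder":{}, and a full_log that starts at date=); the second shows what an entry looks like when the custom decoder and rule 100003 match, with the assumption that decoded fields sit under "data". The prematch is transcribed from the decoder posted earlier; addresses and ids are placeholders.

```python
"""Added example (not Wazuh code, not from the thread): read alerts.json
lines and report, per entry, which rule fired, whether its level meets
the alert threshold, and whether the custom "fortinet" decoder matched."""
import json
import re

# Equivalent of the <prematch> in the "fortinet" decoder posted earlier.
PREMATCH = re.compile(r'\S+->\S+ date=\S+ time=\S+ devname=\S+')

# Constructed sample, two lines. The first is shaped like the entries Odie
# quoted: rule 2501 from the stock syslog ruleset, an empty "decoder":{},
# and a full_log that starts at date=. The second is what an entry looks
# like when the custom decoder and rule 100003 match (assumed layout:
# decoded fields under "data"). Addresses and ids are placeholders.
ALERTS_JSON = r'''
{"timestamp":"2019-04-08T11:33:13+0800","rule":{"level":5,"description":"syslog: User authentication failure.","id":"2501","groups":["syslog","authentication_failed"]},"agent":{"id":"000","name":"mon01"},"full_log":"date=2019-04-08 time=11:33:12 devname=\"HQ-Internal-Primary-FW\" devid=\"FG100D\" logid=\"0100032002\" type=\"event\" subtype=\"system\" level=\"alert\" action=\"login\" status=\"failed\"","decoder":{},"predecoder":{"hostname":"mon01"},"location":"10.10.0.1"}
{"timestamp":"2019-04-08T11:40:00+0800","rule":{"level":7,"description":"Alert in Fortinet","id":"100003","groups":["fortinet"]},"agent":{"id":"000","name":"mon01"},"full_log":"mon01->10.10.0.1 date=2019-04-08 time=11:40:00 devname=\"HQ-Fortinet\" devid=\"FG100D\" logid=\"0100032021\" type=\"event\" subtype=\"system\" level=\"alert\"","decoder":{"name":"fortinet"},"data":{"name":"\"HQ-Fortinet\"","level":"\"alert\""},"location":"10.10.0.1"}
'''


def would_alert(rule_level, min_alert_level=3):
    """Eva's threshold: level >= 3 writes an alert (and reaches Kibana);
    level 2 or lower stays an event in archives.log only."""
    return rule_level >= min_alert_level


def load_alerts(text):
    """One JSON document per non-empty line, as alerts.json is written."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(alert, min_alert_level=3):
    """Summarise one alerts.json entry."""
    rule = alert['rule']
    decoder = alert.get('decoder') or {}
    full_log = alert.get('full_log', '')
    return {
        'rule_id': rule['id'],
        'level': rule['level'],
        'alert': would_alert(rule['level'], min_alert_level),
        'decoder': decoder.get('name'),
        'fortinet_decoder_matched': decoder.get('name') == 'fortinet',
        # The prematch needs "host->ip " before date=. A syslog payload
        # that starts at date= cannot match it, so the stock rules fire.
        'prematch_hits_full_log': bool(PREMATCH.search(full_log)),
    }


if __name__ == '__main__':
    for entry in load_alerts(ALERTS_JSON):
        print(triage(entry))
```

For the first entry triage() reports rule 2501, no decoder name and no prematch hit, which is the signature of the custom decoder never matching the payload the manager actually received; for the second it reports rule 100003 with the fortinet decoder. Run against a real alerts.json, a grep for Fortinet devids that only ever returns stock rule ids is the first thing to look at before the Kibana side.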

Odie

Apr 24, 2019, 1:42:12 AM4/24/19
to Wazuh mailing list
Hi Eva,


As per logtest it generates alerts. I tried to log in to my Fortinet web management console with a wrong password, but I still can't see alerts in my Kibana dashboard.



/var/ossec/bin/ossec-logtest
\2019/04/24 13:40:35 ossec-testrule: INFO: Started (pid: 16118).
ossec-testrule: Type one log per line.


2019 Apr 05 12:00:13 mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1554436813 logdesc="Admin login disabled" ui="10.88.80.3" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 10.88.XX.X for 60 seconds because of 3 bad attempts"



**Phase 1: Completed pre-decoding.
       full event: '\2019 Apr 05 12:00:13 mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1554436813 logdesc="Admin login disabled" ui="10.88.80.3" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 10.88.XX.X for 60 seconds because of 3 bad attempts"'
       timestamp: '(null)'
       hostname: 'mon01'
       program_name: '(null)'
       log: '\2019 Apr 05 12:00:13 mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1554436813 logdesc="Admin login disabled" ui="10.88.80.3" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 10.88.XX.X for 60 seconds because of 3 bad attempts"'


**Phase 2: Completed decoding.
       decoder: 'fortinet'
       name: '"HQ-Fortinet"'
       devid: '"FG100DXXXXXX"'
       logid: '"0100032021"'
       type: '"event"'
       subtype: '"system"'
       level: '"alert"'

**Phase 3: Completed filtering (rules).
       Rule id: '100033'
       Level: '7'

       Description: 'Alert in Fortinet'
**Alert to be generated.


Thank You!

eva....@wazuh.com

Apr 25, 2019, 6:21:23 AM4/25/19
to Wazuh mailing list
Hello Odie,

Fortinet products usually communicate with the Wazuh manager by syslog. The manager should be configured to receive logs from an agent as described in our documentation:

Here is an example of a configuration:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.0.0.16</allowed-ips>
  <local_ip>10.0.0.1</local_ip>
</remote>

If this is already done, just configure syslog in the agent. There are many ways to configure it. I've simulated your case with rsyslog, and in rsyslog.conf I've added the following configuration:

$ModLoad imfile
$InputFileName /var/log/fortinet.log
$InputFileTag fortinet
$InputFileStateFile fortinet-error
$InputFileSeverity info
$InputRunFileMonitor
*.*  @10.0.0.1:514

where fortinet.log is the log file and 10.0.0.1 is my manager.

To check that it works, you can enable the archives.log file by modifying ossec.conf. Change <logall>no</logall> to <logall>yes</logall>. For more information visit https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html


If it works you can see Fortinet's logs in /var/ossec/logs/archives/archives.log, and Fortinet's alerts in /var/ossec/logs/alerts/alerts.log.

Here is an example of the logs:

2019 Apr 25 11:36:04 vm-ubuntu16->10.0.0.16 Apr 25 09:35:51 vm-ubuntu16 fortinet 019 Apr 05 12:00:13 mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1554436813 logdesc="Admin login disabled" ui="10.88.80.3" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 10.88.XX.X for 60 seconds because of 3 bad attempts"

And the alert is the following:

** Alert 1556184964.6293: - fortinet
2019 Apr 25 11:36:04 vm-ubuntu16->10.0.0.16
Rule: 100003 (level 7) -> 'Alert in Fortinet'
Apr 25 09:35:51 vm-ubuntu16 fortinet 019 Apr 05 12:00:13 mon01->10.10.24.2 date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1554436813 logdesc="Admin login disabled" ui="10.88.80.3" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 10.88.XX.X for 60 seconds because of 3 bad attempts"
name: "HQ-Fortinet"

type: "event"
subtype: "system"
level: "alert"


Can you check whether there are Fortinet logs in archives.log and alerts.log?


Kind regards, Eva
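As an added example (Python, not from the thread and not Wazuh or rsyslog code), the following builds the BSD-syslog datagram that the rsyslog imfile plus "@10.0.0.1:514" setup above emits for one line of fortinet.log, and can send it to the manager's <remote> listener to confirm the port, protocol and <allowed-ips> are right before touching decoders. The manager address 10.0.0.1, the hostname vm-ubuntu16 and the tag fortinet are taken from Eva's example; the facility (local0, rsyslog's imfile default) and severity (info, from $InputFileSeverity) are assumptions, as is the exact header layout, which follows the "Apr 25 09:35:51 vm-ubuntu16 fortinet ..." form visible in her archives.log line.

```python
"""Added example (not from the thread): build the BSD-syslog datagram that
rsyslog's imfile + "@host:514" forwarding produces for one fortinet.log
line, parse it back, and optionally send it to the manager's <remote>
syslog listener to check port/protocol/<allowed-ips>."""
import socket
from datetime import datetime

# Assumed defaults: rsyslog imfile uses facility local0 (16) unless told
# otherwise; $InputFileSeverity info is severity 6. PRI = facility*8 + sev.
LOCAL0, INFO = 16, 6

# Constructed message: the event line from the thread as rsyslog would read
# it from /var/log/fortinet.log (shortened, placeholder devid kept).
FORTINET_LINE = ('date=2019-04-05 time=12:00:13 devname="HQ-Fortinet" devid="FG100DXXXXXX" '
                 'logid="0100032021" type="event" subtype="system" level="alert" '
                 'action="login" status="failed" reason="exceed_limit"')


def pri(facility, severity):
    """Syslog priority value, e.g. local0.info -> 134."""
    return facility * 8 + severity


def build_syslog_line(message, hostname='vm-ubuntu16', tag='fortinet',
                      facility=LOCAL0, severity=INFO, when=None):
    """<PRI>Mmm dd HH:MM:SS hostname tag message
    The tag is emitted as given in $InputFileTag (no colon), matching the
    'vm-ubuntu16 fortinet ...' form in Eva's archives.log example."""
    when = when or datetime(2019, 4, 25, 9, 35, 51)
    # BSD timestamp pads the day with a space, never a zero.
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f'<{pri(facility, severity)}>{stamp} {hostname} {tag} {message}'


def strip_header(line):
    """Inverse of build_syslog_line: (pri, hostname, tag, message), so a
    datagram captured on the manager can be compared with what was sent."""
    if not line.startswith('<') or '>' not in line:
        raise ValueError('no <PRI> header')
    prio, rest = line[1:].split('>', 1)
    body = rest[16:]                       # skip the 15-char timestamp + space
    hostname, tag, message = body.split(' ', 2)
    return int(prio), hostname, tag, message


def send_udp(line, manager_ip='10.0.0.1', port=514):
    """Fire the datagram at the manager's <remote> syslog listener. UDP gives
    no reply: check archives.log on the manager (with <logall>yes</logall>)
    afterwards. A sender not listed in <allowed-ips> is not accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode('utf-8'), (manager_ip, port))


if __name__ == '__main__':
    datagram = build_syslog_line(FORTINET_LINE)
    print(datagram)
    # send_udp(datagram)   # uncomment on a host listed in <allowed-ips>
```

If the line shows up in archives.log but no Fortinet alert follows, the transport is fine and the problem is in the decoder prematch or the rule level; if it does not show up at all, check <allowed-ips>, <protocol> and any firewall between the sender and port 514 first.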