Fortigate not sending syslog


Sidclei Lima

Jul 27, 2022, 9:10:50 AM
to Wazuh mailing list
Good morning guys, I have a Wazuh manager in a private cloud; my agents connect and work correctly. However, I'm trying to send syslog from my Fortigate to the Wazuh manager and I'm not getting it...

My Wazuh manager is on version 4.3.5, installed on an Ubuntu Server 22.04 LTS VM.

If I run a tcpdump, I see the dump below coming to my Wazuh manager:

<45>date=2022-07-26 time=19:02:21 devname="FGT-SITE1-A" devid="FG100FTK21009164" eventtime=1658872942126463590 tz="-0300" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.16.4.95 srcport=1967 srcintf="PORT-CHANNEL-11" srcintfrole="lan" dstip=34.151.236.119 dstport=1251 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Brazil" sessionid=260957484 proto=17 action="accept" policyid=1 policytype="policy" poluuid="dfc1da1e-8a74-51ec-689b-321789ffb96c" policyname="WEB_GERAL" service="udp/1251" trandisp="snat" transip="my Public IP" transport=62383 duration=63819 sentbyte=221850 rcvdbyte=197200 sentpkt=2465 rcvdpkt=2465 vwlid=1 vwlquality="Seq_num(3 wan1), alive, latency: 2.356, selected" vwlname="DEFAULT" appcat="unscanned" sentdelta=360 rcvddelta=480 mastersrcmac="18:0d:2c:19:93:f0" srcmac="18:0d:2c:19:93:f0" srcserver=0.

I already enabled logall_json in ossec.conf and there is no log from my Fortigate there, only Windows logs.
My ossec.conf:

  <!-- Sending syslogs to Wazuh -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>Public IP</allowed-ips>
    <allowed-ips>Public IP</allowed-ips>
    <allowed-ips>Public IP</allowed-ips>
    <allowed-ips>Public IP</allowed-ips>
    <allowed-ips>172.16.0.0/16</allowed-ips>
  </remote>



I really appreciate your help.
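The question turns on two things: the Fortigate key=value log format seen in the tcpdump capture above, and whether the sender's source IP and transport match a `<remote>` block's `<allowed-ips>` and `<protocol>` in ossec.conf. The following Python is an added example, not Wazuh's or Fortinet's code. It parses a constructed Fortigate line and checks a constructed ossec.conf fragment against a given sender; all function names and sample values are assumptions for illustration, and "Public IP" is kept as the redacted placeholder from the post so the check shows that an entry which is not a valid address never matches.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Fortigate traffic log as it arrives on the syslog port.
# Same shape as the tcpdump capture in the post, shortened; values are made up.
SAMPLE_LINE = (
    '<45>date=2022-07-26 time=19:02:21 devname="FGT-SITE1-A" logid="0000000020" '
    'type="traffic" subtype="forward" level="notice" srcip=172.16.4.95 srcport=1967 '
    'dstip=34.151.236.119 dstport=1251 action="accept" '
    'vwlquality="Seq_num(3 wan1), alive, latency: 2.356, selected" srcserver=0'
)

# Constructed ossec.conf fragment mirroring the one in the post. "Public IP" stands
# for an entry the poster redacted; it is deliberately not a valid address.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>Public IP</allowed-ips>
    <allowed-ips>172.16.0.0/16</allowed-ips>
  </remote>
</ossec_config>"""

# key=value pairs; quoted values may contain spaces and commas (e.g. vwlquality)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$', re.S)


def parse_fortigate(line):
    """Return (facility, severity, fields) for one Fortigate syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)  # RFC 3164: PRI = facility*8 + severity
    fields = {}
    for key, value in KV_RE.findall(m.group(2)):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return facility, severity, fields


def remote_syslog_blocks(xml_text):
    """Collect every <remote> block whose <connection> is syslog."""
    root = ET.fromstring(xml_text)
    blocks = []
    for remote in root.findall("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        blocks.append({
            "port": int((remote.findtext("port") or "514").strip()),
            # udp is assumed as the default when <protocol> is omitted
            "protocol": (remote.findtext("protocol") or "udp").strip().lower(),
            "allowed": [e.text.strip() for e in remote.findall("allowed-ips") if e.text],
        })
    return blocks


def sender_allowed(sender_ip, allowed_entries):
    """True if sender_ip matches an <allowed-ips> entry (single IP, CIDR, or 'any')."""
    ip = ipaddress.ip_address(sender_ip)
    for entry in allowed_entries:
        if entry.lower() == "any":
            return True
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # unparseable entry (e.g. a redacted placeholder) never matches
        if ip.version == network.version and ip in network:
            return True
    return False


def accepting_blocks(xml_text, sender_ip, sender_protocol):
    """Remote syslog blocks that would take input from this sender over this transport.

    An empty list means the message is discarded before it can reach archives.log,
    even though tcpdump shows it arriving on the wire.
    """
    return [b for b in remote_syslog_blocks(xml_text)
            if b["protocol"] == sender_protocol.lower()
            and sender_allowed(sender_ip, b["allowed"])]


if __name__ == "__main__":
    facility, severity, fields = parse_fortigate(SAMPLE_LINE)
    print(f"facility={facility} severity={severity} src={fields['srcip']} action={fields['action']}")
    for proto in ("tcp", "udp"):
        n = len(accepting_blocks(SAMPLE_OSSEC_CONF, fields["srcip"], proto))
        print(f"{proto}: accepted by {n} block(s)")
```

Run it with the source IP the manager actually sees (the Fortigate's NATed public address if it reaches the manager over the internet, its LAN address otherwise) and the transport the Fortigate is configured to use. A result of zero accepting blocks for the transport in use points at the ossec.conf side rather than at the network path, which is exactly the case where packets show up in tcpdump but nothing lands in the archives.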



Christian Borla

Jul 27, 2022, 9:33:18 AM
to Wazuh mailing list
Hello!
I hope you are doing fine!
I'm digging for more information about this. I will come back as soon as I have more information.
Regards!

Christian Borla

Jul 27, 2022, 3:31:16 PM
to Wazuh mailing list
Hi!
Sorry for the delay! I have been looking for some information, and I also did a simple test with the following config.

I assume that you are already testing with the following configuration:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>172.16.0.0/16</allowed-ips>
  </remote>

Wazuh accepts multiple remote blocks and includes all of them, so if possible try with the following configuration:

  <remote>
    <connection>syslog</connection>
    <port>5050</port>
    <protocol>tcp</protocol>
    <allowed-ips>any</allowed-ips>
  </remote>

It will be necessary to change the Fortigate remote syslog configuration; I found this link.
Also, try with any IP, as part of the test.
Please let me know if you find some events in the archive.log or alert.json files.
Regards.