Hello Simona Vittori,
You can add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file on your Wazuh manager:
<!-- Child decoder of fortigate-firewall-v6: extracts devid.
     The three alternatives cover devid="quoted", devid=unquoted followed by
     whitespace, and devid=unquoted at the end of the line. -->
<decoder name="fortigate-firewall-v6">
  <parent>fortigate-firewall-v6</parent>
  <regex>devid="(\.*)"|devid=(\.*)\s|devid=(\.*)$</regex>
  <order>devid</order>
</decoder>

<!-- Same pattern for devname -->
<decoder name="fortigate-firewall-v6">
  <parent>fortigate-firewall-v6</parent>
  <regex>devname="(\.*)"|devname=(\.*)\s|devname=(\.*)$</regex>
  <order>devname</order>
</decoder>
Then, restart the Wazuh manager to apply the changes:
# systemctl restart wazuh-manager
Testing the log with the logtest-tool, we get the following result:
[root@wazuh-server ossec]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.5
Type one log per line
logver=702081639 timestamp=1717177487 devname="FW-TO-01" devid="FGT61ETK20007969" vd="root" date=2024-05-31 time=17:44:47 eventtime=1717170288246533168 tz="+0200" logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=xxx.xxx.xxx.xxx user="dUNnLiccEjln1Yq8wU+Uug==" group="+7vbEj4oPL7FNHEE+0RkeQ==" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
**Phase 1: Completed pre-decoding.
full event: 'logver=702081639 timestamp=1717177487 devname="FW-TO-01" devid="FGT61ETK20007969" vd="root" date=2024-05-31 time=17:44:47 eventtime=1717170288246533168 tz="+0200" logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=xxx.xxx.xxx.xxx user="dUNnLiccEjln1Yq8wU+Uug==" group="+7vbEj4oPL7FNHEE+0RkeQ==" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"'
**Phase 2: Completed decoding.
name: 'fortigate-firewall-v6'
action: 'ssl-login-fail'
devid: 'FGT61ETK20007969'
devname: 'FW-TO-01'
dstuser: 'dUNnLiccEjln1Yq8wU+Uug=='
eventtime: '1717170288246533168'
ip: 'xxx.xxx.xxx.xxx'
level: 'alert'
logdesc: 'SSL VPN login fail'
logid: '0101039426'
msg: 'SSL user failed to logged in'
reason: 'sslvpn_login_permission_denied'
subtype: 'vpn'
time: '17:44:47'
type: 'event'
vd: 'root'
**Phase 3: Completed filtering (rules).
id: '81614'
level: '4'
description: 'Fortigate: SSL VPN user failed login attempt.'
groups: '['fortigate', 'syslog', 'authentication_failed', 'invalid_login']'
firedtimes: '1'
gdpr: '['IV_32.2', 'IV_35.7.d']'
gpg13: '['7.1']'
hipaa: '['164.312.b']'
mail: 'False'
nist_800_53: '['AC.7', 'AU.14']'
pci_dss: '['10.2.4', '10.2.5']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
You can learn more about decoders using the Decoders Syntax - Ruleset XML syntax guide.
Let me know if you find this information helpful.
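As an added example (not part of the reply above or of Wazuh's own code), the following Python mirrors the three regex alternatives used in the decoders, generalised to every key=value pair in the Fortigate format, so the extraction can be checked offline before editing local_decoder.xml. The sample log is the event from the wazuh-logtest run, with the remote IP masked as in the post; the function names `extract_fields` and `parse_kv` are my own, and the key boundary check is slightly stricter than the decoder regex (assumption: a key that merely ends in "devname" must not match).

```python
import re

# Constructed sample: the Fortigate event from the logtest run above,
# with the remote IP left masked exactly as in the post.
SAMPLE_LOG = (
    'logver=702081639 timestamp=1717177487 devname="FW-TO-01" '
    'devid="FGT61ETK20007969" vd="root" date=2024-05-31 time=17:44:47 '
    'eventtime=1717170288246533168 tz="+0200" logid="0101039426" type="event" '
    'subtype="vpn" level="alert" logdesc="SSL VPN login fail" '
    'action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 '
    'remip=xxx.xxx.xxx.xxx user="dUNnLiccEjln1Yq8wU+Uug==" '
    'group="+7vbEj4oPL7FNHEE+0RkeQ==" dst_host="N/A" '
    'reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"'
)


def field_pattern(field: str) -> re.Pattern:
    """Python equivalent of the decoder regex for one key:
       key="quoted" | key=unquoted<whitespace> | key=unquoted<end of line>.
    OSSEC's '\\.*' stops at the first closing quote, so the quoted branch uses
    [^"]* rather than a greedy .* (which would run to the last quote on the line).
    The (?:^|\\s) prefix is an added boundary check, stricter than the decoder."""
    k = re.escape(field)
    return re.compile(rf'(?:^|\s){k}="([^"]*)"|(?:^|\s){k}=(\S+)')


def extract_fields(log: str, fields=("devname", "devid")) -> dict:
    """Return only the requested keys, as the two decoders do (hypothetical helper)."""
    found = {}
    for field in fields:
        m = field_pattern(field).search(log)
        if m:
            # Whichever alternative matched carries the value.
            found[field] = m.group(1) if m.group(1) is not None else m.group(2)
    return found


# Generalisation to all keys: quoted values may contain spaces, '+' and '='
# (base64 user/group fields), unquoted values run to the next whitespace.
KV_RE = re.compile(r'(?:^|\s)(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(log: str) -> dict:
    """Parse every key=value pair in a Fortigate log line (hypothetical helper)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(log)}


if __name__ == "__main__":
    print(extract_fields(SAMPLE_LOG))  # {'devname': 'FW-TO-01', 'devid': 'FGT61ETK20007969'}
```

The same lines can be fed to wazuh-logtest to confirm that the decoder output matches what `extract_fields` returns.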
On Monday, June 3, 2024 at 7:00:51 AM UTC+1 simona vittori wrote:
Hello, how can I tag the "devname" info present in the "full_log" field of the Fortigate log so that it shows up on the dashboard?
Attached is the log as it appears in the dashboard.
Thanks in advance
bye
Simona