remote_syslog fortigate configuration - Not enough logs arrive.


Pablo Bolivar Bustamante

Jan 21, 2023, 7:18:16 AM
to Wazuh mailing list
Hello

I am currently configuring the Fortigate to send syslog to Wazuh. In the test environment it worked perfectly, but when I moved it to production it does not work well.

This is the configuration in the firewall:

FORTIGATE-DVWS45 (setting) # show full-configuration
config log syslogd setting
set status enable
set server "10.179.34.12"
set mode udp
set port 514
set facility user
set source-ip "10.179.34.1"
set format default
end

TESTING....

FORTIGATE-DVWS45# diagnose sniffer packet any udp and port 514

14.328787 10.179.34.1.1217 -> 10.179.34.12.514: udp 836
14.340042 10.179.34.1.1217 -> 10.179.34.12.514: udp 606
14.340098 10.179.34.1.1217 -> 10.179.34.12.514: udp 606
14.340670 10.179.34.1.1217 -> 10.179.34.12.514: udp 850
14.340708 10.179.34.1.1217 -> 10.179.34.12.514: udp 850
14.341165 10.179.34.1.1217 -> 10.179.34.12.514: udp 846
14.341200 10.179.34.1.1217 -> 10.179.34.12.514: udp 846
14.341579 10.179.34.1.1217 -> 10.179.34.12.514: udp 836
14.341611 10.179.34.1.1217 -> 10.179.34.12.514: udp 836
14.350456 10.179.34.1.1217 -> 10.179.34.12.514: udp 838
14.350493 10.179.34.1.1217 -> 10.179.34.12.514: udp 838

It seems to work well.

These are the settings applied in Wazuh:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.179.34.1/32</allowed-ips>
    <local_ip>10.179.34.12</local_ip>
  </remote>
</ossec_config>

root@fire:/home/user# netstat -lupnd
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.53:53           0.0.0.0:*                           680/systemd-resolve
udp        0      0 10.179.34.12:514        0.0.0.0:*                           113683/wazuh-remote

It seems that the configuration is done well.

During the day I could not see any events from this device, but at dawn I could see only two Fortigate syslog events.


Jan 21, 2023 @ 01:46:24.158

agent.name:fire
rule.groups:fortigate, syslog
input.type:log
agent.id:000
manager.name:toad
data.devid:FGT90D3Z2500487
data.msg:Configuration is changed in the admin session
data.level:alert
data.eventtime:1674283584
data.type:event
data.vd:root
data.logdesc:Configuration changed
data.ui:https(10.179.36.3)
data.subtype:system
data.dstuser:juan.bolivar
data.devname:NAME_DEV
data.logid:0100032102
data.time:01:46:24
rule.firedtimes:1
rule.mail:false
rule.level:7
rule.description:Fortigate: Configuration changed.
rule.id:81608
rule.gdpr:IV_32.2, IV_35.7.d
location:10.179.34.1
decoder.name:fortigate-firewall-v5
id:1674283584.271803
full_log:date=2023-01-21 time=01:46:24 devname=" NAME_DEV" devid="FGT90D3Z15006939" logid="0100032102" type="event" subtype="system" level="alert" vd="root" eventtime=1674283584 logdesc="Configuration changed" user="juan.bolivar" ui="https(10.179.36.3)" msg="Configuration is changed in the admin session"
timestamp:Jan 21, 2023 @ 01:46:24.158
_index:wazuh-alerts-4.x-2023.01.21

Can anyone help me to solve this problem, since I can't see all the received syslog events.

Thanks.
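
Added example (not part of the thread, and not Wazuh or Fortinet code): a small Python helper for the checks this thread is circling around. It replays datagrams over UDP to a local listener as a stand-in for the Fortigate-to-Wazuh hop, splits off the RFC 3164 <PRI> header that the tcpdump output decodes as "user.notice", parses the Fortigate key=value body in the format visible in the full_log field above, tallies datagrams by type/subtype/level, and mirrors the <allowed-ips> source check from the configuration. Only the configuration-changed event is taken from the thread; the traffic-log lines, their field values and the PRI numbers are constructed for the example. Wazuh stores alerts (events that matched a rule at or above the alert threshold), so a count of datagrams on the wire is not expected to equal the count of alerts in the dashboard; tallying by level shows what the wire actually carried.

```python
"""Replay, parse and tally Fortigate syslog datagrams (added example)."""
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample datagrams (not captured from the thread's environment).
# Body: the Fortigate key=value format shown in the thread's full_log field.
# Header: RFC 3164 <PRI> = facility*8 + severity. With "set facility user"
# (facility 1), a notice is <13> (tcpdump shows "user.notice") and an alert
# is <9>. The traffic lines and their values are invented for illustration.
SAMPLE_DATAGRAMS = [
    '<9>date=2023-01-21 time=01:46:24 devname="NAME_DEV" devid="FGT90D3Z15006939" '
    'logid="0100032102" type="event" subtype="system" level="alert" vd="root" '
    'eventtime=1674283584 logdesc="Configuration changed" user="juan.bolivar" '
    'ui="https(10.179.36.3)" msg="Configuration is changed in the admin session"',
    '<13>date=2023-01-21 time=14:55:23 devname="NAME_DEV" devid="FGT90D3Z15006939" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'eventtime=1674330923 srcip=10.179.36.3 srcport=51234 dstip=192.0.2.10 '
    'dstport=443 proto=6 action="accept" policyid=1 service="HTTPS" '
    'sentbyte=1420 rcvdbyte=9810',
    '<13>date=2023-01-21 time=14:55:23 devname="NAME_DEV" devid="FGT90D3Z15006939" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'eventtime=1674330923 srcip=10.179.36.7 srcport=40022 dstip=192.0.2.25 '
    'dstport=53 proto=17 action="deny" policyid=0 service="DNS" '
    'sentbyte=78 rcvdbyte=0',
]

PRI_RE = re.compile(r'^<(\d{1,3})>')
# key=value pairs; quoted values may contain spaces, unquoted ones stop at whitespace
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_pri(datagram):
    """Return (facility, severity, body); facility/severity are None without <PRI>."""
    m = PRI_RE.match(datagram)
    if not m:
        return None, None, datagram
    pri = int(m.group(1))
    return pri // 8, pri % 8, datagram[m.end():]


def parse_fortigate(body):
    """Parse a Fortigate key=value body into a dict of string values."""
    return {key: (quoted or unquoted) for key, quoted, unquoted in KV_RE.findall(body)}


def tally(datagrams):
    """Count datagrams by (type, subtype, level): what the wire carried."""
    counts = Counter()
    for datagram in datagrams:
        _, _, body = split_pri(datagram)
        rec = parse_fortigate(body)
        counts[(rec.get('type'), rec.get('subtype'), rec.get('level'))] += 1
    return counts


def source_allowed(src_ip, allowed_networks):
    """Mirror the <allowed-ips> check: sources outside every listed network are dropped."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed_networks)


def summarize(datagrams, src_ip, allowed_networks):
    """Tally only what a listener restricted to allowed_networks would accept."""
    if not source_allowed(src_ip, allowed_networks):
        return Counter()
    return tally(datagrams)


def replay_over_udp(datagrams, host='127.0.0.1'):
    """Send datagrams to a local UDP listener on an ephemeral port and return
    (source_ip, payload) pairs as received, standing in for the syslog hop."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((host, 0))
        rx.settimeout(2)
        for datagram in datagrams:
            tx.sendto(datagram.encode(), rx.getsockname())
        received = []
        for _ in datagrams:
            data, (src, _port) = rx.recvfrom(65535)
            received.append((src, data.decode()))
        return received
    finally:
        tx.close()
        rx.close()


if __name__ == '__main__':
    payloads = [payload for _src, payload in replay_over_udp(SAMPLE_DATAGRAMS)]
    for key, n in sorted(summarize(payloads, '10.179.34.1', ['10.179.34.1/32']).items()):
        print(f'{key}: {n}')
```

To use it against a real capture, feed the payloads printed by tcpdump -A (or a file of Fortigate lines) into tally() and compare the per-level counts with the alerts the dashboard shows for the same window; a source address that does not fall inside <allowed-ips> gives an empty tally, which is the same outcome as the listener silently dropping it.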



Pablo Ariel Gonzalez

Jan 21, 2023, 11:30:17 PM
to Wazuh mailing list
Hello jpbolivarbus:

Let's see if we can solve this inconvenience. The configuration seems to be correct. I see that you have verified that the events are being sent from the firewall and that on the Wazuh machine the service is up on the right port.
Could you tell us whether you have verified that the events are arriving at the Wazuh machine? If you have not verified it yet, could you do so? If you like, you can do it with tcpdump from the command line; this could be an example of how to run it:

tcpdump -i any host 10.179.34.1

or

tcpdump -i any host 10.179.34.1 and port 514


Thanks,

Pablo Bolivar Bustamante

Jan 22, 2023, 10:25:51 AM
to Wazuh mailing list
Thanks for your reply. Running the command tcpdump -i any host 10.179.34.1 and port 514, this is the output:

root@fire:/home/xxxxx# tcpdump -i any host 10.179.34.1
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
14:55:23.422803 ens18 In  IP _gateway.1217 > fire.syslog: SYSLOG user.notice, length: 848
14:55:23.423806 ens18 In  IP _gateway.1217 > fire.syslog: SYSLOG user.notice, length: 848
14:55:23.435433 ens18 In  IP _gateway.1217 >  fire.syslog: SYSLOG user.notice, length: 836
14:55:23.436062 ens18 In  IP _gateway.1217 >  fire.syslog: SYSLOG user.notice, length: 850
14:55:23.443850 ens18 In  IP _gateway.1217 >  fire.syslog: SYSLOG user.notice, length: 853
14:55:23.452986 ens18 In  IP _gateway.1217 >  fire.syslog: SYSLOG user.notice, length: 845
14:55:23.483122 ens18 In  IP _gateway.1217 >  fire.syslog: SYSLOG user.notice, length: 849
14:55:23.483951 ens18 In  IP _gateway.1217 >  fire.syslog: SYSLOG user.notice, length: 831
14:55:23.513340 ens18 In  IP _gateway.1217 >  fire.syslog: SYSLOG user.notice, length: 836
14:55:23.522744 ens18 In  IP _gateway.1217 >  fire.syslog: SYSLOG user.notice, length: 846

Thanks.
