Fortigate v7.0.14 build0601 not sending event on tcp event stream


Sanjeev Karandikar

May 10, 2024, 5:28:43 AM
to Wazuh | Mailing List
Dear Wazuh team,

I have integrated Fortigate with Wazuh by configuring the rsyslog daemon on my Linux box (where the Wazuh server is) to capture the syslog event stream from Fortigate in a file, and then specifying the location of this file in a localfile block:

  <localfile>
    <location>path of fortigate log as dumped by rsyslogd</location>
    <log_format>syslog</log_format>
  </localfile>

My destination port for capturing Fortigate logs is 514; the protocol is UDP.

Till 30th April, Fortigate was sending the event stream properly to rsyslogd and Wazuh was capturing these events.
Recently I discovered that the Fortigate log file (where the event stream was being dumped) has not been updated since 30th April.

I tried running the following command on the Linux box to check whether the event stream is coming from Fortigate:

  tcpdump -v -i any -nn -XX src <fortigate ip> and dst 172.17.1.70 and dst port 514

but nothing seems to be coming now.
I checked with my developers and they state they have not changed any settings on the Fortigate firewall.
So, are there any lines of investigation I should try? We need to integrate Fortigate logs into our Wazuh SIEM for compliance purposes.
My Wazuh server version is:
WAZUH_VERSION":"v4.7.3"},{"WAZUH_REVISION":"40714"

One weird thing: it looks like my Linux server was rebooted on 30th April (if I run the command last reboot, it shows the following):

  # last reboot
  reboot   system boot  5.15.0-105-gener Tue Apr 30 07:08   still running

I even tried restarting rsyslogd yesterday, but no change.
Most importantly, tcpdump does not show any output.

Regards,
Sanjeev

Emiliano Zorn

May 13, 2024, 2:32:50 AM
to Wazuh | Mailing List

Hello Sanjeev!

Are we talking about Rsyslog on a device where you have Wazuh Agent installed? Or are you sending the logs directly to the Wazuh manager?

If it's the first option, the problem is completely outside the platform's settings or activity, since the only thing the Wazuh agent does is read the folder where the logs are being stored. Everything indicates that after the firewall was restarted, it has taken a new configuration and has stopped sending information to the device where the agent is located.

Regards.
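Added example, not code from either post: a few stand-alone checks for the chain described in the thread (Fortigate sending syslog over UDP 514 to rsyslogd, which writes a file that the Wazuh localfile block tails). They separate "rsyslog is no longer bound to 514 after the reboot" from "the file Wazuh reads is stale" from "the sender stopped", which is the question Emiliano raises. The log file path is an assumption; the port is the one from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for Fortigate -> UDP 514 -> rsyslogd
# -> file -> Wazuh <localfile>. LOGFILE is an assumed path; 514/udp is from the post.
LOGFILE="${LOGFILE:-/var/log/fortigate.log}"  # assumed rsyslog output file
MAX_AGE="${MAX_AGE:-600}"                      # seconds without a write = stale

# 1. Does the rsyslog config (on stdin) load imudp and bind it to 514?
#    Accepts RainerScript and legacy directive syntax; ignores commented lines.
rsyslog_udp_configured() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -Eq '^[^#]*(module\(load="imudp"\)|\$ModLoad[[:space:]]+imudp)' &&
    printf '%s\n' "$cfg" | grep -Eq '^[^#]*(input\(type="imudp".*port="514"|\$UDPServerRun[[:space:]]+514)'
}

# 2. Is a socket actually bound to UDP 514 right now? Reads `ss -ulnp` output
#    on stdin, so it also works against a saved copy.
has_udp514_listener() {
    grep -Eq '[[:space:]][^[:space:]]*:514[[:space:]]'
}

# 3. Seconds since the log file was last written (GNU stat, as on Ubuntu);
#    fails if the file does not exist.
file_age_seconds() {
    now=$(date +%s)
    mtime=$(stat -c %Y "$1") || return 1
    echo $((now - mtime))
}

# 4. End-to-end probe: send one tagged line to UDP 514 on the collector itself
#    and look for it in the file. If this passes while no Fortigate lines arrive,
#    rsyslog and Wazuh are fine and the sender (or the path from it) is the issue.
probe_pipeline() {
    marker="wazuh-probe-$$-$(date +%s)"
    logger -d -n 127.0.0.1 -P 514 -t fortiprobe "$marker"
    sleep 1
    grep -q "$marker" "$LOGFILE"
}

main() {
    rsyslog_udp_configured < /etc/rsyslog.conf && echo "config: imudp on 514" || echo "config: no UDP 514 input in /etc/rsyslog.conf"
    ss -ulnp | has_udp514_listener && echo "socket: UDP 514 bound" || echo "socket: nothing listening on UDP 514"
    age=$(file_age_seconds "$LOGFILE") && [ "$age" -le "$MAX_AGE" ] && echo "file: fresh (${age}s old)" || echo "file: stale or missing"
    probe_pipeline && echo "probe: rsyslog -> file works" || echo "probe: test line never reached $LOGFILE"
}

# Run the live checks only when invoked as: sh checks.sh run
case "${1:-}" in run) main ;; esac
```

If the config and socket checks pass but the probe line never reaches the file, look at the rsyslog ruleset that writes the file rather than at the sender; if everything passes and the file still only lacks Fortigate lines, the capture on the Fortigate side (or host firewall rules that came back after the reboot) is the next place to look.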
