Fortinet Vpn logs - Location


JCO

Jul 31, 2025, 11:17:38 AM
to Wazuh | Mailing List
Hi all,

I am monitoring Fortinet VPN connections and it works fine. But I want to know the location of them.

The IP is filled in the data.remip field but I do not have any field with location information or geolocation information.

I do not know if I have to look for the location of this IP using the Geo function.

Any ideas? Has anybody configured this on Wazuh 4.12.0?

Thank you so much in advance.

Delfina Lizarralde Bressan

Jul 31, 2025, 11:40:52 AM
to Wazuh | Mailing List
Hello!

Yes, you can use GeoIP geolocation to look up the location of this IP address.

You can configure Filebeat to enrich the data.remip field with GeoIP data by editing the ingest pipelines.
To do so, insert a GeoIP processor block into both:

  • /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json
  • /usr/share/filebeat/module/wazuh/archives/ingest/pipeline.json

{
  "geoip": {
    "field": "data.remip",
    "target_field": "GeoLocation",
    "properties": ["city_name", "region_name", "country_name", "location"],
    "ignore_missing": true,
    "ignore_failure": true
  }
}

After making the changes, run: filebeat setup --pipelines

Then, via the Wazuh dashboard Dev Tools, verify your ingest pipeline has been updated: GET _ingest/pipeline

You can find more information about this in
https://www.zerozone.it/appunti-di-sistema/fortinet-vpn-events-integration-with-wazuh-siem/23260

Let me know how this goes.
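
Added example, not part of the original reply and not Wazuh's own code: a small Python helper that inserts the data.remip GeoIP processor from the reply into a pipeline.json without duplicating it on a second run. SAMPLE_PIPELINE is a constructed, shortened stand-in for the real file, and placing the block after the last existing geoip processor is an assumption of this example.

```python
import copy
import json

# Processor block from the reply above, unchanged.
REMIP_GEOIP = {
    "geoip": {
        "field": "data.remip",
        "target_field": "GeoLocation",
        "properties": ["city_name", "region_name", "country_name", "location"],
        "ignore_missing": True,
        "ignore_failure": True,
    }
}

# Constructed, shortened stand-in for a pipeline.json (not the shipped file).
SAMPLE_PIPELINE = {
    "description": "constructed sample pipeline",
    "processors": [
        {"json": {"field": "message", "add_to_root": True}},
        {"geoip": {"field": "data.srcip", "target_field": "GeoLocation",
                   "ignore_missing": True, "ignore_failure": True}},
        {"date": {"field": "timestamp", "target_field": "@timestamp",
                  "formats": ["ISO8601"], "ignore_failure": False}},
    ],
}

def add_remip_geoip(pipeline):
    """Return (new_pipeline, changed). Idempotent: never adds a second block."""
    result = copy.deepcopy(pipeline)
    procs = result.setdefault("processors", [])
    geoip_idx = [i for i, p in enumerate(procs) if "geoip" in p]
    if any(procs[i]["geoip"].get("field") == "data.remip" for i in geoip_idx):
        return result, False
    # Place it right after the last existing geoip processor so it runs once
    # the event fields exist; append if the pipeline has no geoip step yet.
    pos = geoip_idx[-1] + 1 if geoip_idx else len(procs)
    procs.insert(pos, copy.deepcopy(REMIP_GEOIP))
    return result, True

def patch_file(path):
    """Apply add_remip_geoip to a pipeline.json on disk; True if rewritten."""
    with open(path, encoding="utf-8") as fh:
        patched, changed = add_remip_geoip(json.load(fh))
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(patched, fh, indent=2)
            fh.write("\n")
    return changed
```

Call patch_file on a backup copy of each of the two pipeline.json paths first, then load the result with filebeat setup --pipelines as described in the reply.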

JCO

Aug 1, 2025, 6:53:38 AM
to Wazuh | Mailing List
Wow, it works fine!!!

Thank you so much Bressan.

Delfina Lizarralde Bressan

Aug 4, 2025, 2:02:29 PM
to Wazuh | Mailing List
That's great to hear!
If you have any other questions, feel free to ask them in any of our channels.
Regards.