Fortigate logs to Wazuh


Alex TDT

Apr 29, 2022, 5:25:07 AM4/29/22
to Wazuh mailing list
Hi everyone,

I've been trying for the past 3 days to get the Fortigate logs to show up in Wazuh but no success... What I did was:
1. enabled the syslog on the Fortigate and set the wazuh ip there
2. modified the ossec.conf file and added the needed config with the udp port, fortigate ip and wazuh's ip
3. added some custom decoder and rule that I found online
4. restarted the wazuh manager

There's nothing in the Discover section of Kibana, but I did find references of the Fortigate in archives.log. Nothing in alerts.log.
Now, if I go to the built-in decoders and rules folders I see that there's already something for Fortigate (0100-fortigate_decoders.xml), so why is there a need for a custom one?
Anyway, can anyone please help me with this? I really don't know what I'm doing wrong here...

Luis González Romero

Apr 29, 2022, 5:35:35 AM4/29/22
to Wazuh mailing list

Hello! Hope you are doing great.

First of all, could you please share some Fortigate logs you have collected? I need one to make some checks and research your issue.

Thanks,
Luis.

Alex TDT

Apr 29, 2022, 6:22:07 AM4/29/22
to Wazuh mailing list
Hi Luis,

Sure. This is from archives.log; there are multiple entries there, this is one of them:

{"timestamp":"2022-04-29T07:10:14.371+0000","agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1651216214.0","full_log":"date=2022-04-29 time=10:10:14 devname=\"FW1\" devid=\"FG100ETK20008071\" eventtime=1651216214342718179 tz=\"+0300\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" appid=40568 srcip=192.168.150.52 dstip=xxxxxxxxxx srcport=52939 dstport=443 srcintf=\"VLAN_150\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"incoming\" policyid=3 sessionid=97877004 applist=\"default\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"xxxxxxx\" incidentserialno=271766913 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"xxxxxxxxx\"","decoder":{"name":"fortigate-custom"},"data":{"action":"pass","srcip":"192.168.150.52","srcport":"52939","dstip":"xxxxxxxx","dstport":"wan1","date":"2022-04-29","time":"10:10:14","eventtype":"signature","level":"information","vd":"root","srcintf":"VLAN_150","srcintfrole":"lan","dstintf":"wan","msg":"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"xxxxxxxxx"},"location":"192.168.3.213"}

The IP in bold is the Fortigate's IP. I've attached the custom decoder that I found and also the rule.
fortigate.xml
fortigate_custom.xml

Luis González Romero

Apr 29, 2022, 12:47:37 PM4/29/22
to Wazuh mailing list

Hello again!

The log you provided has no timestamp (this should match even when the decoder does not) and does not follow the expected decoder format.

root@manager:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

date=2022-04-29 time=10:10:14 devname="FW1" devid="FG100ETK20008071" eventtime=1651216214342718179 tz="+0300" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=40568 srcip=192.168.150.52 dstip=xxxxxxxxxx srcport=52939 dstport=443 srcintf="VLAN_150" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="incoming" policyid=3 sessionid=97877004 applist="default" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="xxxxxxx" incidentserialno=271766913 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="xxxxxxxxx"

**Phase 1: Completed pre-decoding.
    full event: 'date=2022-04-29 time=10:10:14 devname="FW1" devid="FG100ETK20008071" eventtime=1651216214342718179 tz="+0300" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=40568 srcip=192.168.150.52 dstip=xxxxxxxxxx srcport=52939 dstport=443 srcintf="VLAN_150" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="incoming" policyid=3 sessionid=97877004 applist="default" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="xxxxxxx" incidentserialno=271766913 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="xxxxxxxxx"
'

**Phase 2: Completed decoding.
    No decoder matched.

You can follow this workaround:

  • Forwarding the syslog event to a file following this guide.
  • Monitor that file using a localfile block in the ossec.conf file, adding the timestamp so that the line now carries the expected syslog timestamp, a brief descriptive Fortigate string, and the expected hostd.
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/example.log</location>
      <out_format>$(timestamp) Fortigate hostd: $(log)</out_format>
    </localfile>
    
  • Now you have a new log within the archives files, but it still does not follow the decoder format. A custom decoder is needed to work with this log because some fields differ, for example devid should be device_id. As you can see in the parent decoder:
    <decoder name="fortigate-firewall-v3">
      <type>syslog</type>
      <prematch>date=\S+ time=\.+ devname=\S+ device_id=FG\w+ log_id=\d+ type=\S+ subtype=\S+ pri=\S+ vd=</prematch>
    </decoder>
    

If you need some help creating this custom decoder, feel free to ask. Here you have some information about adding custom decoders and the decoder syntax.

Have a nice weekend.

Hope this helps you,
Luis.
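
A quote-aware parser for this key=value format, as an added example (not code from the thread and not Wazuh's own decoders), prototyping the two checks Luis's reply turns on before anyone writes the custom decoder: whether the built-in fortigate-firewall-v3 prematch can fire on this firmware's field names, and what happens when a decoder ignores quoting and meets a value such as msg="Web.Client: HTTPS.BROWSER,". The sample event is constructed from the app-ctrl log posted above with the redacted values replaced by placeholders (203.0.113.10, example.test); the receive timestamp, the hostd placeholder and the syslog-header regex are assumptions, and the Python rendering of the OSSEC prematch is an approximation of that syntax.

```python
"""Quote-aware FortiGate key=value parsing and the checks behind the custom
decoder discussed in the thread. Added example, not Wazuh's own code; the
sample event is constructed from the posted app-ctrl log with placeholders
(203.0.113.10, example.test) in the redacted positions."""
import re
from datetime import datetime

SAMPLE_EVENT = (
    'date=2022-04-29 time=10:10:14 devname="FW1" devid="FG100ETK20008071" '
    'eventtime=1651216214342718179 tz="+0300" logid="1059028704" type="utm" '
    'subtype="app-ctrl" eventtype="signature" level="information" vd="root" '
    'appid=40568 srcip=192.168.150.52 dstip=203.0.113.10 srcport=52939 '
    'dstport=443 srcintf="VLAN_150" srcintfrole="lan" dstintf="wan1" '
    'dstintfrole="wan" proto=6 service="SSL" direction="incoming" policyid=3 '
    'sessionid=97877004 applist="default" action="pass" appcat="Web.Client" '
    'app="HTTPS.BROWSER" hostname="example.test" incidentserialno=271766913 '
    'url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" '
    'scertcname="example.test"'
)
RECEIVED_AT = datetime(2022, 4, 29, 10, 10, 14)  # assumed manager receive time

# One key=value token: the value is a double-quoted string (backslash escapes
# tolerated; an assumption, FortiGate rarely emits them) or a bare run of
# non-blank characters.
_TOKEN = re.compile(
    r'(?P<key>[A-Za-z0-9_.\-]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))'
)


def parse_fortigate(line: str) -> dict:
    """Strictly tokenise a FortiGate log body; raise ValueError on anything
    it cannot account for instead of silently mis-assigning a field."""
    fields, pos, end = {}, 0, len(line)
    while pos < end:
        if line[pos] == " ":
            pos += 1
            continue
        m = _TOKEN.match(line, pos)
        if m is None:
            raise ValueError(f"unparsable text at offset {pos}: {line[pos:pos + 20]!r}")
        key = m.group("key")
        value = m.group("quoted")
        if value is None:
            value = m.group("bare")
            if value.startswith('"'):
                raise ValueError(f"unterminated quote in {key!r}")
        else:
            value = value.replace('\\"', '"')
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
        pos = m.end()
        if pos < end and line[pos] != " ":
            raise ValueError(f"trailing junk after {key!r} at offset {pos}")
    return fields


def is_well_formed(line: str) -> bool:
    try:
        parse_fortigate(line)
    except ValueError:
        return False
    return True


def naive_split(line: str) -> dict:
    """Split on blanks, then on the first '='. This is what a decoder that
    ignores quoting does: a value containing spaces loses everything after
    the first blank and the remainder turns into bogus keys."""
    fields = {}
    for tok in line.split():
        key, _, value = tok.partition("=")
        fields.setdefault(key, value.strip('"'))
    return fields


# The fortigate-firewall-v3 prematch quoted in the thread, rewritten from
# OSSEC regex syntax to Python's (OSSEC's \.+ means "any character, 1+").
BUILTIN_PREMATCH = re.compile(
    r"date=\S+ time=.+ devname=\S+ device_id=FG\w+ log_id=\d+ type=\S+ "
    r"subtype=\S+ pri=\S+ vd="
)
BUILTIN_REQUIRED = ("date", "time", "devname", "device_id", "log_id",
                    "type", "subtype", "pri", "vd")


def builtin_decoder_matches(line: str) -> bool:
    return BUILTIN_PREMATCH.search(line) is not None


def fields_missing_for_builtin(fields: dict) -> list:
    """Names the built-in prematch needs that this firmware does not emit
    under that name (devid/logid instead of device_id/log_id, and no pri)."""
    return [k for k in BUILTIN_REQUIRED if k not in fields]


def to_syslog_line(body: str, received: datetime, host: str = "hostd") -> str:
    """Frame the body the way the thread's out_format does:
    '$(timestamp) Fortigate hostd: $(log)' with a syslog-style timestamp."""
    stamp = f"{received:%b} {received.day:2d} {received:%H:%M:%S}"
    return f"{stamp} Fortigate {host}: {body}"


# Approximation of the header shape Wazuh's syslog pre-decoder looks for.
_SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ \S+: ")


def has_syslog_header(line: str) -> bool:
    return _SYSLOG_HEADER.match(line) is not None


if __name__ == "__main__":
    print("missing for built-in:", fields_missing_for_builtin(parse_fortigate(SAMPLE_EVENT)))
    print(to_syslog_line(SAMPLE_EVENT, RECEIVED_AT))
```

Running it prints the three field names the built-in decoder would need (device_id, log_id, pri) and the framed line that the localfile out_format produces; the strict parser is the reference to diff a custom decoder's output against, since it rejects stray tokens and unterminated quotes rather than assigning the wrong value to a field, which is what produced dstport=wan1 in the archive entry above.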

sharo

May 2, 2022, 2:17:02 AM5/2/22
to Wazuh mailing list, sathees...@nakoatech.com, niv...@nakoatech.com, jawaha...@nakoatech.com

Hi All,

We are in the process of upgrading Wazuh from 4.0 to 4.1.

While upgrading we haven't received any error messages. Also, while upgrading to 4.1, it automatically selects the latest version. We have tried with version but it says invalid package.

We couldn't log in to the Kibana Dashboard. It shows a Wazuh API mismatch error.

Attached screenshots for reference.

Please help.

We have used the link below for the upgrade.

https://documentation.wazuh.com/4.0/upgrade-guide/upgrading-wazuh.html

Thanks in advance.

Sharo

api mismatch error.png
upgrade error1.png
upgrade error2.png

Luis González Romero

May 3, 2022, 4:34:28 AM5/3/22
to Wazuh mailing list
Hello! Hope you are doing great.

Could you create a new thread for this issue to give visibility to other users? So they can read it if they have some related issue.

Thanks!
Luis.

sharo

May 3, 2022, 7:31:10 AM5/3/22
to wa...@googlegroups.com