Problem with Fortinet FortiGate Firewall Logs integrations

[runerh]

Version

2.4.20

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

32

Storage for /

200GB

Storage for /nsm

7TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hello,

I'v been doing some testing of Security Onion, and are trying to get logs from a fortigate fw into Security Onion, with the fleet integrations.
Have added the Fortinet FortiGate Firewall Logs integrations v 1.14.0 (not the deprecated one) to the so-grid-nodes_general policy,
Enabled Collect Fortinet Fortigate logs (input: udp) Listen address = SO IP, Listen Port: 9004
Added customhostgroup0 and customportgroup0 and added them to the standalone input chain and docker-user.

In the logstach.log I'll get an mapping error.
"error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:1921] failed to parse field [event.module] of type [constant_keyword] in document with id 'E0IiqYsBfMAPdu-pr-y4'. Preview of field's value: 'fortinet_fortigate'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"[constant_keyword] field [event.module] only accepts values that are equal to the value defined in the mappings [fortinet], but got [fortinet_fortigate]"}}}}}

Should this work "out of the box"?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[InfosecGoon]

It looks like the integration is expecting event.module to be "fortinet" but it's getting "fortinet_fortigate" instead.

My colleague @cm-ops came up with a workaround for this:

Copy /opt/so/saltstack/default/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 to the local path (same path, replacing default with local) and add the following line:

{ "set": { "if": "ctx.event?.module == 'fortinet_fortigate'", "field": "event.module", "value": "fortinet" } },

Then restart Elasticsearch.

[rjdub2]

I just tried this and it worked for me. I believe this has to do with FortiGate's on FortiOS 7.x where the Elasticsearch integration was only tested on 6.x.

[geistchevalier]

@rwagenmann can you clarify your steps? I tried the same thing but I'm still getting the fortinet_fortigate error in my logs

what I did

1. copy /opt/so/saltstack/**default**/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 to /opt/so/saltstack/**local**/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
2. edit the local file and added { "set": { "if": "ctx.event?.module == 'fortinet_fortigate'", "field": "event.module", "value": "fortinet" } }, in with the other rules in the middle of the file
3. run sudo so-elasticsearch-restart
4. still getting the same error in my logs after restart

is there something I'm missing here?

edit: nvm, I figured out another way to fix it #11995 (comment)

[ebdavison]

Tried this myself and was not able to get this to work. I was able, however, to get the logs sent to a local linux server with the SO agent on it running syslog-ng. I am forwarding these logs to SO and they now show up in ES and can be searched. However, they are not being parsed.

Any thoughts on making this workflow function properly with parsed logs?

[rjdub2]

I think the link below is the better way to do it. I just rebuilt my cluster and tried this and it fixed the issue again. I found an easier way to get to the mappings than editing the integration.

FortiGate Firewall log integration issues · Security-Onion-Solutions/securityonion · Discussion #11995 (github.com)

1. In SOC, go to Kibana then click on Stack Management from the side menu
2. Click on Index Management then click on the Component Templates tab
3. Search for logs-fortinet_fortigate.log@package and click on it
4. Click the big manage button on the bottom right -> Edit
5. Click Mappings, then drill down to event -> module -> edit the value from fortinet -> fortinet_fortigate
6. Scroll back up and click Review and then Save component template and choose to apply now and rollover