FortiGate Firewall log integration issues

[geistchevalier]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

6

RAM

64GB

Storage for /

500GB

Storage for /nsm

2TB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Additional Info:

Fortigate version: 7.x
Fortigate integration version: Fortinet FortiGate Integration 1.19.0
Fortigate integration setting:

errors found in /opt/so/log/logstash/logstash.log:

"reason"=>"[constant_keyword] field [event.module] only accepts values that are equal to the value defined in the mappings [fortinet], but got [fortinet_fortigate]"

I'm currently having issues ingesting logs from my onprem fortigate, tcpdump is showing to me that the fortigate is sending the logs, but SO is not processing it

I tried doing this #11730 (comment)

and adding the following rule to the final pipeline definition

{ "set": { "if": "ctx.event?.module == 'fortinet_fortigate'", "field": "event.module", "value": "fortinet" } },

I tried having just the one in the local folder having the rule, I tried just having the one in the default folder having the rule, I tried them both with the rule added, even after service and/or physical machine restart I'm still getting the [fortinet_fortigate] error. Is there any other solution I can try to make this fortigate integration work?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[geistchevalier]

I ended up changing the mapping of the integration since the set rule in the pipeline mentioned above does not seem to be working for me

what I did:

1. Go to Kibana -> side menu -> integrations -> search Fortinet FortiGate Firewall Logs
2. Go to Integration policies, select your relevant integration
3. Open up advanced options under your relevant method of sending the logs (in my case it is under the UDP section since that is how my FG is sending the logs)
4. Mappings -> logs-fortinet_fortigate.log@package -> click on the magnifying glass
5. Big manage button on the bottom right -> Edit
6. Mappings ->event -> module -> edit the value from fortinet -> fortinet_fortigate
7. scroll back up and just click Review and then Save component template

I am personally not sure if this is the "correct" way to fix this issue, so I'm hoping the SO maintainers can comment below whether doing this is advisable or not. But now my log are getting processed by SO.

edit: if you stumbled onto this post, please check the settings above again after updating SO to a new version, it may have reverted to the old value

edit 2: If you are from a version of SO earlier than 2.4.50 and updated to 2.4.50 or greater, but still seeing the module persisting with the old value, you need to remove and add the Fortinet FortiGate Firewall Logs integration again to get the fix introduced in 2.4.50

[amorphys]

Perfect ! Work like a charm ! first we try the firewall issues thought that we did not ok in the firewall but after we get the logs from Logstash we bring the light in the room :) Unfortunately the error was obvious so we search a method and we found yours answer !!!!
Well done ! thanks for your complete answer !!!

[ebdavison]

This did not work for me so am still searching for a way to get these logs to be "detected" by SO after they are clearing arriving on the box with tcpdump showing them.

[geistchevalier]

my original issue was that the logs did come in and is processed by elasticsearch, but the elasticsearch integration pipeline was expecting the data to be tagged as fortinet, but newer versions of fortigate will export logs tagged with fortinet_fortigate instead, so I needed to change the definition in the pipeline as my answer above.

If following the above didn't work, it's worth to check if you have set up the firewall to accept syslogs from your fortigate

Either use the so-allow wizard in terminal or use the web interface

Administration > Configuration > firewall > hostgroups > syslog > enter your source ip(s) on the right hand side, separated by newline for each entry

(requires Show all configurable settings, including advanced settings to be enabled)
Administration > Configuration > firewall > portgroups > syslog > enter the port you're using to accept the log export, in my case it was 9004 under the udp section

[ebdavison]

I did this and the above steps to change fortinet -> fortinet_fortigate but it is still not working for me. I am sending on UDP 9004 and have tried both default and rfc5424.
I am seeing the logs in tcpdump but they are not matching the fortigate template for some reason and never make it into ES.
Seems like the ES log processor is not recognizing the incoming logs. They are not showing up at all, not as generic syslog or as fortinet logs.

[geistchevalier]

I think you need to open a new discussion for your issue so that the devs can see what's blocking your syslogs from being processed. Describe your setup and what you have tried, include errors found in /opt/so/log/logstash/logstash.log and your tcpdump results

[ebdavison]

probably so. I will do that. thanks for the input so far.

[samuel809]

to what policy are you adding the fortinet integration?