Skip to main content
Shirshak
Shirshak
Visitor III
December 4, 2024
Question

Detecting Missing Logs for a Specific Log Type

  • December 4, 2024
  • 1 reply
  • 1075 views

We are trying to create a rule in FortiSIEM to detect the absence of a specific type of log being received from a device. For example, if a log source is configured to send PING, Sysmon, and Syslog logs to FortiSIEM, we need to create a rule that triggers an alert only when Syslog logs are missing from that device, even though other log types (e.g., PING, Sysmon) may still be received.

The default "No logs from a device" rule in FortiSIEM triggers alerts if all logs stop coming from the device, which does not meet our requirement to monitor the absence of a specific log type.

Has anyone implemented a rule or workaround to address this scenario? Any guidance or suggestions would be greatly appreciated!

 

1 reply

sjoshi
Staff
sjoshi
Staff
December 4, 2024

Hi,

 

To create a rule in FortiSIEM to detect the absence of a specific type of log from a device while still receiving other log types, you can utilize Event Dropping rules. By setting up a custom Event Dropping rule for the specific log type you want to monitor, you can configure it to drop all events except for the desired log type. This way, if the syslog logs are missing, the rule will not drop them, triggering an alert. You can follow the steps outlined in the FortiSIEM User Guide to create this custom Event Dropping rule tailored to your specific monitoring needs.

Thanks, Salon
    Shirshak
    ShirshakAuthor
    Visitor III
    December 6, 2024

    Hi,
    Thank you for your insight. However, we want to trigger the silent log rule without discarding the events. We still need the ping and Sysmon logs but want the rule to trigger only if no Syslogs are detected, without dropping the ping and Sysmon logs.

    Terms & ConditionsAccessibility statement