ciccio81
New Member
January 20, 2016
Question

EventHandler for Syslog device

  • January 20, 2016
  • 1 reply
  • 11473 views

Hello everyone,

we are using a FortiAnalyzer VM 5.2.4 to test integration with our own network monitoring system.

Our system generates syslog messages that are typically forwarded to SIM/SIEMs, and we can do that in various formats (CEF, LEEF), even custom ones.

Now, we would like to create EventHandlers for our events (about 50+) and we are wondering how to achieve that by parsing the "msg" field (as our system is seen as a generic Syslog device and lacks all of the fields available for other Fortinet devices) with a Generic Text Filter...

We can't find good examples to achieve this...

Thanks!

    scao_FTNT
    Staff
    January 21, 2016

    Please try the example below and see if it works for you.

    Example log:

    date=2015-09-24 time=19:32:10 itime=1443123130 device_id=SYSLOG-0A027D1F level=information type=generic msg="device_id=SYSLOG-C0A8015C type=generic pri=information msg='Nov 19 16:14:43 itest named[1813]: error (unexpected RCODE REFUSED) resolving '109.198.115.75.in-addr.arpa/PTR/IN': 71.44.33.20#53'"

    Event handler for generic text filter:

    msg ~ "unexpected RCODE REFUSED"

    Thanks

    Simon

    sridharsre
    New Member
    March 28, 2016

    Hi Simon,

    Thanks for the reply.

    Do we need to change the filter for this? Like "Log Field", "Match Criteria", "Value"?

    I just tried to configure an alert for "Deleted Device" with the following filters:

    Devices selected: Local FortiManager

    Log Type: Event Log

    Event Category: Any

    Group by: Device ID

    Log Field: Level

    Match Criteria: Equal To

    Value: Critical

    Generic Text Filter: msg ~ "Deleted device" (since I see the alert messages as "Deleted device <device>")

    But it is still not working :(

    Kindly help me on this.

    Thanks in advance!!!

    scao_FTNT
    Staff
    March 28, 2016

    Value: Critical

       -- so does the log level need to be critical?

    Thanks

    Simon
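The following is an added example, not code from Fortinet or from anyone in this thread. It models what the two exchanges above describe: a FortiAnalyzer-style key=value log line is split into fields (for a generic syslog device the original syslog text lives only inside the outer msg="..." value), a generic text filter such as msg ~ "unexpected RCODE REFUSED" is evaluated against that field, and an extra Log Field "Level" Equal To "Critical" condition is applied on top, which is the combination the second poster configured. The first sample log is the one Simon posted; the two "Deleted device" lines are constructed here and make no claim about the level FortiManager really assigns to that event. Treating `~` as a case-insensitive regular-expression search is an assumption; check the FortiAnalyzer documentation for your release.

```python
import re

# Sample logs in the key=value layout FortiAnalyzer displays. The first line is
# the example from the thread; the two "Deleted device" lines are constructed
# for this example and their levels are made up.
SAMPLE_LOGS = [
    "date=2015-09-24 time=19:32:10 itime=1443123130 device_id=SYSLOG-0A027D1F "
    'level=information type=generic msg="device_id=SYSLOG-C0A8015C type=generic '
    "pri=information msg='Nov 19 16:14:43 itest named[1813]: error (unexpected RCODE REFUSED) "
    "resolving '109.198.115.75.in-addr.arpa/PTR/IN': 71.44.33.20#53'\"",
    'date=2016-03-28 time=10:01:02 device_id=FMG-LOCAL level=notice type=event '
    'subtype=system msg="Deleted device branch-fw-01"',
    'date=2016-03-28 time=10:05:40 device_id=FMG-LOCAL level=critical type=event '
    'subtype=system msg="Deleted device branch-fw-02"',
]

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces and single quotes) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Split a FortiAnalyzer-style log line into a dict of its top-level fields.

    Anything the syslog device sent (including its own key=value pairs such as
    pri=...) ends up inside the outer msg value, not as a field of its own.
    """
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def text_filter_matches(fields, field, pattern):
    """Model of the generic text filter `field ~ "pattern"`.

    Assumption: `~` is treated as a case-insensitive regular-expression search
    within the named field. A field that does not exist at top level never matches.
    """
    value = fields.get(field)
    return value is not None and re.search(pattern, value, re.IGNORECASE) is not None


def handler_fires(line, text_filter, level=None):
    """True if a handler with generic text filter (field, pattern) and an optional
    Log Field "Level" Equal To `level` condition would match this line.

    Both conditions must hold, so a Level filter can silence a handler whose
    text filter alone would have matched.
    """
    fields = parse_log(line)
    if level is not None and fields.get("level", "").lower() != level.lower():
        return False
    field, pattern = text_filter
    return text_filter_matches(fields, field, pattern)


def matching_events(logs, text_filter, level=None):
    """Return (device_id, level) for every sample log the handler would fire on."""
    hits = []
    for line in logs:
        if handler_fires(line, text_filter, level):
            fields = parse_log(line)
            hits.append((fields.get("device_id"), fields.get("level")))
    return hits


if __name__ == "__main__":
    print(matching_events(SAMPLE_LOGS, ("msg", "unexpected RCODE REFUSED")))
    print(matching_events(SAMPLE_LOGS, ("msg", "Deleted device")))
    print(matching_events(SAMPLE_LOGS, ("msg", "Deleted device"), level="critical"))
```

Running the block shows the text filter alone matching both constructed "Deleted device" logs, while adding the Level Equal To Critical condition leaves only the one logged at level=critical; that is the check Simon's last reply is asking the poster to make. It also shows that a filter on a key nested inside msg (such as pri) finds nothing, since that key is not a top-level field of the generic syslog log.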