SebastianRogers
Visitor III
March 22, 2022
Solved

Fortiweb CEF Malformatted

  • March 22, 2022
  • 1 reply
  • 4925 views

I have seen this a couple of times and am just wondering if anyone else has come across this and can add any logic, so I can add it to my notes for resolution: when the log type has been set to CEF via the GUI.

However, the format it seems to come out in is the local disk value, not the expected CEF. E.g. expected output: CEF:0|Fortinet|Fortigate|version|etc

not the on-disk format:

date=2022-03-20 time=14:55:20 logid="1203030258" type="utm" subtype="waf" eventtype="waf-http-constraint" level="warning"
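The mismatch described above (a syslog policy set to CEF, but lines arriving in FortiWeb's key=value on-disk format) is easy to catch on the SIEM ingestion side, and catching it early avoids silently dropped or mis-parsed WAF events. The following Python is an added example, not code from the original post or from Fortinet: it parses both shapes, classifies each line, and counts how many lines from a supposedly-CEF source are not CEF. The CEF sample line is constructed for illustration (the field values are not real FortiWeb output); the key=value sample is the line quoted in the post. All function and field names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed samples (not real device output). The first is a CEF-shaped line,
# the second is the FortiWeb on-disk key=value line quoted in the post.
SAMPLE_LINES = [
    "CEF:0|Fortinet|FortiWeb|6.3.17|waf-http-constraint|HTTP constraint violation|5|src=10.0.0.5 dst=10.0.0.9",
    'date=2022-03-20 time=14:55:20 logid="1203030258" type="utm" subtype="waf" eventtype="waf-http-constraint" level="warning"',
]

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")            # header separators; "\|" inside a field is literal
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # CEF extension: values may contain spaces
_KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # FortiWeb on-disk: key=value or key="value"


def parse_cef(line: str) -> Optional[Dict]:
    """Return the CEF header fields plus an 'extension' dict, or None if the line is not CEF."""
    line = line.strip()
    if not line.startswith("CEF:"):
        return None
    parts = _UNESCAPED_PIPE.split(line, maxsplit=7)
    if len(parts) < 7:          # a CEF header has seven mandatory pipe-separated fields
        return None
    record = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    extension = parts[7] if len(parts) > 7 else ""
    record["extension"] = {k: v.strip() for k, v in _EXT_PAIR.findall(extension)}
    return record


def parse_fortiweb_kv(line: str) -> Dict[str, str]:
    """Parse FortiWeb's on-disk key=value format; quoted values have their quotes removed."""
    return {k: (quoted or bare) for k, quoted, bare in _KV_PAIR.findall(line)}


def classify(line: str) -> str:
    """Label a syslog payload as 'cef', 'fortiweb-kv' or 'unknown'."""
    if parse_cef(line) is not None:
        return "cef"
    kv = parse_fortiweb_kv(line)
    # On-disk FortiWeb lines carry date= and logid= fields at the front.
    if "date" in kv and "logid" in kv:
        return "fortiweb-kv"
    return "unknown"


def audit(lines: List[str]) -> Dict[str, int]:
    """Count line formats so a collector can alert when a CEF-configured source emits non-CEF lines."""
    counts = Counter({"cef": 0, "fortiweb-kv": 0, "unknown": 0})
    counts.update(classify(line) for line in lines)
    return dict(counts)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(f"{classify(sample):12} <- {sample[:60]}")
    print(audit(SAMPLE_LINES))
```

In a collector, a non-zero `fortiweb-kv` count for a receiver that expects CEF is the signal to raise an alert rather than let the parser discard the events; the key=value parser also lets you keep ingesting those lines (with `logid`, `eventtype` and `level` intact) until the firmware fix lands.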

 

Best answer by ddsouza_FTNT

@SebastianRogers As per the Engineering team, this is a bug in 6.3, and it will be fixed in version 6.3.19 GA.

1 reply

ddsouza_FTNT
Staff
March 22, 2022

I haven't come across this problem yet. Could you please provide the output of the following commands, so I can investigate from my end?

get system status
show log siem-policy
show log siem-message-policy
show log syslog-policy
show log syslogd

 

SebastianRogers
Visitor III
March 22, 2022

get system status
International Version: FortiWeb-Azure_OnDemand 6.3.17,build1195(GA),211130
Serial-Number: Sanitized
Bios version: 04000002
Log hard disk: Available
Hostname: Sanitized-FWB-A
Operation Mode: Reverse Proxy
FIPS-CC mode: disabled
Current HA mode: standalone
Database Status: Available
Current Manager role: standalone

 

show log siem-policy
config log siem-policy
end

 

show log siem-message-policy

config log siem-message-policy
end

 

show log syslog-policy
config log syslog-policy
edit "SampleSyslog"
config syslog-server-list
edit 1
set server XX.XXX.XX.XXX
set format cef
next
end
next
end

 

show log syslogd
config log syslogd
set status enable
set facility local0
set policy SampleSyslog
config custom-field
end

ddsouza_FTNT
Staff
March 24, 2022

@SebastianRogers I am able to reproduce this problem in my lab environment but running on a 6.3.18 GA release with the same configuration. I am checking internally. I shall get back to you with some updates. Stay tuned!