fiesta
New Member
May 4, 2022
Solved

telegram webhook incomplete raw log

  • May 4, 2022
  • 4 replies
  • 6440 views

Hello everyone.


We have an issue with the webhook: with the HTTP Body parameter carrying %%log%% in the Telegram "text" field, it shows an incomplete raw log. I compared email and webhook; the email is fine but the webhook is incomplete.

For example:
1. In the webhook using Telegram I receive this: "Administrator msinfokom logged in successfully from ssh(10.xxxxxxx) --- FGTxxxx xxxx Admin Success Login --- date=2022-05-04 time=09:42:28 logid=" and after logid there is nothing more.
2. In the email I receive "FGT[FG1xxxxxxxxxx] Automation Stitch:Admin Success Login Automation is triggered.
date=2022-05-04 time=09:42:28 logid="0100032001" type="event" subtype="system" level="information" vd="VDOM_xxxx" eventtime=1651632148xxxxxxxx tz="+0700" logdesc="Admin login successful" sn="16516xxxxx" user="xxxxxx" ui="ssh(10.xx.xxxxxx)" method="ssh" srcip=10.xxxxxx dstip=10.xxxxx action="login" status="success" reason="none" profile="super_admin" msg="Administrator xxxxx logged in successfully from ssh(10.xxxxxx)"" and the log is complete after logid.

Is something wrong with my webhook configuration? Has anyone had the same issue?


Here I attach some picture.


webhook-output-1.jpg

email-notif-1.jpg

webhook-param.jpg
Best regards.


4 replies

Contributor
May 6, 2022
Hello @fiesta ,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Debbie_FTNT
Staff & Editor
May 10, 2022

Hey fiesta,

I haven't tested webhooks with Telegram, but I think the issue is with how JSON is parsed and the log message.

JSON consists of value pairs with "<field>":"<value>" (like "chat_id"="5").

The log message is 'date=2022-05-04 time=09:42:28 logid="0100032001" [...]' <- there are quotation marks starting with logid.

I think the Telegram API treats that 'logid="' as end of the value for 'text', because of the quotation mark. The quotation marks would probably have to be escaped:

date=2022-05-04 time=09:42:28 logid=\"0100032001\" [...] from ssh(10.14.92.58)\" and then a final " to end the text field.

I do not believe FortiGate adds escape characters to the quotation marks when sending the message to Telegram API, so Telegram API is confused by the many quotation marks in the log message.

I can't say if this would require a feature request to fix or should be considered a bug, that needs to be decided by developers.

I would suggest opening a ticket with Technical Support and reporting the issue (as well as my theory) there to get some assistance in digging into the communication and figuring out if/how it can be fixed.
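As an added illustration of the theory above (example code, not from this thread and not Fortinet's code): the script below substitutes a constructed log line into the webhook body template the way %%log%% is suspected to be substituted, shows where a JSON parser stops, and contrasts that with a properly escaped body and with the per-field variables approach. It assumes plain text substitution with no escaping, which is the hypothesis in the reply, not a confirmed device behaviour.

```python
import json
import re

# Constructed sample FortiGate event log line in the format shown in the thread
# (placeholder values, not real device data).
SAMPLE_LOG = ('date=2022-05-04 time=09:42:28 logid="0100032001" type="event" '
              'subtype="system" level="information" action="login" status="success" '
              'msg="Administrator admin logged in successfully from ssh(10.0.0.5)"')

# Webhook HTTP Body template as configured in the automation stitch.
TEMPLATE = '{"chat_id":"-yourchatid","text":"--- FGT Admin Login --- %%log%%"}'


def naive_body(template: str, log: str) -> str:
    """Plain text substitution of %%log%% with no JSON escaping (assumed behaviour)."""
    return template.replace('%%log%%', log)


def text_as_parser_sees_it(body: str) -> str:
    """Return the 'text' value a JSON parser sees: it ends at the first unescaped quote."""
    m = re.search(r'"text":"((?:[^"\\]|\\.)*)"', body)
    return m.group(1) if m else ''


def is_valid_json(body: str) -> bool:
    """True if the body parses as JSON at all."""
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


def escaped_body(chat_id: str, text: str) -> str:
    """Build the body with a JSON serializer so quotes inside the log are escaped as \\"."""
    return json.dumps({"chat_id": chat_id, "text": text})


def per_field_body(chat_id: str, log: str) -> str:
    """Workaround from the accepted answer: put individual fields in the text instead of %%log%%.
    Assumes each %%field%% expands to the bare value, so no quote reaches the JSON string."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', log)}
    text = ' '.join(f'{k}={fields[k]}' for k in ('date', 'time', 'logid', 'msg') if k in fields)
    return json.dumps({"chat_id": chat_id, "text": text})
```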

hermanthom
New Member
June 27, 2022

@fiesta did you ever get this sorted? I have the same issue. 

Thanks, 

fiesta
Author (accepted answer)
New Member
July 19, 2022

Sorry for late reply, here is the solution.

You need to add more variables to the xxx inside "text":"xxxx", just like the variables here https://docs.fortinet.com/document/fortigate/7.0.6/fortios-log-message-reference/1/log-messages. Double percent (%%variable%%) is mandatory.

Here is the example:

{"chat_id":"-yourchatid","text":"--- FGTxxx NEW--- conserve=%%conserve%% date=%%date%% eventtime=%%eventtime%% thresholdgreen=%%green%% level=%%level%% logdesc=%%logdesc%% logid=%%logid%% msg=%%msg%% thresholdred=%%red%% service=%%service%% subtype=%%subtype%% time=%%time%% total=%%total%% type=%%type%% timezone=%%tz%% currentram=%%used%% mgmtvdom=%%vd%%"}

%%log%% can be removed and the above used instead.


Some variables may not work, and some variables can be confusing.

Best regards.


FWD~.

Debbie_FTNT
Staff & Editor
July 19, 2022

Thanks for sharing, fiesta :)