Cybersecurity Forum


HafizJasmi
New Contributor

Cisco Ironport Log Issues

Hi Guys,

I have an issue with Cisco IronPort logs. The configuration of the Cisco IronPort syslog has been done based on the recommendation, but in our FortiSIEM we cannot filter on specific criteria like source IP and Informational URL. Attached image as a sample:


As you can see, the source IP and Informational did not appear in the filter, but the information is in the raw log.

If possible, is there any detailed FortiSIEM manual for me to refer to?

RobertEvans
New Contributor III

Hi Muhammad,

Can you share some sample logs with data anonymized (replace any reference to source ip, user, etc with dummy values) and send to me? 

I'll see if we have an existing parser. Also please submit the same sample logs to support.fortinet.com as a tech case so they can update the parser on their end.

Thanks,

-Rob

RobertEvans
New Contributor III

These sample logs you sent tested fine in the IronportWeb system parser for FortiSIEM version v6.1.0. What version is your FortiSIEM instance?

If you are on an older version, you can disable the IronPortWeb system parser, clone it, and use this parser. Attached.

Disable existing IronportWeb parser

Clone existing IronportWeb parser

Edit cloned version, paste in the file below, click validate -> then test -> then save 

Click apply with the cloned parser selected

You may have to restart services on (or reboot) the collectors for the new parser to take effect.

Thanks,

-Rob
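The filtering problem in the original post comes down to whether the parser maps the right positional fields out of the IronPort access-log body into named attributes. As an added illustration that is not part of this thread and not Fortinet's IronPortWeb parser, the Python below parses constructed Squid-style WSA access-log lines (the assumed default accesslog format), extracts the source IP and URL as named attributes, tolerates a syslog header in front of the body, and reports lines it cannot parse instead of guessing:

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Squid-style body of a Cisco IronPort/WSA access-log record (assumed default
# accesslog format). The pattern is searched rather than anchored so that a
# syslog header in front of the body (PRI, timestamp, host, tag) is tolerated.
_ACCESS_RE = re.compile(
    r"(?P<epoch>\d{10}\.\d{3})\s+"                 # request time, unix seconds.ms
    r"(?P<elapsed_ms>\d+)\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"       # client IP (not filterable in the OP)
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+"     # e.g. TCP_MISS/200
    r"(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+"                              # requested URL (not filterable in the OP)
    r"(?P<user>\S+)\s+"
    r"(?P<hierarchy>[A-Z_]+)/(?P<dst_host>\S+)\s+"  # e.g. DIRECT/example.com or NONE/-
    r"(?P<mime>\S+)\s+"
    r"(?P<acl_tag>\S+)"                             # decision tag, e.g. BLOCK_WEBCAT_12-...
)


def parse_wsa_access_line(line: str) -> Optional[dict]:
    """Extract the attributes a SIEM filter needs from one access-log line.

    Returns None when the line does not match, so an unparsed record is visible
    as such instead of being silently mapped onto wrong attributes."""
    m = _ACCESS_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("elapsed_ms", "status", "bytes"):
        ev[key] = int(ev[key])
    epoch = float(ev.pop("epoch"))
    ev["event_time"] = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
    # First token of the ACL tag is the verdict (DEFAULT_CASE_*, BLOCK_WEBCAT_*, ...).
    ev["decision"] = ev["acl_tag"].split("-", 1)[0]
    return ev


def parse_all(lines):
    """Parse every line, dropping the ones the parser does not understand."""
    return [ev for ev in map(parse_wsa_access_line, lines) if ev is not None]


# Constructed sample records (no real hosts or traffic); the first one carries
# an RFC 3164 syslog header, the second is a bare access-log body.
SAMPLE_LINES = [
    '<14>Mar 10 08:15:02 wsa01 accesslogs: 1583828102.150 97 10.0.0.25 TCP_MISS/200 8187 GET http://example.com/index.html user1 DIRECT/example.com text/html DEFAULT_CASE_12-DefaultGroup-Identity-NONE-NONE-NONE-DefaultGroup <IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> -',
    '1583828103.420 3 10.0.0.77 TCP_DENIED/403 0 GET http://blocked.example/ - NONE/- - BLOCK_WEBCAT_12-DefaultGroup-Identity-NONE-NONE-NONE-DefaultGroup <IW_adlt,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_adlt,-,"-","-","-","-","-","-",0.00,0,-,[Local],"-"> -',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev["event_time"], ev["src_ip"], ev["decision"], ev["url"])
```

Once the fields come out as named attributes like this, the SIEM filter on source IP or URL has something to match against; a line that yields None is the one to send to support as a parser sample.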

HafizJasmi

I am currently using FortiSIEM 5.3.1.

dtomic_FTNT

Hi Muhammad,

You can replace the system parser used in 5.3.1 by following these steps:

1) Go to Admin / Device Support / Parsers

2) Search for IronPort Web and disable it

3) Clone that same disabled IronPort Web parser

4) In the parser XML section, replace all the content with the contents of the file Robert posted

5) Validate, Test, Enable and Save

6) Click Apply when you're back at the parser list

Kind Regards,

Dusan Tomic



------------------------------
Dušan Tomić - Consulting Systems Engineer INTL
Fortinet
------------------------------
HafizJasmi

Hi Dusan,

Thank you for the reply. The solution given by Robert works also.