Hi Guys,
I have an issue with Cisco IronPort logs. The configuration of the Cisco IronPort syslog has been done based on the recommendation, but in our FortiSIEM we cannot filter on specific criteria like source IP and Informational URL. Attached image as a sample:
As you can see, the source IP and Informational URL do not appear in the filter, but the information is in the raw log.
If possible, any detailed FortiSIEM manual for me to refer to would be appreciated.
Hi Muhammad,
Can you share some sample logs with the data anonymized (replace any reference to source IP, user, etc. with dummy values) and send them to me?
I'll see if we have an existing parser. Also, please submit the same sample logs to support.fortinet.com as a tech case so they can update the parser on their end.
Thanks,
-Rob
These sample logs you sent tested fine in the IronportWeb system parser for FortiSIEM version v6.1.0. What version is your FortiSIEM instance?
If you are on an older version, you can disable the IronPortWeb system parser, clone it, and use this parser. Attached.
1) Disable the existing IronPortWeb parser
2) Clone the existing IronPortWeb parser
3) Edit the cloned version, paste in the file below, click Validate -> then Test -> then Save
4) Click Apply with the cloned parser selected
You may have to restart services (or reboot) on the collectors for the new parser to take effect.
Thanks,
-Rob
I am currently using FortiSIEM 5.3.1.
Hi Muhammad,
You can replace the system parser used in 5.3.1 by following these steps:
1) Go to Admin / Device Support / Parsers
2) Search for IronPort Web and disable it
3) Clone that same disabled IronPort Web parser
4) In the parser XML section, replace all the content with the contents of the file Robert posted
5) Validate, Test, Enable and Save
6) Click Apply when you're back at the parser list
Kind Regards,
Dusan Tomic
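What the replacement parser has to do for the filters in this thread is pull the source IP and the URL out of the raw access-log text into named attributes. The following is an added illustration, not FortiSIEM's parser XML or anything posted by Robert or Dusan: it takes constructed, syslog-wrapped IronPort Web access-log lines in an assumed Squid-style layout, extracts those attributes, and shows the source-IP and URL filtering that the thread wanted. Field names are my own, not FortiSIEM attribute names.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not a real capture). Layout assumed for illustration:
# <pri>Mon DD HH:MM:SS host accesslogs: epoch elapsed client_ip result/status
#   bytes method url user hierarchy/peer content_type decision_tag
SAMPLE_LINES = [
    "<134>Mar 28 21:20:00 wsa01 accesslogs: 1648502400.123 135 10.10.5.20 "
    "TCP_MISS/200 1024 GET http://example.com/index.html jdoe@CORP "
    "DIRECT/93.184.216.34 text/html ALLOW_WBRS",
    "<134>Mar 28 21:20:01 wsa01 accesslogs: 1648502401.456 12 10.10.5.21 "
    "TCP_DENIED/403 0 GET http://blocked.example.net/file.exe - NONE/- - BLOCK_WBRS",
    "<134>Mar 28 21:20:02 wsa01 accesslogs: not a parseable line",
]

LINE_RE = re.compile(r"""
    ^<(?P<pri>\d+)>\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+accesslogs:\s+
    (?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\s+
    (?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+
    (?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s+(?P<decision>\S+)\s*$
""", re.VERBOSE)

def parse_line(line):
    """Return a dict of named attributes, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # unmatched lines stay raw, which is the symptom in the thread
    g = m.groupdict()
    return {
        "reportingHost": g["host"],
        "eventTime": datetime.fromtimestamp(float(g["ts"]), tz=timezone.utc).isoformat(),
        "srcIp": g["srcip"],
        "url": g["url"],
        "method": g["method"],
        "httpStatus": int(g["status"]),
        "user": None if g["user"] == "-" else g["user"],
        "decision": g["decision"],
    }

def filter_events(lines, src_ip=None, url_substring=None):
    """Filter parsed events on source IP and/or URL, the criteria the thread asked for."""
    out = []
    for ev in (parse_line(l) for l in lines):
        if ev is None:
            continue
        if src_ip is not None and ev["srcIp"] != src_ip:
            continue
        if url_substring is not None and url_substring not in ev["url"]:
            continue
        out.append(ev)
    return out
```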
Hi Dusan,
Thank you for the reply. The solution given by Robert works as well.
Copyright 2024 Fortinet, Inc. All Rights Reserved.