Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

Antonio2022
New Contributor II

Passwordstate parser?

Hello everyone,

I would like to ask for assistance regarding a Passwordstate parser. Has anyone already worked on it?

One of the major challenge I am having is the lack of Passwordstate syslog documentation. I only has been able to find this page that contains all reports types that can be run within Passwordstate.
Passwordstate Compliance Reporting

The other problem is related to the logs formats, they are not coming in a Json format. I have not been able to find a common field to be use it as EventType.

Passwordstate Syslog samples:

<110>10-17-2022 21:25:43 192.168.1.5 Passwordstate: First Last (domain\First.Last) retrieved the Password record '<Name> Management API Secret' from the Password List '<Name>' via a API search. (Title = <Name> Management API Secret, UserName = 46666641fyu4hjfi4ji4jifj4ijhf4i4). Client IP Address = 192.168.1.10. PasswordListID = 1025, PasswordID = 8445

<110>10-17-2022 21:25:34 192.168.1.5 Passwordstate: First Last (domain\First.Last) retrieved the Password record 'ABC' (UserName = 9542574) from the Password List 'Name DTK' to form fill the web site https://www.abc.com/client/. Client IP Address = 192.168.1.80. PasswordListID = 6987, PasswordID = 7412

<110>10-17-2022 21:25:15 192.168.1.5 Passwordstate: First Last (domain\First.Last) copied the UserName for 'BCD' (Name BCD) to the clipboard(Title = Name DTK, UserName = 652352). Client IP Address = 192.168.1.85. PasswordListID = 7414, PasswordID = 3698

<110>10-19-2022 09:14:18 192.168.1.5 Passwordstate: Automatic logoff for user from the IP Address '192.168.1.200'. Reporting of the actual user is not possible, due to expired session. The Client IP Address may also not be accurate if using Proxy Servers or Load Balancers. Client IP Address = 192.168.1.200

<110>10-18-2022 16:37:26 192.168.1.5 Passwordstate: A scheduled Account Heartbeat check failed to validated the password for account abc (\Database Administrators\ABC Accounts) of Account Type 'MS SQL Server' on Host ServerName.domain.com. Error = Failed to validate the password for the SQL account 'abc' on Host 'ServerName.domain.com'. UserName or Password is incorrect. Client IP Address = 192.168.1.23. PasswordListID = 7458, PasswordID = 98547

Is it possible to create a parser using multiples Cases? one for each event type? - I may need around 100 cases
Could be any performances issues of doing so?
<switch>
<case1>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[]]></regex>
</collectAndSetAttrByRegex>
</case>

<case2>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[]]></regex>
</collectAndSetAttrByRegex>
</case>

<case3>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[]]></regex>
</collectAndSetAttrByRegex>
</case>
..
...

<case100>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[]]></regex>
</collectAndSetAttrByRegex>
</case>

</switch>

Do you have any alternative about generating an EventType automatically?
1 REPLY 1
cdurkin_FTNT
Staff
Staff

Absolutely your method for these kinds of logs is correct...

You would just create as many case statements as needed.  In some cases you might set two or more cases to the same eventType as below.

<switch>
<case>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[Passwordstate: blah blah this is the first type of login  ]]></regex>
</collectAndSetAttrByRegex>
<setEventAttribute attr="eventType">PasswordState-Login-Success</setEventAttribute>
</case>

<case>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[Passwordstate: blah blah blah blah this is the second type of login ]]></regex>
</collectAndSetAttrByRegex>
<setEventAttribute attr="eventType">PasswordState-Login-Success</setEventAttribute>
</case>

<case>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[Passwordstate: this is a login failure]]></regex>
</collectAndSetAttrByRegex>
<setEventAttribute attr="eventType">PasswordState-Login-Failure</setEventAttribute>
</case>
</Switch>


Im not sure your samples have a need for this, but the way to create dynamic event types would be via the combineMsgId function...
<setEventAttribute attr="eventType">combineMsgId("PasswordState-", $someVariable)</setEventAttribute>-------------------------------------------
Original Message:
Sent: Oct 21, 2022 07:14 AM
From: Tony C
Subject: Passwordstate parser?

Hello everyone,

I would like to ask for assistance regarding a Passwordstate parser. Has anyone already worked on it?

One of the major challenge I am having is the lack of Passwordstate syslog documentation. I only has been able to find this page that contains all reports types that can be run within Passwordstate.
Passwordstate Compliance Reporting

The other problem is related to the logs formats, they are not coming in a Json format. I have not been able to find a common field to be use it as EventType.

Passwordstate Syslog samples:

<110>10-17-2022 21:25:43 192.168.1.5 Passwordstate: First Last (domain\First.Last) retrieved the Password record '<Name> Management API Secret' from the Password List '<Name>' via a API search. (Title = <Name> Management API Secret, UserName = 46666641fyu4hjfi4ji4jifj4ijhf4i4). Client IP Address = 192.168.1.10. PasswordListID = 1025, PasswordID = 8445

<110>10-17-2022 21:25:34 192.168.1.5 Passwordstate: First Last (domain\First.Last) retrieved the Password record 'ABC' (UserName = 9542574) from the Password List 'Name DTK' to form fill the web site https://www.abc.com/client/. Client IP Address = 192.168.1.80. PasswordListID = 6987, PasswordID = 7412

<110>10-17-2022 21:25:15 192.168.1.5 Passwordstate: First Last (domain\First.Last) copied the UserName for 'BCD' (Name BCD) to the clipboard(Title = Name DTK, UserName = 652352). Client IP Address = 192.168.1.85. PasswordListID = 7414, PasswordID = 3698

<110>10-19-2022 09:14:18 192.168.1.5 Passwordstate: Automatic logoff for user from the IP Address '192.168.1.200'. Reporting of the actual user is not possible, due to expired session. The Client IP Address may also not be accurate if using Proxy Servers or Load Balancers. Client IP Address = 192.168.1.200

<110>10-18-2022 16:37:26 192.168.1.5 Passwordstate: A scheduled Account Heartbeat check failed to validated the password for account abc (\Database Administrators\ABC Accounts) of Account Type 'MS SQL Server' on Host ServerName.domain.com. Error = Failed to validate the password for the SQL account 'abc' on Host 'ServerName.domain.com'. UserName or Password is incorrect. Client IP Address = 192.168.1.23. PasswordListID = 7458, PasswordID = 98547

Is it possible to create a parser using multiples Cases? one for each event type? - I may need around 100 cases
Could be any performances issues of doing so?
<switch>
<case1>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[]]></regex>
</collectAndSetAttrByRegex>
</case>

<case2>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[]]></regex>
</collectAndSetAttrByRegex>
</case>

<case3>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[]]></regex>
</collectAndSetAttrByRegex>
</case>
..
...

<case100>
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[]]></regex>
</collectAndSetAttrByRegex>
</case>

</switch>

Do you have any alternative about generating an EventType automatically?
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.