Hi Guys,
I have an issue with Cisco IronPort logs. The syslog configuration on the Cisco IronPort has been done based on the recommendation, but in our FortiSIEM we cannot filter on specific criteria like source IP and Informational URL. Attached is an image as a sample:
As you can see, the source IP and informational did not appear in the filter, but the information is in the raw log.
If possible, is there any detailed FortiSIEM manual for me to refer to?
Hi Muhammad,
Can you share some sample logs with the data anonymized (replace any reference to source IP, user, etc. with dummy values) and send them to me?
I'll see if we have an existing parser. Also, please submit the same sample logs to support.fortinet.com as a tech case so they can update the parser on their end.
Thanks,
-Rob
-------------------------------------------
Original Message:
Sent: Dec 22, 2020 07:18 PM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Cisco Ironport Log Issues
These sample logs you sent tested fine in the IronportWeb system parser for FortiSIEM version v6.1.0. What version is your FortiSIEM instance?
If you are on an older version, you can disable the IronPortWeb system parser, clone it, and use this parser. Attached.
Disable the existing IronportWeb parser
Clone the existing IronportWeb parser
Edit the cloned version, paste in the file below, click Validate -> then Test -> then Save
Click Apply with the cloned parser selected
You may have to restart services on (or reboot) the collectors for the new parser to take effect.
Thanks,
-Rob
I am currently using FortiSIEM 5.3.1.
Hi Muhammad,
You can replace the system parser used in 5.3.1 by following these steps:
1) Go to Admin / Device Support / Parsers
2) Search for IronPort Web and disable it
3) Clone that same disabled IronPort Web parser
4) In the parser XML section, replace all the content with the contents of the file Robert posted
5) Validate, Test, Enable and Save
6) Click Apply when you're back at the parser list
Kind Regards,
Dusan Tomic
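As an added example (not code from this thread, from Fortinet or from Cisco): a small Python extractor that does for one Cisco IronPort WSA access-log line what the FortiSIEM parser has to do, and then dry-runs it over constructed sample lines the way the Validate/Test step does, reporting any line on which the attributes you want to filter on (source IP, URL) would stay empty. Assumptions: the default Squid-style WSA access-log layout forwarded over syslog with an `accesslogs: Info:` prefix, and attribute names that mirror FortiSIEM's (srcIpAddr, destURL, ...) but are only labels here. All sample lines are constructed and anonymized.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed, anonymized sample lines (dummy IPs, hosts, users); not from the thread.
# Assumed layout: syslog header, then the Squid-compatible WSA access-log record.
SAMPLE_LOGS = [
    # Plain HTTP GET by an authenticated user.
    '<134>Dec 22 19:18:01 wsa01 accesslogs: Info: 1608664681.123 145 10.20.30.40 '
    'TCP_MISS/200 8187 GET http://www.example.com/index.html?q=1 "jsmith@EXAMPLE.LOCAL" '
    'DIRECT/www.example.com text/html DEFAULT_CASE_12-DefaultGroup-Ident-NONE-NONE-NONE-DefaultRouting '
    '<IW_comp,6.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> -',
    # HTTPS tunnel: the "URL" is scheme://host:port with no path, and no authenticated user.
    '<134>Dec 22 19:18:02 wsa01 accesslogs: Info: 1608664682.456 1203 10.20.30.41 '
    'TCP_CONNECT_HIT/200 24576 CONNECT tun://mail.example.org:443 - '
    'DIRECT/mail.example.org - DEFAULT_CASE_12-DefaultGroup-Ident-NONE-NONE-NONE-DefaultRouting '
    '<IW_comm,5.2,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_comm,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,[Local],"-"> -',
    # A record the body pattern does not recognize (truncated by the sender).
    '<134>Dec 22 19:18:03 wsa01 accesslogs: Info: 1608664683.789 12 10.20.30.42 TCP_DENIED/403',
]

# Syslog header: optional <PRI>, BSD timestamp, reporting host. Assumed shape.
HEADER_RE = re.compile(
    r'^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
)

# Access-log body: epoch, elapsed ms, client IP, result/status, bytes, method, URL,
# user (quoted or "-"), hierarchy, content type, ACL decision tag, <scanning verdict>, UA.
BODY_RE = re.compile(
    r'(?P<epoch>\d{9,10}\.\d{3}) (?P<elapsed>\d+) '
    r'(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3}) '
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<method>[A-Z_]+) (?P<url>\S+) (?P<user>"[^"]*"|\S+) '
    r'(?P<hier>\S+) (?P<ctype>\S+) (?P<acl>\S+) '
    r'<(?P<verdict>[^>]*)>(?: (?P<ua>.*))?$'
)


def parse_access_log(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed attributes for one line, or None if the body is not recognized."""
    m = BODY_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    user = g["user"].strip('"')
    # urlsplit yields the host for both http://host/path and tun://host:port.
    host = urlsplit(g["url"]).hostname or ""
    event: Dict[str, object] = {
        "srcIpAddr": g["src_ip"],
        "destURL": g["url"],
        "destName": host,
        "user": "" if user == "-" else user,
        "httpMethod": g["method"],
        "httpStatusCode": int(g["status"]),
        "proxyAction": g["result"],
        "aclDecisionTag": g["acl"],
        # First field of the scanning-verdict block is the URL category code.
        "webCategory": g["verdict"].split(",")[0] if g["verdict"] else "",
    }
    hm = HEADER_RE.match(line)
    if hm:
        event["reptDevName"] = hm.group("host")
    return event


def check_parser(lines: List[str], required=("srcIpAddr", "destURL")) -> Dict[str, List[str]]:
    """Dry run, like the parser Test step: which lines parse, which do not, and which
    parse but leave a required attribute empty (the symptom in the thread)."""
    report: Dict[str, List[str]] = {"parsed": [], "unparsed": [], "missing": []}
    for line in lines:
        ev = parse_access_log(line)
        if ev is None:
            report["unparsed"].append(line)
            continue
        gaps = [k for k in required if not ev.get(k)]
        if gaps:
            report["missing"].append(f"{line[:60]}...: empty {','.join(gaps)}")
        else:
            report["parsed"].append(line)
    return report


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(parse_access_log(sample))
    rep = check_parser(SAMPLE_LOGS)
    print(f"parsed={len(rep['parsed'])} unparsed={len(rep['unparsed'])} missing={rep['missing']}")
```

Run the check over your own anonymized lines before you paste a parser into the cloned IronPortWeb entry; anything landing in `unparsed` or `missing` is exactly what will later show up as a raw message with no filterable source IP or URL.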
Hi Dusan,
Thank you for the reply. The solution given by Robert works also.