FortiSIEM Discussions
HafizJasmi
New Contributor

Cisco Ironport Log Issues

Hi Guys,

I have an issue with Cisco IronPort logs. The syslog configuration on the Cisco IronPort has been done based on the recommendation, but in our FortiSIEM we cannot filter on specific criteria like source IP and Informational URL. Attached is an image as a sample:

As you can see, the source IP and informational fields did not appear in the filter, but the information is in the raw log.

If possible, is there any detailed FortiSIEM manual I can refer to?

RobertEvans
New Contributor III

Hi Muhammad,

Can you share some sample logs with the data anonymized (replace any reference to source IP, user, etc. with dummy values) and send them to me?

I'll see if we have an existing parser. Also please submit the same sample logs to support.fortinet.com as a tech case so they can update the parser on their end.

Thanks,

-Rob


RobertEvans
New Contributor III

These sample logs you sent tested fine in the IronportWeb system parser for FortiSIEM version v6.1.0. What version is your FortiSIEM instance?

If you are on an older version, you can disable the IronPortWeb system parser, clone it, and use this parser. Attached.

Disable existing IronportWeb parser

Clone existing IronportWeb parser

Edit cloned version, paste in the file below, click validate -> then test -> then save 

Click apply with the cloned parser selected

You may have to restart services (or reboot) collectors for the new parser to take effect.

Thanks,

-Rob


HafizJasmi

I am currently using FortiSIEM 5.3.1.


DusanTomic

Hi Muhammad,

You can replace the system parser used in 5.3.1 by following these steps:

1) Go to Admin / Device Support / Parsers

2) Search for IronPort Web and disable it

3) Clone that same disabled IronPort Web parser

4) In the parser XML section, replace all the content with the contents of the file Robert posted

5) Validate, Test, Enable and Save

6) Click Apply when you're back at the parser list

Kind Regards,

Dusan Tomic



------------------------------
Dušan Tomić - Consulting Systems Engineer INTL
Fortinet
------------------------------
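Before pasting a regex into the cloned parser (the "Validate, Test" step above), it helps to confirm offline that it really extracts the two attributes missing from the filter. This is an added example, not the parser Robert attached or FortiSIEM's own code: the log lines are constructed in the squid-style layout a WSA access log uses by default, and the regex is my own assumption.

```python
import re

# Constructed sample lines in the squid-style access log layout that a Cisco
# IronPort WSA writes by default; they are not the logs from the thread.
SAMPLE_LINES = [
    "1608682680.123 45 10.20.30.40 TCP_MISS/200 1532 GET "
    "http://www.example.com/path/page.html user1@CORP DIRECT/www.example.com text/html "
    "DEFAULT_CASE_12-DefaultGroup-Identity-NONE-NONE-NONE-DefaultGroup <IW_comp,6.1> -",
    "1608682681.456 120 10.20.30.41 TCP_CLIENT_REFRESH_MISS/200 4096 CONNECT "
    "secure.example.net:443 user2@CORP DIRECT/secure.example.net - "
    "DEFAULT_CASE_12-DefaultGroup-Identity-NONE-NONE-NONE-DefaultGroup <IW_fin,5.2> -",
]

# Assumed regex (my own, not the FortiSIEM parser's): one named group per
# attribute the SIEM should expose. Only the fields up to content type are
# captured; the verdict tag at the end is left alone.
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hierarchy>\S+)\s+(?P<ctype>\S+)"
)

# Attributes that must be present for the filter in the thread to work.
REQUIRED = ("src_ip", "url")


def parse_access_line(line):
    """Return a dict of named fields, or None if the line does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def find_unparsed(lines):
    """List (index, line) pairs where a required attribute was not extracted.

    Run this over an anonymized sample file before pasting a regex into the
    cloned parser: any hit here would also show up as a missing attribute
    in the SIEM's filter, which is the symptom described in the thread.
    """
    bad = []
    for i, line in enumerate(lines):
        fields = parse_access_line(line)
        if fields is None or any(not fields.get(k) for k in REQUIRED):
            bad.append((i, line))
    return bad


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_access_line(line))
    print("unparsed:", find_unparsed(SAMPLE_LINES))
```

The CONNECT line is included on purpose: for HTTPS tunnels the URL column is only `host:port`, so a regex that insists on a scheme would silently drop exactly the events an analyst most wants to filter on.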

HafizJasmi

Hi Dusan,

Thank you for the reply; the solution given by Robert works also.

