Dear Team,
Based on the article "Ingesting JSON Formatted Events Received via HTTP(S) POST", I attempted to import logs from my DHCP Server (note: these are actual log files, not real-time logs sent by the DHCP Server). However, I encountered several issues, which are described below:
1. I'm currently using curl to send a JSON file (dhcpactivity.json) to FortiSIEM via HTTP (not HTTPS), including the -u '<admin>:<password>' information. However, the result returns a 401 Unauthorized error. What should I do about this? Or do I need to create a dedicated account in FortiSIEM (which I've actually done, but it still doesn't work)?
2. If I'm using HTTP, do I need to add the line "htpasswd -b /etc/httpd/accounts/passwds <user> '<password>'"? Or under what circumstances should this be added? (I've actually added this as well)
3. Before executing the curl command to send the logs, do I need to define Parsers in FortiSIEM first?
4. I noticed that the log example in the article (Ingesting JSON Formatted Events Received via HTTP(S) POST) is [PH_DEV_MON_CUSTOM_JSON]:[reptVendor]=<vendor>,[reptModel]=<model>,[reptDevName]=<reptName>,[reptDevIpAddr]=<reptIp>,[json]=<JSON>.
However, my log looks like the content shown below:
{"data":{"dhcpv4Message":{"chaddr":"00:00:00:00:00:01","siaddr":"0.0.0.0","secs":0,"hType":1,"xId":"0xc123456d","yiaddr":"192.168.1.1","giaddr":"192.168.1.2","options":[{"optionId":53,"messageType":"DHCP Ack","messageTypeId":5},{"serverId":"192.168.1.10","optionId":54},{"optionId":51,"leaseTime":67556},{"subnetMask":"255.255.255.0","optionId":1},{"router":["192.168.1.100"],"optionId":3},{"domainNameSever":["192.168.1.10","192.168.1.20","192.168.1.30"],"optionId":6},{"domainName":"domain.local","optionId":15},{"netBIOSNameServer":["192.168.1.40"],"optionId":44},{"optionId":46,"netBIOSNodeType":"H-node"},{"optionData":"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00","optionId":81},{"optionData":"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00","optionId":82}],"flags":"0x0000","hops":1,"ciaddr":"0.0.0.0","hLength":6,"op":2}},"schemaVersion":"1.0.0","headers":{"http_version":"HTTP/1.1","content_length":"37932","content_type":"application/json","request_method":"POST","http_user_agent":"Vector/0.22.1 (x86_64-unknown-linux-gnu)","http_host":"192.168.1.101:80","http_accept":null,"request_path":"/","accept_encoding":"identity"},"time":1719422428,"sourceId":"00000000-0000-0000-0000-000000000000","type":"dhcpactivity","timePrecision":"s","key":"00000000-0000-0000-0000-000000000000","@version":"1","tags":["_geoip_lookup_failure"],"payloadType":"dhcpv4-packet","host":"192.168.1.17","serverId":"dhcp-01","@timestamp":"2024-06-26T17:20:11.570Z"}
Can FortiSIEM parse this log content without modifying the Parser?
References:
[1] https://docs.fortinet.com/document/fortisiem/7.2.1/external-systems-configuration-guide/522142/inges...
[2] https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/Ingesting_JSON.htm
Hi @Bruce7x2 ,
Let me try to provide some answers:
1) You have not created the appropriate account. Refer to your second question. You are required to create the account and set up the Authorization header (Basic "") in your POST request.
2) Yes, the account is required for ingesting the logs. This account should be utilised to send the logs.
4) When you perform the POST your URL should follow the structure https://<FSMNodeName>/rawupload?vendor=<vendor>&model=<model>&reptIp=<reptIp>&reptName=<reptHost>
Vendor, Model, Reporting IP and Reporting name are all extracted from the URI.
3) For the custom Parser, usually the answer is yes. FortiSIEM has a basic parser for JSON ingested events that expects a single JSON Object with multiple Key, Value entries. I would suggest the following: start by sending the logs and check what the existing default Parser can parse. From there, clone the parser and make any necessary modifications.
Regards,
S
Dear Sioannou,
To be honest, I’m still unsure about how to define a Parser by observing the JSON format, and how they are interconnected. I don’t have any ideas up to this point.
Could you provide some valuable reference materials to help me attempt to define a Parser on my own?
Dear Team,
I have transmitted the DHCP logs to FortiSIEM using curl with the account and password information. However, the system that generates these logs does not support features like curl, which can input account and password information as well as vendor, model, reptIp, and reptHost.
Given this, is there still a way for FortiSIEM to receive the logs?
Dear Sioannou,
No, that's why I would like to know whether FortiSIEM supports HTTP/JSON without an account/password.
Unfortunately it is required. Is this a Bluecat system? The Dhcpactivity logs with output type HTTP here? https://docs.bluecatnetworks.com/r/Address-Manager-Administration-Guide/Configuring-DHCP-Activity/9....
Dear Rob,
You’re correct in your understanding, the log example is indeed from BlueCat.
I have successfully sent logs to FortiSIEM via "HTTP" using curl without the need for account and password information. This process involves adding a whitelist to /etc/httpd/conf/httpd.conf on FortiSIEM, which then allows me to send logs without adding account and password information to the curl command line.
Further, as you’re aware, if we want to use HTTPS and add a token in the form of a Bearer, BlueCat provides a Bearer Token.
How can I obtain this Bearer Token from FortiSIEM?
The bearer token format is just "Basic + base64(username:pw)". When the sending product sends this, it puts it in the 'Authorization' header of the request.
So the header -> value is Authorization -> Basic bXl1c2VybmFtZTpteXBhc3N3b3Jk
I've attempted to attach a python script that takes a user/pw and generates the resulting bearer token. Be sure to replace username/password with yours you generated when running htpasswd.
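One way to build the Authorization header Rob describes and the /rawupload URL from the earlier reply, as an added example that is not part of the original thread or of any attached script. It assumes only Python's standard library (urllib, base64); the node name, account and sample event are constructed.

```python
"""Build the Authorization header and /rawupload URL for a FortiSIEM HTTP(S) JSON POST.

Assumptions (not from the thread): urllib from the standard library is used,
and the node name, account and sample event below are constructed placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request


def basic_auth_header(username: str, password: str) -> str:
    """Return the header value 'Basic ' + base64(username:password).
    The credentials are only base64-encoded, not encrypted, so use HTTPS."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def rawupload_url(node: str, vendor: str, model: str, rept_ip: str, rept_name: str,
                  scheme: str = "https") -> str:
    """URL of the form <scheme>://<FSMNodeName>/rawupload?vendor=..&model=..&reptIp=..&reptName=..
    Values are URL-encoded so a space or slash in vendor/model cannot break the query string."""
    query = urllib.parse.urlencode(
        {"vendor": vendor, "model": model, "reptIp": rept_ip, "reptName": rept_name})
    return f"{scheme}://{node}/rawupload?{query}"


def build_request(url: str, username: str, password: str, event: dict) -> urllib.request.Request:
    """Prepare (but do not send) the POST whose body is the JSON event."""
    body = json.dumps(event).encode("utf-8")
    headers = {
        "Authorization": basic_auth_header(username, password),
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


# Constructed sample: a trimmed DHCP activity event in the same shape as the thread's log.
SAMPLE_EVENT = {
    "data": {"dhcpv4Message": {"chaddr": "00:00:00:00:00:01", "yiaddr": "192.168.1.1", "op": 2}},
    "type": "dhcpactivity",
    "host": "192.168.1.17",
    "serverId": "dhcp-01",
}

if __name__ == "__main__":
    # Hypothetical FortiSIEM node and htpasswd account; replace with your own values.
    url = rawupload_url("fsm.example.local", "BlueCat", "DHCP", "192.168.1.17", "dhcp-01")
    req = build_request(url, "myusername", "mypassword", SAMPLE_EVENT)
    print(req.full_url, req.get_header("Authorization"))
    with urllib.request.urlopen(req, timeout=10) as resp:  # HTTP 200 expected on success
        print(resp.status)
```

Running the script performs the POST; the functions can also be imported to check the header and URL without sending anything.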