FortiSIEM Parser for Wallix Admin Bastion
Hi All,
Does anyone have a parser for Wallix Admin Bastion logs?
Best Regards
Labels: FortiSIEM
Hi Waloo5,
Sorry, this might just be my fault, but I'm afraid I don't understand your request. Can you explain what you're looking for in more detail please?
Kind regards,
Created on 07-01-2024 12:55 AM, edited on 07-01-2024 12:56 AM
Hi @Stephen_G
I need to get the logs from my Wallix Bastion. I configured it to send logs to my FortiSIEM, but all logs show up as "Unknown event type". If someone has a parser for it, I would be grateful.
Some examples of logs:
```
Log 1: <14>1 2024-06-26T22:37:26+01:00 SRV-Wallix-Bastion rdpproxy 18992 - - [RDP Session] session_id="190566c73953a5be0050568a45c1" client_ip="192.168.100.1" target_ip="192.168.1.210" user="XXXX" device="DC-XXXXX" service="RDP" account="XXXX" type="KBD_INPUT" data="hraccess1"

Log 2: <14>1 2024-06-26T22:37:30+01:00 SRV-Wallix-Bastion rdpproxy 20258 - - [RDP Session] session_id="190564df441871e70050568a45c1" client_ip="192.168.1.240" target_ip="10.10.33.13" user="XXXX" device="PCYYYY" service="RDP" account="JXXX" type="COMPLETED_PROCESS" command_line="\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\126.0.2592.61\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --field-trialhandle=25476,i,3536162623415184737,13780532054667721275,262144 --variations-seed-version --mojo-platform-channel-handle=29472 /prefetch:14"
```
Attached is the configuration of my Wallix Bastion (I use RFC 5424):
Best Regards
Hi Waloo5,
Understood - thanks for clarifying! I'm afraid I don't know if this is possible. But if someone here could reply to contradict me, that would be great.
Sorry I can't help further.
Kind regards,
Hi @Stephen_G
For devices that are not supported out of the box by FortiSIEM, custom parsers are required to interpret the events received. The following link provides some more information:
https://help.fortinet.com/fsiem/7-2-1/Online-Help/HTML5_Help/Configuring_parsers.htm
There is also a course on the training institute:
https://training.fortinet.com/local/staticpage/view.php?page=library_fortisiem-parser
Alternatively, Fortinet professional services do offer parser creation as a service.
I hope that helps.
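What a custom parser for these events has to do, shown as an added Python example (this is not FortiSIEM's XML parser format and not code from the thread): split the RFC 5424 header from the message, read the `[RDP Session]` key="value" pairs (including the escaped quotes and backslashes inside `command_line`), and derive a stable event type so the events no longer land as "Unknown event type". The sample events are transcribed from the thread; the `event_type` naming and the assumption that structured data is always the nil `-` are mine.

```python
import re

# Constructed sample events, transcribed from the two RFC 5424 lines quoted in the thread.
# The command_line in the second event is shortened; hosts/users are the thread's own placeholders.
SAMPLE_EVENTS = [
    r'<14>1 2024-06-26T22:37:26+01:00 SRV-Wallix-Bastion rdpproxy 18992 - - '
    r'[RDP Session] session_id="190566c73953a5be0050568a45c1" client_ip="192.168.100.1" '
    r'target_ip="192.168.1.210" user="XXXX" device="DC-XXXXX" service="RDP" '
    r'account="XXXX" type="KBD_INPUT" data="hraccess1"',
    r'<14>1 2024-06-26T22:37:30+01:00 SRV-Wallix-Bastion rdpproxy 20258 - - '
    r'[RDP Session] session_id="190564df441871e70050568a45c1" client_ip="192.168.1.240" '
    r'target_ip="10.10.33.13" user="XXXX" device="PCYYYY" service="RDP" account="JXXX" '
    r'type="COMPLETED_PROCESS" command_line="\"C:\\Program Files (x86)\\Microsoft\\Edge'
    r'\\Application\\126.0.2592.61\\identity_helper.exe\" --type=utility"',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.
# Assumption: the Bastion sends the nil value "-" for structured data, as in both samples.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$', re.DOTALL)
# Message body: [Category] followed by key="value" pairs; a value may contain \" and \\ escapes.
CATEGORY_RE = re.compile(r'^\[(?P<category>[^\]]+)\]\s*(?P<rest>.*)$', re.DOTALL)
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_wallix_event(line):
    """Return header fields plus the key="value" pairs as a dict, or None if the line does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group('pri'))
    event = {
        'facility': pri // 8, 'severity': pri % 8,
        'timestamp': m.group('timestamp'), 'host': m.group('host'),
        'app': m.group('app'), 'procid': m.group('procid'),
    }
    c = CATEGORY_RE.match(m.group('msg'))
    if not c:
        return None
    event['category'] = c.group('category')
    for key, raw in KV_RE.findall(c.group('rest')):
        # Undo the \" and \\ escaping used inside quoted values (see command_line in the sample).
        event[key] = re.sub(r'\\(.)', r'\1', raw)
    # Assumed naming convention: one event type per category/type pair, so rules can key on it.
    event['event_type'] = 'Wallix-{}-{}'.format(
        event['category'].replace(' ', '_'), event.get('type', 'UNKNOWN'))
    return event


def parse_all(lines):
    """Parse every line that matches; lines a real parser would leave as unknown are dropped."""
    return [e for e in (parse_wallix_event(l) for l in lines) if e is not None]
```

Note that the `KBD_INPUT` event carries the typed keystrokes in `data`, so whatever parser you build ends up storing session recording content in the SIEM; decide up front whether that field should be kept, masked or dropped.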
Can you export a broader sample of events in CSV format from FortiSIEM and send them to me directly? I will have a look.
Do you know if there is a logging guide?