Hi All
Does anyone have a parser for Wallix Admin Bastion logs?
Best Regards
Hi Waloo5,
Sorry, this might just be my fault, but I'm afraid I don't understand your request. Can you explain what you're looking for in more detail please?
Kind regards,
Created on 07-01-2024 12:55 AM Edited on 07-01-2024 12:56 AM
Hi @Stephen_G
I need to have logs from my Wallix Bastion and I configured it to send logs to my FortiSIEM, but all logs are shown as "Unknown event type". If someone has the parser for it, I will be grateful.
Some examples of logs:
Log 1: <14>1 2024-06-26T22:37:26+01:00 SRV-Wallix-Bastion rdpproxy 18992 - - [RDP Session] session_id="190566c73953a5be0050568a45c1" client_ip="192.168.100.1" target_ip="192.168.1.210" user="XXXX" device="DC-XXXXX" service="RDP" account="XXXX" type="KBD_INPUT" data="hraccess1"
Log 2: <14>1 2024-06-26T22:37:30+01:00 SRV-Wallix-Bastion rdpproxy 20258 - - [RDP Session] session_id="190564df441871e70050568a45c1" client_ip="192.168.1.240" target_ip="10.10.33.13" user="XXXX" device="PCYYYY" service="RDP" account="JXXX" type="COMPLETED_PROCESS" command_line="\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\126.0.2592.61\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --field-trialhandle=25476,i,3536162623415184737,13780532054667721275,262144 --variations-seed-version --mojo-platform-channel-handle=29472 /prefetch:14"
Attached is the configuration of my Wallix Bastion (I use RFC 5424):
Best Regards
Hi Waloo5,
Understood - thanks for clarifying! I'm afraid I don't know if this is possible. But if someone here could reply to contradict me, that would be great.
Sorry I can't help further.
Kind regards,
Hi @Stephen_G
For devices that are not supported out of the box by FortiSIEM, custom parsers are required to interpret the events received. The following link provides some more information:
https://help.fortinet.com/fsiem/7-2-1/Online-Help/HTML5_Help/Configuring_parsers.htm
There is also a course on the training institute:
https://training.fortinet.com/local/staticpage/view.php?page=library_fortisiem-parser
Alternatively, Fortinet professional services do offer parser creation as a service.
I hope that helps.
Can you export a broader sample of events in CSV format from FortiSIEM and send it to me directly? I will have a look.
Do you know if there is a logging guide?