FortiSIEM Discussions
Waloo5
New Contributor III

FortiSIEM Parser for Wallix Admin Bastion

Hi All

Does anyone have a parser for Wallix Admin Bastion logs?

Best Regards

Amir
6 REPLIES
Stephen_G
Moderator

Hi Waloo5,

 

Sorry, this might just be my fault, but I'm afraid I don't understand your request. Can you explain what you're looking for in more detail please?

 

Kind regards,

Stephen - Fortinet Community Team
Waloo5
New Contributor III

Hi @Stephen_G 

I need to have logs from my Wallix Bastion, and I configured it to send logs to my FortiSIEM, but all logs show up as "Unknown event type". If someone has the parser for it, I will be grateful.

 

Some examples of logs:

Log 1:
<14>1 2024-06-26T22:37:26+01:00 SRV-Wallix-Bastion rdpproxy 18992 - - [RDP Session] session_id="190566c73953a5be0050568a45c1" client_ip="192.168.100.1" target_ip="192.168.1.210" user="XXXX" device="DC-XXXXX" service="RDP" account="XXXX" type="KBD_INPUT" data="hraccess1"

Log 2:
<14>1 2024-06-26T22:37:30+01:00 SRV-Wallix-Bastion rdpproxy 20258 - - [RDP Session] session_id="190564df441871e70050568a45c1" client_ip="192.168.1.240" target_ip="10.10.33.13" user="XXXX" device="PCYYYY" service="RDP" account="JXXX" type="COMPLETED_PROCESS" command_line="\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\126.0.2592.61\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --field-trialhandle=25476,i,3536162623415184737,13780532054667721275,262144 --variations-seed-version --mojo-platform-channel-handle=29472 /prefetch:14"

 

Attached is the configuration of my Wallix Bastion (I use RFC 5424): RFC SIEM WALLIX (002).png

 

Best Regards

 

Amir
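The two sample lines above are RFC 5424 syslog with a `[RDP Session]` body of `key="value"` pairs, where embedded quotes and backslashes are escaped with a backslash (visible in the `command_line` value of Log 2). The following is an added example, not code from the thread and not a FortiSIEM parser: it shows in Python the field extraction a custom parser for these events has to perform, so the field mapping can be validated on real samples before it is rebuilt in FortiSIEM's own parser format. The sample lines are copied from the post (the poster already masked user and device names), and the event-type naming scheme (`Wallix-Bastion-<service>-<type>`) is an assumption chosen for this example.

```python
"""Parse Wallix Bastion RDP-session syslog: RFC 5424 header + key="value" body."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the two lines from the thread, joined onto single lines.
SAMPLE_LOGS = [
    '<14>1 2024-06-26T22:37:26+01:00 SRV-Wallix-Bastion rdpproxy 18992 - - '
    '[RDP Session] session_id="190566c73953a5be0050568a45c1" client_ip="192.168.100.1" '
    'target_ip="192.168.1.210" user="XXXX" device="DC-XXXXX" service="RDP" '
    'account="XXXX" type="KBD_INPUT" data="hraccess1"',
    r'<14>1 2024-06-26T22:37:30+01:00 SRV-Wallix-Bastion rdpproxy 20258 - - '
    r'[RDP Session] session_id="190564df441871e70050568a45c1" client_ip="192.168.1.240" '
    r'target_ip="10.10.33.13" user="XXXX" device="PCYYYY" service="RDP" account="JXXX" '
    r'type="COMPLETED_PROCESS" command_line="\"C:\\Program Files (x86)\\Microsoft\\Edge'
    r'\\Application\\126.0.2592.61\\identity_helper.exe\" --type=utility '
    r'--utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr '
    r'--service-sandbox-type=none --field-trialhandle=25476,i,3536162623415184737,'
    r'13780532054667721275,262144 --variations-seed-version '
    r'--mojo-platform-channel-handle=29472 /prefetch:14"',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$'
)
# Wallix body: "[<category>] key="value" key="value" ..."
BODY_RE = re.compile(r'^\[(?P<category>[^\]]+)\]\s*(?P<kv>.*)$')
# A value may contain \" and \\ escapes, so a bare quote ends it but an escaped one does not.
KV_RE = re.compile(r'(?P<key>\w+)="(?P<val>(?:[^"\\]|\\.)*)"')


@dataclass
class WallixEvent:
    facility: int
    severity: int
    timestamp: str
    reporting_device: str
    app: str
    category: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def event_type(self) -> str:
        # Assumed naming convention for this example, not Fortinet's or Wallix's.
        service = self.fields.get("service", "UNKNOWN")
        kind = self.fields.get("type", "UNKNOWN")
        return f"Wallix-Bastion-{service}-{kind}"


def unescape(value: str) -> str:
    """Undo the backslash escaping Wallix applies inside quoted values."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_wallix_event(line: str) -> WallixEvent:
    """Parse one syslog line into header fields plus the key/value attributes."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an RFC 5424 line: {line[:60]!r}")
    body = BODY_RE.match(m["msg"])
    if not body:
        raise ValueError("message body is not in Wallix [category] key=\"value\" form")
    pri = int(m["pri"])
    attrs = {kv["key"]: unescape(kv["val"]) for kv in KV_RE.finditer(body["kv"])}
    return WallixEvent(
        facility=pri // 8,          # PRI = facility * 8 + severity
        severity=pri % 8,
        timestamp=m["timestamp"],
        reporting_device=m["hostname"],
        app=m["appname"],
        category=body["category"],
        fields=attrs,
    )


def parse_all(lines: List[str]) -> List[WallixEvent]:
    return [parse_wallix_event(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LOGS):
        detail = ev.fields.get("command_line", ev.fields.get("data", ""))
        print(ev.event_type, ev.fields["client_ip"], "->", ev.fields["target_ip"], detail)
```

Running the block prints one line per event with the derived event type and the unescaped `command_line` or `data` value, which is the check worth doing before trusting a parser: if the escaped quotes in Log 2 are not handled, the `command_line` attribute is truncated at the first `\"` and the trailing attributes are lost.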
Stephen_G

Hi Waloo5,

 

Understood - thanks for clarifying! I'm afraid I don't know if this is possible. But if someone here could reply to contradict me, that would be great.

Sorry I can't help further.

 

Kind regards,

Stephen - Fortinet Community Team
Richie_C

Hi @Stephen_G 

 

For devices that are not supported out of the box by FortiSIEM, custom parsers are required to interpret the events received. The following link provides some more information:

 

https://help.fortinet.com/fsiem/7-2-1/Online-Help/HTML5_Help/Configuring_parsers.htm

 

There is also a course on the training institute:

 

https://training.fortinet.com/local/staticpage/view.php?page=library_fortisiem-parser

 

Alternatively, Fortinet professional services do offer parser creation as a service. 

 

I hope that helps. 

 

Take a backup before making any changes
FSM_FTNT

Can you export a broader sample of events in CSV format from FortiSIEM and send it to me directly? I will have a look.

 

Do you know if there is a logging guide?

Waloo5
New Contributor III

Hi @FSM_FTNT 

Logs sent to your mailbox.

Thank you for your help.

Amir