Help
FortiSIEM Discussions
Waloo5
New Contributor III

Created on ā€Ž06-26-2024 10:02 AM

FortiSIEM Parser for Wallix Admin Bastion

Hi All

Can any one have parser for Wallix Admin Bastion logs 

Best Regards

Amir
Amir
Labels:
794
0 Kudos
6 REPLIES 6
Stephen_G
Moderator
Moderator

Created on ā€Ž06-30-2024 05:46 AM

Hi Waloo5,

 

Sorry, this might just be my fault, but I'm afraid I don't understand your request. Can you explain what you're looking for in more detail please?

 

Kind regards,

Stephen - Fortinet Community Team
737
Waloo5
New Contributor III
In response to Stephen_G

Created on ā€Ž07-01-2024 12:55 AM Edited on ā€Ž07-01-2024 12:56 AM

Hi @Stephen_G 

I need to have logs from my Wallix Bastion and I configured it to send logs to my FortiSIEM but all logs are as "Unknown event type", If some one have the parser for it I will be gratuful

 

Some exemples of logs:

Log 1:   <14>1 2024-06-26T22:37:26+01:00 SRV-Wallix-Bastion rdpproxy 18992 - -
[RDP Session] session_id="190566c73953a5be0050568a45c1"
client_ip="192.168.100.1" target_ip="192.168.1.210" user="XXXX"
device="DC-XXXXX" service="RDP" account="XXXX" type="KBD_INPUT"
data="hraccess1"

Log 2:  <14>1 2024-06-26T22:37:30+01:00 SRV-Wallix-Bastion rdpproxy 20258 - -
[RDP Session] session_id="190564df441871e70050568a45c1"
client_ip="192.168.1.240" target_ip="10.10.33.13"
user="XXXX" device="PCYYYY" service="RDP"
account="JXXX" type="COMPLETED_PROCESS"
command_line="\"C:\\Program Files
(x86)\\Microsoft\\Edge\\Application\\126.0.2592.61\\identity_helper.exe\" --
type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --
lang=fr --service-sandbox-type=none --field-trialhandle=
25476,i,3536162623415184737,13780532054667721275,262144 --
variations-seed-version --mojo-platform-channel-handle=29472 /prefetch:14"

 

In attach the configuration of my Wallix Bastion ( I use rfc 5424):RFC SIEM WALLIX (002).png

 

Best Regards

 

Amir
Amir
720
0 Kudos
Stephen_G
Moderator
Moderator
In response to Waloo5

Created on ā€Ž07-01-2024 04:30 AM

Hi Waloo5,

 

Understood - thanks for clarifying! I'm afraid I don't know if this is possible. But if someone here could reply to contradict me, that would be great.

Sorry I can't help further.

 

Kind regards,

Stephen - Fortinet Community Team
706
Richie_C
Staff
Staff
In response to Stephen_G

Created on ā€Ž07-17-2024 03:59 AM

Hi @Stephen_G 

 

For devices that are not supported out of the box by FortiSIEM, custom parsers are required to interpret the events received. The following link provides some more information:

 

https://help.fortinet.com/fsiem/7-2-1/Online-Help/HTML5_Help/Configuring_parsers.htm

 

There is also a course on the training institute:

 

https://training.fortinet.com/local/staticpage/view.php?page=library_fortisiem-parser

 

Alternatively, Fortinet professional services do offer parser creation as a service. 

 

I hope that helps. 

 

Take a backup before making any changes
615
FSM_FTNT
Staff
Staff
In response to Waloo5

Created on ā€Ž07-17-2024 02:42 PM

Can you export a broader sample of event in CSV format from FortiSIEM and send to me direct? I will have a look.

 

Do you know if there is a logging guide?

583
Waloo5
New Contributor III
In response to FSM_FTNT

Created on ā€Ž07-18-2024 07:26 AM

Hi @FSM_FTNT 

logs sent in your mail box

Thank you for help

Amir
Amir
540
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.