FortiSIEM Discussions
ESDManiac
New Contributor

FortiSIEM log aggregation feature

Hi guys,

Do you see the corresponding DNS name for each IP and vice versa?
I was wondering how you deal with this. My understanding is that a SIEM is able to aggregate logs and their information from different data sources. We have a collector on our domain controllers (DNS) and our FortiGates also send logs to the SIEM stack.
But still, I do not see the data aggregated as mentioned before, IP to DNS or the DHCP lease time of an IP.
Basically any SIEM solution can do this, but with FortiSIEM I cannot see it working.

Thanks for your help :)

Secusaurus
Contributor II

Hi ESDManiac,


I did not need this, as we usually use the Quick Lookup feature, which shows all the details from the CMDB. In the Analyze panel, you will use the CMDB objects instead of IPs/DNS anyway.

Perhaps our "no need for DNS" is also based on the multi-tenant setup: there is much less information in the quirky DNS names of each customer. The details manually put into the CMDB matter more to us.


Perhaps this post might help you: https://community.fortinet.com/t5/FortiSIEM-Discussions/Reverse-DNS-Queries-for-CMDB/m-p/231459

Important point there: a DNS lookup for each log needs resources as well and is therefore an issue in high-EPS environments.


The DHCP lease time is something that should be found in the logs of the DHCP app. I don't have a case where we monitor that at the moment. A short search spat out event ID 50058 (see here).


Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FSM_FTNT
Staff

Just to echo what @Secusaurus wrote, FortiSIEM can perform DNS lookups at parsing time.


To use a simple example:


Send this FortiGate event into a Collector:

<188>Oct 25 09:13:25 time=17:34:59 devname="FortiGate-OT-OTCSE" devid="FGVM8VTM20000517" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1600162499737149263 tz="+0800" srcip=8.8.8.8 srcport=51043 srcintf="port10" srcintfrole="undefined" dstip=8.8.8.8 dstport=53 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=609167 proto=17 action="dns" policyid=2 policytype="policy" poluuid="5ff0eb08-b69b-51ea-5450-67a6aeec750d" policyname="MGT Out" service="DNS" appcat="unscanned" crscore=5 craction=262144 crlevel="low"

The Destination Host Name will default to HOST-8.8.8.8.


Then log in to the Collector and edit this file:

vi /opt/phoenix/config/phoenix_config.txt

change

use_dns_lookup=no

to

use_dns_lookup=yes

and save the file with ESC :wq

Restart the processes:

phtools --restart all

Send the event back in:

<188>Oct 25 09:13:25 time=17:34:59 devname="FortiGate-OT-OTCSE" devid="FGVM8VTM20000517" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1600162499737149263 tz="+0800" srcip=8.8.8.8 srcport=51043 srcintf="port10" srcintfrole="undefined" dstip=8.8.8.8 dstport=53 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=609167 proto=17 action="dns" policyid=2 policytype="policy" poluuid="5ff0eb08-b69b-51ea-5450-67a6aeec750d" policyname="MGT Out" service="DNS" appcat="unscanned" crscore=5 craction=262144 crlevel="low"

The Destination Host Name should now be dns.google.com.


Hope this helps. Just be cautious, as it can have an impact on parsing performance.
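As an added illustration of what the use_dns_lookup switch changes (example code, not part of the thread or of FortiSIEM itself), this Python snippet parses the FortiGate key=value event above and fills the host-name attributes either with the HOST-<ip> default or with a cached reverse lookup. The attribute names, the shortened sample event and the offline lookup table are constructed assumptions; the real resolver on a collector would be a network reverse-DNS query.

```python
import shlex
import socket

# Constructed sample: the FortiGate traffic log quoted in the thread, shortened to the
# fields used here. The syslog header and the remaining key=value pairs are dropped.
SAMPLE_LOG = ('time=17:34:59 devname="FortiGate-OT-OTCSE" type="traffic" subtype="forward" '
              'srcip=8.8.8.8 srcport=51043 dstip=8.8.8.8 dstport=53 proto=17 action="dns" '
              'policyname="MGT Out" service="DNS"')

def parse_fortigate_kv(line):
    """Split a FortiGate key=value log into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:  # tokens without '=' (e.g. a syslog header) are ignored
            fields[key] = value
    return fields

def enrich_host_names(fields, use_dns_lookup=False, resolver=None, cache=None):
    """With use_dns_lookup off, host names fall back to HOST-<ip> (the default seen in
    the thread); with it on, a reverse lookup is tried and cached per IP, so each
    distinct address costs one query. Attribute names here are assumed, not FortiSIEM's."""
    cache = {} if cache is None else cache
    lookup = resolver or (lambda ip: socket.gethostbyaddr(ip)[0])
    out = dict(fields)
    for ip_key, name_key in (("srcip", "Source Host Name"), ("dstip", "Destination Host Name")):
        ip = fields.get(ip_key)
        if not ip:
            continue
        name = f"HOST-{ip}"
        if use_dns_lookup:
            if ip not in cache:
                try:
                    cache[ip] = lookup(ip)
                except OSError:  # socket.herror: no PTR record, keep the default name
                    cache[ip] = None
            name = cache[ip] or name
        out[name_key] = name
    return out

if __name__ == "__main__":
    # Constructed reverse-lookup table so the demo runs offline; swap in a real resolver
    # (socket.gethostbyaddr) to see the lookup cost the thread warns about.
    table = {"8.8.8.8": "dns.google.com"}
    parsed = parse_fortigate_kv(SAMPLE_LOG)
    print(enrich_host_names(parsed)["Destination Host Name"])                  # HOST-8.8.8.8
    print(enrich_host_names(parsed, True, table.get)["Destination Host Name"])  # dns.google.com
```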
