FortiSIEM Discussions
adem_netsys
Contributor

SIEM&XSOAR Integration

We want to do FortiSIEM integration with Xsoar, but we can only get the incidents, the events in it do not come. We were asked to pull debug mode for this. Is there such a mode on FortiSIEM?

Secusaurus
Contributor II

Hi @adem_netsys,

 

Sounds like you tried to configure an Automation Policy or a given webhook integration from Xsoar? This one only fetches the incidents' XML including the 10 most recent events, not all of them.

 

If you like to get all the events, the easiest method is forwarding (Settings -> Event Handling -> Forwarding), usually using syslog.

 

Do I understand it correctly that you get none at all? Or some of them?

Anyway, you should get an XML. So perhaps a packet capture in between could already show whether it is missing in the XML already or whether Xsoar is unable to parse it.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
adem_netsys

Hi @Secusaurus 

It was reported that incidents came but events did not come. XSOAR team wants us to send logs with debug mode. I heard this mode for the first time, do you have any idea?

 

Secusaurus

There are some specific debug modes, depending on which logs to look at.

 

The main (phoenix) would go this way:

# Configure debug mode (in this case we edit from the shell, but you could edit the XML yourself).
# Keep a backup first so the original level can be restored afterwards:
cp /opt/phoenix/config/log4j2.xml /opt/phoenix/config/log4j2.xml.bak

# Switch the com.ph.phoenix logger from "info" to "debug" (sed is a no-op if the line does not match exactly):
sed -i 's/<Logger name="com.ph.phoenix" level="info" additivity="false">/<Logger name="com.ph.phoenix" level="debug" additivity="false">/' /opt/phoenix/config/log4j2.xml

# Confirm the change actually took effect before reproducing the problem:
grep -n 'com.ph.phoenix' /opt/phoenix/config/log4j2.xml

# View live logs:
tail -f /opt/glassfish/domains/domain1/logs/phoenix.log
# Probably, filtering would make sense; use
tail -f /opt/glassfish/domains/domain1/logs/phoenix.log | egrep -i 'YOURFILTER'

# Or export just all the logs at the end to /tmp/debuglogs/aologs.tar:
phziplogs /tmp/debuglogs 1

# And make sure to disable it after troubleshooting by restoring the backup:
mv -f /opt/phoenix/config/log4j2.xml.bak /opt/phoenix/config/log4j2.xml

 

(kudos to Matthieu here, as he was the one showing me these commands)

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
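The manual cp/sed/mv sequence in the reply above has one practical weak spot: sed silently does nothing if the Logger line does not look exactly as expected, so you may reproduce the problem with debug never enabled. The script below is an added example (not from the thread, and not Fortinet's own tooling) that wraps the same steps in functions which back up the file, change the level, and verify the change before you continue. It runs against a constructed minimal log4j2.xml so it can be exercised offline; the /opt/phoenix/config/log4j2.xml path and the com.ph.phoenix logger name are taken from the reply and assumed to be what your appliance uses.

```shell
#!/bin/sh
# Added example: safely toggle a log4j2 Logger level and verify the result.
# Paths and the logger name below are assumptions taken from the thread.
set -eu

# Write a constructed minimal log4j2.xml (not a real FortiSIEM file) so the
# functions can be exercised without touching an appliance.
make_sample_config() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Loggers>
    <Logger name="com.ph.phoenix" level="info" additivity="false">
      <AppenderRef ref="phoenix"/>
    </Logger>
    <Root level="info"/>
  </Loggers>
</Configuration>
EOF
}

# Print the current level of the named logger; prints nothing if it is absent.
# $1 = config file, $2 = logger name
logger_level() {
    sed -n "s/.*<Logger name=\"$2\" level=\"\([A-Za-z]*\)\".*/\1/p" "$1"
}

# Set the logger level, keeping a .bak copy of the previous file.
# Fails (non-zero exit) if the level did not actually change, which is the
# check the plain sed one-liner lacks.
# $1 = config file, $2 = logger name, $3 = new level
set_logger_level() {
    cp "$1" "$1.bak"
    sed "s/\(<Logger name=\"$2\" level=\"\)[A-Za-z]*\(\"\)/\1$3\2/" "$1" > "$1.tmp"
    mv -f "$1.tmp" "$1"
    [ "$(logger_level "$1" "$2")" = "$3" ]
}

# Put the backup back once troubleshooting is finished.
# $1 = config file
restore_config() {
    mv -f "$1.bak" "$1"
}

# Usage on a real appliance (run as root; paths as quoted in the thread):
#   set_logger_level /opt/phoenix/config/log4j2.xml com.ph.phoenix debug
#   ... reproduce the XSOAR fetch, collect phoenix.log / phziplogs, then:
#   restore_config /opt/phoenix/config/log4j2.xml

# Offline self-test against the constructed sample: sh thisscript.sh --selftest
if [ "${1:-}" = "--selftest" ]; then
    tmp=$(mktemp -d)
    cfg="$tmp/log4j2.xml"
    make_sample_config "$cfg"
    echo "before: $(logger_level "$cfg" com.ph.phoenix)"
    set_logger_level "$cfg" com.ph.phoenix debug
    echo "after:  $(logger_level "$cfg" com.ph.phoenix)"
    restore_config "$cfg"
    echo "restored: $(logger_level "$cfg" com.ph.phoenix)"
    rm -rf "$tmp"
fi
```

Because set_logger_level exits non-zero when the level is unchanged, a `set -e` script or a `&&` chain stops right there instead of proceeding to a log capture that would contain no debug output. Restoring from the backup rather than running sed in reverse also returns any other edits you may have made during troubleshooting.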
adem_netsys

First of all, thank you for your interest. If this method does not work, I will do log forwarding as you said.

adem_netsys

@Secusaurus 

I think I expressed it wrong here, I want to correct that the events that create an incident do not appear.
