We want to do FortiSIEM integration with Xsoar, but we can only get the incidents, the events in it do not come. We were asked to pull debug mode for this. Is there such a mode on FortiSIEM?
Hi @adem_netsys,
Sounds like you tried to configure an Automation Policy oder a given webhook integration from Xsoar? This one only fetches the incidents' XML including the 10 most recent events, not all of them.
If you like to get all the events, the easiest method is forwarding (Settings -> Event Handling -> Forwarding), usually using syslog.
Do I understand it correct that you get just none? Or some of them?
Anyways, you should get an XML. So perhaps a packet capture in between could already show if its missing in the XML already or the Xsoar is unable to parse.
Best,
Christian
Hi @Secusaurus
It was reported that incidents came but events did not come. XSOAR team wants us to send logs with debug mode. I heard this mode for the first time, do you have any idea?
There are some specific debug modes, depending on which logs to look at.
The main (phoenix) would go this way:
# Configure debug mode (in that case, we edit per shell, but you could edit this in the xml by yourself):
cp /opt/phoenix/config/log4j2.xml /opt/phoenix/config/log4j2.xml.bak
sed -i 's/<Logger name=\"com.ph.phoenix\" level=\"info\" additivity=\"false\">/<Logger name=\"com.ph.phoenix\" level=\"debug\" additivity=\"false\">/' /opt/phoenix/config/log4j2.xml
# view live logs:
tail -f /opt/glassfish/domains/domain1/logs/phoenix.log
# Probably, filtering would make sense, use
tail -f /opt/glassfish/domains/domain1/logs/phoenix.log | egrep -i 'YOURFILTER'
# Or export just all the logs at the end to /tmp/debuglogs/aologs.tar:
phziplogs /tmp/debuglogs 1
# And make sure to disable it after troubleshooting:
mv -f /opt/phoenix/config/log4j2.xml.bak /opt/phoenix/config/log4j2.xml
(kudos to Matthieu here, as he was the one showing me these commands)
Best,
Christian
First of all, thank you for your interest. If this method does not work, I will do log forwarding as you said.
I think I expressed it wrong here, I want to correct that the events that create an incident do not appear.
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.