We want to do FortiSIEM integration with Xsoar, but we can only get the incidents, the events in it do not come. We were asked to pull debug mode for this. Is there such a mode on FortiSIEM?
Hi @adem_netsys,
Sounds like you tried to configure an Automation Policy or a given webhook integration from Xsoar? This one only fetches the incidents' XML including the 10 most recent events, not all of them.
If you like to get all the events, the easiest method is forwarding (Settings -> Event Handling -> Forwarding), usually using syslog.
Do I understand it correctly that you get just none? Or some of them?
Anyways, you should get an XML. So perhaps a packet capture in between could already show if it's missing in the XML already or the Xsoar is unable to parse.
Best,
Christian
Hi @Secusaurus
It was reported that incidents came but events did not come. XSOAR team wants us to send logs with debug mode. I heard this mode for the first time, do you have any idea?
There are some specific debug modes, depending on which logs to look at.
The main (phoenix) would go this way:
# Configure debug mode (in that case, we edit per shell, but you could edit this in the xml by yourself):
cp /opt/phoenix/config/log4j2.xml /opt/phoenix/config/log4j2.xml.bak
sed -i 's/<Logger name=\"com.ph.phoenix\" level=\"info\" additivity=\"false\">/<Logger name=\"com.ph.phoenix\" level=\"debug\" additivity=\"false\">/' /opt/phoenix/config/log4j2.xml
# view live logs:
tail -f /opt/glassfish/domains/domain1/logs/phoenix.log
# Probably, filtering would make sense, use
tail -f /opt/glassfish/domains/domain1/logs/phoenix.log | egrep -i 'YOURFILTER'
# Or export just all the logs at the end to /tmp/debuglogs/aologs.tar:
phziplogs /tmp/debuglogs 1
# And make sure to disable it after troubleshooting:
mv -f /opt/phoenix/config/log4j2.xml.bak /opt/phoenix/config/log4j2.xml
(kudos to Matthieu here, as he was the one showing me these commands)
Best,
Christian
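The toggle from the reply above as a guarded script (an added example, not part of the original posts and not Fortinet's code): it checks that the `com.ph.phoenix` Logger line is actually present, refuses to overwrite an existing backup, and verifies that the level changed, since `sed -i` exits 0 even when nothing matched. The function names and the `CONF` override are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: guarded version of the log4j2.xml debug toggle.
# CONF override and function names are assumptions for illustration.
CONF="${CONF:-/opt/phoenix/config/log4j2.xml}"
LOGGER='com.ph.phoenix'

# Print the logger's current level; prints nothing if the Logger line is absent.
current_level() {
    sed -n "s/.*<Logger name=\"$LOGGER\" level=\"\([A-Za-z]*\)\".*/\1/p" "$CONF" | head -n 1
}

enable_debug() {
    local level
    level="$(current_level)"
    [ -n "$level" ] || { echo "Logger $LOGGER not found in $CONF" >&2; return 1; }
    [ "$level" = "debug" ] && { echo "already at debug" >&2; return 0; }
    # Never overwrite an existing backup: it may be the only pre-debug copy.
    [ -e "$CONF.bak" ] && { echo "$CONF.bak exists; restore it first" >&2; return 1; }
    cp -p "$CONF" "$CONF.bak" || return 1
    sed -i "s/\(<Logger name=\"$LOGGER\" level=\"\)$level\"/\1debug\"/" "$CONF"
    # sed exits 0 even when nothing matched, so confirm the change landed.
    [ "$(current_level)" = "debug" ] || { mv -f "$CONF.bak" "$CONF"; return 1; }
}

# Put the saved configuration back, as the last command in the post does.
disable_debug() {
    [ -e "$CONF.bak" ] || { echo "no backup at $CONF.bak" >&2; return 1; }
    mv -f "$CONF.bak" "$CONF"
}
```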
First of all, thank you for your interest. If this method does not work, I will do log forwarding as you said.
I think I expressed it wrong here, I want to correct that the events that create an incident do not appear.
Yes, FortiSIEM does have a debug mode. You can enable it to get more detailed logs and potentially resolve the issue with Forbidden leggings event integration. Check the documentation or contact support for specific instructions on how to activate it.