Support Forum
ciccio81

EventHandler for Syslog device

Hello everyone,

we are using a FortiAnalyzer VM 5.2.4 to test integration with our own network monitoring system.

 

Our system generates syslog messages that are typically forwarded to SIM/SIEMs, and we can do that in various formats (CEF, LEEF), even custom ones.

 

Now, we would like to create EventHandlers for our events (about 50+) and we are wondering how to achieve that by parsing the "msg" field with a Generic Text Filter (as our system is seen as a generic Syslog device and lacks all of the fields available for other Fortinet devices)...

 

We can't find good examples to achieve this...

 

thanks!

scao_FTNT
Staff

Please try the example below and see if it works for you.

Example log:

date=2015-09-24 time=19:32:10 itime=1443123130 device_id=SYSLOG-0A027D1F level=information type=generic msg="device_id=SYSLOG-C0A8015C type=generic pri=information msg='Nov 19 16:14:43 itest named[1813]: error (unexpected RCODE REFUSED) resolving '109.198.115.75.in-addr.arpa/PTR/IN': 71.44.33.20#53'"

Event handler generic text filter:

msg ~ "unexpected RCODE REFUSED"

 

Thanks

Simon

sridharsre

Hi Simon,

 

Thanks for the reply.

 

Do we need to change the filter for this? Like "Log Field", "Match Criteria", "Value"?

 

I just tried to configure alert for "Deleted Device" with the following filters:

 

Devices selected: Local FortiManager

 

Log Type: Event Log

Event Category: Any

Group by: Device ID

 

Log Field: Level

Match Criteria: Equal To

Value: Critical

 

Generic Text Filter: msg ~ "Deleted device" (since I see the alert messages as "Deleted device <device>")

 

But still not working :(

 

Kindly help me on this.

 

Thanks in advance !!!

 

 

Warmest Regards, Sri Sre
scao_FTNT

Value: Critical

   -- so the needed log level is critical?

 

thanks

 

Simon

sridharsre

Nope, not required.

 

For testing I put it like that.

Warmest Regards, Sri Sre
sridharsre

Just trying to make this event alert work; if I know how to catch this event and alert on it for a single event, I will customize it for the rest of the logs.

Warmest Regards, Sri Sre
scao_FTNT

For your config, the event alert will try to find any log with

log level = critical and a message containing "Deleted device"

So if the log level of the needed log is not critical, please change it to >= debug, so that all logs will be checked for that message.

 

thanks

 

Simon

sridharsre

Hi Simon,

 

How do I configure an alert if there is a change in policy package or config status in FortiManager, like from Installed to Out of Sync / Conflict....

 

Please help me !!!

Thanks in advance !!!

Regards,

Sridhar S

 

Warmest Regards, Sri Sre
Vikram512

Hi Simon,

 

Have you worked out how to configure the generic text filter? I am using this for filtering the alerts.

 

status=DOWN itime=2016-09-25 23:19:10 vd=root level=information dtime=2016-09-26 01:19:06 devid=FGT92D3G16001060 logid=0100020099 subtype=system devname=1018_richland itime_t=1474870750 logdesc=Interface status changed time=01:19:06 date=2016-09-26 type=event action=interface-stat-change msg=Link%20monitor%3A%20Interface%20wan1%20was%20turned%20down

 

I have configured it in many ways but nothing is working. Please advise. I want interfaces wan1 and wan2 only.

sgao_FTNT

Hi Vikram,

 

Please try the following configuration; it should work:

  1) clone from predefined handler "Interface Down"

  2) add generic text filter: msg ~ "wan1|wan2"

 

Shawn
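The filters discussed in this thread (Simon's msg ~ "unexpected RCODE REFUSED" on a generic syslog record, the Level criterion combined with msg ~ "Deleted device" that only fires once the level threshold is relaxed to >= debug, and Shawn's msg ~ "wan1|wan2" against a URL-encoded FortiGate msg) can be exercised offline with a small model of how an event handler combines a Level criterion with a generic text filter. The Python below is an added example, not FortiAnalyzer code and not something posted by anyone in the thread: it parses key=value log lines (including a double-quoted msg that itself contains key=value pairs, and an unquoted value with spaces such as logdesc=Interface status changed), evaluates a generic text filter with ~ as a regular-expression search and == / != as exact comparison, and runs handlers over constructed sample logs. Assumptions not confirmed by the thread: matching is case-sensitive, the URL-encoded msg is compared after decoding, a filter on a field the log does not carry never matches, and every device name, ID, timestamp and address in the samples is made up.

```python
import re
from urllib.parse import unquote

# Fortinet log severities, lowest first; used for the ">= <level>" handler threshold.
LEVELS = ["debug", "information", "notice", "warning", "error", "critical", "alert", "emergency"]

# One key=value token. The value is either a double-quoted string (it may contain
# spaces, '=' and single quotes, like the nested syslog msg in the thread) or bare
# text running up to the next " key=" token or the end of the line, so an unquoted
# value with spaces such as "logdesc=Interface status changed" is kept whole.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|$)')


def parse_log(line):
    """Parse one FortiAnalyzer-style key=value log line into a dict."""
    fields = {}
    for key, value in _TOKEN.findall(line.strip()):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    # FortiGate event logs in the thread carry msg URL-encoded ("Link%20monitor%3A...").
    # Assumption: the handler is matched against the decoded text.
    if "msg" in fields:
        fields["msg"] = unquote(fields["msg"])
    return fields


# Generic text filter syntax modelled here:  <field> <op> "<value>"  with op in ~ == !=
_FILTER = re.compile(r'^\s*(\w+)\s*(~|==|!=)\s*"(.*)"\s*$')


def generic_filter_matches(expr, fields):
    """Evaluate a generic text filter such as msg ~ "wan1|wan2" against parsed fields.
    '~' is a regular-expression search, '==' / '!=' are exact string comparisons.
    Assumptions: matching is case-sensitive; a filter on an absent field never matches."""
    m = _FILTER.match(expr)
    if not m:
        raise ValueError("unsupported filter syntax: %r" % expr)
    field, op, value = m.groups()
    if field not in fields:
        return False
    actual = fields[field]
    if op == "~":
        return re.search(value, actual) is not None
    if op == "==":
        return actual == value
    return actual != value


def level_matches(level, op, wanted):
    """Log Field 'Level' criterion: op is '==' (Equal To) or '>=' (at or above)."""
    if level not in LEVELS or wanted not in LEVELS:
        return False
    if op == "==":
        return level == wanted
    if op == ">=":
        return LEVELS.index(level) >= LEVELS.index(wanted)
    raise ValueError("unsupported level operator: %r" % op)


# Constructed sample logs (not from the thread's devices); the shapes follow the
# examples posted in the thread. All five carry level=information.
SAMPLE_LOGS = [
    # 0: generic syslog device record; the real message is nested inside msg
    'date=2015-09-24 time=19:32:10 itime=1443123130 device_id=SYSLOG-0A027D1F level=information '
    'type=generic msg="device_id=SYSLOG-C0A8015C type=generic pri=information '
    "msg='Nov 19 16:14:43 host1 named[1813]: error (unexpected RCODE REFUSED) "
    "resolving 'example.invalid/A/IN': 192.0.2.53#53'\"",
    # 1: FortiManager-style event for a deleted device
    'date=2016-01-05 time=10:00:00 level=information type=event subtype=system msg="Deleted device branch-fw-01"',
    # 2-4: FortiGate interface-down events with URL-encoded msg, for wan1, wan10 and wan3
    'status=DOWN vd=root level=information devid=FG-CONSTRUCTED-01 logid=0100020099 subtype=system '
    'devname=branch-fw-01 logdesc=Interface status changed type=event action=interface-stat-change '
    'msg=Link%20monitor%3A%20Interface%20wan1%20was%20turned%20down',
    'status=DOWN vd=root level=information devid=FG-CONSTRUCTED-02 logid=0100020099 subtype=system '
    'devname=branch-fw-02 logdesc=Interface status changed type=event action=interface-stat-change '
    'msg=Link%20monitor%3A%20Interface%20wan10%20was%20turned%20down',
    'status=DOWN vd=root level=information devid=FG-CONSTRUCTED-03 logid=0100020099 subtype=system '
    'devname=branch-fw-03 logdesc=Interface status changed type=event action=interface-stat-change '
    'msg=Link%20monitor%3A%20Interface%20wan3%20was%20turned%20down',
]


def fired_logs(logs, level_op, level_value, generic_filter):
    """Indices of the logs an event handler with the given Level criterion and
    generic text filter would raise an event for (both conditions must hold)."""
    hits = []
    for i, line in enumerate(logs):
        fields = parse_log(line)
        if (level_matches(fields.get("level", "").lower(), level_op, level_value.lower())
                and generic_filter_matches(generic_filter, fields)):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print(parse_log(SAMPLE_LOGS[2])["msg"])
    # Level Equal To Critical never fires on information-level logs
    print(fired_logs(SAMPLE_LOGS, "==", "critical", 'msg ~ "Deleted device"'))
    # Level >= debug: only the generic text filter decides
    print(fired_logs(SAMPLE_LOGS, ">=", "debug", 'msg ~ "Deleted device"'))
    # "wan1|wan2" also catches wan10; a tighter pattern does not
    print(fired_logs(SAMPLE_LOGS, ">=", "debug", 'msg ~ "wan1|wan2"'))
    print(fired_logs(SAMPLE_LOGS, ">=", "debug", 'msg ~ "Interface wan[12] was"'))
```

Two things the model makes visible. A Level criterion of Equal To Critical discards every information-level event before the text filter is even consulted, which is why a handler configured that way stays silent until the threshold is lowered to >= debug. And "wan1|wan2" is an unanchored regular expression, so it also matches wan10, wan11 and so on; a pattern such as "Interface wan[12] was" matches only the two interfaces asked for.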
