Hello dear community.
I would like to ask for help, with an event related to syslog reception from a Fortigate 1100E v7.0.9 device to FortiSiem 6.6.2.
Well, the problem is that when sending the syslog, FortiSiem does not parse the log, and this is shown as: "Unknown_EventType".
I attach examples:
- Analytics Tab
- Raw log example:
<189> date=2023-03-15 time=14:52:01 devname="FW_test" devid="XXXXXX" eventtime=1678909921471927003 tz="-0500" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=XX.XX.XX.XX srcport=36474 srcintf="WAN" srcintfrole="wan" dstip=XX.XX.XX.XX dstport=8080 dstintf="Vlan1700" dstintfrole="dmz" srccountry="X" dstcountry="X" sessionid=3406205251 proto=6 action="close" policyid=256 policytype="policy" poluuid="40eecd7e-e6e1-51ec-02f0-d634d8a11574" policyname="policyName" service="TCP_8080" trandisp="dnat" tranip=XX.XX.XX.XX tranport=8080 duration=1 sentbyte=678 rcvdbyte=1234 sentpkt=7 rcvdpkt=5 appcat="unscanned"
It is something strange, since another device with the same characteristics and similar configurations does parse the syslog it sends.
<189> date=2023-03-15 time=15:16:23 devname="XXXXX" devid="XXXXX" eventtime=1678911382505715155 tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=XXXXX identifier=6501 srcintf="XXXXX" srcintfrole="lan" dstip=XXXXX dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=1274430 proto=1 action="accept" policyid=0 policytype="local-in-policy" service="PING" trandisp="noop" app="PING" duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router" mastersrcmac="XXXXX" srcmac="XXXXX" srcserver=0
Thank you very much for your valuable help.
I am using a translator, apologies if any misinterpretation is generated.
Hello Ronaldo,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Ronaldo,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hello Anthony.
I requested a ticket with TAC a few days ago, but I have not yet received a response. If you need more info about this event, please let me know.
Hello Ronald,
First sorry to have called you Ronaldo twice :P.
And after that I am sure the TAC team will help. Do not hesitate to share the solution here once you get it :)!
Regards,
Hi Anthony,
I tell you, we finally found the error with the Engineering team. Basically, the error was because the Fortigate device that sent the log to FortiSiem had the field <devid: FD10EXXXXXXX>; by performing an analysis on the "parser" that normalizes the logs of FortiGate, "FortiGateParser", we found that this did not contemplate the serials that start with "FD...".
The solution we implemented, while the TAC team gave us an answer, was:
1. Disable the "FortiDeceptorParser" parser. This is because, in the next step, when cloning the "FortiGateParser" parser with the new configuration, an error was generated, and somehow the FortiDeceptor parser applied to the log with the field <devid: FDXXX>, which finally did not let us clone the FortiGate parser. Taking advantage of the fact that in our FortiSiem we do not have FortiDeceptor devices, we took the decision to disable it.
2. Clone the parser "FortiGateParser", adding the "exception" for the serials starting with "FD....".
Once these changes were applied, we waited a few minutes and we could see that the logs generated by the Fortigate device with serial FD10E..... were normalized with the modified parser.
Finally, once the TAC gave us an answer, we already had the configuration applied; they were informed about the failure in the parser, and the case was also escalated to the development area of Fortinet, so I would like to think that in a next version, update or patch, this issue will be solved.
I hope this can help someone with the same problem.
I am using a translator, apologies if any misinterpretation is generated. :)
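The following is an added example, not code from the thread or from FortiSIEM's own parser. It models what the two posts above describe: a FortiGate key=value syslog line is parsed, and a dispatcher that chooses a device parser by the devid serial prefix alone hands a FortiGate with an FD10E... serial to the FortiDeceptor rule, leaving the event unparsed. The second dispatcher applies the fix from the reply (an exception list for FortiGate serials that begin with FD) and additionally checks that the log body carries the keys every FortiGate log has, which is my own suggestion rather than something the thread states. The sample lines, serials, addresses, the FD/FG prefixes and the FORTIGATE_SIGNATURE key set are all constructed or assumed for the demonstration.

```python
import re

# Constructed sample lines modelled on the two posted in the thread; serials and
# addresses are placeholders, not real identifiers.
SAMPLE_FD_SERIAL = (
    '<189> date=2023-03-15 time=14:52:01 devname="FW_test" devid="FD10EPLACEHOLDER" '
    'eventtime=1678909921471927003 tz="-0500" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.0.2.10 srcport=36474 '
    'srcintf="WAN" dstip=198.51.100.20 dstport=8080 dstintf="Vlan1700" proto=6 '
    'action="close" policyid=256 policyname="policy name" service="TCP_8080"'
)
SAMPLE_FG_SERIAL = (
    '<189> date=2023-03-15 time=15:16:23 devname="fw2" devid="FGPLACEHOLDER" '
    'eventtime=1678911382505715155 tz="-0500" logid="0001000014" type="traffic" '
    'subtype="local" level="notice" vd="root" srcip=192.0.2.11 dstip=192.0.2.1 '
    'proto=1 action="accept" policyid=0 policytype="local-in-policy" service="PING"'
)

PRI_RE = re.compile(r"^<(\d{1,3})>\s*")
# key=value where the value is either a double-quoted string (may contain spaces
# and '=') or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_syslog(line):
    """Split a FortiGate key=value syslog line into (facility, severity, fields)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog <PRI> header")
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)  # RFC 3164: PRI = facility*8 + severity
    fields = {}
    for key, raw in KV_RE.findall(line[m.end():]):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return facility, severity, fields


# Prefixes are assumptions for the demonstration: "FG" stands in for the usual
# FortiGate serial prefix and "FD" for the prefix the FortiDeceptor rule claims.
def pick_parser_prefix_only(fields):
    """Dispatch by devid prefix alone. This reproduces the symptom in the thread:
    a FortiGate serial starting with FD10E is claimed by the FortiDeceptor rule
    before the FortiGate rule is ever reached."""
    devid = fields.get("devid", "")
    if devid.startswith("FD"):
        return "FortiDeceptorParser"
    if devid.startswith("FG"):
        return "FortiGateParser"
    return "Unknown_EventType"


# From the thread: FD10E... serials belong to FortiGates and need an exception.
FORTIGATE_SERIAL_EXCEPTIONS = ("FD10E",)
# Assumed structural signature: keys present in every FortiGate log line.
FORTIGATE_SIGNATURE = {"logid", "type", "subtype", "vd"}


def pick_parser_with_exception(fields):
    """Same dispatch with the reply's fix (an exception list of FortiGate serials
    beginning with FD) plus a check on the log body, so a prefix collision alone
    can no longer route a FortiGate log to another device's parser."""
    devid = fields.get("devid", "")
    looks_like_fortigate = FORTIGATE_SIGNATURE.issubset(fields)
    if devid.startswith(FORTIGATE_SERIAL_EXCEPTIONS) and looks_like_fortigate:
        return "FortiGateParser"
    if devid.startswith("FD"):
        return "FortiDeceptorParser"
    if devid.startswith("FG") and looks_like_fortigate:
        return "FortiGateParser"
    return "Unknown_EventType"


def classify(line, dispatcher=pick_parser_with_exception):
    """Parse a raw line and return (parser_name, fields)."""
    _, _, fields = parse_fortigate_syslog(line)
    return dispatcher(fields), fields


if __name__ == "__main__":
    for line in (SAMPLE_FD_SERIAL, SAMPLE_FG_SERIAL):
        _, _, f = parse_fortigate_syslog(line)
        print(f["devid"], "prefix-only:", pick_parser_prefix_only(f),
              "| with exception:", pick_parser_with_exception(f))
```

Running the block prints the FD10E... sample landing on FortiDeceptorParser under prefix-only dispatch and on FortiGateParser once the exception is in place, while the FG... sample is unaffected by either rule. The structural check is there because an exception list only covers the serial prefixes you already know about; requiring the FortiGate key set as well means the next unexpected prefix shows up as Unknown_EventType, which is at least visible in the Analytics tab, rather than being silently normalized by the wrong parser.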
Copyright 2024 Fortinet, Inc. All Rights Reserved.