RonaldVco
New Contributor II

Error in reception of logs in fortisiem from fortigate

Hello dear community.
I would like to ask for help with an issue related to syslog reception in FortiSIEM 6.6.2 from a FortiGate 1100E v7.0.9 device.
The problem is that when the syslog is sent, FortiSIEM does not parse the log, and it is shown as "Unknown_EventType".
I attach examples:


- Analytics tab:

1.png


- Raw log example:

<189> date=2023-03-15 time=14:52:01 devname="FW_test" devid="XXXXXX" eventtime=1678909921471927003 tz="-0500" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=XX.XX.XX.XX srcport=36474 srcintf="WAN" srcintfrole="wan" dstip=XX.XX.XX.XX dstport=8080 dstintf="Vlan1700" dstintfrole="dmz" srccountry="X" dstcountry="X" sessionid=3406205251 proto=6 action="close" policyid=256 policytype="policy" poluuid="40eecd7e-e6e1-51ec-02f0-d634d8a11574" policyname="policyName" service="TCP_8080" trandisp="dnat" tranip=XX.XX.XX.XX tranport=8080 duration=1 sentbyte=678 rcvdbyte=1234 sentpkt=7 rcvdpkt=5 appcat="unscanned"


This is strange, since the syslog sent by another device with the same characteristics and a similar configuration is parsed.

2.png


<189> date=2023-03-15 time=15:16:23 devname="XXXXX" devid="XXXXX" eventtime=1678911382505715155 tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=XXXXX identifier=6501 srcintf="XXXXX" srcintfrole="lan" dstip=XXXXX dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=1274430 proto=1 action="accept" policyid=0 policytype="local-in-policy" service="PING" trandisp="noop" app="PING" duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router" mastersrcmac="XXXXX" srcmac="XXXXX" srcserver=0


Thank you very much for your valuable help.
I am using a translator, apologies if any misinterpretation is generated.

Anthony_E
Community Manager

Hello Ronaldo,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Ronaldo,


We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
RonaldVco
New Contributor II

Hello Anthony.

I requested a ticket with TAC a few days ago, but I have not yet received a response. If you need more info about this event, please let me know.


Anthony_E
Community Manager

Hello Ronald,


First sorry to have called you Ronaldo twice :P.


And after that, I am sure the TAC team will help. Do not hesitate to share the solution here once you get it :)!


Regards,

Anthony-Fortinet Community Team.
RonaldVco
New Contributor II

Hi Anthony,
We finally found the error together with the Engineering team. Basically, the error occurred because the FortiGate device that sent the log to FortiSIEM had the field <devid: FD10EXXXXXXX>. By analyzing the "parser" that normalizes FortiGate logs, "FortiGateParser", we found that it did not account for serials that start with "FD...".

1.PNG


The solution we implemented, while the TAC team gave us an answer, was:

1. Disable the "FortiDeceptorParser" parser. This was because, in the next step, when cloning the "FortiGateParser" parser with the new configuration, an error was generated: somehow the FortiDeceptor parser applied to the log with the field <devid: FDXXX>, and in the end it did not let us clone the FortiGate parser. Taking advantage of the fact that we do not have FortiDeceptor devices in our FortiSIEM, we decided to disable it.
2. Clone the "FortiGateParser" parser, adding the "exception" for serials starting with "FD....".

2.PNG


Once these changes were applied, we waited a few minutes and could see that the logs generated by the FortiGate device with serial FD10E..... were normalized with the modified parser.

Finally, by the time TAC gave us an answer, we already had the configuration applied. They were notified of the failure in the parser, and the case was also escalated to Fortinet's development area, so I would like to think that this issue will be resolved in a future version, update or patch.

I hope this can help someone with the same problem.

I am using a translator, apologies if any misinterpretation is generated. :)
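As an added illustration (this is not FortiSIEM's parser code, nor anything posted by the thread's author), the following Python models what the two raw logs and the final reply describe: a FortiOS key=value syslog line is split into fields, and a parser is then chosen by the `devid` prefix. The parser names come from the thread; the prefix rules ("FD" claimed by FortiDeceptorParser, "FG" by FortiGateParser), the event-type naming, the "FortiGateParser_clone" name and both sample lines are assumptions constructed for this example.

```python
"""
Model of FortiSIEM-style parser selection for FortiOS syslog lines.
Not FortiSIEM code: parser names are from the forum thread; the devid
prefix rules, event-type naming and sample logs are assumptions.
"""
import re

UNKNOWN = "Unknown_EventType"

# Constructed samples modelled on the two raw logs in the thread, with
# placeholder addresses. The first carries the FD-prefixed serial that
# caused the problem; the second a conventional FG-prefixed serial.
LOG_FD_DEVICE = (
    '<189> date=2023-03-15 time=14:52:01 devname="FW_test" devid="FD10EXXXXXXX" '
    'eventtime=1678909921471927003 tz="-0500" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.0.1 srcport=36474 '
    'srcintf="WAN" dstip=10.0.1.1 dstport=8080 proto=6 action="close" '
    'policyid=256 service="TCP_8080" sentbyte=678 rcvdbyte=1234 appcat="unscanned"'
)
LOG_FG_DEVICE = (
    '<189> date=2023-03-15 time=15:16:23 devname="FW_other" devid="FGXXXXXXXXXXXX" '
    'eventtime=1678911382505715155 tz="-0500" logid="0001000014" type="traffic" '
    'subtype="local" level="notice" vd="root" srcip=10.0.0.2 proto=1 '
    'action="accept" policyid=0 policytype="local-in-policy" service="PING" '
    'app="PING" devtype="Router"'
)

PRI_RE = re.compile(r"^<(\d{1,3})>\s*")
# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios(line):
    """Split a FortiOS key=value syslog line into a dict, decoding the <PRI> header."""
    fields = {}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields["_facility"] = pri // 8   # <189> -> 23 (local7)
        fields["_severity"] = pri % 8    # <189> -> 5 (notice)
        line = line[m.end():]
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def fortigate_normalize(f):
    # Assumed event-type naming for this example only.
    return f"FortiGate-{f.get('type')}-{f.get('subtype')}-{f.get('action')}"


def fortideceptor_normalize(f):
    # Assumption: this parser does not understand FortiOS traffic records,
    # so a misrouted FortiGate log comes out unnormalized.
    return UNKNOWN


def _devid(f):
    return f.get("devid", "")


# Behaviour as described in the thread: the FD-prefixed serial is claimed by
# FortiDeceptorParser first, and FortiGateParser only matches FG serials.
ORIGINAL_PARSERS = [
    ("FortiDeceptorParser", lambda f: _devid(f).startswith("FD"), fortideceptor_normalize),
    ("FortiGateParser", lambda f: _devid(f).startswith("FG"), fortigate_normalize),
]

# The workaround: FortiDeceptorParser disabled, FortiGateParser cloned with
# an exception that also accepts FD-prefixed serials.
FIXED_PARSERS = [
    ("FortiGateParser_clone", lambda f: _devid(f).startswith(("FG", "FD")), fortigate_normalize),
]


def classify(line, parsers):
    """Return (parser name, event type) from the first parser that accepts the line."""
    fields = parse_fortios(line)
    for name, accepts, normalize in parsers:
        if accepts(fields):
            return name, normalize(fields)
    return None, UNKNOWN


if __name__ == "__main__":
    for label, parsers in (("original", ORIGINAL_PARSERS), ("fixed", FIXED_PARSERS)):
        for line in (LOG_FD_DEVICE, LOG_FG_DEVICE):
            print(label, classify(line, parsers))
```

The ordering of the parser list is the point: a first-match dispatcher that keys on the device serial prefix will silently hand an unrecognized prefix to whichever parser claims it, so when a new serial range appears it is worth checking which parser actually took the log before editing the one you expected.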
