Hello dear community.
I would like to ask for help, with an event related to syslog reception from a Fortigate 1100E v7.0.9 device to FortiSiem 6.6.2.
Well, the problem is that when sending the syslog, FortiSiem does not parse the log, and this is shown as: "Unknown_EventType".
I attach examples:
- Analytics Tab
-Raw log example:
<189> date=2023-03-15 time=14:52:01 devname="FW_test" devid="XXXXXX" eventtime=1678909921471927003 tz="-0500" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=XX.XX.XX.XX srcport=36474 srcintf="WAN" srcintfrole="wan" dstip=XX.XX.XX.XX dstport=8080 dstintf="Vlan1700" dstintfrole="dmz" srccountry="X" dstcountry="X" sessionid=3406205251 proto=6 action="close" policyid=256 policytype="policy" poluuid="40eecd7e-e6e1-51ec-02f0-d634d8a11574" policyname="policyName" service="TCP_8080" trandisp="dnat" tranip=XX.XX.XX.XX tranport=8080 duration=1 sentbyte=678 rcvdbyte=1234 sentpkt=7 rcvdpkt=5 appcat="unscanned"
It is something strange, since another device with the same characteristics and similar configurations does parse the syslog it sends.
<189> date=2023-03-15 time=15:16:23 devname="XXXXX" devid="XXXXX" eventtime=1678911382505715155 tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=XXXXX identifier=6501 srcintf="XXXXX" srcintfrole="lan" dstip=XXXXX dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=1274430 proto=1 action="accept" policyid=0 policytype="local-in-policy" service="PING" trandisp="noop" app="PING" duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router" mastersrcmac="XXXXX" srcmac="XXXXX" srcserver=0
Thank you very much for your valuable help.
I am using a translator, apologies if any misinterpretation is generated.
