Error in reception of logs in fortisiem from fortigate
Hello dear community. I would like to ask for help with an event related to syslog reception from a Fortigate 1100E v7.0.9 device to FortiSiem 6.6.2. Well, the problem is that when the syslog is sent, FortiSiem does not parse the log, and it is shown as "Unknown_EventType". I attach examples:
Hi Anthony, let me tell you: we finally found the error together with the Engineering team. Basically, the error was because the Fortigate device that sent the log to FortiSiem had the field <devid: FD10EXXXXXXX>. By analyzing the "parser" that normalizes the FortiGate logs, "FortiGateParser", we found that it did not account for serials that start with "FD...".
The solution we implemented, while the TAC team gave us an answer, was:
1. Disable the "FortiDeceptorParser" parser. We did this because, in the next step, when cloning the "FortiGateParser" parser with the new configuration, an error was generated: somehow the FortiDeceptor parser was being applied to the log with the field <devid: FDXXX>, and in the end it did not let us clone the FortiGate parser. Taking advantage of the fact that we do not have FortiDeceptor devices in our FortiSiem, we decided to disable it.
2. Clone the "FortiGateParser" parser, adding the "exception" for serials starting with "FD....".
Once these changes were applied, we waited a few minutes and could see that the logs generated by the Fortigate device with serial FD10E..... were normalized with the modified parser.
Finally, by the time the TAC gave us an answer, we already had the configuration applied. They were informed about the failure in the parser, and the case was also escalated to Fortinet's development area, so I would like to think that in a future version, update or patch this issue will be resolved.
I hope this can help someone with the same problem.
I am using a translator, apologies if any misinterpretation is generated. :)
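The failure mode described in this thread, a parser that selects by device-id prefix and therefore drops every log from an unlisted serial family into "Unknown_EventType", is easy to reproduce in miniature. The following is an added example, not FortiSIEM code and not the real FortiGateParser logic: the prefix lists, the event-type naming and the sample log lines (with placeholder devid values) are all constructed here. It also includes a small check a SIEM admin can run over a log sample to find which devid prefixes are landing in the unknown bucket, which is how one would spot this problem before opening a TAC case.

```python
import re

# Constructed FortiGate-style key=value syslog lines. The devid values are
# placeholders modelled on the "FD10E..." serial family from the thread, not real serials.
SAMPLE_LOGS = [
    'date=2023-03-01 time=10:15:02 devname="fw-edge" devid="FG100EXXXXXXXXXX" '
    'logid="0000000013" type="traffic" subtype="forward" action="accept"',
    'date=2023-03-01 time=10:15:03 devname="fw-core" devid="FD10EXXXXXXXXXXX" '
    'logid="0000000013" type="traffic" subtype="forward" action="deny"',
    'date=2023-03-01 time=10:15:04 devname="fw-core" devid="FD10EXXXXXXXXXXX" '
    'logid="0000000020" type="event" subtype="system" action="login"',
]

# key=value tokens; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical prefix lists standing in for the parser's device-id match:
# the original omits "FD", the fixed one adds it (the "exception" from the thread).
ORIGINAL_PREFIXES = ("FG", "FGT", "FWF")
FIXED_PREFIXES = ORIGINAL_PREFIXES + ("FD",)


def parse_kv(line):
    """Split a FortiGate key=value syslog line into a dict, stripping quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def classify(line, devid_prefixes):
    """Mimic a parser selector keyed on the devid prefix.

    Returns a normalized event-type string, or 'Unknown_EventType' when no
    prefix matches, which is the symptom the original poster saw.
    """
    fields = parse_kv(line)
    devid = fields.get("devid", "")
    if not any(devid.startswith(prefix) for prefix in devid_prefixes):
        return "Unknown_EventType"
    return "FortiGate-{}-{}-{}".format(
        fields.get("type", "unknown"),
        fields.get("subtype", "unknown"),
        fields.get("action", "unknown"),
    )


def classify_all(lines, devid_prefixes):
    """Classify a batch of lines with the given prefix list."""
    return [classify(line, devid_prefixes) for line in lines]


def unmatched_devid_prefixes(lines, devid_prefixes, width=2):
    """Admin check: which devid prefixes (first `width` chars) end up unknown?

    Run this over a sample of raw logs from the SIEM to see at a glance which
    serial family the parser is not covering.
    """
    missing = set()
    for line in lines:
        if classify(line, devid_prefixes) == "Unknown_EventType":
            missing.add(parse_kv(line).get("devid", "")[:width])
    return missing


if __name__ == "__main__":
    print("before fix:", classify_all(SAMPLE_LOGS, ORIGINAL_PREFIXES))
    print("unmatched prefixes:", unmatched_devid_prefixes(SAMPLE_LOGS, ORIGINAL_PREFIXES))
    print("after fix: ", classify_all(SAMPLE_LOGS, FIXED_PREFIXES))
```

With the original prefix list the two "FD10E" lines come back as Unknown_EventType while the "FG" line normalizes; once "FD" is added, all three lines normalize. The unmatched-prefix check returns only {"FD"}, pointing straight at the serial family the parser clone needs to cover.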