Hello dear community.
I would like to ask for help with an event related to syslog reception from a FortiGate 1100E v7.0.9 device to FortiSIEM 6.6.2.
Well, the problem is that when the syslog is sent, FortiSIEM does not parse the log, and it is shown as "Unknown_EventType".
I attach examples:
- Analytics Tab
- Raw log example:
<189> date=2023-03-15 time=14:52:01 devname="FW_test" devid="XXXXXX" eventtime=1678909921471927003 tz="-0500" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=XX.XX.XX.XX srcport=36474 srcintf="WAN" srcintfrole="wan" dstip=XX.XX.XX.XX dstport=8080 dstintf="Vlan1700" dstintfrole="dmz" srccountry="X" dstcountry="X" sessionid=3406205251 proto=6 action="close" policyid=256 policytype="policy" poluuid="40eecd7e-e6e1-51ec-02f0-d634d8a11574" policyname="policyName" service="TCP_8080" trandisp="dnat" tranip=XX.XX.XX.XX tranport=8080 duration=1 sentbyte=678 rcvdbyte=1234 sentpkt=7 rcvdpkt=5 appcat="unscanned"
It is something strange, since another device with the same characteristics and similar configurations does parse the syslog it sends.
<189> date=2023-03-15 time=15:16:23 devname="XXXXX" devid="XXXXX" eventtime=1678911382505715155 tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=XXXXX identifier=6501 srcintf="XXXXX" srcintfrole="lan" dstip=XXXXX dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=1274430 proto=1 action="accept" policyid=0 policytype="local-in-policy" service="PING" trandisp="noop" app="PING" duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router" mastersrcmac="XXXXX" srcmac="XXXXX" srcserver=0
Thank you very much for your valuable help.
I am using a translator, apologies if any misinterpretation is generated.
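A local check that can be run while waiting for TAC, as an added example that is my own code and not from Fortinet, FortiSIEM or the poster: it splits both raw lines from the post into the syslog <PRI> header and FortiGate key=value fields, and reports which keys one log has that the other lacks. The sample lines are abbreviated from the post, and CLASSIFIER_FIELDS is an assumption about what an event classifier keys on, not FortiSIEM's actual rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples, abbreviated from the two logs in the post: the one FortiSIEM
# shows as Unknown_EventType and the one from the device whose logs do parse.
UNPARSED = ('<189> date=2023-03-15 time=14:52:01 devname="FW_test" devid="XXXXXX" '
            'logid="0000000013" type="traffic" subtype="forward" level="notice" '
            'srcip=XX.XX.XX.XX srcport=36474 action="close" policyid=256 '
            'policytype="policy" policyname="policyName" service="TCP_8080" appcat="unscanned"')
PARSED = ('<189> date=2023-03-15 time=15:16:23 devname="XXXXX" devid="XXXXX" '
          'logid="0001000014" type="traffic" subtype="local" level="notice" '
          'srcip=XXXXX action="accept" policyid=0 policytype="local-in-policy" '
          'service="PING" appcat="unscanned" devtype="Router"')

PRI_RE = re.compile(r"^<(\d{1,3})>\s*")
# key=value pairs; quoted values may contain spaces and escaped quotes
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Assumed (not verified against FortiSIEM) fields an event classifier keys on
CLASSIFIER_FIELDS = ("date", "time", "devid", "logid", "type", "subtype")


def parse_fortigate(line: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Split a FortiGate syslog line into its <PRI> header and key=value fields."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: line will not be treated as syslog")
    pri = int(m.group(1))
    header = {"pri": pri, "facility": pri // 8, "severity": pri % 8}
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line[m.end():]):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw  # strip quotes
    return header, fields


def missing_classifier_fields(fields: Dict[str, str]) -> List[str]:
    """Classifier fields absent from a parsed log (empty list means all present)."""
    return [k for k in CLASSIFIER_FIELDS if k not in fields]


def field_set_diff(a: Dict[str, str], b: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Keys present in only one of the two logs, to spot a field one side lacks."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


if __name__ == "__main__":
    hdr_u, kv_u = parse_fortigate(UNPARSED)
    hdr_p, kv_p = parse_fortigate(PARSED)
    print("unparsed:", hdr_u, "missing:", missing_classifier_fields(kv_u))
    print("parsed:  ", hdr_p, "missing:", missing_classifier_fields(kv_p))
    print("only in unparsed / only in parsed:", field_set_diff(kv_u, kv_p))
```

Both samples carry a valid <PRI> of 189 (facility 23, severity 5) and every assumed classifier field, so the field set alone does not explain the difference; the same script can be pointed at a full capture from each device to compare the complete key sets.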
Hello Ronaldo,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Ronaldo,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hello Anthony.
I requested a ticket with TAC a few days ago, but I have not yet received a response. If you need more info about this event, please let me know.
Hello Ronald,
First sorry to have called you Ronaldo twice :P.
And after that, I am sure the TAC team will help. Do not hesitate to share the solution here once you get it :)!
Regards,