Hello everyone,
we are using a FortiAnalyzer VM 5.2.4 to test integration with our own network monitoring system.
Our system generates syslog messages that are typically forwarded to SIM/SIEMs, and we can do that in various formats (CEF, LEEF), even customs.
Now, we we would like to create EventHandlers for our events (about 50+) and we are wondering how to achieve that by parsing the "msg" field (as our system is seen as a generic Syslog device and lacks all of the fields available for other Fortinet devices) with a Generic Text Filter...
We can't find good examples to achieve this...
thanks!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
pls try below example see if works for you example log: date=2015-09-24 time=19:32:10 itime=1443123130 device_id=SYSLOG-0A027D1F level=information type=generic msg="device_id=SYSLOG-C0A8015C type=generic pri=information msg='Nov 19 16:14:43 itest named[1813]: error (unexpected RCODE REFUSED) resolving '109.198.115.75.in-addr.arpa/PTR/IN': 71.44.33.20#53'" Event handler for generic text filter: msg ~ "unexpected RCODE REFUSED"
Thanks
Simon
Hi Simon,
Thanks for the reply.
Do we need to change the filter for this ? like "Log Field" "Match Criteria" "Value" ?
I just tried to configure alert for "Deleted Device" with the following filters:
Devices selected Local FortiManager:
Log Type: Event Log
Event Category: Any
Group by: Device ID
Log Field: Level
Match Criteria: Equal To
Value: Critical
Generic Test Filter: msg ~ "Deleted device" (Since I see the alert messages as Deleted device <device>)
But still not working :(
Kindly help me on this .
Thanks in advance !!!
Value: Critical
-- so needed log level is critical ?
thanks
Simon
Nope not required.
For testing I put it like that
Just trying to make this event alert to work, if I know how to catch this event and alert it for single event, I will customize it for rest of the logs
for your config, event alert will try to find any log,
log level = critical and message has "Deleted device"
so if log level is not critical for needed log, pls change to >= debug and thus all log will be checked for that message
thanks
Simon
Hi Simon,
How to configure if there is change in policy package and config status in FortiManager, like from Installed to out of Sync/ Conflict....
Please help me !!!
Thanks in advance !!!
Regards,
Sridhar S
Hi Simon,
Have you got how to configure generic text filter , i am using this for filtering the alerts.
status=DOWN itime=2016-09-25 23:19:10 vd=root level=information dtime=2016-09-26 01:19:06 devid=FGT92D3G16001060 logid=0100020099 subtype=system
devname=1018_richland itime_t=1474870750 logdesc=Interface status changed time=01:19:06 date=2016-09-26 type=event action=interface-stat-change msg=Link%20monitor%3A%20Interface%20wan1%20was%20turned%20down
status=DOWN itime=2016-09-25 23:19:10 vd=root level=information dtime=2016-09-26 01:19:06 devid=FGT92D3G16001060 logid=0100020099 subtype=system
devname=1018_richland itime_t=1474870750 logdesc=Interface status changed time=01:19:06 date=2016-09-26 type=event action=interface-stat-change msg=Link%20monitor%3A%20Interface%20wan1%20was%20turned%20down
I have configured in many ways but nothing is working. Please suggest me. I want interface form wan1 and wan2 only.
Hi Vikram,
Please try following configuration, it should work:
1) clone from predefined handler "Interface Down"
2) add generic text filter: msg ~ "wan1|wan2"
Shawn
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.