Hello,
Has anyone used the new feature added to FSSO collector which is available from before in FortiAuthenticator - Syslog source list?
Basically I am trying to configure FSSO to recognise mappings from an MS Exchange server. For this I am using the new tab that was added to the FSSO collector agent - Syslog source list.
On the Exchange server the IIS logs are exported via NXlog to the FSSO collector listener. I can see that the syslog messages are coming to the FSSO collector but the username and IP address mappings are never parsed by the collector.
FSSO debug log shows this:
07/10/2020 16:41:22 [ 4424] Received syslog: <13>1 2020-07-10T16:41:22.248089+03:00 exchanger - - - [NXLOG@14506 EventReceivedTime="2020-07-10 16:41:22" SourceModuleName="iis_w3c" SourceModuleType="im_file"] User Authentication Successful: user='MYDOMAIN\username2' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.68' role=MUST-STAFF_UR VLAN=472 AP=00:1a:1e:c5:13:c0 SSID=MUST-DOT1X AAA profile=MUST-DOT1X_AAAP auth method=802.1x auth server=STAFF, from:10.10.10.200
07/10/2020 16:41:22 [ 4424] Failed to parse log, error:-4
Attached are the settings of the syslog rule as per the following guide from FortiAuthenticator:
For simplicity I am manually creating a file with username and IP address mappings which NXLog exports via syslog to the collector. If this gets working I will have a general idea of how this works and can proceed with exporting the actual Microsoft IIS logs.
This is a sample log that is manually created:
User Authentication Successful: user='MYDOMAIN\username1' MAC=00:88:65:c4:13:55 IP='10.200.40.201' role=Guest VLAN=440 AP=00:1a:1e:c5:ed:11 SSID=Guest AAA profile=Guest auth method=Web auth server=Guest
User Authentication Successful: user='MYDOMAIN\username2' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.67'
User Authentication Successful: user='MYDOMAIN\username3' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.68' role=MUST-STAFF_UR VLAN=472 AP=00:1a:1e:c5:13:c0 SSID=MUST-DOT1X AAA profile=MUST-DOT1X_AAAP auth method=802.1x auth server=STAFF
User Authentication Successful: user='MYDOMAIN\username4' MAC=c0:9f:42:b4:c5:78 IP='10.200.36.176' role=Guest VLAN=436 AP=00:1a:1e:c5:13:ee SSID=Guest AAA profile=Guest auth method=Web auth server=Guest
I would appreciate any advice from people using such implementations.
Regards,
Emil
Forgot to add, I already had a TAC case with Fortinet Support and the engineer said that they are not doing configuration assistance, only incident troubleshooting. It seems very strange to me but the ticket was closed.
I am currently facing the same issue. The documentation on the feature is very sparse. Did you make any progress?
I created a Python script to send a simple syslog message to the FSSO collector agent on UDP port 514. The syslog message is received successfully, according to the following log line:
12/09/2020 11:48:58 [ 3488] Received syslog: <14>Logon,User="CONTOSO\Admin",IP="1.1.1.1",Group="Admins", from:2.2.2.2
But then the parsing seems to fail. I get the following error message:
wrong DC agent message format (-2)
Unfortunately it is unclear what -2 means. I checked the parsing rules in the Syslog Rule Settings and they parse just fine (see attached Screenshot).
Any ideas on how to proceed?
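The two posts above show the same pipeline from both ends: a sender frames a logon event as syslog (NXLog emits RFC 5424 with an [NXLOG@14506 ...] structured-data block; the test script emits a bare "<14>Logon,..." line), and the collector has to strip the syslog header, pick a rule, and pull the username and IP out of the message body. The trailing "from:10.10.10.200" / "from:2.2.2.2" in the debug lines appears to be the collector annotating the sender address, not part of the message. The Python below is an added example written for this thread, not code from the thread or from Fortinet; the rule table (a trigger substring plus one regex per field) is an assumption about how such a rule behaves, not the FSSO collector's actual rule format, and the sample events are constructed to look like the lines quoted above. It sends the framed messages to a throwaway UDP listener on loopback (the real collector listens on UDP 514) and parses what arrives, returning None where a rule's trigger matches but a required field does not, which is the situation both posters describe.

```python
"""Frame logon events as syslog, deliver them over UDP, and extract user/IP
mappings with regex rules. Illustration code for this thread; the rule
structure is an assumption, not the FSSO collector's real rule format."""
import ipaddress
import re
import socket
from datetime import datetime, timezone

# Constructed sample events modelled on the lines quoted in the thread (not real logs).
WIRELESS_EVENTS = [
    "User Authentication Successful: user='MYDOMAIN\\username1' "
    "MAC=00:88:65:c4:13:55 IP='10.200.40.201' role=Guest VLAN=440",
    "User Authentication Successful: user='MYDOMAIN\\username2' "
    "MAC=78:f5:fd:dd:ff:90 IP='10.200.27.67'",
]
SIMPLE_EVENT = 'Logon,User="CONTOSO\\Admin",IP="1.1.1.1",Group="Admins"'
NXLOG_SD = '[NXLOG@14506 SourceModuleName="iis_w3c" SourceModuleType="im_file"]'


def rfc5424(msg, hostname="exchanger", app="-", sd="-", facility=1, severity=5):
    """Frame msg as RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity  # user.notice -> <13>, as in the NXLog sample
    ts = datetime.now(timezone.utc).isoformat(timespec="microseconds").replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {hostname} {app} - - {sd} {msg}"


def rfc3164(msg, facility=1, severity=6):
    """Minimal BSD-style framing with only a PRI, like the <14>Logon,... test line."""
    return f"<{facility * 8 + severity}>{msg}"


# Header strippers: RFC 5424 (version, timestamp, host, app, procid, msgid, SD) is
# tried first, then a bare <PRI> prefix. Each leaves the free-text MSG in group 2.
SYSLOG_5424 = re.compile(r"^<(\d{1,3})>\d+ \S+ \S+ \S+ \S+ \S+ (?:-|(?:\[[^\]]*\])+) (.*)$")
SYSLOG_3164 = re.compile(r"^<(\d{1,3})>(.*)$")


def strip_syslog_header(raw):
    m = SYSLOG_5424.match(raw) or SYSLOG_3164.match(raw)
    return m.group(2) if m else None


# Hypothetical rule table: the trigger substring selects the rule, then every
# required field regex must match or the event is rejected.
RULES = [
    {
        "name": "auth-success",
        "trigger": "User Authentication Successful:",
        "user": re.compile(r"user='([^']+)'"),
        "ip": re.compile(r"IP='([0-9.]+)'"),
    },
    {
        "name": "logon-csv",
        "trigger": "Logon,",
        "user": re.compile(r'User="([^"]+)"'),
        "ip": re.compile(r'IP="([0-9.]+)"'),
        "group": re.compile(r'Group="([^"]+)"'),  # optional field
    },
]


def parse_event(raw):
    """Return {"rule", "user", "ip"[, "group"]} or None when no rule fully matches."""
    body = strip_syslog_header(raw)
    if body is None:
        return None
    for rule in RULES:
        if rule["trigger"] not in body:
            continue
        user = rule["user"].search(body)
        ip = rule["ip"].search(body)
        if not (user and ip):
            return None  # trigger matched but a required field did not
        try:
            ipaddress.ip_address(ip.group(1))  # reject e.g. "10.200.27" or "999.1.1.1"
        except ValueError:
            return None
        result = {"rule": rule["name"], "user": user.group(1), "ip": ip.group(1)}
        if "group" in rule:
            g = rule["group"].search(body)
            result["group"] = g.group(1) if g else None
        return result
    return None


def send_and_collect(messages, host="127.0.0.1"):
    """Bind a throwaway UDP listener (ephemeral port, not 514, so this runs
    unprivileged), send each framed message to it and parse what arrives."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    results = []
    try:
        listener.bind((host, 0))
        listener.settimeout(2)
        port = listener.getsockname()[1]
        for m in messages:
            sender.sendto(m.encode("utf-8"), (host, port))
            raw = listener.recv(65535)
            results.append(parse_event(raw.decode("utf-8", "replace")))
    finally:
        sender.close()
        listener.close()
    return results
```

Usage: `send_and_collect([rfc3164(SIMPLE_EVENT)] + [rfc5424(e, sd=NXLOG_SD) for e in WIRELESS_EVENTS])` returns one dict per event, e.g. `{"rule": "auth-success", "user": "MYDOMAIN\\username2", "ip": "10.200.27.67"}` for the second wireless line. The point to take from it when debugging a real collector rule: test the rule against the message body after the syslog header and structured-data block have been removed, because the NXLog framing puts a timestamp, hostname and an `[NXLOG@14506 ...]` element in front of the text the rule is written for.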
To answer my own question above, the answer is quite simple but unexpected.
The following needs to be added:
Then it works just fine.
Copyright 2024 Fortinet, Inc. All Rights Reserved.