Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eenchev
New Contributor

FSSO parse user and IP from syslog

Hello,

 

Has anyone used the new feature added to FSSO collector which is available from before in FortiAuthenticator - Syslog source list?

 

Basically I am trying to configure FSSO to recognise mappings from MS Exchange server. For this I am using the new tab that was added to FSSO collector agent - Syslog source list.

 

On the Exchange server the IIS logs are exported via NXlog to the FSSO collector listener. I can see that the syslog messages are coming to the FSSO collector but the username and IP address mappings are never parsed by the collector.

 

FSSO debug log shows this:

07/10/2020 16:41:22 [ 4424] Received syslog: <13>1 2020-07-10T16:41:22.248089+03:00 exchanger - - - [NXLOG@14506 EventReceivedTime="2020-07-10 16:41:22" SourceModuleName="iis_w3c" SourceModuleType="im_file"] User Authentication Successful: user='MYDOMAIN\username2' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.68' role=MUST-STAFF_UR VLAN=472 AP=00:1a:1e:c5:13:c0 SSID=MUST-DOT1X AAA profile=MUST-DOT1X_AAAP auth method=802.1x auth server=STAFF, from:10.10.10.200

07/10/2020 16:41:22 [ 4424] Failed to parse log, error:-4

 

Attached are the settings of the syslog rule as per the following guide from FortiAuthenticator:

https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/713528/syslog-sourc...

 

For simiplicity I am creating manually a file with username and IP address mappings which nxlog to export via syslog to the collector. If this gets working I will have a general idea how this works and can proceed with exporting the actual Microsoft IIS logs.

 

This is a sample log that is manually created:

User Authentication Successful: user='MYDOMAIN\username1' MAC=00:88:65:c4:13:55 IP='10.200.40.201' role=Guest VLAN=440 AP=00:1a:1e:c5:ed:11 SSID=Guest AAA profile=Guest auth method=Web auth server=Guest

User Authentication Successful: user='MYDOMAIN\username2' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.67'

User Authentication Successful: user='MYDOMAIN\username3' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.68' role=MUST-STAFF_UR VLAN=472 AP=00:1a:1e:c5:13:c0 SSID=MUST-DOT1X AAA profile=MUST-DOT1X_AAAP auth method=802.1x auth server=STAFF

User Authentication Successful: user='MYDOMAIN\username4' MAC=c0:9f:42:b4:c5:78 IP='10.200.36.176' role=Guest VLAN=436 AP=00:1a:1e:c5:13:ee SSID=Guest AAA profile=Guest auth method=Web auth server=Guest

 

I will appreciate any advise from people using such implementations.

 

Regards,

Emil

3 REPLIES 3
eenchev
New Contributor

Forgot to add, I already had a TAC case with Fortinet Support and the engineer said that they are not doing configuration assistance, only incident troubleshooting. It seems very strange to me but the ticket was closed.

 

 

thrawn
New Contributor

I am currently facing the same issue. The documentation on the feature is very sparse. Did you made any progress?

 

I created a python script to send a simple syslog message to the FSSO collector agent on UDP Port 514. The syslog message is received sucessfully, according to the following log line:

 

12/09/2020 11:48:58 [ 3488] Received syslog: <14>Logon,User="CONTOSO\Admin",IP="1.1.1.1",Group="Admins", from:2.2.2.2

 

But then the parsing seems to fail. I get the following error message:

 

wrong DC agent message format (-2)

 

Unfortunately it is unclear what -2 means. I checked the parsing rules in the Syslog Rule Settings and they parse just fine (see attached Screenshot).

 

Any ideas on how to proceed?

 

thrawn
New Contributor

To answer my own question above the answer is quite simple but unexpected.

The following needs to be added:

[ul]
  • IPv6 address needs to be present in the syslog packet.
  • IPv6 pattern needs to be configured in FSSO CA Advanced Settings.[/ul]

    Then it works just fine.

  • Top Kudoed Authors