FSSO parse user and IP from syslog
Hello,
Has anyone used the new feature added to FSSO collector which is available from before in FortiAuthenticator - Syslog source list?
Basically I am trying to configure FSSO to recognise mappings from MS Exchange server. For this I am using the new tab that was added to FSSO collector agent - Syslog source list.
On the Exchange server the IIS logs are exported via NXlog to the FSSO collector listener. I can see that the syslog messages are coming to the FSSO collector but the username and IP address mappings are never parsed by the collector.
FSSO debug log shows this:
07/10/2020 16:41:22 [ 4424] Received syslog: <13>1 2020-07-10T16:41:22.248089+03:00 exchanger - - - [NXLOG@14506 EventReceivedTime="2020-07-10 16:41:22" SourceModuleName="iis_w3c" SourceModuleType="im_file"] User Authentication Successful: user='MYDOMAIN\username2' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.68' role=MUST-STAFF_UR VLAN=472 AP=00:1a:1e:c5:13:c0 SSID=MUST-DOT1X AAA profile=MUST-DOT1X_AAAP auth method=802.1x auth server=STAFF, from:10.10.10.200
07/10/2020 16:41:22 [ 4424] Failed to parse log, error:-4
Attached are the settings of the syslog rule as per the following guide from FortiAuthenticator:
For simplicity I am manually creating a file with username and IP address mappings, which NXLog exports via syslog to the collector. If this gets working I will have a general idea of how this works and can proceed with exporting the actual Microsoft IIS logs.
This is a sample log that is manually created:
User Authentication Successful: user='MYDOMAIN\username1' MAC=00:88:65:c4:13:55 IP='10.200.40.201' role=Guest VLAN=440 AP=00:1a:1e:c5:ed:11 SSID=Guest AAA profile=Guest auth method=Web auth server=Guest
User Authentication Successful: user='MYDOMAIN\username2' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.67'
User Authentication Successful: user='MYDOMAIN\username3' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.68' role=MUST-STAFF_UR VLAN=472 AP=00:1a:1e:c5:13:c0 SSID=MUST-DOT1X AAA profile=MUST-DOT1X_AAAP auth method=802.1x auth server=STAFF
User Authentication Successful: user='MYDOMAIN\username4' MAC=c0:9f:42:b4:c5:78 IP='10.200.36.176' role=Guest VLAN=436 AP=00:1a:1e:c5:13:ee SSID=Guest AAA profile=Guest auth method=Web auth server=Guest
I will appreciate any advice from people using such implementations.
Regards,
Emil
Forgot to add, I already had a TAC case with Fortinet Support and the engineer said that they are not doing configuration assistance, only incident troubleshooting. It seems very strange to me but the ticket was closed.
I am currently facing the same issue. The documentation on the feature is very sparse. Did you make any progress?
I created a Python script to send a simple syslog message to the FSSO collector agent on UDP port 514. The syslog message is received successfully, according to the following log line:
12/09/2020 11:48:58 [ 3488] Received syslog: <14>Logon,User="CONTOSO\Admin",IP="1.1.1.1",Group="Admins", from:2.2.2.2
But then the parsing seems to fail. I get the following error message:
wrong DC agent message format (-2)
Unfortunately it is unclear what -2 means. I checked the parsing rules in the Syslog Rule Settings and they parse just fine (see attached Screenshot).
Any ideas on how to proceed?
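To check what the collector should be able to pull out of these messages before touching the Syslog Rule Settings, here is an added example (not code from either poster or from Fortinet) that strips the RFC 5424 header and NXLog structured data from a received line, applies a regex equivalent to a "user/IP" syslog rule, and validates the result. It covers both message shapes seen in this thread: the quoted user='DOMAIN\name' ... IP='a.b.c.d' lines from the first post and the Logon,User="..." ,IP="..." line from the second. The regex, the build_rfc5424 helper and the send_udp helper are assumptions for illustration; the sample lines are constructed from the posts, and COLLECTOR_HOST is a placeholder.

```python
import ipaddress
import re
import socket
from datetime import datetime, timezone

# Constructed samples, taken from the lines quoted in this thread.
RAW_SYSLOG = (
    "<13>1 2020-07-10T16:41:22.248089+03:00 exchanger - - - "
    '[NXLOG@14506 EventReceivedTime="2020-07-10 16:41:22" '
    'SourceModuleName="iis_w3c" SourceModuleType="im_file"] '
    r"User Authentication Successful: user='MYDOMAIN\username2' "
    "MAC=78:f5:fd:dd:ff:90 IP='10.200.27.68' role=MUST-STAFF_UR"
)
SAMPLE_LINES = [
    r"User Authentication Successful: user='MYDOMAIN\username1' MAC=00:88:65:c4:13:55 IP='10.200.40.201' role=Guest",
    r"User Authentication Successful: user='MYDOMAIN\username2' MAC=78:f5:fd:dd:ff:90 IP='10.200.27.67'",
    r'<14>Logon,User="CONTOSO\Admin",IP="1.1.1.1",Group="Admins"',
    r"User Authentication Failed: user='MYDOMAIN\nobody'",          # no IP: must not map
    r"User Authentication Successful: user='MYDOMAIN\bad' IP='999.1.1.1'",  # invalid IP: must not map
]

# RFC 5424: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
LEGACY_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$")

# Hypothetical "syslog rule": user (optional DOMAIN\ prefix) then the client IP,
# with either quote style, in the order the sample messages use.
AUTH_RULE = re.compile(
    r"""[Uu]ser=(?P<q>['"])(?:(?P<domain>[^\\'"]+)\\)?(?P<user>[^'"]+)(?P=q)"""
    r""".*?IP=(?P<q2>['"])(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P=q2)"""
)


def split_syslog(line: str) -> dict:
    """Separate the syslog framing from the message body the rule should see."""
    m = RFC5424_HEADER.match(line)
    if m:
        return {"format": "rfc5424", "host": m.group("host"),
                "sd": m.group("sd"), "msg": m.group("msg")}
    m = LEGACY_HEADER.match(line)
    if m:
        return {"format": "legacy", "host": None, "sd": None, "msg": m.group("msg")}
    return {"format": "raw", "host": None, "sd": None, "msg": line}


def extract_logon(line: str):
    """Return {'domain','user','ip'} for a logon line, or None if the rule cannot map it."""
    m = AUTH_RULE.search(split_syslog(line)["msg"])
    if not m:
        return None
    try:
        ipaddress.ip_address(m.group("ip"))   # reject things like 999.1.1.1
    except ValueError:
        return None
    return {"domain": m.group("domain"), "user": m.group("user"), "ip": m.group("ip")}


def parse_many(lines):
    """Split a batch into (mappings, unparsed_lines), like a collector would."""
    mapped, failed = [], []
    for line in lines:
        result = extract_logon(line)
        (mapped if result else failed).append(result or line)
    return mapped, failed


def build_rfc5424(msg: str, hostname: str, app: str = "nxlog",
                  facility: int = 1, severity: int = 5) -> str:
    """Wrap a message in a minimal RFC 5424 header (facility 1, severity 5 -> <13>)."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


def send_udp(payload: str, host: str, port: int = 514) -> int:
    """Send one syslog datagram to the collector listener; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload.encode("utf-8"), (host, port))


if __name__ == "__main__":
    COLLECTOR_HOST = "127.0.0.1"   # placeholder: the FSSO collector agent address
    mapped, failed = parse_many([RAW_SYSLOG] + SAMPLE_LINES)
    for r in mapped:
        print(f"map {r['domain']}\\{r['user']} -> {r['ip']}")
    for line in failed:
        print(f"unparsed: {line}")
    # Send only the lines that the local rule could map, so a parse failure on the
    # collector side points at its rule configuration rather than at the message.
    for line in SAMPLE_LINES[:2]:
        send_udp(build_rfc5424(line, "exchanger"), COLLECTOR_HOST)
```

Running the local check first separates two failure causes that look identical in the collector debug log: a message the rule genuinely cannot match (no IP, or an IP that is not valid) versus a message that matches locally but still returns an error from the collector, which then points at the rule or listener settings rather than at the log format.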
To answer my own question above, the answer is quite simple but unexpected.
The following needs to be added:
Then it works just fine.
