Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Waloo5
New Contributor III

Created on ‎06-26-2024 10:02 AM

FortiSIEM Parser for Wallix Admin Bastion

Hi All

Can any one have parser for Wallix Admin Bastion logs 

Best Regards

Amir
Amir
Labels:
104
0 Kudos
3 REPLIES 3
Stephen_G
Moderator
Moderator

Created on ‎06-30-2024 05:46 AM

Hi Waloo5,

 

Sorry, this might just be my fault, but I'm afraid I don't understand your request. Can you explain what you're looking for in more detail please?

 

Kind regards,

Stephen - Fortinet Community Team
47
Waloo5
New Contributor III
In response to Stephen_G

Created on ‎07-01-2024 12:55 AM Edited on ‎07-01-2024 12:56 AM

Hi @Stephen_G 

I need to have logs from my Wallix Bastion and I configured it to send logs to my FortiSIEM but all logs are as "Unknown event type", If some one have the parser for it I will be gratuful

 

Some exemples of logs:

Log 1:   <14>1 2024-06-26T22:37:26+01:00 SRV-Wallix-Bastion rdpproxy 18992 - -
[RDP Session] session_id="190566c73953a5be0050568a45c1"
client_ip="192.168.100.1" target_ip="192.168.1.210" user="XXXX"
device="DC-XXXXX" service="RDP" account="XXXX" type="KBD_INPUT"
data="hraccess1"

Log 2:  <14>1 2024-06-26T22:37:30+01:00 SRV-Wallix-Bastion rdpproxy 20258 - -
[RDP Session] session_id="190564df441871e70050568a45c1"
client_ip="192.168.1.240" target_ip="10.10.33.13"
user="XXXX" device="PCYYYY" service="RDP"
account="JXXX" type="COMPLETED_PROCESS"
command_line="\"C:\\Program Files
(x86)\\Microsoft\\Edge\\Application\\126.0.2592.61\\identity_helper.exe\" --
type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --
lang=fr --service-sandbox-type=none --field-trialhandle=
25476,i,3536162623415184737,13780532054667721275,262144 --
variations-seed-version --mojo-platform-channel-handle=29472 /prefetch:14"

 

In attach the configuration of my Wallix Bastion ( I use rfc 5424):RFC SIEM WALLIX (002).png

 

Best Regards

 

Amir
Amir
30
0 Kudos
Stephen_G
Moderator
Moderator
In response to Waloo5

Created on ‎07-01-2024 04:30 AM

Hi Waloo5,

 

Understood - thanks for clarifying! I'm afraid I don't know if this is possible. But if someone here could reply to contradict me, that would be great.

Sorry I can't help further.

 

Kind regards,

Stephen - Fortinet Community Team
16
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.