Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adem_netsys
Contributor

Created on ‎01-04-2024 04:06 AM

FortiSIEM: Rule sync error

Hello,

 

I cloned the existing "Windows Security Log Cleared" rule in the rules and created it in a new name, only I made the within value 120, not 600, and made the rule in the default disable. However, this time, when the rule was triggered, it created an incident with the name in the default and gave a sync error error in the rule. What could be the reason?

Labels:
5350
0 Kudos
1 Solution
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-05-2024 10:59 AM

yes indeed. As per the documentation:

 

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Notification_Settings.htm

 

"Notifications will be sent only if an incident occurs during the time range you set here."

Take a backup before making any changes

View solution in original post

5199
26 REPLIES 26
adem_netsys
Contributor
In response to dmontgomery

Created on ‎01-20-2024 03:04 AM

Hi everyone,

 

Obviously, I'm not sure what's causing it. I added an incident header with a different name but I still get a timed out error. I look at the services and they all look normal.

1106
0 Kudos
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-20-2024 05:24 AM

Its difficult to know exactly what is happening. Could export the rule and share it? Also share a log that should trigger it. Change any sensitive information before sharing. I will try it in my lab when i have some spare time.

 

Take a backup before making any changes
1093
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-20-2024 06:49 AM

Hi @Richie_C 

 

I couldn't share the xml log. I got the related images. Ekran görüntüsü 2024-01-20 174256.pngEkran görüntüsü 2024-01-20 174314.png

1073
0 Kudos
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-21-2024 10:47 AM Edited on ‎01-21-2024 10:48 AM

@adem_netsys - It tested successfully in my lab (version 7.1.1).

I found a couple of tests events from the web:

Jun 12 14:38:03.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/50, changed state to down
Jun 12 14:38:22.644: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/50, changed state to up

I configured the rule as per your screenshots. I replayed the events and it triggered as expected.

triggered.JPG

 

The rule was configured as follows:

 

 

<?xml version="1.0" encoding="UTF-8"?><rules><DataRequest functionCategory="Other" mode="Streaming"><Name>Cisco Interface State Change</Name><Description>A test to monitor the state change  of an interface on a Cisco IOS device</Description><Remediation/><DataSource/><DetectionTechnology>Correlation</DetectionTechnology><PatternClause window="300">
<SubPattern id="1366161" name="Filter_1">
<SingleEvtConstr>reptDevIpAddr=1.2.3.4 AND (eventType="IOS-LINEPROTO-UPDOWN-TO-UP" OR eventType="IOS-LINEPROTO-UPDOWN-TO-DOWN")</SingleEvtConstr>
<GroupEvtConstr>COUNT(*)&gt;=1</GroupEvtConstr>
<GroupByAttr>reptDevIpAddr,eventType,eventName,intfName</GroupByAttr>
</SubPattern>
</PatternClause><IncidentDef eventType="Cisco_Interface_State_Change" eventTypeGroup="PH_SYS_EVENT_PH_RULE" fireFreq="3600" severity="1">
<ArgList>destIpAddr=Filter_1.reptDevIpAddr,compEventType=Filter_1.eventType,eventName=Filter_1.eventName,intfName=Filter_1.intfName</ArgList>
</IncidentDef><DynWatchLists/><TriggerEventDisplay>
<AttrList>phRecvTime,eventType,reptDevIpAddr,rawEventMsg,eventName,intfName</AttrList>
</TriggerEventDisplay><IncidentTitle>$destIpAddr Test</IncidentTitle></DataRequest></rules>

 

 

 

I hope it helps.

Take a backup before making any changes
1038
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-21-2024 11:30 PM

Hi @Richie_C 

First of all, I wanna thank you for interest.

When I examined it, I couldn't see much difference, what is the difference or is there a problem with my version?

1026
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-22-2024 12:30 AM

I tried to copy your rule as closely as I could. It is impossible to know the difference without seeing your XML and test events.  

Take a backup before making any changes
1020
0 Kudos
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-22-2024 12:33 AM

Obviously,

frankly, I'm also having a problem with not dropping an incident when creating a new rule. i see that an event has occurred, but it doesn't turn into an incident. have you experienced this before?

1017
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.