Support Forum
rakesh_kumar
New Contributor

Logging in IBM LEEF format issue

Hi Everyone,

We have configured our FortiWeb to send logs to QRadar SIEM.

For that we have used the "log siem-policy", which is pretty straightforward.

But when the logs reach the SIEM, they are not parsed. After further investigation, IBM acknowledged that every attribute of the log should be separated by a tab, but currently FortiWeb is sending the logs separated by spaces.

My main concern is: if there is an option to select 'IBM LEEF' in logging, then it should match what IBM is expecting.

Why are we seeing a discrepancy here?

Anyone who has gone through this, please revert.

SS attached

Regards,

Rakesh

abelio
Valued Contributor

Hi,

Every qualified SIEM (as QRadar is) has the capability to parse logs from different sources and formats.

'Tab' or 'space' separators are very common, so it should be solvable by adjusting the parser on the QRadar side.

regards / Abel
rakesh_kumar

Hi Abelio,

Thanks for the response. Actually we are using the same setting, "Log Policy > SIEM Policy", and using IBM LEEF as 'set type'. When we asked IBM about the logs not getting parsed under Universal LEEF, they are saying these should only be separated by tab. Space is not supported.

Regards,
Rakesh
emnoc
Esteemed Contributor III

CEF is a commonly supported format, and the FortiWeb, like FortiGates, supports CEF. QRadar should also. Just my 2cts.

Getting away from tab and CSV is better, and using a standard format is wise. BTW, you can grab a pcap of the exported logs and validate the format that's being sent.

Ken Felix

PCNSE
NSE
StrongSwan
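One way to validate what the appliance actually emits, as emnoc suggests, before going back to the vendor: an added Python example (not from this thread, and not Fortinet's or IBM's code) that splits a LEEF event according to the LEEF 1.0/2.0 header rules and flags attribute blocks that are space- rather than tab-delimited. The sample events and field names below are constructed for illustration.

```python
import re

# Constructed sample events (not captured from a FortiWeb). The first is
# tab-delimited, as QRadar's universal LEEF parser expects; the second is
# space-delimited, as the poster reports. Field names are illustrative only.
SAMPLE_TAB = ("LEEF:1.0|Fortinet|FortiWeb|6.0|waf_alert|"
              "devTime=Jan 01 2024 12:00:00\tsrc=192.0.2.10\tdst=198.51.100.5\taction=Alert")
SAMPLE_SPACE = ("LEEF:1.0|Fortinet|FortiWeb|6.0|waf_alert|"
                "devTime=Jan 01 2024 12:00:00 src=192.0.2.10 dst=198.51.100.5 action=Alert")

_HEX = re.compile(r"^(?:0x|x)([0-9a-fA-F]{2})$")


def _header_delimiter(field):
    """LEEF 2.0 delimiter field: empty means tab; 'x09'/'0x09' is hex; else literal."""
    if field == "":
        return "\t"
    m = _HEX.match(field)
    return chr(int(m.group(1), 16)) if m else field


def parse_leef(line):
    """Split a LEEF 1.0/2.0 event (optionally syslog-prefixed) into header fields
    and key=value attributes. 'problems' lists why a strict parser would choke."""
    start = line.find("LEEF:")
    if start < 0:
        return {"problems": ["no LEEF header"]}
    body = line[start:]
    version = body[5:8]
    nfields = 6 if version.startswith("2") else 5   # LEEF 2.0 adds a delimiter field
    parts = body.split("|", nfields)
    if len(parts) < nfields + 1:
        return {"version": version, "problems": ["truncated header"]}
    delim = _header_delimiter(parts[5]) if nfields == 6 else "\t"
    attrs = parts[nfields]
    problems = []
    if delim not in attrs and " " in attrs:
        problems.append("attributes look space-delimited; expected %r" % delim)
    fields = {}
    for token in (t for t in attrs.split(delim) if t):
        if "=" not in token:
            problems.append("token without '=': %r" % token)
            continue
        key, value = token.split("=", 1)
        fields[key] = value
    return {"version": version, "vendor": parts[1], "product": parts[2],
            "delimiter": delim, "fields": fields, "problems": problems}
```

Run it over lines pulled from the pcap (or a syslog capture) and compare the `fields` dict with what QRadar shows; for the space-delimited sample every attribute collapses into the `devTime` value, which is exactly the breakage the poster describes.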