Hi Everyone,
We have configured our Fortiweb to send logs to QRadar SIEM.
For that we have used this "log siem-policy", which is pretty straight forward.
But when it reaches to SIEM, its not parsing. Further investigation and IBM acknowledged that, every attribute of the log should be separated by the "tab", but currently fortiweb is sending the logs separated with "space".
My main concern is, if there is a option to select 'IBM LEEF' in logging, then it should match what IBM is expecting.
Why we are seeing a discrepancy here.
Anyone who have gone thru this, please revert.
SS attached
Regards,
Rakesh
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
every qualified siem (as qradar is) has the capabilities to parse logs from different sources and formats.
'tab' or 'space' separators are very common, so it should be solve adjusting parser in the Qradar site.
regards
/ Abel
CEF is a commonly supported format and the fortiweb like fortigates support CEF. Qradar should also.Just my 2cts
Getting away from tab and csv is better and using a standard format is wise. BTW, You can grab a pcap of the export-logs and validate the format that's being sent.
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.