Multiple log messages combine into one message when sending to SIEM

FortiNewbie2022 · ‎04-04-2022

Hello Everyone,

I have a Fortigate with multiple VDOMs configure inside it. When sending Syslog to QRadar SIEM, I notice that multiple log messages are combined into 1 log message on QRadar SIEM. So each log message on SIEM contain 5 srcip and 5 dstip but the QRadar SIEM can only parse the first srcip and dstip. Here is the sample log messages:

me=1649043203 srcip=10.96.10.11 srcport=33097 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.172.121 dstport=1024 dstintf="VLAN 1113" dstintfrole="lan" poluuid="46d3f1fe-c332-51e9-ec6b-8f124f22f8b7" sessionid=3879979829 proto=6 action="server-rst" policyid=10 policytype="policy" service="P1024" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=5 sentbyte=60 rcvdbyte=40 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1849 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.89.144.65 srcport=54957 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873541 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=76 rcvdbyte=204 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1855 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.160.9.59 srcport=50473 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=389 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873595 proto=17 action="accept" policyid=12 policytype="policy" service="LDAP_UDP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=227 rcvdbyte=178 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1849 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.83.70.103 srcport=64506 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873613 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=56 rcvdbyte=119 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1848 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.66.68.104 srcport=52962 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873619 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=60 rcvdbyte=76 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstser

But on the firewall which only have default VDOM, the log messages does not being combine.

<189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.83.70.103 srcport=64506 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873613 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=56 rcvdbyte=119 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1848

Can I edit the Syslog messages format or prevent this combination? Please help advice.

Anonymous · ‎04-06-2022

Hello @FortiNewbie2022,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Multiple log messages combine into one message when sending to SIEM

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website