Hello Everyone,
I have a Fortigate with multiple VDOMs configure inside it. When sending Syslog to QRadar SIEM, I notice that multiple log messages are combined into 1 log message on QRadar SIEM. So each log message on SIEM contain 5 srcip and 5 dstip but the QRadar SIEM can only parse the first srcip and dstip. Here is the sample log messages:
me=1649043203 srcip=10.96.10.11 srcport=33097 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.172.121 dstport=1024 dstintf="VLAN 1113" dstintfrole="lan" poluuid="46d3f1fe-c332-51e9-ec6b-8f124f22f8b7" sessionid=3879979829 proto=6 action="server-rst" policyid=10 policytype="policy" service="P1024" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=5 sentbyte=60 rcvdbyte=40 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1849 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.89.144.65 srcport=54957 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873541 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=76 rcvdbyte=204 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1855 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.160.9.59 srcport=50473 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=389 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873595 proto=17 action="accept" policyid=12 policytype="policy" service="LDAP_UDP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=227 rcvdbyte=178 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1849 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.83.70.103 srcport=64506 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873613 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=56 rcvdbyte=119 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1848 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.66.68.104 srcport=52962 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873619 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=60 rcvdbyte=76 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstser
But on the firewall which only have default VDOM, the log messages does not being combine.
<189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.83.70.103 srcport=64506 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873613 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=56 rcvdbyte=119 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1848
Can I edit the Syslog messages format or prevent this combination? Please help advice.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 04-06-2022 01:12 PM Edited on 04-06-2022 01:13 PM
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.