Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fiesta
New Contributor III

Created on ‎05-03-2022 08:13 PM Edited on ‎07-22-2022 04:50 AM

telegram webhook incomplete raw log

Hello everyone.

 

We have issue with webhook with parameter HTTP Body with %%log%% added to telegram parameter "text" field because it's showing incomplete raw log. I tried to compare email and webhook, email is fine but webhook is incomplete.

For example:
1. In webhook using telegram I receive like this "Administrator msinfokom logged in successfully from ssh(10.xxxxxxx) --- FGTxxxx xxxx Admin Success Login --- date=2022-05-04 time=09:42:28 logid=" after logid it's nothing more
2. In email I receive "FGT[FG1xxxxxxxxxx] Automation Stitch:Admin Success Login Automation is triggered.
date=2022-05-04 time=09:42:28 logid="0100032001" type="event" subtype="system" level="information" vd="VDOM_xxxx" eventtime=1651632148xxxxxxxx tz="+0700" logdesc="Admin login successful" sn="16516xxxxx" user="xxxxxx" ui="ssh(10.xx.xxxxxx)" method="ssh" srcip=10.xxxxxx dstip=10.xxxxx action="login" status="success" reason="none" profile="super_admin" msg="Administrator xxxxx logged in successfully from ssh(10.xxxxxx)"" log is complete after logid.

Is something wrong with my webhook configuration? has anyone have the same issue?


Here I attach some picture.

 

webhook-output-1.jpg

email-notif-1.jpg

webhook-param.jpg
Best regards.

FWD~
FWD~
Labels:
3484
0 Kudos
1 Solution
fiesta
New Contributor III

Created on ‎07-19-2022 03:35 AM

Sorry for late reply, here is the solution.

You need to add more variable to xxx inside "text":" xxxx" just like variable here https://docs.fortinet.com/document/fortigate/7.0.6/fortios-log-message-reference/1/log-messages. Double percent (%%variable%%) is mandatory.

Here are the example :

{"chat_id":"-yourchatid","text":"--- FGTxxx NEW---
conserve=%%conserve%%
date=%%date%%
eventtime=%%eventtime%%
thresholdgreen=%%green%%
level=%%level%%
logdesc%%logdesc%%
logid=%%logid%%
msg=%%msg%%
thresholdred=%%red%%
service=%%service%%
subtype=%%subtype%%
time=%%time%%
total=%%total%%
type=%%type%%
timezone=%%tz%%
currentram=%%used%%
mgmtvdom=%%vd%%"}

%%log%% can be removed and use above instead.

 

Some variable may not work, and some variable can confusing.

Best regards.

 

FWD~.

FWD~

View solution in original post

FWD~
3231
8 REPLIES 8
Anonymous
Not applicable

Created on ‎05-06-2022 02:58 PM Edited on ‎05-06-2022 02:59 PM

Hello @fiesta ,
 
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
 
Thanks,
3437
0 Kudos
Debbie_FTNT
Staff
Staff

Created on ‎05-10-2022 12:55 AM

Hey fiesta,

I haven't tested webhooks with Telegram, but I think the issue is with how JSON is parsed and the log message.

JSON consists of value pairs with "<field>":"<value>" (like "chat_id"="5").

The log message is 'date=2022-05-04 time=09:42:28 logid="0100032001" [...]' <- there are quotation marks starting with logid.

I think the Telegram API treats that 'logid="' as end of the value for 'text', because of the quotation mark. The quotation marks would probably have to be escaped:

date=2022-05-04 time=09:42:28 logid=\"0100032001\" [...] from ssh(10.14.92.58)\" and then a final " to end the text field.

I do not believe FortiGate adds escape characters to the quotation marks when sending the message to Telegram API, so Telegram API is confused by the many quotation marks in the log message.

I can't say if this would require a feature request to fix or should be considered a bug, that needs to be decided by developers.

I would suggest opening a ticket with Technical Support and reporting the issue (as well as my theory) there to get some assistance in digging into the communication and figuring out if/how it can be fixed.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
3420
0 Kudos
hermanthom
New Contributor

Created on ‎06-27-2022 08:26 AM

@fiesta did you ever get this sorted? I have the same issue. 

Thanks, 

3274
0 Kudos
fiesta
New Contributor III

Created on ‎07-19-2022 03:35 AM

Sorry for late reply, here is the solution.

You need to add more variable to xxx inside "text":" xxxx" just like variable here https://docs.fortinet.com/document/fortigate/7.0.6/fortios-log-message-reference/1/log-messages. Double percent (%%variable%%) is mandatory.

Here are the example :

{"chat_id":"-yourchatid","text":"--- FGTxxx NEW---
conserve=%%conserve%%
date=%%date%%
eventtime=%%eventtime%%
thresholdgreen=%%green%%
level=%%level%%
logdesc%%logdesc%%
logid=%%logid%%
msg=%%msg%%
thresholdred=%%red%%
service=%%service%%
subtype=%%subtype%%
time=%%time%%
total=%%total%%
type=%%type%%
timezone=%%tz%%
currentram=%%used%%
mgmtvdom=%%vd%%"}

%%log%% can be removed and use above instead.

 

Some variable may not work, and some variable can confusing.

Best regards.

 

FWD~.

FWD~
FWD~
3232
Debbie_FTNT
Staff
Staff
In response to fiesta

Created on ‎07-19-2022 04:01 AM

Thanks for sharing, fiesta :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
3211
0 Kudos
Mr_Kim
New Contributor
In response to fiesta

Created on ‎10-17-2023 07:09 PM

Hi bro,

 

Could you help me share other variable like i want have message interface, Interface Tunnel, link monitor, Ipsec VPN... when they status change up/down.

 

Best Regards,

Mr_Kim

1893
0 Kudos
adimailig
Staff
Staff
In response to Mr_Kim

Created on ‎10-18-2023 04:56 PM

Hi Mr_Kim

You can found the log field name here https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/524940/introduction

Just search for the last 5 digits of the logid / per FOS version

Best Regards,

Arnold Dimailig
TAC Engineer
1867
Mr_Kim
New Contributor
In response to adimailig

Created on ‎10-18-2023 07:16 PM

Hi Adimailig,

 

Wow it is wonderful thanks you so much.

 

Best Regards,

Mr_Kim

1858
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.