Hello everyone.
We have issue with webhook with parameter HTTP Body with %%log%% added to telegram parameter "text" field because it's showing incomplete raw log. I tried to compare email and webhook, email is fine but webhook is incomplete.
For example:
1. In webhook using telegram I receive like this "Administrator msinfokom logged in successfully from ssh(10.xxxxxxx) --- FGTxxxx xxxx Admin Success Login --- date=2022-05-04 time=09:42:28 logid=" after logid it's nothing more
2. In email I receive "FGT[FG1xxxxxxxxxx] Automation Stitch:Admin Success Login Automation is triggered.
date=2022-05-04 time=09:42:28 logid="0100032001" type="event" subtype="system" level="information" vd="VDOM_xxxx" eventtime=1651632148xxxxxxxx tz="+0700" logdesc="Admin login successful" sn="16516xxxxx" user="xxxxxx" ui="ssh(10.xx.xxxxxx)" method="ssh" srcip=10.xxxxxx dstip=10.xxxxx action="login" status="success" reason="none" profile="super_admin" msg="Administrator xxxxx logged in successfully from ssh(10.xxxxxx)"" log is complete after logid.
Is something wrong with my webhook configuration? has anyone have the same issue?
Here I attach some picture.
Best regards.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Sorry for late reply, here is the solution.
You need to add more variable to xxx inside "text":" xxxx" just like variable here https://docs.fortinet.com/document/fortigate/7.0.6/fortios-log-message-reference/1/log-messages. Double percent (%%variable%%) is mandatory.
Here are the example :
{"chat_id":"-yourchatid","text":"--- FGTxxx NEW---
conserve=%%conserve%%
date=%%date%%
eventtime=%%eventtime%%
thresholdgreen=%%green%%
level=%%level%%
logdesc%%logdesc%%
logid=%%logid%%
msg=%%msg%%
thresholdred=%%red%%
service=%%service%%
subtype=%%subtype%%
time=%%time%%
total=%%total%%
type=%%type%%
timezone=%%tz%%
currentram=%%used%%
mgmtvdom=%%vd%%"}
%%log%% can be removed and use above instead.
Some variable may not work, and some variable can confusing.
Best regards.
FWD~.
Created on 05-06-2022 02:58 PM Edited on 05-06-2022 02:59 PM
Hey fiesta,
I haven't tested webhooks with Telegram, but I think the issue is with how JSON is parsed and the log message.
JSON consists of value pairs with "<field>":"<value>" (like "chat_id"="5").
The log message is 'date=2022-05-04 time=09:42:28 logid="0100032001" [...]' <- there are quotation marks starting with logid.
I think the Telegram API treats that 'logid="' as end of the value for 'text', because of the quotation mark. The quotation marks would probably have to be escaped:
date=2022-05-04 time=09:42:28 logid=\"0100032001\" [...] from ssh(10.14.92.58)\" and then a final " to end the text field.
I do not believe FortiGate adds escape characters to the quotation marks when sending the message to Telegram API, so Telegram API is confused by the many quotation marks in the log message.
I can't say if this would require a feature request to fix or should be considered a bug, that needs to be decided by developers.
I would suggest opening a ticket with Technical Support and reporting the issue (as well as my theory) there to get some assistance in digging into the communication and figuring out if/how it can be fixed.
@fiesta did you ever get this sorted? I have the same issue.
Thanks,
Sorry for late reply, here is the solution.
You need to add more variable to xxx inside "text":" xxxx" just like variable here https://docs.fortinet.com/document/fortigate/7.0.6/fortios-log-message-reference/1/log-messages. Double percent (%%variable%%) is mandatory.
Here are the example :
{"chat_id":"-yourchatid","text":"--- FGTxxx NEW---
conserve=%%conserve%%
date=%%date%%
eventtime=%%eventtime%%
thresholdgreen=%%green%%
level=%%level%%
logdesc%%logdesc%%
logid=%%logid%%
msg=%%msg%%
thresholdred=%%red%%
service=%%service%%
subtype=%%subtype%%
time=%%time%%
total=%%total%%
type=%%type%%
timezone=%%tz%%
currentram=%%used%%
mgmtvdom=%%vd%%"}
%%log%% can be removed and use above instead.
Some variable may not work, and some variable can confusing.
Best regards.
FWD~.
Thanks for sharing, fiesta :)
Hi bro,
Could you help me share other variable like i want have message interface, Interface Tunnel, link monitor, Ipsec VPN... when they status change up/down.
Best Regards,
Mr_Kim
Hi Mr_Kim
You can found the log field name here https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/524940/introduction
Just search for the last 5 digits of the logid / per FOS version
Hi Adimailig,
Wow it is wonderful thanks you so much.
Best Regards,
Mr_Kim
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.