Support Forum
fiesta
New Contributor III

telegram webhook incomplete raw log

Hello everyone.

We have an issue with the webhook: with the HTTP Body parameter %%log%% added to the Telegram "text" field, it shows an incomplete raw log. I tried to compare the email and the webhook; the email is fine but the webhook is incomplete.

For example:
1. In the webhook using Telegram I receive this: "Administrator msinfokom logged in successfully from ssh(10.xxxxxxx) --- FGTxxxx xxxx Admin Success Login --- date=2022-05-04 time=09:42:28 logid=". After logid there is nothing more.
2. In the email I receive this: "FGT[FG1xxxxxxxxxx] Automation Stitch:Admin Success Login Automation is triggered.
date=2022-05-04 time=09:42:28 logid="0100032001" type="event" subtype="system" level="information" vd="VDOM_xxxx" eventtime=1651632148xxxxxxxx tz="+0700" logdesc="Admin login successful" sn="16516xxxxx" user="xxxxxx" ui="ssh(10.xx.xxxxxx)" method="ssh" srcip=10.xxxxxx dstip=10.xxxxx action="login" status="success" reason="none" profile="super_admin" msg="Administrator xxxxx logged in successfully from ssh(10.xxxxxx)"". The log is complete after logid.

Is something wrong with my webhook configuration? Has anyone had the same issue?

Here I attach some pictures.


Attachments: webhook-output-1.jpg, email-notif-1.jpg, webhook-param.jpg
Best regards.

FWD~
Anonymous
Not applicable

Hello @fiesta ,
 
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
 
Thanks,
Debbie_FTNT
Staff

Hey fiesta,

I haven't tested webhooks with Telegram, but I think the issue is with how JSON is parsed and the log message.

JSON consists of value pairs with "<field>":"<value>" (like "chat_id"="5").

The log message is 'date=2022-05-04 time=09:42:28 logid="0100032001" [...]' <- there are quotation marks starting with logid.

I think the Telegram API treats that 'logid="' as end of the value for 'text', because of the quotation mark. The quotation marks would probably have to be escaped:

date=2022-05-04 time=09:42:28 logid=\"0100032001\" [...] from ssh(10.14.92.58)\" and then a final " to end the text field.

I do not believe FortiGate adds escape characters to the quotation marks when sending the message to Telegram API, so Telegram API is confused by the many quotation marks in the log message.

I can't say if this would require a feature request to fix or should be considered a bug, that needs to be decided by developers.

I would suggest opening a ticket with Technical Support and reporting the issue (as well as my theory) there to get some assistance in digging into the communication and figuring out if/how it can be fixed.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
hermanthom
New Contributor

@fiesta did you ever get this sorted? I have the same issue.

Thanks, 

fiesta
New Contributor III

Sorry for late reply, here is the solution.

You need to add more variables to the xxx inside "text":"xxxx", just like the variables listed here: https://docs.fortinet.com/document/fortigate/7.0.6/fortios-log-message-reference/1/log-messages. The double percent (%%variable%%) is mandatory.

Here is the example:

{"chat_id":"-yourchatid","text":"--- FGTxxx NEW---
conserve=%%conserve%%
date=%%date%%
eventtime=%%eventtime%%
thresholdgreen=%%green%%
level=%%level%%
logdesc=%%logdesc%%
logid=%%logid%%
msg=%%msg%%
thresholdred=%%red%%
service=%%service%%
subtype=%%subtype%%
time=%%time%%
total=%%total%%
type=%%type%%
timezone=%%tz%%
currentram=%%used%%
mgmtvdom=%%vd%%"}

%%log%% can be removed and the above used instead.

Some variables may not work, and some variables can be confusing.

Best regards.

FWD~
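An added example (not code from this thread, from Fortinet, or from Telegram) that puts both points of the thread side by side: Debbie's theory that splicing an unescaped %%log%% into the JSON body ends the "text" value at the first quotation mark in the log, and fiesta's workaround of building the text from individual %%field%% placeholders. The sample log line, the chat id, the template strings and the function names are constructed for the demonstration; lenient_text only models the truncation described above, it is not Telegram's parser.

```python
import json
import re

# Constructed FortiGate-style event log line; values are illustrative, not from a real device.
SAMPLE_LOG = (
    'date=2022-05-04 time=09:42:28 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="ssh(10.0.0.5)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(10.0.0.5)"'
)

# Constructed webhook body in the shape used in the thread: %%log%% inside the JSON "text" value.
WEBHOOK_TEMPLATE = '{"chat_id":"-1001234567890","text":"--- FGT-lab --- %%log%%"}'

# Constructed per-field template, the approach from the accepted answer.
# %%total%% is deliberately included although a login event never carries that field.
FIELD_TEMPLATE = (
    "--- FGT-lab ---\n"
    "date=%%date%% time=%%time%% logid=%%logid%%\n"
    "logdesc=%%logdesc%%\n"
    "user=%%user%% ui=%%ui%%\n"
    "msg=%%msg%%\n"
    "total=%%total%%"
)

# key=value tokens; a quoted value may contain spaces, parentheses and escaped quotes.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Split a FortiGate key=value log line into a dict, stripping the quotes around values."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def naive_body(template: str, log_line: str) -> str:
    """Reproduce the failure: the raw log is spliced into the JSON body without escaping."""
    return template.replace("%%log%%", log_line)


def escaped_body(template: str, log_line: str) -> str:
    """Same splice, but the log is JSON-escaped first (json.dumps adds the outer quotes; drop them)."""
    return template.replace("%%log%%", json.dumps(log_line)[1:-1])


def strict_text(body: str):
    """The "text" value a strict JSON parser returns, or None if the body is not valid JSON."""
    try:
        return json.loads(body).get("text")
    except json.JSONDecodeError:
        return None


def lenient_text(body: str) -> str:
    """Model of the truncation seen in the thread: the value stops at the first unescaped quote."""
    start = body.index('"text":"') + len('"text":"')
    return re.compile(r'(?:[^"\\]|\\.)*').match(body, start).group(0)


def render_template(template: str, fields: dict) -> str:
    """Fill %%name%% placeholders from parsed fields; a field the event lacks is flagged, not guessed."""
    return re.sub(r"%%(\w+)%%", lambda m: fields.get(m.group(1), "<missing:%s>" % m.group(1)), template)


def build_body(chat_id: str, text: str) -> str:
    """Build the Telegram body with a JSON serializer so every quote in the text is escaped."""
    return json.dumps({"chat_id": chat_id, "text": text})


if __name__ == "__main__":
    fields = parse_fortigate_log(SAMPLE_LOG)
    naive = naive_body(WEBHOOK_TEMPLATE, SAMPLE_LOG)
    print("strict parse of naive body:", strict_text(naive))      # None: invalid JSON
    print("truncated text:", lenient_text(naive))                 # ends at 'logid='
    print("strict parse of escaped body:", strict_text(escaped_body(WEBHOOK_TEMPLATE, SAMPLE_LOG)))
    rendered = render_template(FIELD_TEMPLATE, fields)
    print(build_body("-1001234567890", rendered))
```

Running it shows why the two observations in the thread coincide: a strict JSON parser rejects the naive body outright, while a parser that simply reads up to the next quotation mark returns exactly the "... logid=" fragment the original post reported. The per-field template avoids the problem because no placeholder value is wrapped in quotes, and a placeholder the event does not carry (here %%total%%) is surfaced rather than silently rendered, which is the "some variables may not work" caveat in the accepted answer.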
Debbie_FTNT

Thanks for sharing, fiesta :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Mr_Kim
New Contributor

Hi bro,


Could you help me by sharing other variables? I want to have messages for interface, interface tunnel, link monitor, IPsec VPN... when their status changes up/down.


Best Regards,

Mr_Kim

adimailig

Hi Mr_Kim

You can find the log field names here: https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/524940/introduction

Just search for the last 5 digits of the logid, per FOS version.

Best Regards,

Arnold Dimailig
TAC Engineer
Mr_Kim

Hi Adimailig,


Wow, it is wonderful, thank you so much.


Best Regards,

Mr_Kim
