FortiSIEM - Sangfor NGAF
Does anyone have experience creating custom parsers for Sangfor NGAF syslog?
Here are the sample logs:
<134>Jan 30 11:38:49 localhost fwlog: Log type: APT detection, policy name:fwlogin, rule ID:0, src IP: 10.8.2.201, src port:50815, dst IP: 0.0.0.0, dst port: 53, attack type: Botnet, threat level:Information, action:Denied, URL:pool.hashvault.pro
<134>Jan 30 11:38:50 localhost fwlog: Log Type: traffic audit, App Category:Gmail[Browse], Username/Host:10.63.44.25, Outbound(B):18376, Inbound(B):10572, Bidirectional(B):28948
Please share some advice
#FSM
Labels: FortiSIEM
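As an added example (not code from the original post, and not a FortiSIEM parser definition), the following Python parser breaks the two sample lines above into structured fields: it splits the RFC 3164 style syslog header (`<PRI>`, timestamp, host, tag) from the body, then reads the body as comma-separated `label:value` pairs. Both log types in the samples are covered, including the vendor's inconsistent "Log type" / "Log Type" capitalisation and the "Username/Host" and "(B)" byte-count labels. The `FIELD_MAP` attribute names, the `SAMPLE_LOGS` list (copied from the question) and the `is_denied_threat` helper are assumptions made for this example; the field labels themselves come only from the two lines shown.

```python
import re

# Constructed sample input: the two lines quoted in the question above.
SAMPLE_LOGS = [
    "<134>Jan 30 11:38:49 localhost fwlog: Log type: APT detection, policy name:fwlogin, "
    "rule ID:0, src IP: 10.8.2.201, src port:50815, dst IP: 0.0.0.0, dst port: 53, "
    "attack type: Botnet, threat level:Information, action:Denied, URL:pool.hashvault.pro",
    "<134>Jan 30 11:38:50 localhost fwlog: Log Type: traffic audit, App Category:Gmail[Browse], "
    "Username/Host:10.63.44.25, Outbound(B):18376, Inbound(B):10572, Bidirectional(B):28948",
]

# RFC 3164 style header: <PRI>MMM dd HH:MM:SS host tag: message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): "
    r"(?P<msg>.*)$"
)

# Vendor labels (lower-cased, stripped) mapped onto stable attribute names.
# Only labels seen in the two samples are listed; unknown labels are kept verbatim.
# The attribute names on the right are assumptions for this example.
FIELD_MAP = {
    "log type": "log_type",
    "policy name": "policy_name",
    "rule id": "rule_id",
    "src ip": "src_ip",
    "src port": "src_port",
    "dst ip": "dst_ip",
    "dst port": "dst_port",
    "attack type": "attack_type",
    "threat level": "threat_level",
    "action": "action",
    "url": "url",
    "app category": "app_category",
    "username/host": "user_or_host",
    "outbound(b)": "bytes_out",
    "inbound(b)": "bytes_in",
    "bidirectional(b)": "bytes_total",
}

INT_FIELDS = {"rule_id", "src_port", "dst_port", "bytes_out", "bytes_in", "bytes_total"}


def parse_sangfor_line(line: str) -> dict:
    """Parse one Sangfor NGAF syslog line into a flat dict of attributes."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line[:40]!r}")
    pri = int(m.group("pri"))
    event = {
        "facility": pri >> 3,  # <134> -> facility 16 (local0)
        "severity": pri & 7,   # <134> -> severity 6 (informational)
        "timestamp": m.group("ts"),  # no year in RFC 3164 timestamps; keep raw
        "host": m.group("host"),
        "tag": m.group("tag"),
    }
    # The body is a comma-separated list of "label:value" pairs. Split each pair on
    # the first colon only, so a value containing colons (e.g. a URL with a port) survives.
    for part in m.group("msg").split(","):
        if ":" not in part:
            continue
        label, value = part.split(":", 1)
        key = FIELD_MAP.get(label.strip().lower(), label.strip())
        value = value.strip()
        if key in INT_FIELDS and value.isdigit():
            value = int(value)
        event[key] = value
    return event


def is_denied_threat(event: dict) -> bool:
    """True for APT-detection events the firewall blocked; these are the ones worth alerting on."""
    return event.get("log_type", "").lower() == "apt detection" and event.get("action") == "Denied"


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        ev = parse_sangfor_line(raw)
        print(ev["log_type"], "| alert:", is_denied_threat(ev))
        for key, value in ev.items():
            print(f"  {key}: {value}")
```

Splitting on commas is safe for these two samples because no value contains a comma; if other Sangfor log types turn out to embed commas in values (for example a policy name), the split would need to be label-aware, so check a larger sample before relying on this in production.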
Hello Stevenliang,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Jean-Philippe - Fortinet Community Team
Hello again Stevenliang,
I spoke to one of our engineers who said that 'Sangfor NGAF is not compatible with SIEM, which is why the unknown events appeared.' To create a new parser, there is a course on the training page: https://training.fortinet.com/local/staticpage/view.php?page=library_fortisiem-parser.
I hope this helps!
Kindest regards,
Jean-Philippe - Fortinet Community Team
