FortiNewbie2022

Multiple log messages combine into one message when sending to SIEM

Hello Everyone,

 

I have a FortiGate with multiple VDOMs configured inside it. When sending syslog to QRadar SIEM, I notice that multiple log messages are combined into 1 log message on QRadar SIEM. So each log message on the SIEM contains 5 srcip and 5 dstip, but QRadar SIEM can only parse the first srcip and dstip. Here are the sample log messages:

 

me=1649043203 srcip=10.96.10.11 srcport=33097 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.172.121 dstport=1024 dstintf="VLAN 1113" dstintfrole="lan" poluuid="46d3f1fe-c332-51e9-ec6b-8f124f22f8b7" sessionid=3879979829 proto=6 action="server-rst" policyid=10 policytype="policy" service="P1024" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=5 sentbyte=60 rcvdbyte=40 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1849 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.89.144.65 srcport=54957 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873541 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=76 rcvdbyte=204 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1855 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.160.9.59 srcport=50473 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=389 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873595 proto=17 action="accept" policyid=12 policytype="policy" 
service="LDAP_UDP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=227 rcvdbyte=178 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1849 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.83.70.103 srcport=64506 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873613 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=56 rcvdbyte=119 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1848 <189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.66.68.104 srcport=52962 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873619 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=60 rcvdbyte=76 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 
dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstser

 

But on the firewall which only has the default VDOM, the log messages are not combined.

 

<189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" devid="FG1K5DT919801187" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="VDOM1" eventtime=1649043203 srcip=10.83.70.103 srcport=64506 srcintf="VLAN100" srcintfrole="lan" dstip=10.97.150.11 dstport=53 dstintf="VLAN 1127" dstintfrole="lan" poluuid="46d5e108-c332-51e9-7fff-6e3b85f61c36" sessionid=3879873613 proto=17 action="accept" policyid=12 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=56 rcvdbyte=119 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Router/NAT Device" devcategory="Windows Device" mastersrcmac="08:b2:58:a4:a3:41" srcmac="08:b2:58:a4:a3:41" srcserver=0 dstdevtype="Router/NAT Device" dstdevcategory="None" masterdstmac="5c:16:c7:0a:d0:28" dstmac="5c:16:c7:0a:d0:28" dstserver=1848

 

Can I edit the syslog message format or prevent this combination? Please advise.
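As an added illustration, not part of the original post or of any Fortinet or IBM tooling, the following Python shows what a collector-side pre-processor would have to do to recover the individual records from a message like the one above: split the payload on the syslog PRI header (`<189>`) that every FortiGate record begins with, flag a leading fragment that has no header (like the truncated `me=1649043203 ...` piece in the post), and parse each record's key=value pairs, including the double-quoted values, into its own dictionary. The sample payload is constructed from field values taken from the post and shortened to a few fields per record; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Syslog PRI header ("<" + priority 0..191 + ">") that starts each FortiGate record.
PRI_RE = re.compile(r"<(\d{1,3})>")
# FortiGate key=value pairs: the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_syslog_records(payload: str) -> List[str]:
    """Split one received syslog payload into the records it actually contains.

    Splits in front of every PRI header, so a leading fragment that has no header
    (a record cut off by the collector) is kept as its own element rather than
    being silently dropped.
    """
    parts = [p.strip() for p in re.split(r"(?=<\d{1,3}>)", payload)]
    return [p for p in parts if p]


def parse_fortigate_record(record: str) -> Dict[str, Optional[str]]:
    """Parse a single FortiGate syslog record into a flat dict of its fields.

    Two synthetic fields are added: 'pri' (the syslog priority, or None when the
    header is missing) and 'partial' ('1' when the header is missing, else '0').
    """
    m = PRI_RE.match(record)
    body = record[m.end():] if m else record
    fields: Dict[str, Optional[str]] = {
        "pri": m.group(1) if m else None,
        "partial": "0" if m else "1",
    }
    for key, quoted, bare in KV_RE.findall(body):
        # Exactly one of the two alternatives matched; quoted may legitimately be "".
        fields[key] = quoted if bare == "" else bare
    return fields


def extract_records(payload: str) -> List[Dict[str, Optional[str]]]:
    """Full pipeline: one received message in, one parsed dict per embedded record out."""
    return [parse_fortigate_record(r) for r in split_syslog_records(payload)]


def embedded_record_count(payload: str) -> int:
    """Number of records inside one received message; anything above 1 means concatenation."""
    return len(split_syslog_records(payload))


# Constructed sample (values taken from the post, fields trimmed): a truncated
# leading fragment followed by two complete records, all in one payload.
SAMPLE_COMBINED = (
    'me=1649043203 srcip=10.96.10.11 srcport=33097 dstip=10.97.172.121 dstport=1024 '
    'action="server-rst" policyid=10 '
    '<189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" vd="VDOM1" '
    'eventtime=1649043203 srcip=10.89.144.65 srcport=54957 dstip=10.97.150.11 '
    'dstport=53 action="accept" policyid=12 service="DNS" '
    '<189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" vd="VDOM1" '
    'eventtime=1649043203 srcip=10.160.9.59 srcport=50473 dstip=10.97.150.11 '
    'dstport=389 action="accept" policyid=12 service="LDAP_UDP"'
)

# Constructed sample of the healthy case: a single complete record.
SAMPLE_SINGLE = (
    '<189>date=2022-04-04 time=10:33:23 devname="DR-CORE-FW-01" vd="VDOM1" '
    'eventtime=1649043203 srcip=10.83.70.103 srcport=64506 dstip=10.97.150.11 '
    'dstport=53 action="accept" service="DNS"'
)

if __name__ == "__main__":
    print("records in combined message:", embedded_record_count(SAMPLE_COMBINED))
    for rec in extract_records(SAMPLE_COMBINED):
        print(rec["partial"], rec["pri"], rec.get("srcip"), "->",
              rec.get("dstip"), rec.get("dstport"), rec.get("service"))
    print("records in single message:", embedded_record_count(SAMPLE_SINGLE))
```

Running the block prints three records for the combined payload, the first flagged partial with no priority, each with its own srcip/dstip, and one record for the single-VDOM style message. The `embedded_record_count` check is the useful monitoring hook: counting payloads with more than one PRI header tells you how often records are being merged before the parser ever sees them, independently of whatever is done on the sending side to stop it.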

 

1 REPLY 1
Anonymous

 
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
 
Thanks,