How to integrate fortigate logs with Wazuh? #2152
Comments
|
Hi @nkhljswl, <ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall> <!-- This -->
<logall_json>yes</logall_json> <!-- This -->
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
</global>You can get more info about the archival data storage here. archival-data-storage If you have events but no alerts, you may need to create decoders or custom rules, this Issue can help. #1884 You can also check this blog: Monitoring network devices Wazuh hids I hope this helps you, don't hesitate to ask if you have any more questions. |
|
Hi @jsanchez91 , I have updated the configuration. Also i have added fortigate decoder. Link But, still i couldn't find logs in archive.log . |
|
Could you explain the steps you take to set up Fortigate on Wazuh? |
|
Sure, Step 1 Enabled syslog in Fortigate firewall to forward log. |
|
Hello, We can check a few things. The first is the "var/ossec/logs/ossec.log" file. Check if you have any errors about the If you have no errors, make sure your remote configuration is good, check if the IP of the Fortigate machine is in the And finally, check the configuration in the file *.* @[WAZUH-MANAGER-IP]:514In these links you can get more info about If you have any questions, don't hesitate to ask. |
|
Hi @jsanchez91 The first is the "var/ossec/logs/ossec.log" file. Check if you have any errors about the rsyslog I can't see any error message related to rsyslog. If you have no errors, make sure your remote configuration is good, check if the IP of the Fortigate machine is in the allowed-ips and the local_ip are visible by the Fortigate. Please find the below screenshot of my configuration
And finally, check the configuration in the file /etc/rsyslog.conf in the Fortigate side. Try to add this to forward all logs to Wazuh: I can see the syslog traffic in tcpdump |
|
After adding the settings to rsyslog.conf to forward all logs, do you receive any events or alerts? |
|
Hi Jose, I can see only archives.log. I couldn't find archives.json. |
|
To save the events in the files.json file enable the logall_json option in the ossec.conf. <ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>yes</logall_json> <!-- THIS OPTION -->
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
</global>
...After the change, restart Wazuh. |
|
Hi Jose, Configuration is already in place.
|
|
Is there any other workaround to get firewall logs in Wazuh? |
|
Hi @nkhljswl, It's strange that you don't have the Could you share your |
|
Hi Jose, |
|
Hello @nkhljswl, I found no mistake, but it seems your Wazuh service has stopped. Share with me the output from running this command systemctl status wazuh-managerIf the service has stopped, restart with this command. systemctl start wazuh-manager |
|
Hi @nkhljswl I am closing this issue due to inactivity. Please, if you still have this problem, feel free to open a new issue. Thank you. |
|
@jsanchez91 I am having a similar problem as described by @nkhljswl . I have followed all your instructions. I can also see archives.log/json and logs in them. I am not able to on Kibana. I have configured the decoder and rules as described in #1884 . I am using Wazuh 4.0. I am not sure where I am getting wrong. I will appreciate any help! |
|
Hi @hansaliyad1, Could you share your archives.json with me? |
|
Hey! @jsanchez91 I am sorry! I won't be able to share that file since it contains sensitive information. Also, it is a really big file since it is running for a while now. But I can confirm it has all the events related to Fortigate. |
|
Could you send me some examples of events related to Fortigate that hide sensitive information? |
|
On the other hand, you have commented that you added the decoders and ruleset mentioned in this Issue: #1884 In this comment, a rule is added that level 0, which by default does not generate alerts. You can try to use the decoders and ruleset indicated in this other comment: #1884 (comment) |
|
@jsanchez91 Thanks for your response again. I apologize for the delayed response. I did change the level number to 4. I ended removing wazuh and installed ELK. I just needed a log manager. It works now like charm. Thank you again for your help. |
|
I'm glad I could help you, if everything is resolved I'll close the Issue. If you have any further questions, please do not hesitate to reopen the Issue or use our slack channel, our Google group Regards |
|
Hi, May i know which format i should choose in Fortigate ? default Syslog format. |
|
Hi, I can see the log in tail -n 1000 /var/ossec/logs/archives/archives.json but why i still cannot view fortigate log in wazuh discovery? Thanks |
Hi Folks,
I have recently deployed Wazuh in our infrastructure. It was pretty easy to integrate Windows and Linux os for monitoring. So here is the problem-
I followed Wazuh documentation to configure network devices to receive logs in Wazuh manager.Also allowed the port and ip in ossec.conf. I can see the syslog traffic coming from source machine in tcpdump but events are not visible in Wazuh UI.
Also if you can help me to understand below queries:
Wazuh Version: 3.11
Any help would be appreciated.
The text was updated successfully, but these errors were encountered: