Fortigate log monitoring with Wazuh-manager #1884

Closed
Alduma08 opened this issue Nov 11, 2019 · 11 comments
Assignees
Labels
reporter/community Issue reported by the community

Comments

@Alduma08

Hello, I've got a Fortigate firewall and I'm trying to monitor its logs with Wazuh.

I can see the logs being monitored in /var/ossec/logs/archives/

But I can't find these logs in kibana. I don't know why.

@Zenidd Zenidd self-assigned this Nov 12, 2019
@Zenidd

Zenidd commented Nov 12, 2019

Hello @Aldugama,

Seems like the Fortigate decoders are not correctly extracting the event fields so the Fortigate rules aren't being triggered. The fact that you can find the events in /var/ossec/logs/archives/archives.(log|json) shows that the events are flowing from the agent to the manager.

We can fix it by tuning the Fortigate log format and/or the Wazuh Fortigate decoders. Could you paste here several example events so I can test it in my lab environment?

After this issue is solved, for further questions (apart from this topic) please use our mailing list or the Wazuh #community Slack channel.

Regards, JP Sáez

@Zenidd Zenidd added the reporter/community Issue reported by the community label Nov 12, 2019
@Alduma08
Author

Those are some of the logs we get from Fortigate. How could I modify the decoders? Because the Fortigate log format is not modifiable.

Forti.log

Regards.

@Zenidd

Zenidd commented Nov 13, 2019

Hello again @Aldugama,

I have written some custom decoders for your events so you can extract the most relevant fields. Here you have the steps to use them in your environment.

  • You should create a new file inside /var/ossec/etc/decoders. While you can include these custom decoders in the /var/ossec/etc/decoders/local_decoder.xml file I think it's better to place them in a separate file.
1. Creating the new custom decoders file
# touch /var/ossec/etc/decoders/custom_fortigate_decoders.xml
-----------------------------------------------------------------------------------------------------------------------------
2. Time to paste the custom decoders inside the file. Please paste the decoders above inside /var/ossec/etc/decoders/custom_fortigate_decoders.xml

<decoder name="fortigate-custom">
 <prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname=</prematch>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname=</regex>
 <order>date, time</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">"(\S+)" devid="(\S+)" logid="(\S+)" type="(\S+)" subtype="(\S+)"</regex>
 <order>devname, devid, logid, type, subtype</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex"> eventtype="(\S+)"</regex>
 <order>eventtype</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex"> level="(\S+)"</regex>
 <order>level</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex"> vd="(\S+)"</regex>
 <order>vd</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex"> eventtime=(\S+)</regex>
 <order>eventtime</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)"</regex>
 <order>srcip, srcport, srcintf, srcintfrole, dstip, dstport, dstintf, dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) srcname="(\S+)" srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)"</regex>
 <order>srcip,srcname,srcport,srcintf,srcintfrole,dstip,dstport,dstintf,dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstintf="(\S+)" dstintfrole="(\S+)"</regex>
 <order>srcip,dstip,srcport,dstport,srcintf,srcintfrole,dstintf,dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+)</regex>
 <order>srcip, dstip, srcport, dstport</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex"> srcip=(\S+) </regex>
 <order>srcip</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex"> dstip=(\S+) </regex>
 <order>dstip</order>
</decoder>
 -----------------------------------------------------------------------------------------------------------------------------
3. Let's adjust the permissions and owner for the custom decoder file
# chown ossec:ossec /var/ossec/etc/decoders/custom_fortigate_decoders.xml
# chmod 660 /var/ossec/etc/decoders/custom_fortigate_decoders.xml

  • Now the Wazuh manager should be able to decode your FortiGate events. Rules are needed to create alerts over the decoded events:

I have created the rule above that groups the fortigate events. You should place it in your /var/ossec/etc/rules/local_rules.xml file. :

    <rule id="222000" level="0">
        <decoded_as>fortigate-custom</decoded_as>
        <description>Fortigate messages grouped.</description>
    </rule>
  • To apply the changes you should restart the Wazuh manager.

Notes

  • As the rule above is level 0 you won't see its alerts the alerts.json file. If you switch level="0" to level="3" you will see an alert for each FortiGate event. To avoid excessive noise you can create filter rules to just catch the alerts relevant for your environment.

  • Your rules should point to the grouping one above. i.e:

Considering 1.1.1.1 IP as a malicious one

    <rule id="222001" level="8">
        <if_sid>222000</if_sid>
        <srcip>1.1.1.1</srcip>
        <description>Malicious IP alert</description>
    </rule>

You can count on me if you think there are missing fields in the decoders I wrote or if you need help writing useful rules.

Greetings, JP Sáez

@Alduma08
Author

Hello again,

I would like some help to write specific rules for Fortigate, so Wazuh can show just the important events.

Greetings, Alejandro.

@Zenidd

Zenidd commented Nov 20, 2019

Hello @Aldugama,

I'm porting the existing Fortigate rules to work over the custom decoders. Could you provide a good portion of your Fortigate logs so I can have examples to test the rules?

Greetings, JP Sáez

@Alduma08
Author

Hello @Zenidd ,
I left the logs in that google drive folder.
https://drive.google.com/drive/folders/1c2rctntCwW5O4uWHhJdcvZCBuDZWeP-d?usp=sharing

Greetings, Alejandro.

@Zenidd

Zenidd commented Nov 21, 2019

Hello @Aldugama,

After using your logs as an example, I have modified and extended the decoders I pasted above. I also ported the existing Fortigate rules to work with new decoders.

  • Let's begin replacing the /var/ossec/etc/decoders/custom_fortigate_decoders.xml file content with the new decoders. Please, erase the content and paste the new ones:
<decoder name="fortigate-custom">
 <prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname=</prematch>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname=</regex>
 <order>date, time</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">"(\S+)" devid="(\S+)" logid="(\S+)" type="(\S+)" subtype="(\S+)" </regex>
 <order>devname, devid, logid, type, subtype</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex"> eventtype="(\S+)"</regex>
 <order>eventtype</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">level="(\S+)" </regex>
 <order>level</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">vd="(\S+)" </regex>
 <order>vd</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">eventtime=(\S+) </regex>
 <order>eventtime</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip, srcport, srcintf, srcintfrole, dstip, dstport, dstintf, dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) srcname="(\S+)" srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip,srcname,srcport,srcintf,srcintfrole,dstip,dstport,dstintf,dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip,dstip,srcport,dstport,srcintf,srcintfrole,dstintf,dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) </regex>
 <order>srcip, dstip, srcport, dstport</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip="(\S+)"|srcip=(\S+) </regex>
 <order>srcip</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">dstip=(\S+) </regex>
 <order>dstip</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">action="(\S+)" </regex>
 <order>action</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">status="(\S+)" </regex>
 <order>status</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">msg="(\.+)"$</regex>
 <order>msg</order>
</decoder>
  • In my message above, I asked you to place the rule
    <rule id="222000" level="3">
        <decoded_as>fortigate-custom</decoded_as>
        <description>Fortigate messages grouped.</description>
    </rule>

inside the /var/ossec/etc/rules/local_rules.xml file. I would like you to erase this rule as we will include this and the ones I ported in a separate file.

  • And now, let's create the new rules file, paste the custom rules inside and adjust the owner and permissions, as we did for the decoders:
1. Creating the new custom rules file
# touch /var/ossec/etc/rules/custom_fortigate_rules.xml
----------------------------------------------------------------------------------------------
2. Time to paste the custom rules inside the file. Please paste the rules above inside 
/var/ossec/etc/rules/custom_fortigate_rules.xml

<group name="fortigate,syslog,">
    <rule id="222000" level="0">
        <decoded_as>fortigate-custom</decoded_as>
        <description>Fortigate messages grouped.</description>
    </rule>

    <rule id="222014" level="4">
        <if_sid>222000</if_sid>
        <status>dpd_failure</status>
        <description>Fortigate: IP Sec DPD Failed.</description>
        <group>firewall_drop,pci_dss_1.4,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_SC.7,</group>
    </rule>

    <rule id="222015" level="7" frequency="18" timeframe="45" ignore="240">
        <if_matched_sid>222014</if_matched_sid>
        <same_source_ip />
        <description>Fortigate: Multiple Firewall drop events from same source.</description>
        <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,</group>
    </rule>

    <rule id="222016" level="4">
        <if_sid>222000</if_sid>
        <action>login</action>
        <status>failed</status>
        <description>Fortigate: Login failed.</description>
        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
    </rule>

    <rule id="222017" level="7" frequency="18" timeframe="45" ignore="240">
        <if_matched_sid>222016</if_matched_sid>
        <same_source_ip />
        <options>alert_by_email</options>
        <description>Fortigate: Multiple failed login events from same source.</description>
        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,</group>
    </rule>

    <rule id="222022" level="3">
        <if_sid>222000</if_sid>
        <action>Edit</action>
        <description>Fortigate: Firewall configuration changes</description>
        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
    </rule>

    <rule id="222023" level="4" frequency="18" timeframe="45" ignore="240">
        <if_matched_sid>222022</if_matched_sid>
        <same_source_ip />
        <description>Fortigate: Multiple Firewall edit events from same source.</description>
        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
    </rule>

    <rule id="222024" level="4">
        <if_sid>222000</if_sid>
        <action>error</action>
        <description>Fortigate error message</description>
    </rule>

    <rule id="222026" level="3">
        <if_sid>222000</if_sid>
        <match>ui</match>
        <status>success</status>
        <action>login</action>
        <description>Fortigate: User successfully logged into firewall interface.</description>
        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,</group>
    </rule>

    <rule id="222027" level="4" frequency="18" timeframe="45" ignore="240">
        <if_matched_sid>222026</if_matched_sid>
        <same_source_ip />
        <description>Fortigate: Multiple Firewall login events from same source.</description>
        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
    </rule>

    <rule id="222028" level="11">
        <if_sid>222000</if_sid>
        <match>attack</match>
        <action>detected</action>
        <description>Fortigate Attack Detected</description>
        <group>attack,gdpr_IV_35.7.d,</group>
    </rule>

    <rule id="222029" level="3">
        <if_sid>222000</if_sid>
        <match>attack</match>
        <action>dropped</action>
        <description>Fortigate Attack Dropped</description>
        <group>attack,gdpr_IV_35.7.d,</group>
    </rule>

</group>

---------------------------------------------------------------------------------------------
3. Let's adjust the permissions and owner for the custom rules file
# chown ossec:ossec /var/ossec/etc/rules/custom_fortigate_rules.xml
# chmod 660 /var/ossec/etc/rules/custom_fortigate_rules.xml

I recommend you check the custom rules and their syntax, and think about whether there is something missing. I think that with these examples you can easily add your own rules. You can use /var/ossec/bin/ossec-logtest, our log testing binary, where you can enter a log and see if it triggers a decoder and/or an alert.

Let me know how it goes. Greetings,
JP Sáez
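To see what the decoder chain and the frequency rules do to a line before touching the manager, here is an added Python emulation (not part of the issue, and not Wazuh's own engine) covering the decoders from both of JP's replies and rules 222016/222017; the sample events built by `make_event`, the `FailedLoginCorrelator` class and its simplified counting are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Field names the thread's custom decoders extract (a subset of all FortiGate keys).
DECODED = {"date", "time", "devname", "devid", "logid", "type", "subtype", "level", "vd",
           "eventtime", "srcip", "srcname", "srcport", "srcintf", "srcintfrole", "dstip",
           "dstport", "dstintf", "dstintfrole", "action", "status", "msg"}
# FortiGate key=value: quoted values may hold spaces (msg="..."), bare ones end at whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def decode(line):
    """Emulate the decoder chain: the <prematch> on the date/time/devname header,
    then the named fields. Returns None when prematch fails (not a FortiGate event)."""
    if not re.match(r"^date=\d{4}-\d\d-\d\d time=\d\d:\d\d:\d\d devname=", line):
        return None
    return {k: bare or quoted for k, quoted, bare in KV_RE.findall(line) if k in DECODED}

class FailedLoginCorrelator:
    """Emulate rules 222016/222017: one failed login is 222016; the 18th from the same
    srcip within 45 s is 222017, after which that source is ignored for 240 s.
    Counting is simplified to 'fires on the Nth match'; see the Wazuh docs on frequency."""
    def __init__(self, frequency=18, timeframe=45, ignore=240):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.hits = defaultdict(deque)  # srcip -> timestamps of recent 222016 hits
        self.muted_until = {}           # srcip -> epoch until which 222017 stays quiet

    def feed(self, fields):
        """Return the rule id fired by one decoded event, or None for no alert."""
        if not fields or fields.get("action") != "login" or fields.get("status") != "failed":
            return None
        src, ts = fields.get("srcip"), int(fields["eventtime"])  # sample uses epoch seconds
        if ts < self.muted_until.get(src, 0):
            return 222016
        window = self.hits[src]
        window.append(ts)
        while ts - window[0] > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()
            self.muted_until[src] = ts + self.ignore
            return 222017
        return 222016

def make_event(offset, srcip, status="failed"):
    """Constructed sample admin-login event, `offset` seconds after 10:00:00 (not real data)."""
    return (f'date=2019-11-13 time=10:{offset // 60:02d}:{offset % 60:02d} devname="FG-EDGE" '
            f'devid="FG100E0000000000" logid="0100032002" type="event" subtype="system" '
            f'level="alert" vd="root" eventtime={1573639200 + offset} user="admin" '
            f'ui="ssh({srcip})" srcip={srcip} dstip=10.0.0.1 action="login" status="{status}" '
            f'reason="passwd_invalid" msg="Administrator admin login {status} from ssh({srcip})"')

def run(lines):
    """Decode each line and return the rule id fired per line (None = no alert)."""
    corr = FailedLoginCorrelator()
    return [corr.feed(decode(line)) for line in lines]
```

On the manager itself the equivalent check is feeding the same line to /var/ossec/bin/ossec-logtest and reading which decoder and rule fire.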

@Zenidd

Zenidd commented Dec 23, 2019

Hello again @Aldugama,

I'm closing this ticket due to inactivity. I hope your Fortigate logs are now being correctly ingested and checked against the ruleset. If you need further guidance do not hesitate to reopen this ticket.

On the other hand, for further questions we would like you to use our #community Slack channel or the Wazuh mailing list.

Greetings, JP Sáez

@peppelinux

Hi @Zenidd
It would be great if these rules could be included in the standard wazuh-ruleset,
what do you think about that?

@Deki60

Deki60 commented Oct 15, 2021

Hello,
I allow myself to open this subject again. I integrated Fortigate on Wazuh with your rules, thank you very much, because the default Fortigate rules of Wazuh do not send anything back. Just a question: I tried to add the VPN logs for connections and web filtering to show blocked sites, but it was impossible; did you succeed?

@EmperialX

Can you help me create a log decoder and rules for my Fortigate? It would be so helpful.
