Fortigate log monitoring with Wazuh-manager #1884
Comments
Hello @Aldugama, Seems like the Fortigate decoders are not correctly extracting the event fields so the Fortigate rules aren't being triggered. The fact that you can find the events in We can fix it by tuning the Fortigate log format and/or the Wazuh Fortigate decoders. Could you paste here several example events so I can test it in my lab environment? After this issue is solved, for further questions (apart from this topic) please use our mailing list or the Wazuh #community Slack channel. Regards, JP Sáez
Those are some of the logs we get from Fortigate. How could I modify the decoders? Because the Fortigate log format is not modifiable. Regards.
Hello again @Aldugama, I have written some custom decoders for your events so you can extract the most relevant fields. Here you have the steps to use them in your environment.
I have created the rule above that groups the fortigate events. You should place it in your
Notes
You can count on me if you think there are missing fields in the decoders I wrote or if you need help writing useful rules. Greetings, JP Sáez
Hello again, I would like some help to write specific rules for Fortigate, so Wazuh can show just the important events. Greetings, Alejandro.
Hello @Aldugama, I'm porting the existing Fortigate rules to work over the custom decoders. Could you provide a good portion of your Fortigate logs so I can have examples to test the rules? Greetings, JP Sáez
Hello @Zenidd, Greetings, Alejandro.
Hello @Aldugama, After using your logs as an example, I have modified and extended the decoders I pasted above. I also ported the existing Fortigate rules to work with new decoders.
<decoder name="fortigate-custom">
<prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname=</prematch>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname=</regex>
<order>date, time</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">"(\S+)" devid="(\S+)" logid="(\S+)" type="(\S+)" subtype="(\S+)" </regex>
<order>devname, devid, logid, type, subtype</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex"> eventtype="(\S+)"</regex>
<order>eventtype</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">level="(\S+)" </regex>
<order>level</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">vd="(\S+)" </regex>
<order>vd</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">eventtime=(\S+) </regex>
<order>eventtime</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip=(\S+) srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
<order>srcip, srcport, srcintf, srcintfrole, dstip, dstport, dstintf, dstintfrole</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip=(\S+) srcname="(\S+)" srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
<order>srcip,srcname,srcport,srcintf,srcintfrole,dstip,dstport,dstintf,dstintfrole</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstintf="(\S+)" dstintfrole="(\S+)" </regex>
<order>srcip, dstip, srcport, dstport, srcintf, srcintfrole, dstintf, dstintfrole</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) </regex>
<order>srcip, dstip, srcport, dstport</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip="(\S+)"|srcip=(\S+) </regex>
<order>srcip</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">dstip=(\S+) </regex>
<order>dstip</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">action="(\S+)" </regex>
<order>action</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">status="(\S+)" </regex>
<order>status</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">msg="(\.+)"$</regex>
<order>msg</order>
</decoder>
<rule id="222000" level="3">
<decoded_as>fortigate-custom</decoded_as>
<description>Fortigate messages grouped.</description>
</rule>
1. Creating the new custom rules file
# touch /var/ossec/etc/rules/custom_fortigate_rules.xml
----------------------------------------------------------------------------------------------
2. Time to paste the custom rules inside the file. Please paste the rules above inside
/var/ossec/etc/rules/custom_fortigate_rules.xml
<group name="fortigate,syslog,">
<rule id="222000" level="0">
<decoded_as>fortigate-custom</decoded_as>
<description>Fortigate messages grouped.</description>
</rule>
<rule id="222014" level="4">
<if_sid>222000</if_sid>
<status>dpd_failure</status>
<description>Fortigate: IP Sec DPD Failed.</description>
<group>firewall_drop,pci_dss_1.4,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_SC.7,</group>
</rule>
<rule id="222015" level="7" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>222014</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple Firewall drop events from same source.</description>
<group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,</group>
</rule>
<rule id="222016" level="4">
<if_sid>222000</if_sid>
<action>login</action>
<status>failed</status>
<description>Fortigate: Login failed.</description>
<group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<rule id="222017" level="7" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>222016</if_matched_sid>
<same_source_ip />
<options>alert_by_email</options>
<description>Fortigate: Multiple failed login events from same source.</description>
<group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<rule id="222022" level="3">
<if_sid>222000</if_sid>
<action>Edit</action>
<description>Fortigate: Firewall configuration changes</description>
<group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="222023" level="4" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>222022</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple Firewall edit events from same source.</description>
<group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="222024" level="4">
<if_sid>222000</if_sid>
<action>error</action>
<description>Fortigate error message</description>
</rule>
<rule id="222026" level="3">
<if_sid>222000</if_sid>
<match>ui</match>
<status>success</status>
<action>login</action>
<description>Fortigate: User successfully logged into firewall interface.</description>
<group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="222027" level="4" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>222026</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple Firewall login events from same source.</description>
<group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="222028" level="11">
<if_sid>222000</if_sid>
<match>attack</match>
<action>detected</action>
<description>Fortigate Attack Detected</description>
<group>attack,gdpr_IV_35.7.d,</group>
</rule>
<rule id="222029" level="3">
<if_sid>222000</if_sid>
<match>attack</match>
<action>dropped</action>
<description>Fortigate Attack Dropped</description>
<group>attack,gdpr_IV_35.7.d,</group>
</rule>
</group>
---------------------------------------------------------------------------------------------
3. Let's adjust the permissions and owner for the custom rules file
# chown ossec:ossec /var/ossec/etc/rules/custom_fortigate_rules.xml
# chmod 660 /var/ossec/etc/rules/custom_fortigate_rules.xml
I recommend you check the custom rules and their syntax, and think about whether something is missing. I think that with these examples you can easily add your own rules. You can use Let me know how it goes. Greetings,
Hello again @Aldugama, I'm closing this ticket due to inactivity. I hope your Fortigate logs are now being correctly ingested and checked against the ruleset. If you need further guidance do not hesitate to reopen this ticket. On the other hand, for further questions we would like you to use our #community Slack channel or the Wazuh mailing list. Greetings, JP Sáez
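Added example, not code from this thread or from Wazuh: a small Python emulation of how the decoders and rules 222016/222017 above behave on constructed Fortigate key=value events, so the frequency/timeframe/ignore values can be sanity-checked offline before loading the ruleset. The decode(), FailedLoginCorrelator and make_event names are mine, the device id is a placeholder, and the correlator simplifies the Wazuh engine's window semantics (it also keys on the log's own date/time rather than arrival time).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fortigate fields are key=value pairs; values are bare (srcip=192.0.2.10) or
# double-quoted and may then contain spaces (msg="Administrator admin login failed").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def decode(line):
    """Extract the key=value fields the custom decoders above pull out, as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

class FailedLoginCorrelator:
    """Simplified emulation of rules 222016/222017 keyed on srcip (an assumption, not
    the Wazuh engine itself): 222017 fires when `frequency` failed logins from one srcip
    fall inside `timeframe` seconds, then that srcip is silenced for `ignore` seconds.
    Event time comes from the log's date/time fields, not the manager's arrival time."""

    def __init__(self, frequency=18, timeframe=45, ignore=240):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.hits = defaultdict(list)   # srcip -> timestamps of recent 222016 hits
        self.ignore_until = {}          # srcip -> time until which 222017 stays quiet

    def feed(self, line):
        """Return the rule id fired for this line ("222016" or "222017"), else None."""
        fields = decode(line)
        if not (fields.get("action") == "login" and fields.get("status") == "failed"):
            return None                 # rule 222016 does not match this event
        ts = datetime.fromisoformat(f"{fields['date']} {fields['time']}").timestamp()
        src = fields.get("srcip", "unknown")
        if ts < self.ignore_until.get(src, 0):
            return "222016"             # still inside the ignore period of 222017
        window = [t for t in self.hits[src] if ts - t <= self.timeframe] + [ts]
        if len(window) >= self.frequency:
            self.hits[src] = []
            self.ignore_until[src] = ts + self.ignore
            return "222017"
        self.hits[src] = window
        return "222016"

def make_event(seconds, srcip, status):
    """Constructed sample event (not a log from the thread) in the decoders' layout."""
    when = datetime(2019, 12, 2, 10, 0, 0) + timedelta(seconds=seconds)
    return (f'date={when:%Y-%m-%d} time={when:%H:%M:%S} devname="FG-LAB" '
            f'devid="FGT-PLACEHOLDER" logid="0100032002" type="event" subtype="system" '
            f'level="alert" vd="root" srcip={srcip} dstip=192.0.2.1 action="login" '
            f'status="{status}" msg="Administrator admin login {status} from https({srcip})"')
```

Feeding 18 constructed failed logins from one address within 45 seconds yields seventeen 222016 hits and then one 222017, while the same 18 spread over three minutes never reach the threshold.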
Hi @Zenidd,
Hello,
Can you help me create log decoders and rules for my Fortigate? It would be very helpful.
Hello, I've got a Fortigate firewall and I'm trying to monitor its logs with Wazuh.
I can see the logs being monitored in /var/ossec/logs/archives/
But I can't find these logs in Kibana. I don't know why.