
firewall.fortinet

Check the reference vendor documentation here.

Introduction

Tags beginning with firewall.fortinet identify log events generated by the following Fortinet technologies:

  • Fortinet FortiGate

  • Fortinet Unified Threat Management (UTM)

There are a large number of firewall.fortinet tags to accommodate the wide range of log types possible. 

Tag structure

The full tag must have at least two levels, although most require three or four levels. The first two are fixed as firewall.fortinet. The third level identifies the technology type. The fourth element is not always required but is usually fixed and may be automatically generated by the Devo relay rule. 

Technology   Brand      Type                                                                                 Subtype
firewall     fortinet   anomaly, event, fortianalyzer, ips, securityevent, systemevent, traffic, utm, voip   may be fixed and required

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tags                                                    Data tables
firewall.fortinet                                       firewall.fortinet
firewall.fortinet.anomaly.anomaly                       firewall.fortinet.anomaly.anomaly
firewall.fortinet.event                                 firewall.fortinet.event
firewall.fortinet.event.admin                           firewall.fortinet.event.admin
firewall.fortinet.event.config                          firewall.fortinet.event.config
firewall.fortinet.event.connector                       firewall.fortinet.event.connector
firewall.fortinet.event.dhcp                            firewall.fortinet.event.dhcp
firewall.fortinet.event.dns                             firewall.fortinet.event.dns
firewall.fortinet.event.endpoint                        firewall.fortinet.event.endpoint
firewall.fortinet.event.fgd                             firewall.fortinet.event.fgd
firewall.fortinet.event.ha                              firewall.fortinet.event.ha
firewall.fortinet.event.his-performance                 firewall.fortinet.event.hisPerformance
firewall.fortinet.event.ipsec                           firewall.fortinet.event.ipsec
firewall.fortinet.event.pattern                         firewall.fortinet.event.pattern
firewall.fortinet.event.perf-historical                 firewall.fortinet.event.perfHistorical
firewall.fortinet.event.router                          firewall.fortinet.event.router
firewall.fortinet.event.sdwan                           firewall.fortinet.event.sdwan
firewall.fortinet.event.security-rating                 firewall.fortinet.event.securityRating
firewall.fortinet.event.sslvpn-session                  firewall.fortinet.event.sslvpnSession
firewall.fortinet.event.sslvpn-user                     firewall.fortinet.event.sslvpnUser
firewall.fortinet.event.switch_controller               firewall.fortinet.event.switch_controller
firewall.fortinet.event.system                          firewall.fortinet.event.system
firewall.fortinet.event.user                            firewall.fortinet.event.user
firewall.fortinet.event.vpn                             firewall.fortinet.event.vpn
firewall.fortinet.event.wad                             firewall.fortinet.event.wad
firewall.fortinet.event.wireless                        firewall.fortinet.event.wireless
firewall.fortinet.fortianalyzer.analyzer                firewall.fortinet.fortianalyzer.analyzer
firewall.fortinet.fortiedr.endpoint                     firewall.fortinet.fortiedr.endpoint
firewall.fortinet.ips                                   firewall.fortinet.ips
firewall.fortinet.ips.anomaly                           firewall.fortinet.ips.anomaly
firewall.fortinet.securityevent                         firewall.fortinet.securityevent
firewall.fortinet.securityevent.antiexploit             firewall.fortinet.securityevent.antiexploit
firewall.fortinet.securityevent.av                      firewall.fortinet.securityevent.av
firewall.fortinet.securityevent.removablemediaaccess    firewall.fortinet.securityevent.removablemediaaccess
firewall.fortinet.securityevent.sandboxing              firewall.fortinet.securityevent.sandboxing
firewall.fortinet.securityevent.sslvpn                  firewall.fortinet.securityevent.sslvpn
firewall.fortinet.securityevent.vulnerabilityscan       firewall.fortinet.securityevent.vulnerabilityscan
firewall.fortinet.securityevent.webfilter               firewall.fortinet.securityevent.webfilter
firewall.fortinet.systemevent                           firewall.fortinet.systemevent
firewall.fortinet.systemevent.endpoint                  firewall.fortinet.systemevent.endpoint
firewall.fortinet.systemevent.system                    firewall.fortinet.systemevent.system
firewall.fortinet.systemevent.update                    firewall.fortinet.systemevent.update
firewall.fortinet.traffic                               firewall.fortinet.traffic
firewall.fortinet.traffic.allowed                       firewall.fortinet.traffic.allowed
firewall.fortinet.traffic.forward                       firewall.fortinet.traffic.forward
firewall.fortinet.traffic.local                         firewall.fortinet.traffic.local
firewall.fortinet.traffic.multicast                     firewall.fortinet.traffic.multicast
firewall.fortinet.traffic.other                         firewall.fortinet.traffic.other
firewall.fortinet.traffic.slb_http                      firewall.fortinet.traffic.slb_http
firewall.fortinet.traffic.violation                     firewall.fortinet.traffic.violation
firewall.fortinet.utm                                   firewall.fortinet.utm
firewall.fortinet.utm.anomaly                           firewall.fortinet.utm.anomaly
firewall.fortinet.utm.app-ctrl                          firewall.fortinet.utm.appCtrl
firewall.fortinet.utm.dns                               firewall.fortinet.utm.dns
firewall.fortinet.utm.emailfilter                       firewall.fortinet.utm.emailfilter
firewall.fortinet.utm.ips                               firewall.fortinet.utm.ips
firewall.fortinet.utm.ssh                               firewall.fortinet.utm.ssh
firewall.fortinet.utm.ssl                               firewall.fortinet.utm.ssl
firewall.fortinet.utm.virus                             firewall.fortinet.utm.virus
firewall.fortinet.utm.webfilter                         firewall.fortinet.utm.webfilter
firewall.fortinet.voip                                  firewall.fortinet.voip
firewall.fortinet.voip.voip                             firewall.fortinet.voip.voip

For more information, read more about Devo tags.

Set up the Devo relay rule

You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The events are identified by the source port that they are received on and by matching a format defined by a regular expression. 

The relay rule differs depending on whether you are using FortiAnalyzer to manage the logs or simply using FortiGate.

If you are using FortiAnalyzer or FortiSASE

When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source data field describes the format of the event data, and the target tag definition uses its capturing groups to form the third and fourth levels of the tag.

  • Source port → 13003

  • Source data → type=\"{0,1}([^\s^\"]+)\"{0,1}\ssubtype=\"{0,1}([^\s^\"]+)\"{0,1}

  • Target tag → firewall.fortinet.\\D1.\\D2.noncsv

  • Check the Sent without syslog tag and Stop processing checkboxes

Note that this rule also applies to Fortinet versions > 5.6 that send logs in legacy-reliable mode.

If you are using just FortiGate

When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source data field describes the format of the event data; which one you must enter depends on the version of FortiGate you are using and on the format in which the events are sent:

  • Events are received in CSV format without quotes → ,type=([^,]+),subtype=([^,]+)(,|$)

  • Events are received in CSV format with double quotes → ,type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)

Data is then extracted from the event and used to create the third and fourth levels of the tag as needed. In the example below the rule is defined with the following settings:

If you are using FortiEDR

When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. All events arriving at the designated port will receive the tag firewall.fortinet.fortiedr.endpoint.

  • Source port → 13003

  • Target tag → firewall.fortinet.fortiedr.endpoint

  • Check the Sent without syslog tag and Stop processing checkboxes

Configure the forwarding of Fortinet logs

Using FortiAnalyzer

For deployments that aggregate FortiGate log data using FortiAnalyzer, follow the vendor instructions to configure the Devo relay as a remote syslog server using either the admin console or the FortiAnalyzer CLI. In both cases, you only need to enter the IP address of the Devo relay and specify the port on which you created the relay rule.

Using FortiGate/FortiOS

You need to have the Devo Relay IP address and the listening port number on hand when you configure your FortiGate product. In our example, here and in the relay rule above, we are sending FortiGate log events to the relay in CSV format.

  • Using the FortiGate GUI, go to Log & Report → Log Settings and select Remote Logging and Archiving to configure the Devo relay as a remote syslog server.

  • Using the FortiGate CLI, enter the following commands setting the server to the Devo relay IP address and the port to the relay port on which you created the rule.

Configuring the syslog server in the FortiGate CLI

If the version is higher than 5.6, you need to set the mode to legacy-reliable.
If the version is 5.6 or lower, you need to set the mode to udp.

Example for versions higher than 5.6:

    config log syslogd setting
        set status enable
        set csv enable
        set mode legacy-reliable
        set facility local7
        set server <relay_ip>
        set port <relay_port>
    end

For more details about FortiGate logging, see the vendor documentation.

Troubleshooting log configuration

In some scenarios, events with the structure shown below require a specific behavior to be taken into account:

  • <prio>message → where message is a set of key=value pairs separated by a blank space

The first event field after <priority> is being processed as part of the hostchain field, as shown below:

  • <date> key1=value1/relayHost=relayIp <tag>: key2=value2 key3=value3... keyN=valueN

Therefore, when the priority is included, the relay also requires at least the hostname or IP of the device that is sending the logs (following a pattern similar to <prio> hostname message). Otherwise, the first fields after priority will not be correctly parsed.
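The following is an added example (not Devo or Fortinet code) that walks through the two points above: it applies the Source data regular expressions from the relay rules to constructed sample events to build the tag the Target tag field would produce, maps hyphenated tags to the data table names from the listing, and models the troubleshooting case in which the first token after <prio> is taken as the host. The host-chain function is a simplified illustration of the behavior described on this page, not the relay's actual parser; the device names and dates are constructed placeholders.

```python
import re

# Source data regular expressions copied from the relay rule definitions above,
# keyed by the rule a message is matched against (the relay selects the rule by port).
RULES = {
    "fortianalyzer": re.compile(r'type=\"{0,1}([^\s^\"]+)\"{0,1}\ssubtype=\"{0,1}([^\s^\"]+)\"{0,1}'),
    "fortigate_csv": re.compile(r',type=([^,]+),subtype=([^,]+)(,|$)'),
    "fortigate_csv_quoted": re.compile(r',type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)'),
}

def relay_tag(message, rule):
    """Build the tag the Target tag field produces for `message` under `rule`:
    \\D1 and \\D2 are the captured type and subtype. None when the regex does not match."""
    m = RULES[rule].search(message)
    if not m:
        return None
    tag = f"firewall.fortinet.{m.group(1)}.{m.group(2)}"
    # The FortiAnalyzer/FortiSASE rule appends a fixed fifth level.
    return tag + ".noncsv" if rule == "fortianalyzer" else tag

def data_table(tag):
    """Map a tag to its data table as the listing on this page does: hyphenated
    levels become camelCase (his-performance -> hisPerformance); underscores are kept."""
    return re.sub(r'-([a-z])', lambda m: m.group(1).upper(), tag)

def hostchain_split(syslog_line):
    """Simplified model of the troubleshooting note: after <prio>, the first
    whitespace-delimited token is consumed as the host and the rest is the message."""
    m = re.match(r'<(\d{1,3})>(\S+)\s+(.*)$', syslog_line)
    if not m:
        return None
    return {"prio": int(m.group(1)), "host": m.group(2), "message": m.group(3)}

# Constructed sample events; device names and timestamps are placeholders.
SAMPLES = {
    "fortianalyzer": 'date=2024-01-15 time=10:00:00 devname="fgt-example" type="event" subtype="sslvpn-user" level="notice"',
    "fortigate_csv": 'date=2024-01-15,time=10:00:00,devname=fgt-example,type=traffic,subtype=forward,level=notice',
    "fortigate_csv_quoted": 'date="2024-01-15",time="10:00:00",type="utm",subtype="app-ctrl",level="warning"',
}

if __name__ == "__main__":
    for rule, msg in SAMPLES.items():
        print(f"{rule:22} -> {relay_tag(msg, rule)}")
    print(data_table("firewall.fortinet.utm.app-ctrl"))
    # Without a hostname, the first key=value pair is swallowed into the host chain.
    print(hostchain_split("<134>date=2024-01-15 type=traffic subtype=forward"))
    print(hostchain_split("<134>fgt-example date=2024-01-15 type=traffic subtype=forward"))
```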

Below are some references to Fortinet documentation on adding the hostname to the messages sent to the relay:

Table structure

These are the fields displayed in these tables: