Knowledge Doc: [ArcSight Standard Connectors] Parsing issue in Fortinet FortiGate Syslog SmartConnector Wrong Timezone

Summary
When FortiGate logs are parsed, the "time zone" field is not used, so there may be a time discrepancy between the indexed event and the real one.

Products
ArcSight Standard Connectors

Environment
SmartConnectors 8.4 and below

Situation
When parsing FortiGate logs, the "time zone" field is not used, so there may be a time discrepancy between the indexed event and the real one.

Consider two event formats: one handled by the "fortigate_syslog" parser and one by the "cef_syslog" parser.

The following lines are from the "syslog.properties" file in the /user/agent folder:

syslog.subagentdef=
fortigate_host1\:fortigate_syslog,
fortigate_host2\:cef_syslog

Sample from device "fortigate_host1" (see field "tz"):
"<189>date=2023-04-17 time=17:40:26 devname="fw-devicename" devid="FG100xxxx" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1681746028064168644 tz="+0200" srcip=192.xx.xx.xx srcport=10125 srcintf="xxx.xxx" srcintfrole="undefined" dstip=172.20.0.250 dstport=53 dstintf="wanx" dstintfrole="wan" ...TRUNCATED..."

Sample from device "fortigate_host2" (see field "FTNTFGTtz"):
"<189>Apr 17 17:51:45 fortigate_host2 CEF:0|Fortinet|Fortigate|v7.2.4|00013|traffic:forward accept|3|deviceExternalId=FG1xxxxxx FTNTFGTeventtime=1681746705667344390 FTNTFGTtz=+0200 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root src=172.xx.xx.xx spt=50461 deviceInboundInterface=port2 FTNTFGTsrcintfrole=undefined dst=xx.20.0.xx dpt=53 deviceOutboundInterface=port3 FTNTFGTdstintfrole=undefined ...TRUNCATED..."


Cause
The timezone information shown above (tz and FTNTFGTtz) is not recognized by either parser, which results in a time discrepancy between events from different timezones when they are viewed on the Logger/ESM dashboard.
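To make the discrepancy concrete, the following added example (not part of this article or of the SmartConnector parsers) reads both formats, applies the tz / FTNTFGTtz offset, and measures the result against the device's own epoch field (eventtime / FTNTFGTeventtime, in nanoseconds). The sample lines are constructed from the events above with addresses replaced and fields abridged; the year for the BSD syslog header of the CEF line is an assumption, since that header carries none.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines modeled on the two formats above (addresses replaced, fields abridged).
KV_LINE = ('<189>date=2023-04-17 time=17:40:26 devname="fw-devicename" logid="0000000013" '
           'eventtime=1681746028064168644 tz="+0200" srcip=192.0.2.10 dstport=53')
CEF_LINE = ('<189>Apr 17 17:51:45 fortigate_host2 CEF:0|Fortinet|Fortigate|v7.2.4|00013|'
            'traffic:forward accept|3|FTNTFGTeventtime=1681746705667344390 FTNTFGTtz=+0200 '
            'cat=traffic:forward src=192.0.2.10 dpt=53')

def parse_tz(tz):
    """Turn FortiGate's offset string (e.g. +0200, -0530) into a fixed-offset tzinfo."""
    m = re.fullmatch(r'([+-])(\d{2})(\d{2})', tz)
    if not m:
        raise ValueError(f"unexpected tz value: {tz!r}")
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return timezone(-delta if m.group(1) == '-' else delta)

def kv_fields(line):
    """Collect key=value pairs; values may be double-quoted (quotes are dropped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def event_time_utc(line, honour_tz=True, year=2023):
    """True UTC event time. With honour_tz=False the offset field is ignored and the
    wall-clock time is read as UTC, reproducing the behaviour described above.
    `year` is an assumption: the BSD syslog header of the CEF line has no year."""
    f = kv_fields(line)
    if 'CEF:0|' in line:
        hdr = re.match(r'<\d+>(\w{3}) +(\d+) (\d\d:\d\d:\d\d)', line)
        wall = datetime.strptime(f"{hdr[1]} {hdr[2]} {year} {hdr[3]}", "%b %d %Y %H:%M:%S")
        tz = f.get('FTNTFGTtz')
    else:
        wall = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        tz = f.get('tz')
    zone = parse_tz(tz) if (honour_tz and tz) else timezone.utc
    return wall.replace(tzinfo=zone).astimezone(timezone.utc)

def skew_seconds(line, honour_tz=True):
    """Seconds between the parsed time and the device's own epoch field (eventtime /
    FTNTFGTeventtime, nanoseconds). A large value flags a timezone handling problem."""
    f = kv_fields(line)
    ns = int(f.get('eventtime') or f['FTNTFGTeventtime'])
    device = datetime.fromtimestamp(ns / 1e9, tz=timezone.utc)
    return abs((event_time_utc(line, honour_tz) - device).total_seconds())

if __name__ == '__main__':
    for name, line in (('fortigate_syslog', KV_LINE), ('cef_syslog', CEF_LINE)):
        print(f"{name}: skew with tz={skew_seconds(line):.1f}s, "
              f"ignoring tz={skew_seconds(line, honour_tz=False):.1f}s")
```

With the offset honoured the skew is a couple of seconds; ignoring it yields roughly 7200 seconds, the two-hour gap an operator sees on the dashboard. Comparing the parsed time against eventtime in this way is a quick check to run on a sample of events after upgrading the parser.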

Resolution
A fix for this has been confirmed and tested, and will be included in the next parser release.


URL Name
KM000017342

Labels:

Support Tips/Knowledge Docs