
Event parsing issue with Fortigate UTM connector /syslog udp

Hello,

In our environment we have deployed the Fortigate / UTM Syslog connector, which is collecting logs of every type from the UTM appliance [antivirus, traffic, system, DLP, ...].

For events of type utm and subtype virus [cat = utm:virus], where a file is detected as infected by the AV engine, we get a virus field in the device raw logs which identifies the signature of the event. See below the raw log from the device [before it is collected by the connector]:

Nov 25 01:05:53 10.102.102.62 date=2013-07-24 time=18:06:56 devname=FortiGate-VM64 devid=********** logid=0211008192 type=utm subtype=virus eventtype=infected level=warning vd="root" msg="File is infected." status="blocked" service="http" srcip=x.x.x.x dstip=x.x.x.x srcport=60571 dstport=3128 srcintf="port3" dstintf="port2" policyid=x identidx=0 sessionid=327788 direction=N/A file="eicarcom2.zip" quarskip="No skip" virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vid=2172" url="http://www.eicar.org/download/eicarcom2.zip" profile="default" profiletype="Antivirus_Profile" agent="Mozilla/5.0" ....

Now, after the connector collects this data, normalizes it, parses it, enriches it and sends it to ESM, I could not see a lot of the fields in ESM.

For example, the virus field should be mapped to Device Custom String1 as per the SmartConnector guide for Fortigate, but I could not see cs1 getting populated in ESM.

There are other fields, like file and quarskip, which I could see in the raw logs but not in ESM.

I suspect there is an issue with parsing of logs. Can someone please assist me with this?

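To make the mismatch in the post concrete, here is an added example (not code from the post, and not the SmartConnector's own parser) that tokenizes a FortiGate key=value line of the kind quoted above, applies a field map, and lists the raw keys that have no ESM destination. The sample line is constructed from the quoted event with placeholder addresses and ids. Only the virus -> cs1 mapping is taken from the post (as it cites the SmartConnector guide); every other entry in FIELD_MAP is an assumption made for this example, so check it against your connector guide before relying on it. The point of the last function is the check a practitioner would run first: any key it returns (quarskip, for instance) will show up in the raw log and nowhere in ESM, which is exactly the symptom being described.

```python
import re
from typing import Dict, List

# Constructed sample line modelled on the raw event quoted in the post; the
# device id, IP addresses and policy id are placeholders, not real values.
SAMPLE_LINE = (
    'Nov 25 01:05:53 10.102.102.62 date=2013-07-24 time=18:06:56 '
    'devname=FortiGate-VM64 devid=FGVM00UNKNOWN000 logid=0211008192 type=utm '
    'subtype=virus eventtype=infected level=warning vd="root" '
    'msg="File is infected." status="blocked" service="http" srcip=10.0.0.5 '
    'dstip=192.0.2.10 srcport=60571 dstport=3128 srcintf="port3" dstintf="port2" '
    'policyid=7 identidx=0 sessionid=327788 direction=N/A file="eicarcom2.zip" '
    'quarskip="No skip" virus="EICAR_TEST_FILE" dtype="Virus" '
    'ref="http://www.fortinet.com/ve?vid=2172" '
    'url="http://www.eicar.org/download/eicarcom2.zip" profile="default" '
    'profiletype="Antivirus_Profile" agent="Mozilla/5.0"'
)

# One key=value token. The value is either a double-quoted string (which may
# contain spaces, e.g. msg="File is infected.") or a run of non-whitespace.
KV_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# FortiGate key -> ESM field. Only virus -> cs1 is stated in the post (from the
# SmartConnector guide); the remaining entries are ASSUMPTIONS for this example.
FIELD_MAP = {
    'virus': 'cs1',
    'file': 'fname',        # assumption
    'url': 'request',       # assumption
    'srcip': 'src',         # assumption
    'dstip': 'dst',         # assumption
    'srcport': 'spt',       # assumption
    'dstport': 'dpt',       # assumption
    'status': 'act',        # assumption
    'msg': 'msg',           # assumption
    'devname': 'dvchost',   # assumption
}


def parse_fortigate(line: str) -> Dict[str, str]:
    """Split a FortiGate syslog payload into raw key/value pairs.

    The syslog header ("Nov 25 01:05:53 10.102.102.62") contains no '=' and is
    skipped by the token regex; quoted values are returned without quotes.
    """
    fields: Dict[str, str] = {}
    for key, value in KV_TOKEN.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def to_esm(fields: Dict[str, str]) -> Dict[str, str]:
    """Apply FIELD_MAP and derive the category used in the post (utm:virus)."""
    esm = {FIELD_MAP[k]: v for k, v in fields.items() if k in FIELD_MAP}
    if 'type' in fields and 'subtype' in fields:
        esm['cat'] = f"{fields['type']}:{fields['subtype']}"
    return esm


def unmapped_fields(fields: Dict[str, str]) -> List[str]:
    """Raw keys with no ESM destination: visible in the raw log, absent in ESM."""
    consumed = set(FIELD_MAP) | {'type', 'subtype'}
    return sorted(k for k in fields if k not in consumed)


if __name__ == '__main__':
    raw = parse_fortigate(SAMPLE_LINE)
    mapped = to_esm(raw)
    print('cs1 =', mapped.get('cs1'))
    print('unmapped raw keys:', ', '.join(unmapped_fields(raw)))
```

Run it as-is and compare the unmapped list against what you see in ESM: if cs1 is populated here but empty in ESM for the same raw line, the connector's parser (not the device) is dropping the field, which is what the replies below suggest fixing with a parser override.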

Re: Event parsing issue with Fortigate UTM connector /syslog udp

Hi Vishesh,

Is your connector up to date? Are you using the latest connector version, and is the Fortigate version supported by your connector version (check the release guide)?

If everything is correct and you still face the same issue, you need to load a subagent parser on top of the default one.

Or you can gain access to your base syslog parser and modify the Fortigate parser section.


Re: Event parsing issue with Fortigate UTM connector /syslog udp

Hi Balahasan,

Can you brief me on how to modify the Fortigate parser section?

I have checked the release guide and everything looks OK to me.

It would be great if you could throw some light on how I can modify/check the parser section of the standard connector.
