Vice Admiral

Some fields of FortiGate logs don't parse correctly. Do I need to write a Flex Connector?

Hi everyone,
As you know, for Fortinet firewall device log parsing we must install the Syslog Daemon SmartConnector without any extra recommendations. But when I do this job, I find that some fields, after normalization and conversion to CEF format, are not extracted correctly and are missing. Also, I can see those expressions in the raw message field.

Do you agree with me about creating the Flex Connector at the beginning?
Or, in other words, do I use methods like "additional fields mapping" in the ArcSight Console or "using the 'rex' & 'regex' function command" in ArcSight Logger and Command Center?

BR
Amir
Commodore

Hi @zargaran 

Could you post a sample raw event and specify which fields are not getting mapped?

You can do field mapping in multiple ways:

Option 1:

Use 'additional fields mapping' from ArcSight Console.

Option 2:

Login to the agent server and navigate to the directory <Connector Home>/current/user/agent/aup/<Agent_ID>/fcp/custommappings/<DeviceVendor>/<Device Product>/

You may have to create the folders for Device Vendor and Device Product. In your case, 'Fortinet' and 'Fortigate'.

Edit the file 'ngmappings.adatamappings.properties'

If the file is not present, create one with this name. If the agent server is Linux-based, the 'arcsight' user must be given the necessary privileges to read this file.

Map the fields as below:

event.sourceAddress=src
event.destinationAddress=dst

If a sample raw event is provided, I could help you better.

Regards

Ajith KS
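To make the mapping step concrete, here is an added Python illustration (not code from this thread, from ArcSight or from Fortinet) that walks a constructed FortiGate key=value line through a mapping file written in the event.<field>=<token> style shown above and reports which tokens are left unmapped in the raw message. It assumes the mapping tokens are FortiGate key names (srcip, dstip, ...) and simulates the connector's mapping semantics rather than reproducing them.

```python
import re

# Constructed FortiGate-style traffic log line (made-up values, not from a real device).
SAMPLE_LOG = (
    'date=2019-01-15 time=10:21:03 devname="FGT-LAB" devid="FG-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 srcport=51234 dstip=203.0.113.7 dstport=443 proto=6 '
    'action="accept" policyid=12 sentbyte=1200 rcvdbyte=3400 msg="lab test"'
)

# Hypothetical ngmappings.adatamappings.properties content, event.<ArcSightField>=<token>.
# Assumption: the token is the FortiGate key name; only a few fields are mapped on purpose.
MAPPING_PROPERTIES = """
event.sourceAddress=srcip
event.sourcePort=srcport
event.destinationAddress=dstip
event.destinationPort=dstport
event.deviceAction=action
"""

# key=value tokens; a value is either a double-quoted string or a run of non-spaces.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Split a FortiGate key=value line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in TOKEN_RE.findall(line)}

def load_mapping(text):
    """Parse 'event.<field>=<token>' properties lines into {field: token}."""
    mapping = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#") or "=" not in raw:
            continue  # skip blanks, comments and malformed lines
        field, token = (part.strip() for part in raw.split("=", 1))
        mapping[field[len("event."):] if field.startswith("event.") else field] = token
    return mapping

def map_event(line, mapping):
    """Return (mapped ArcSight fields, tokens left unmapped in the raw message)."""
    tokens = parse_kv(line)
    mapped = {field: tokens[token] for field, token in mapping.items() if token in tokens}
    used = set(mapping.values())
    unmapped = {key: value for key, value in tokens.items() if key not in used}
    return mapped, unmapped

if __name__ == "__main__":
    mapped, unmapped = map_event(SAMPLE_LOG, load_mapping(MAPPING_PROPERTIES))
    print("mapped:  ", mapped)
    print("unmapped:", sorted(unmapped))  # candidates to add to the mapping file
```

The unmapped list is the set of keys you would compare against the parsing issue you see in the raw message field before deciding whether a mapping file or a FlexConnector is needed.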
Micro Focus Expert

Hello Amir,

As far as I know, you can configure a FortiGate device to send events in CEF format starting from FortiOS version 5.6.10 (page 69 - FortiGate Logs can be sent to syslog servers in Common Event Format (CEF)):

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/a18f8fa2-1a1b-11e9-9685-f8bc1258b856/FortiOS-5.6-What%27s_New.pdf

The ArcSight Syslog SmartConnector supports FortiOS up to version 5.2:

https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-Fortinet-FortiGate-Syslog/ta-p/1588676

If your FortiOS version is between 5.2 and 5.6, and you noticed a parsing issue, then you should create a FlexAgent to process all unparsed events.

Mladen

Captain

In 90% of similar cases I have faced, the customer simply did not set up the log source as it should be. So you can check the Forti logging settings against the "SmartConnector for Fortinet FortiGate Syslog" configuration guide.

But this is what I think:

Do you agree with me about creating the Flex Connector at the beginning?

This is the best way, in my view. This is only my opinion. You will know all event processing steps, all parser tokens, all these details. And you will also be able to make some quick changes in parser/agent settings. Even if you want to keep the standard field mappings, just open the appropriate SmartConnector guide (usually the last pages) and do as the guide says.

Or, in other words, do I use methods like "additional fields mapping" in the ArcSight Console or "using the 'rex' & 'regex' function command" in ArcSight Logger and Command Center?

Forget about it, if you can do it with the SmartConnector. Let the SmartConnector do its job.

BUT you should be familiar with FlexConnectors, and know the difference in how the Micro Focus Support Team can help you with a standard connector versus a FlexConnector (if at all).

Fleet Admiral

Hi,

We have faced the same issue, and the solution was very easy; it is what the other members recommend.

Using CEF.

From version 5.6, CEF is supported, and then you don't need to build any Flex, just a Syslog Daemon SmartConnector. It works perfectly.

It works so well that, wow, we wait for an upgrade if the FW version does not support CEF.

Thanks
regards

Michael
