Absent Member.

fortiweb logs

Hi

I have a FortiWeb device. I need to install a connector for collecting its logs. I don't want to use the Flex connector.

My device supports CEF syslog, and I want to install a connector that gets the CEF syslog of the FortiWeb device.

If someone has done this, PLEASE help me!

Acclaimed Contributor.

Re: fortiweb logs

It's incredibly easy. CEF events are almost always sent via syslog, so simply install the "SmartConnector for Syslog" and you should be good to go. There are a few different variants of this, but you most likely require the "Syslog Daemon" version. Go to the HP Support site (Welcome - HP Software Support), log in, use your SAID and you can go to the "ArcSight SmartConnectors" section and download the platform version you want (Windows, Linux etc.) and you can install it from there.

However, I strongly recommend that you read the documentation around this and what you need to do to set up the SmartConnector and how you send the data to Logger, ESM or Express:

SmartConnector User’s Guide

ArcSight Common Event Format Syslog

Don't forget though, you need to set up and configure your Fortinet product to use CEF, so check the guides for this. There is some information here -

Absent Member.

Re: fortiweb logs

Hi

I installed a syslog daemon connector and ran it.

This connector is running in the console.

And I see traffic between the device and the connector on port 514 on our analyzer.

But I could not see the logs of this connector, and the EPS of this connector is 0 in the console!

Why can I not see the logs of this connector on the console?!?!?

Established Member.

Re: fortiweb logs

Can you attach the agent.wrapper.out log file here?

I am assuming that the ports are open and the log traffic is reaching the connector.

Absent Member.

Re: fortiweb logs

Hi

I'm sorry. I can't send this file because of security policies.

As you probably know, FortiWeb in newer versions offers these methods to send logs as CEF syslog. So how can I use this kind of method? How do I configure the connector or manager to gather all events?

Established Member.

Re: fortiweb logs

Do a tcpdump or Wireshark capture on your connector server to see if you are receiving any traffic from your FortiWeb machine to the connector server.

If the logs are reaching the syslog connector daemon, the connector should send that data to its destination irrespective of parsing capability.

Acclaimed Contributor.

Re: fortiweb logs

Just to follow on from what Anwar has said - if your connector is receiving events, you will see progress messages on the console as you run it! So you should see messages such as "New device identified on x.x.x.x" and so on. You should also have messages showing memory usage and so on. If you aren't getting any messages, you should see the EPS as zero or near to zero (a connector will send some health messages, so it shouldn't be no messages at all).

I would check if anything else is intercepting the UDP traffic though. Check your firewall settings (so it's not blocked) and make sure that syslogd or rsyslogd isn't running. Strange, but the service on some platforms will intercept the traffic and still allow the other software to bind to the socket - it's just that you get no traffic! So check the firewall and anything else running on the port.

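As an added example (not code from this thread, ArcSight or Fortinet), a small Python self-check for the two points raised in the replies above: that a FortiWeb event arrives as CEF wrapped in syslog on UDP 514, and that the connector host can actually bind and receive on that port. The FortiWeb field values, hostname and addresses are constructed placeholders; the CEF header layout and syslog PRI calculation are the published formats.

```python
import re
import socket
import time

# Constructed sample event (all values made up for this example). The header layout is the
# CEF one: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
SAMPLE_CEF = ("CEF:0|Fortinet|FortiWeb|EXAMPLE-VERSION|100|Connector self-test|3|"
              "src=192.0.2.10 dst=192.0.2.20 msg=constructed test event")
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def build_syslog_line(cef, hostname="fortiweb-test", facility=16, severity=6):
    """Wrap a CEF payload in a BSD-syslog line; PRI is facility*8 + severity (local0.info here)."""
    return f"<{facility * 8 + severity}>{time.strftime('%b %d %H:%M:%S')} {hostname} {cef}"

def parse_cef(line):
    """Return the CEF header fields plus the raw extension, or None if the line has no CEF payload.
    The header is split on unescaped pipes only, so an escaped '\\|' inside a field survives."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = re.split(r"(?<!\\)\|", line[idx + 4:], maxsplit=7)
    if len(parts) < 8:
        return None
    fields = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    fields["extension"] = parts[7]
    return fields

def udp_port_is_free(port, host="0.0.0.0"):
    """True if this process can bind the UDP port; False means another listener (rsyslogd, the connector)
    holds it or the port is privileged. Some platforms let a second process bind and take the traffic anyway."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False

def send_test_event(line, host, port=514):
    """Send one syslog line to the connector's UDP listener; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))

def loopback_roundtrip(line):
    """Sender self-check: receive the line on a throwaway local UDP socket and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        send_test_event(line, "127.0.0.1", rx.getsockname()[1])
        return rx.recvfrom(65535)[0].decode("utf-8")
```

Run it on the connector server with the connector stopped: a False from udp_port_is_free(514) means something else already holds the port. With the connector running, send_test_event(build_syslog_line(SAMPLE_CEF), "<connector address>") should make the console report a new device from the sender's address; if it doesn't, the host firewall or another listener is in the way.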
Absent Member.

Re: fortiweb logs

But I think that the manager doesn't get the syslogs from the connector. All of my connector servers are in the same zone, therefore I don't need to check that port 8443 is open.

I installed another syslog daemon connector for Cisco devices, and I have the same problem with it in getting syslogs on the manager, because:

- on the console the connector is running

- packets are sent and received between the Cisco devices and the connector server (checked with Wireshark and our firewalls)

- the connector services are running on the connector servers

BUT I don't succeed in getting syslogs on the manager and viewing them on the console.

Maybe I need to say that my connector servers are Windows and I run the syslog daemon connector on them.

Absent Member.

Re: fortiweb logs

Maybe the manager can't get syslogs from connectors!?!? Just syslog!!!! (I don't have any problems with Windows, antivirus, vulnerability scanner and so on. I have a problem with the SYSLOG DAEMON CONNECTOR only.)

Absent Member.

Re: fortiweb logs

Hi

That's right.

The problem is that on my connector server the Windows firewall was turned on and I didn't know.

Established Member.

Re: fortiweb logs

I'm sure then you can mark this thread as answered now.
