wazuh / wazuh-dashboard-plugins

Plugins for Wazuh Dashboard
https://wazuh.com/
GNU General Public License v2.0

Fortigate log monitoring with Wazuh-manager #1884

Closed Alduma08 closed 4 years ago

Alduma08 commented 4 years ago

Hello, I've got a Fortigate firewall and I'm trying to monitor its logs with Wazuh.

I can see the logs being monitored in /var/ossec/logs/archives/

But I can't find these logs in kibana. I don't know why.

Zenidd commented 4 years ago

Hello @Aldugama,

Seems like the Fortigate decoders are not correctly extracting the event fields so the Fortigate rules aren't being triggered. The fact that you can find the events in /var/ossec/logs/archives/archives.(log|json) shows that the events are flowing from the agent to the manager.

We can fix it by tuning the Fortigate log format and/or the Wazuh Fortigate decoders. Could you paste here several example events so I can test it in my lab environment?

After this issue is solved, for further questions (apart from this topic) please use our mailing list or the Wazuh #community Slack channel.

Regards, JP Sáez

Alduma08 commented 4 years ago

Those are some of the logs we get from Fortigate. How could I modify the decoders? Because the Fortigate log format is not modifiable.

Forti.log

Regards.

Zenidd commented 4 years ago

Hello again @Aldugama,

I have written some custom decoders for your events so you can extract the most relevant fields. Here you have the steps to use them in your environment.

```xml
<decoder name="fortigate-custom">
 <prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname=</prematch>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname=</regex>
 <order>date, time</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">"(\S+)" devid="(\S+)" logid="(\S+)" type="(\S+)" subtype="(\S+)" </regex>
 <order>devname, devid, logid, type, subtype</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">eventtype="(\S+)"</regex>
 <order>eventtype</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">level="(\S+)" </regex>
 <order>level</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">vd="(\S+)" </regex>
 <order>vd</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">eventtime=(\S+) </regex>
 <order>eventtime</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip, srcport, srcintf, srcintfrole, dstip, dstport, dstintf, dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) srcname="(\S+)" srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip, srcname, srcport, srcintf, srcintfrole, dstip, dstport, dstintf, dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip, dstip, srcport, dstport, srcintf, srcintfrole, dstintf, dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) </regex>
 <order>srcip, dstip, srcport, dstport</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) </regex>
 <order>srcip</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">dstip=(\S+) </regex>
 <order>dstip</order>
</decoder>
```
  1. Let's adjust the permissions and owner for the custom decoder file

    chown ossec:ossec /var/ossec/etc/decoders/custom_fortigate_decoders.xml

    chmod 660 /var/ossec/etc/decoders/custom_fortigate_decoders.xml


- Now the Wazuh manager should be able to decode your FortiGate events. Rules are needed to create alerts over the decoded events:

I have created the rule above that groups the fortigate events. You should place it in your `/var/ossec/etc/rules/local_rules.xml` file:

```xml
<rule id="222000" level="0">
    <decoded_as>fortigate-custom</decoded_as>
    <description>Fortigate messages grouped.</description>
</rule>
```

- To apply the changes you should restart the Wazuh manager.

**Notes**
- As the rule above is level 0 you won't see its alerts in the `alerts.json` file. If you switch level="0" to level="3" you will see an alert for each FortiGate event. To avoid excessive noise you can create filter rules to just catch the alerts relevant for your environment.

- Your rules should point to the grouping one above, i.e.:

Considering the IP 1.1.1.1 as a malicious one:

```xml
<rule id="222001" level="8">
    <if_sid>222000</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>Malicious IP alert</description>
</rule>
```


You can count on me if you think there are missing fields in the decoders I wrote or if you need help writing useful rules. 

Greetings, JP Sáez
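
The decode-then-rule flow described in this comment, as an added example that is not part of the thread or of the Wazuh project: a small Python stand-in that applies the parent decoder's prematch, extracts the `key=value` / `key="value"` pairs the chained child decoders pull out (a simplification of those decoders, not Wazuh's regex engine), and then walks the two rules above. The sample events are constructed (the `devid` is a placeholder), and `LOG_ALERT_LEVEL = 3` is an assumption standing in for the manager's default `log_alert_level`.

```python
import re

# Constructed sample events (not real firewall output); the device id is a placeholder.
SAMPLE_LOGS = [
    'date=2020-05-12 time=10:15:31 devname="FGT-LAB" devid="FGT-DEVID-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'eventtime=1589271331 srcip=1.1.1.1 srcport=51234 srcintf="port1" srcintfrole="lan" '
    'dstip=10.0.0.5 dstport=443 dstintf="port2" dstintfrole="wan" action="deny"',
    'date=2020-05-12 time=10:15:32 devname="FGT-LAB" devid="FGT-DEVID-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'eventtime=1589271332 srcip=192.168.1.20 srcport=40000 srcintf="port1" srcintfrole="lan" '
    'dstip=10.0.0.5 dstport=443 dstintf="port2" dstintfrole="wan" action="accept"',
    # A non-FortiGate line: the prematch must reject it so no FortiGate rule sees it.
    'May 12 10:15:33 gateway sshd[4242]: Accepted password for alice from 192.168.1.21 port 22',
]

# Same prematch as the parent decoder in the thread, written as a Python regex.
PREMATCH = re.compile(r'^date=\d{4}-\d\d-\d\d time=\d\d:\d\d:\d\d devname=')
# Stand-in for the chained child decoders: one key=value or key="value" pair per match.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def decode(line):
    """Return (decoder_name, fields); (None, {}) when the prematch does not apply."""
    if not PREMATCH.match(line):
        return None, {}
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    return "fortigate-custom", fields


# The two rules from the thread, expressed as dicts.
RULES = [
    {"id": 222000, "level": 0, "decoded_as": "fortigate-custom",
     "description": "Fortigate messages grouped."},
    {"id": 222001, "level": 8, "if_sid": 222000, "match_fields": {"srcip": "1.1.1.1"},
     "description": "Malicious IP alert"},
]

# Assumption: the manager's default log_alert_level of 3; lower levels never reach alerts.json.
LOG_ALERT_LEVEL = 3


def evaluate(line, rules=RULES):
    """Walk the rules in order; a child (if_sid) replaces its parent when it also matches."""
    decoder, fields = decode(line)
    matched = None
    for rule in rules:
        if "decoded_as" in rule and rule["decoded_as"] != decoder:
            continue
        if "if_sid" in rule and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if any(fields.get(k) != v for k, v in rule.get("match_fields", {}).items()):
            continue
        matched = rule
    return matched, fields


def set_rule_level(rules, rule_id, level):
    """Return a copy of the ruleset with one rule's level changed (e.g. 222000 from 0 to 3)."""
    return [dict(r, level=level) if r["id"] == rule_id else r for r in rules]


def run(lines, rules=RULES, log_alert_level=LOG_ALERT_LEVEL):
    """Return the alerts that would be written for the given lines."""
    alerts = []
    for line in lines:
        rule, fields = evaluate(line, rules)
        if rule is not None and rule["level"] >= log_alert_level:
            alerts.append({"rule_id": rule["id"], "level": rule["level"],
                           "srcip": fields.get("srcip"), "description": rule["description"]})
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
    print("with the grouping rule at level 3:")
    for alert in run(SAMPLE_LOGS, set_rule_level(RULES, 222000, 3)):
        print(alert)
```

With the grouping rule at level 0 only the 1.1.1.1 event produces an alert; raising 222000 to level 3 with `set_rule_level` makes every decoded FortiGate event alert as well, which is the noise the note above warns about. The sshd line never reaches the rules because the prematch rejects it.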

Alduma08 commented 4 years ago

Hello again,

I would like some help to write specific rules for Fortigate, so Wazuh can show just the important events.

Greetings, Alejandro.

Zenidd commented 4 years ago

Hello @Aldugama,

I'm porting the existing Fortigate rules to work over the custom decoders. Could you provide a good portion of your Fortigate logs so I can have examples to test the rules?

Greetings, JP Sáez

Alduma08 commented 4 years ago

Hello @Zenidd, I left the logs in that google drive folder. https://drive.google.com/drive/folders/1c2rctntCwW5O4uWHhJdcvZCBuDZWeP-d?usp=sharing

Greetings, Alejandro.

Zenidd commented 4 years ago

Hello @Aldugama,

After using your logs as an example, I have modified and extended the decoders I pasted above. I also ported the existing Fortigate rules to work with the new decoders.

```xml
<decoder name="fortigate-custom">
 <prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname=</prematch>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname=</regex>
 <order>date, time</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">"(\S+)" devid="(\S+)" logid="(\S+)" type="(\S+)" subtype="(\S+)" </regex>
 <order>devname, devid, logid, type, subtype</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex"> eventtype="(\S+)"</regex>
 <order>eventtype</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">level="(\S+)" </regex>
 <order>level</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">vd="(\S+)" </regex>
 <order>vd</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">eventtime=(\S+) </regex>
 <order>eventtime</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip, srcport, srcintf, srcintfrole, dstip, dstport, dstintf, dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) srcname="(\S+)" srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip, srcname, srcport, srcintf, srcintfrole, dstip, dstport, dstintf, dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip, dstip, srcport, dstport, srcintf, srcintfrole, dstintf, dstintfrole</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) </regex>
 <order>srcip, dstip, srcport, dstport</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip="(\S+)"|srcip=(\S+) </regex>
 <order>srcip</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">dstip=(\S+) </regex>
 <order>dstip</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">action="(\S+)" </regex>
 <order>action</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">status="(\S+)" </regex>
 <order>status</order>
</decoder>

<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">msg="(\.+)"$</regex>
 <order>msg</order>
</decoder>
```
[custom_fortigate_rules.xml: only the parent rule, keyword or option, description and groups of each rule survive in this copy]

| Parent rule | Keyword / option | Description | Groups |
|---|---|---|---|
| decoded_as `fortigate-custom` | | Fortigate messages grouped. | |
| 222000 | `dpd_failure` | Fortigate: IP Sec DPD Failed. | firewall_drop, pci_dss_1.4, gdpr_IV_35.7.d, hipaa_164.312.a.1, nist_800_53_SC.7 |
| 222014 | | Fortigate: Multiple Firewall drop events from same source. | multiple_drops, pci_dss_1.4, pci_dss_10.6.1, gdpr_IV_35.7.d, hipaa_164.312.a.1, hipaa_164.312.b, nist_800_53_SC.7, nist_800_53_AU.6 |
| 222000 | `login failed` | Fortigate: Login failed. | authentication_failed, invalid_login, pci_dss_10.2.4, pci_dss_10.2.5, gpg13_7.1, gdpr_IV_35.7.d, gdpr_IV_32.2, hipaa_164.312.b, nist_800_53_AU.14, nist_800_53_AC.7 |
| 222016 | `alert_by_email` | Fortigate: Multiple failed login events from same source. | authentication_failures, pci_dss_10.6.1, pci_dss_10.2.4, pci_dss_10.2.5, gpg13_7.1, gdpr_IV_35.7.d, gdpr_IV_32.2, hipaa_164.312.b, nist_800_53_AU.6, nist_800_53_AU.14, nist_800_53_AC.7 |
| 222000 | `Edit` | Fortigate: Firewall configuration changes | pci_dss_10.6.1, gpg13_4.13, gdpr_IV_35.7.d, hipaa_164.312.b, nist_800_53_AU.6 |
| 222000 | | Fortigate: Multiple Firewall edit events from same source. | pci_dss_10.6.1, gpg13_4.13, gdpr_IV_35.7.d, hipaa_164.312.b, nist_800_53_AU.6 |
| 222000 | `error` | Fortigate error message | |
| 222000 | `ui success login` | Fortigate: User successfully logged into firewall interface. | pci_dss_10.6.1, gpg13_7.1, gpg13_7.2, gdpr_IV_32.2, hipaa_164.312.b, nist_800_53_AU.6 |
| 222000 | | Fortigate: Multiple Firewall login events from same source. | pci_dss_10.6.1, gpg13_7.1, gpg13_7.2, gdpr_IV_35.7.d, hipaa_164.312.b, nist_800_53_AU.6 |
| 222000 | `attack detected` | Fortigate Attack Detected | attack, gdpr_IV_35.7.d |
| 222000 | `attack dropped` | Fortigate Attack Dropped | attack, gdpr_IV_35.7.d |

  1. Let's adjust the permissions and owner for the custom rules file

    chown ossec:ossec /var/ossec/etc/rules/custom_fortigate_rules.xml

    chmod 660 /var/ossec/etc/rules/custom_fortigate_rules.xml

I recommend you check the custom rules and their syntax, and think about whether something is missing. I think that with these examples you can easily add your own rules. You can use `/var/ossec/bin/ossec-logtest`, our log testing binary, where you can enter logs and see if they trigger a decoder and/or an alert.

Let me know how it goes. Greetings, JP Sáez
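
A check worth running before `ossec-logtest`, as an added example that is neither part of this thread nor Wazuh tooling: the decoder chain above is only as good as the pairing of capture groups in each `<regex>` with the field names in its `<order>`, and a miscount or a repeated field silently shifts every later field onto the wrong name. The Python below parses a decoders file (Wazuh decoder files have no single root element, so it wraps the text in one), counts the unescaped `(` groups per regex, and reports mismatches, duplicated order fields, unknown parents and unknown `offset` values. The embedded fragment is constructed for the example and deliberately contains a three-field order for a two-group regex and a duplicated `dstport`; the finding codes are this example's own names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment (assumption: a decoders file with one parent and chained children).
# It intentionally carries two defects so the linter has something to report.
SAMPLE_DECODERS = r'''
<decoder name="fortigate-custom">
 <prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname=</prematch>
</decoder>
<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname=</regex>
 <order>date, time, srcip</order>
</decoder>
<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstintf="(\S+)" dstintfrole="(\S+)" </regex>
 <order>srcip,dstip,srcport,dstport,srcintf,srcintfrole,dstport,dstintf,dstintfrole</order>
</decoder>
<decoder name="fortigate-custom1">
 <parent>fortigate-custom</parent>
 <regex offset="after_regex">action="(\S+)" </regex>
 <order>action</order>
</decoder>
'''

# The offset values the Wazuh decoder syntax accepts.
VALID_OFFSETS = {"after_parent", "after_prematch", "after_regex"}


def count_capture_groups(regex):
    """Count unescaped '(' in an OSSEC/Wazuh regex; each one opens a capture group."""
    return len(re.findall(r'(?<!\\)\(', regex))


def parse_order(text):
    """Split an <order> list on commas, tolerating the spaces people put after them."""
    return [field.strip() for field in text.split(",") if field.strip()]


def lint_decoders(xml_text):
    """Return findings as (decoder_index, decoder_name, code, detail) tuples."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    decoders = root.findall("decoder")
    known_names = {dec.get("name") for dec in decoders}
    findings = []
    for index, dec in enumerate(decoders):
        name = dec.get("name")
        parent = dec.findtext("parent")
        if parent is not None and parent not in known_names:
            findings.append((index, name, "unknown-parent", parent))
        regex = dec.find("regex")
        if regex is None:
            continue  # prematch-only parent decoders extract nothing
        offset = regex.get("offset")
        if offset is not None and offset not in VALID_OFFSETS:
            findings.append((index, name, "bad-offset", offset))
        groups = count_capture_groups(regex.text or "")
        order = parse_order(dec.findtext("order") or "")
        if groups != len(order):
            findings.append((index, name, "count-mismatch",
                             f"{groups} capture groups, {len(order)} order fields"))
        seen = set()
        for field in order:
            if field in seen:
                findings.append((index, name, "duplicate-field", field))
            seen.add(field)
    return findings


if __name__ == "__main__":
    for index, name, code, detail in lint_decoders(SAMPLE_DECODERS):
        print(f"decoder #{index} ({name}): {code}: {detail}")
```

Point `lint_decoders` at the text of `/var/ossec/etc/decoders/custom_fortigate_decoders.xml` to check a real file. One caveat: the group counter does not understand `|` alternation, so a decoder such as the `srcip="(\S+)"|srcip=(\S+)` one above is reported as a mismatch and needs a manual look, and a clean lint still says nothing about whether the regexes match your events, which remains `ossec-logtest`'s job.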

Zenidd commented 4 years ago

Hello again @Aldugama,

I'm closing this ticket due to inactivity. I hope your Fortigate logs are now being correctly ingested and checked against the ruleset. If you need further guidance do not hesitate to reopen this ticket.

On the other hand, for further questions we would like you to use our #community Slack channel or the Wazuh mailing list.

Greetings, JP Sáez

peppelinux commented 4 years ago

Hi @Zenidd, it would be great if these rules could be included in the standard wazuh-ruleset, what do you think about that?

Deki60 commented 2 years ago

Hello, I allow myself to open this subject again. I integrated Fortigate on Wazuh with your rules thank you very much because the default fortigate rules of Wazuh do not send anything back. Just a question I tried to add the VPN logs for connections and web filtering to show blocked sites but impossible, did you succeed?

EmperialX commented 1 year ago

Can you help me in creating a log decoder and rules for my Fortigate? It would be so helpful.