Closed Alduma08 closed 4 years ago
Hello @Aldugama,
Seems like the Fortigate decoders are not correctly extracting the event fields, so the Fortigate rules aren't being triggered. The fact that you can find the events in /var/ossec/logs/archives/archives.(log|json) shows that the events are flowing from the agent to the manager.
We can fix it by tuning the Fortigate log format and/or the Wazuh Fortigate decoders. Could you paste here several example events so I can test it in my lab environment?
After this issue is solved, for further questions (apart from this topic) please use our mailing list or the Wazuh #community Slack channel.
Regards, JP Sáez
Those are some of the logs we get from Fortigate. How could I modify the decoders? Because the Fortigate log format is not modifiable.
Regards.
Hello again @Aldugama,
I have written some custom decoders for your events so you can extract the most relevant fields. Here you have the steps to use them in your environment.
/var/ossec/etc/decoders. While you can include these custom decoders in the /var/ossec/etc/decoders/local_decoder.xml file, I think it's better to place them in a separate file.
1. Creating the new custom decoders file

```shell
# touch /var/ossec/etc/decoders/custom_fortigate_decoders.xml
```

2. Time to paste the custom decoders inside the file. Please paste the decoders above inside /var/ossec/etc/decoders/custom_fortigate_decoders.xml
- Now the Wazuh manager should be able to decode your FortiGate events. Rules are needed to create alerts over the decoded events:
I have created the rule above that groups the fortigate events. You should place it in your `/var/ossec/etc/rules/local_rules.xml` file:

```xml
<rule id="222000" level="0">
<decoded_as>fortigate-custom</decoded_as>
<description>Fortigate messages grouped.</description>
</rule>
```
- To apply the changes you should restart the Wazuh manager.
**Notes**
- As the rule above is level 0 you won't see its alerts in the `alerts.json` file. If you switch level="0" to level="3" you will see an alert for each FortiGate event. To avoid excessive noise you can create filter rules to just catch the alerts relevant for your environment.
- Your rules should point to the grouping one above, e.g.:

Considering the 1.1.1.1 IP as a malicious one:

```xml
<rule id="222001" level="8">
<if_sid>222000</if_sid>
<srcip>1.1.1.1</srcip>
<description>Malicious IP alert</description>
</rule>
```
You can count on me if you think there are missing fields in the decoders I wrote or if you need help writing useful rules.
Greetings, JP Sáez
Hello again,
I would like some help to write specific rules for Fortigate, so Wazuh can show just the important events.
Greetings, Alejandro.
Hello @Aldugama,
I'm porting the existing Fortigate rules to work over the custom decoders. Could you provide a good portion of your Fortigate logs so I can have examples to test the rules?
Greetings, JP Sáez
Hello @Zenidd , I left the logs in that google drive folder. https://drive.google.com/drive/folders/1c2rctntCwW5O4uWHhJdcvZCBuDZWeP-d?usp=sharing
Greetings, Alejandro.
Hello @Aldugama,
After using your logs as an example, I have modified and extended the decoders I pasted above. I also ported the existing Fortigate rules to work with new decoders.
Update the /var/ossec/etc/decoders/custom_fortigate_decoders.xml file content with the new decoders. Please erase the content and paste the new ones:

```xml
<decoder name="fortigate-custom">
<prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname=</prematch>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname=</regex>
<order>date, time</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">"(\S+)" devid="(\S+)" logid="(\S+)" type="(\S+)" subtype="(\S+)" </regex>
<order>devname, devid, logid, type, subtype</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex"> eventtype="(\S+)"</regex>
<order>eventtype</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">level="(\S+)" </regex>
<order>level</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">vd="(\S+)" </regex>
<order>vd</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">eventtime=(\S+) </regex>
<order>eventtime</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip=(\S+) srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
<order>srcip, srcport, srcintf, srcintfrole, dstip, dstport, dstintf, dstintfrole</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip=(\S+) srcname="(\S+)" srcport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstip=(\S+) dstport=(\S+) dstintf="(\S+)" dstintfrole="(\S+)" </regex>
<order>srcip, srcname, srcport, srcintf, srcintfrole, dstip, dstport, dstintf, dstintfrole</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) srcintf="(\S+)" srcintfrole="(\S+)" dstintf="(\S+)" dstintfrole="(\S+)" </regex>
<order>srcip, dstip, srcport, dstport, srcintf, srcintfrole, dstintf, dstintfrole</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip=(\S+) dstip=(\S+) srcport=(\S+) dstport=(\S+) </regex>
<order>srcip, dstip, srcport, dstport</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">srcip="(\S+)"|srcip=(\S+) </regex>
<order>srcip</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">dstip=(\S+) </regex>
<order>dstip</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">action="(\S+)" </regex>
<order>action</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">status="(\S+)" </regex>
<order>status</order>
</decoder>
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex offset="after_regex">msg="(\.+)"$</regex>
<order>msg</order>
</decoder>
```
In my message above, I asked you to place the rule

```xml
<rule id="222000" level="3">
<decoded_as>fortigate-custom</decoded_as>
<description>Fortigate messages grouped.</description>
</rule>
```

inside the /var/ossec/etc/rules/local_rules.xml file. I would like you to erase this rule as we will include this and the ones I ported in a separate file.
And now, let's create the new rules file, paste the custom rules inside and adjust the owner and permissions, as we did for the decoders:

1. Creating the new custom rules file

```shell
# touch /var/ossec/etc/rules/custom_fortigate_rules.xml
```

2. Time to paste the custom rules inside the file. Please paste the rules above inside /var/ossec/etc/rules/custom_fortigate_rules.xml
I recommend you to check the custom rules and their syntax and think if there is something missing. I think that with these examples you can easily add your own rules. You can use `/var/ossec/bin/ossec-logtest`, our log testing binary, where you can enter a log and see if it triggers a decoder and/or an alert.
Let me know how it goes. Greetings, JP Sáez
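A consistency check for decoder files of the shape posted above, added here as an example and not part of Wazuh: it parses the decoder XML and reports every decoder whose number of `<order>` fields does not match the capture groups of its `<regex>`, the kind of mismatch that silently breaks field extraction. It assumes the OSSEC regex conventions that `\(` is a literal parenthesis and `|` separates alternatives, and the `DECODER_XML` sample inside the block is constructed and deliberately contains one such mismatch.

```python
"""Check that each Wazuh/OSSEC decoder's <order> field count matches the
capture groups in its <regex>.  Added example, not Wazuh code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread's decoders; the first child has a
# deliberate mismatch (two groups, three fields), the second uses '|'.
DECODER_XML = r"""
<decoder name="fortigate-custom">
  <prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname=</prematch>
</decoder>
<decoder name="fortigate-custom1">
  <parent>fortigate-custom</parent>
  <regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname=</regex>
  <order>date, time, srcip</order>
</decoder>
<decoder name="fortigate-custom1">
  <parent>fortigate-custom</parent>
  <regex offset="after_regex">srcip="(\S+)"|srcip=(\S+) </regex>
  <order>srcip</order>
</decoder>
"""


def count_groups(pattern: str) -> int:
    """Capture groups an OSSEC regex yields on one match: '\\(' is a literal
    parenthesis and '|' separates alternatives, of which only one matches."""
    alternatives = re.split(r"(?<!\\)\|", pattern)
    return max(len(re.findall(r"(?<!\\)\(", alt)) for alt in alternatives)


def check_decoders(xml_text: str) -> list[dict]:
    """Return one finding per decoder whose <order> field count differs from
    its <regex> group count.  Decoder files have no single root element, so
    one is wrapped around the text; prematch-only decoders are skipped."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    findings = []
    for dec in root.iter("decoder"):
        regex = dec.findtext("regex")
        if regex is None:
            continue
        order = dec.findtext("order") or ""
        fields = [f.strip() for f in order.split(",") if f.strip()]
        groups = count_groups(regex)
        if groups != len(fields):
            findings.append({"decoder": dec.get("name"), "regex": regex,
                             "groups": groups, "fields": fields})
    return findings


if __name__ == "__main__":
    for f in check_decoders(DECODER_XML):
        print(f"{f['decoder']}: {f['groups']} group(s) but {len(f['fields'])} field(s) {f['fields']}")
```

Run it against the real decoder file with `check_decoders(open(path).read())` before restarting the manager; an empty list means every `<order>` lines up with its regex.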
Hello again @Aldugama,
I'm closing this ticket due to inactivity. I hope your Fortigate logs are now being correctly ingested and checked against the ruleset. If you need further guidance do not hesitate to reopen this ticket.
On the other hand, for further questions we would like you to use our #community Slack channel or the Wazuh mailing list.
Greetings, JP Sáez
Hi @Zenidd, it would be great if these rules could be included in the standard wazuh-ruleset. What do you think about that?
Hello, I allow myself to open this subject again. I integrated Fortigate on Wazuh with your rules, thank you very much, because the default Fortigate rules of Wazuh do not send anything back. Just a question: I tried to add the VPN logs for connections and web filtering to show blocked sites, but it was impossible. Did you succeed?
Can you help me in creating a log decoder for my Fortigate and rules? It will be so helpful.
Hello, I've got a Fortigate firewall and I'm trying to monitor its logs with Wazuh.
I can see the logs being monitored in /var/ossec/logs/archives/
But I can't find these logs in kibana. I don't know why.