0 Votes
JuanOrjuela-6898 asked SaurabhSharma-msft commented

Where is the appliance name/ip when sending Fortigate (CEF) logs to Sentinel?

I have two different FortiGates that stream logs to a CEF collector (Linux OMS agent). The agent relays the info to a Log Analytics workspace that has Azure Sentinel, and it does process them. When querying the logs I do not have a way to know from which appliance the event is coming. When I capture what the Fortinet is sending (at the CEF collector with tcpdump), something similar to this appears:

Jun 10 22:12:21 APPLIANCE_NAME CEF:0|Fortinet|Fortigate|v6.2.4|00013|traffic:forward close|3|deviceExternalId=FG100D3G15808468 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root FTNTFGTeventtime=1591845141442844111 FTNTFGTtz=-0500 src=192.168.12.7 spt=59648 deviceInboundInterface=port3 FTNTFGTsrcintfrole=undefined dst=99.99.99.99 dpt=995 deviceOutboundInterface=port10 FTNTFGTdstintfrole=wan FTNTFGTsrcuuid=2819709e-a92c-51e7-aaee-8d5fe21947ab FTNTFGTdstuuid=144dd486-1a2e-51e5-ae3c-46083ccbcd10 externalId=110369543 proto=6 act=close FTNTFGTpolicyid=180 FTNTFGTpolicytype=policy FTNTFGTpoluuid=be9f5024-50d3-51e9-ba7c-584c1a07444f app=POP3S FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=88.88.88.88 sourceTranslatedPort=59648 FTNTFGTappid=27561 FTNTFGTapp=POP3S FTNTFGTappcat=Email FTNTFGTapprisk=medium FTNTFGTapplist=SUP_PM_QA_TRAIN FTNTFGTappact=detected FTNTFGTduration=4 out=1503 in=1236 FTNTFGTsentpkt=18 FTNTFGTrcvdpkt=17 FTNTFGTutmaction=allow FTNTFGTcountapp=1


but APPLIANCE_NAME and the IP are not recorded in the event that appears in the Log Analytics workspace.

Is there any way to display that info?
Tags: azure-monitor, microsoft-sentinel

0 Votes
SaurabhSharma-msft answered

@JuanOrjuela-6898 When I check the FortiGate documentation, I do not see any appliance_name field, and Appliance_Name seems to be the hostname of the FortiGate. Also, there is no IP field exported to the CEF log fields as per the documentation (see screenshot below).
(screenshot: fortis-cef-log.png)

Do you get Appliance_Name anywhere in the logs which you want to get sent to Sentinel?




0 Votes
JuanOrjuela-6898 answered SaurabhSharma-msft commented

I started logging to a file from rsyslog also and this is what I get:

 Jun 11 21:21:18 XXXXX_Miami CEF: 0|Fortinet|Fortigate|v6.2.3|00020|traffic:forward accept|3|deviceExternalId=FGT3HD3915805616 FTNTFGTlogid=0000000020 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root FTNTFGTeventtime=1591928479063045578 FTNTFGTtz=-0500 src=192.168.5.55 spt=59415 deviceInboundInterface=port2 FTNTFGTsrcintfrole=lan dst=10.208.88.30 dpt=1433 deviceOutboundInterface=port3 FTNTFGTdstintfrole=undefined FTNTFGTsrcuuid=6512069e-1b00-51e5-da4b-77658b7aee03 FTNTFGTdstuuid=6512069e-1b00-51e5-da4b-77658b7aee03 externalId=116110501 proto=6 act=accept FTNTFGTpolicyid=60 FTNTFGTpolicytype=policy FTNTFGTpoluuid=c2c683a0-c9c2-51e7-097d-3e015d58eaf6 app=MS-SQL FTNTFGTdstcountry=Reserved FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=noop FTNTFGTduration=23503 out=77046 in=89424 FTNTFGTsentpkt=1593 FTNTFGTrcvdpkt=1584 FTNTFGTappcat=unscanned FTNTFGTsentdelta=372 FTNTFGTrcvddelta=372

So where there is XXXXX_Miami, that is the host or the appliance name. This XXXXX_Miami does not appear anywhere in the logs on Azure.

(screenshot: annotation-2020-06-11-223223.png)
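The two captures in this thread show where the appliance name actually sits: in the syslog header in front of "CEF:", not in the CEF message itself, so a collector that keeps only the CEF payload never sees it. The parser below is an added example, not code from the thread, from Microsoft or from Fortinet. It reads both layers of a line separately and, for telling the two FortiGates apart from fields that do travel inside the CEF extension, falls back to deviceExternalId (the FortiGate serial that both captured lines carry). The serial-to-site map, the abridged sample lines and the helper names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the two lines captured in this thread, with their extension lists abridged.
SAMPLE_LINES: List[str] = [
    "Jun 10 22:12:21 APPLIANCE_NAME CEF:0|Fortinet|Fortigate|v6.2.4|00013|traffic:forward close|3|"
    "deviceExternalId=FG100D3G15808468 FTNTFGTlogid=0000000013 cat=traffic:forward "
    "FTNTFGTsubtype=forward src=192.168.12.7 spt=59648 dst=99.99.99.99 dpt=995 proto=6 act=close "
    "app=POP3S FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved out=1503 in=1236",
    " Jun 11 21:21:18 XXXXX_Miami CEF: 0|Fortinet|Fortigate|v6.2.3|00020|traffic:forward accept|3|"
    "deviceExternalId=FGT3HD3915805616 FTNTFGTlogid=0000000020 cat=traffic:forward "
    "src=192.168.5.55 spt=59415 dst=10.208.88.30 dpt=1433 proto=6 act=accept app=MS-SQL "
    "FTNTFGTdstcountry=Reserved FTNTFGTsrccountry=Reserved out=77046 in=89424",
]

# Constructed mapping from FortiGate serial (deviceExternalId) to a site label; an assumption for this example.
SERIAL_TO_SITE: Dict[str, str] = {
    "FG100D3G15808468": "site-a",
    "FGT3HD3915805616": "site-miami",
}

# Syslog header written in front of the CEF message: "Mon DD HH:MM:SS hostname CEF:..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<cef>CEF:\s*\d+\|.*)$"
)
# CEF extension: key=value pairs; a value runs until the next " key=" token, so it may contain spaces.
EXT_RE = re.compile(r"(?P<key>\w+)=(?P<val>.*?)(?=\s+\w+=|$)")


def split_cef_header(cef: str) -> Tuple[List[str], str]:
    """Return the seven pipe-delimited CEF header fields and the raw extension, honouring \\| escapes."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):  # escaped character: keep the next char literally
            cur.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, cef[i:]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one syslog-wrapped CEF line into a flat dict; syslog_host comes only from the syslog header."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    header, extension = split_cef_header(m.group("cef"))
    if len(header) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    rec: Dict[str, str] = {
        "syslog_ts": m.group("ts"),
        "syslog_host": m.group("host"),
        "cef_version": header[0].split(":", 1)[1].strip(),  # tolerates "CEF:0" and "CEF: 0"
        "vendor": header[1], "product": header[2], "version": header[3],
        "signature_id": header[4], "name": header[5], "severity": header[6],
    }
    for km in EXT_RE.finditer(extension):
        # CEF escapes "=" inside values as "\="; undo that so the value is usable
        rec[km.group("key")] = km.group("val").replace("\\=", "=")
    return rec


def identify_appliance(rec: Dict[str, str]) -> str:
    """Name the source appliance from a field that survives inside the CEF message itself.

    The syslog hostname is not a CEF field, so anything that keeps only the CEF payload drops it.
    deviceExternalId (the FortiGate serial) is inside the extension, so a serial-to-site lookup
    is a fallback that does not depend on the syslog header being preserved.
    """
    serial = rec.get("deviceExternalId", "")
    return SERIAL_TO_SITE.get(serial, f"unknown-serial:{serial}")


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        r = parse_line(raw)
        print(f"{r['syslog_host']:15} serial={r['deviceExternalId']} -> {identify_appliance(r)}  {r['name']}")
```

Running the block prints one line per capture, showing the hostname recovered from the syslog header next to the site derived from the serial; the serial lookup is the part that still works on events from which the syslog header has already been stripped.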

@JuanOrjuela-6898 I am checking this internally with the product team and will get back to you once I hear back from them.

0 Votes

hello @SaurabhSharma-msft,

any updates on this issue?

kindest regards

0 Votes

@JuanOrjuela-6898 Sorry for the delay but I am still following up with the team. I will let you know as soon as I get any pointers from them.

0 Votes