Forum Discussion
Azure Sentinel Fortinet Data Connector issues
I am having issues using the Fortinet Data Connector.
I have followed the configuration details given, and configured the rsyslog daemon on the syslog server, as well as the omsagent; however, I am receiving syslog events into Azure Sentinel, and not CommonSecurityLog events, from the data being ingested.
I suspect this is because there is no communication between the rsyslog daemon and the omsagent, but I cannot work out why. To test that comms elsewhere were working, I configured omsagent to collect syslog data on local4 facility, within the log analytics workspace advanced settings, and these are now collected - but obviously there's no parser currently configured that understands the fields within the syslog messages received, and ideally I'd like to work out why rsyslog is not communicating on port 25226:
The following command was run to give security-config-omsagent.conf the following config:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
However, the syslog events being received do not contain "Fortinet", but even if I change this to ":msg, contains, *.* @127.0.0.1:25226'" in the config, I'm still not seeing any logs under the Fortinet data connector/commonsecuritylog events in Sentinel.
I've confirmed using wireshark that syslog events are being received from the firewalls. I can also confirm that syslog data from facility local4 is being received in Sentinel - so the omsagent is working, it appears the rsyslog daemon is not, but I cannot understand how to resolve this issue.
Any assistance would be gratefully received.
I resolved the issue for us.
First I had to upgrade the Fortinet OS to 5.6.x so that it supported CEF output format.
Then I had to ensure that on the analytics workspace page, under Advanced Settings > Data > Syslog, syslog was added. Then I altered the security-config-omsagent.conf with escape characters (which are missing from the copy-paste command within the Sentinel Data Connector page for Fortinet):
The command given:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
The new amended command I ran:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
However, I have noted that since I had this issue, Microsoft have updated their configuration documentation, and it is completely different now. So, what fixed it for me, might not fix it for you.
I was asked by MS Support to send them the following data:
netstat -anp | grep syslog
netstat -anp | grep oms
netstat -anp | grep ruby
tcpdump -nni any port 25244 or port 25246 (just a few lines if present)
tcpdump -nni any port 514 (just a few lines if present)
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
tail -f /var/log/syslog, or the path given by $WorkDirectory /var/spool/rsyslog
And to check the following:
That the Log Analytics workspace is set to standard
Data collection is set to All Events
That the Log Analytics Workspace has syslog enabled
Hopefully you get to a resolution and some of the above helps you troubleshoot.
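As an added example (not from the thread or from Microsoft's documentation), the same rsyslog rule written with a quoted heredoc, which avoids the nested-quote problem entirely, plus a check that the file really contains the quoted "Fortinet" filter and the forward to 127.0.0.1:25226. The target path is a parameter so the functions can be exercised outside /etc/rsyslog.d; rsyslog expects one rule per line, so the two rules are written on separate lines.

```shell
#!/bin/sh
# write_omsagent_rule <path>: write the two rsyslog rules from the thread.
# A quoted heredoc ('EOF') passes the text through untouched, so the double
# quotes around Fortinet survive without any backslash escaping.
# In rsyslog, a single '@' forwards over UDP (the form the thread uses).
write_omsagent_rule() {
    cat > "$1" <<'EOF'
local4.debug @127.0.0.1:25226
:msg, contains, "Fortinet" @127.0.0.1:25226
EOF
}

# write_unescaped_rule <path>: what the shell produces when the inner quotes
# are not escaped - the quotes are consumed and rsyslog never sees them.
# Constructed here only to show the defect; do not install this file.
write_unescaped_rule() {
    printf 'local4.debug @127.0.0.1:25226\n:msg, contains, Fortinet @127.0.0.1:25226\n' > "$1"
}

# check_omsagent_rule <path>: return 0 when the file carries both the
# facility rule and the quoted property filter, 1 otherwise.
check_omsagent_rule() {
    grep -q '^local4\.debug @127\.0\.0\.1:25226$' "$1" &&
    grep -q '^:msg, contains, "Fortinet" @127\.0\.0\.1:25226$' "$1"
}

# listener_present <port>: return 0 when something is bound to the UDP port
# (omsagent should own 25226 once the CEF collector is running).
listener_present() {
    ss -lnu 2>/dev/null | grep -q ":$1 "
}

# Stand-alone use (requires root for /etc/rsyslog.d):
#   write_omsagent_rule /etc/rsyslog.d/security-config-omsagent.conf &&
#   check_omsagent_rule /etc/rsyslog.d/security-config-omsagent.conf &&
#   sudo systemctl restart rsyslog
```

After installing the file, listener_present 25226 tells you whether the omsagent side is listening at all, which separates "rsyslog is not forwarding" from "nothing is receiving".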
Did you add the "set format cef" below? Sounds like you might be missing CEF format.
from https://docs.microsoft.com/en-us/azure/sentinel/connect-fortinet
config log syslogd setting
    set format cef
    set facility <facility_name>
    set port 514
    set reliable disable
    set server <ip_address_of_Receiver>
    set status enable
end