srthomson
Brass Contributor
Oct 01, 2019

Azure Sentinel Fortinet Data Connector issues

I am having issues using the Fortinet Data Connector.

I have followed the configuration details given, and configured the rsyslog daemon on the syslog server, as well as the omsagent; however, I am receiving syslog events into Azure Sentinel, and not CommonSecurityLog events, from the data being ingested.

I suspect this is because there is no communication between the rsyslog daemon and the omsagent, but I cannot work out why. To test that comms elsewhere were working, I configured omsagent to collect syslog data on the local4 facility, within the Log Analytics workspace advanced settings, and these are now collected - but obviously there's no parser currently configured that understands the fields within the syslog messages received, and ideally I'd like to work out why rsyslog is not communicating on port 25226.

The following command was run to give security-config-omsagent.conf the following config:

sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"

However, the syslog events being received do not contain "Fortinet", but even if I change this to ":msg, contains, *.* @127.0.0.1:25226'" in the config, I'm still not seeing any logs under the Fortinet data connector/CommonSecurityLog events in Sentinel.

I've confirmed using Wireshark that syslog events are being received from the firewalls. I can also confirm that syslog data from facility local4 is being received in Sentinel - so the omsagent is working; it appears the rsyslog daemon is not, but I cannot understand how to resolve this issue.

Any assistance would be gratefully received.


• pingutux

I resolved the issue for us.

First I had to upgrade the Fortinet OS to 5.6.x so that it supported CEF output format.
Then I had to ensure that on the analytics workspace page, under Advanced Settings>Data>Syslog, syslog was added.

Then I altered the security-config-omsagent.conf with escape characters (that are missing from the copy-paste command within the Sentinel Data Connector page for Fortinet):

The command given:

sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"

The new amended command I ran:

sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"

However, I have noted that since I had this issue, Microsoft have updated their configuration documentation, and it is completely different now. So, what fixed it for me might not fix it for you.

I was asked by MS Support to send them the following data:

netstat -anp | grep syslog
netstat -anp | grep oms
netstat -anp | grep ruby
tcpdump -nni any port 25244 or port 25246 (just a few lines if present)
tcpdump -nni any port 514 (just a few lines if present)
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
tail -f /var/log/syslog or this path $WorkDirectory /var/spool/rsyslog

And to check the following:

That the Log Analytics workspace is set to standard
Data collection is set to All Events
That the Log Analytics Workspace has syslog enabled

Hopefully you get to a resolution and some of the above helps you troubleshoot.
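The quoting problem behind the original command in the question and the escaped version in the reply, as an added example that is not code from the thread or from the connector page: inside bash -c "..." an unescaped "Fortinet" closes and reopens the outer string, so the property filter reaches the file without its quotes (and, as printed here, on the same line as the local4 rule). This script writes the two rules with a here-document, which needs no escaping, reproduces the unescaped form for comparison, and checks the result; the destination path is a parameter (an assumption for this example) so it can run against a scratch file instead of /etc/rsyslog.d.

```shell
#!/bin/sh
# Added example (not from the thread). Writes the two rsyslog forwarding rules
# for the omsagent CEF listener with a here-document and verifies the file.
# Assumption: the destination path is a parameter so this can target a scratch
# file; in production it would be /etc/rsyslog.d/security-config-omsagent.conf.

write_omsagent_rules() {
    # $1 = destination file. The quoted 'EOF' delimiter turns off all shell
    # expansion, so the double quotes around Fortinet and the @host:port
    # targets are written literally, one rule per line.
    cat > "$1" <<'EOF'
local4.debug @127.0.0.1:25226
:msg, contains, "Fortinet" @127.0.0.1:25226
EOF
}

check_omsagent_rules() {
    # Returns 0 only if the file holds the property-based filter with its
    # quotes intact, which is the form rsyslog accepts; 1 otherwise.
    grep -qF ':msg, contains, "Fortinet" @127.0.0.1:25226' "$1"
}

reproduce_unescaped_command() {
    # Mirrors the unescaped command: "Fortinet" closes and reopens the outer
    # sh -c string, so the filter value loses its quotes before printf ever
    # sees it. $1 = scratch file to write (never /etc/rsyslog.d here).
    sh -c "printf ':msg, contains, "Fortinet" @127.0.0.1:25226\n' > $1"
}

# Stand-alone demonstration against a scratch directory: shows the line(s)
# each method produced and whether the check accepts them.
demo() {
    dir=$(mktemp -d)
    reproduce_unescaped_command "$dir/unescaped.conf"
    write_omsagent_rules "$dir/heredoc.conf"
    for f in "$dir/unescaped.conf" "$dir/heredoc.conf"; do
        printf '%s:\n' "$f"; cat "$f"
        if check_omsagent_rules "$f"; then echo '  -> quotes intact'; else echo '  -> quotes lost'; fi
    done
    rm -rf "$dir"
}

demo
```

Before restarting the daemon on a real host, the written file can be syntax-checked with rsyslogd -N1 -f /etc/rsyslog.d/security-config-omsagent.conf.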
