Forum Discussion
Azure Sentinel Fortinet Data Connector issues
- Nov 06, 2019
I resolved the issue for us.
First I had to upgrade the Fortinet OS to 5.6.x so that it supported CEF output format.
Then I had to ensure that on the analytics workspace page, under Advanced Settings > Data > Syslog, syslog was added. Then I altered the security-config-omsagent.conf with escape characters (which are missing from the copy-paste command within the Sentinel Data Connector page for Fortinet):
The command given:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
The new amended command I ran:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
However, I have noted that since I had this issue, Microsoft have updated their configuration documentation, and it is completely different now. So, what fixed it for me, might not fix it for you.
I was asked by MS Support to send them the following data:
netstat -anp | grep syslog
netstat -anp | grep oms
netstat -anp | grep ruby
tcpdump -nni any port 25244 or port 25246 (just a few lines if present)
tcpdump -nni any port 514 (just a few lines if present)
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
tail -f /var/log/syslog or this path $WorkDirectory /var/spool/rsyslog
And to check the following:
That the Log Analytics workspace is set to standard
Data collection is set to All Events
That the Log Analytics Workspace has syslog enabled
Hopefully you get to a resolution and some of the above helps you troubleshoot.
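The quoting problem in the post above is worth seeing end to end, because the symptom (no traffic on 25226) looks like an agent fault. As an added example, not code from the thread or from Microsoft's connector page: the script below reproduces what the unescaped one-liner writes, what the escaped one writes, and a heredoc form that needs no escaping at all. The output path is a parameter so nothing touches /etc (the real target is /etc/rsyslog.d/security-config-omsagent.conf); the `\n` between the two rules is my assumption, since rsyslog reads one rule per line and the thread's copy shows the two rules run together. The mechanism is the same whether the outer shell is `sh -c` or `bash -c`.

```shell
#!/bin/sh
# Added example (not from the thread or Microsoft's page): show why the
# connector page's one-liner wrote a broken rsyslog fragment, and write a
# correct one without nested-quote escaping. Output path is $1 so this can
# run anywhere; the production target is
# /etc/rsyslog.d/security-config-omsagent.conf.

# The unescaped form from the connector page. Inside sh -c "...", the inner
# "Fortinet" closes and reopens the OUTER double quotes, so the file receives
#   :msg, contains, Fortinet @127.0.0.1:25226
# with no quotes. rsyslog's property filter (:property, op, "value") requires
# the quoted value, so the rule is rejected.
render_unescaped() {
  sh -c "printf 'local4.debug @127.0.0.1:25226\n:msg, contains, "Fortinet" @127.0.0.1:25226\n' > $1"
}

# The escaped form from the post: \" survives the outer double quotes, so the
# quotes reach the file. (The \n separator between rules is an assumption
# added here; rsyslog reads one rule per line.)
render_escaped() {
  sh -c "printf 'local4.debug @127.0.0.1:25226\n:msg, contains, \"Fortinet\" @127.0.0.1:25226\n' > $1"
}

# Same content with no escaping at all: a quoted heredoc hands rsyslog the
# literal text, comments included.
render_heredoc() {
  cat > "$1" <<'EOF'
# FortiGate CEF arrives on local4; forward all of it to the OMS agent CEF listener
local4.debug @127.0.0.1:25226
# Also catch Fortinet messages that arrive on some other facility
:msg, contains, "Fortinet" @127.0.0.1:25226
EOF
}

# Check that both rules reached the file on their own lines and that the
# property filter kept its quotes.
conf_is_well_formed() {
  grep -qxF 'local4.debug @127.0.0.1:25226' "$1" &&
  grep -qxF ':msg, contains, "Fortinet" @127.0.0.1:25226' "$1"
}

# Optional: let rsyslogd parse the fragment itself when it is installed.
lint_with_rsyslogd() {
  if ! command -v rsyslogd >/dev/null 2>&1; then
    echo "rsyslogd not installed; skipping lint"
    return 0
  fi
  rsyslogd -N1 -f "$1"
}

# Demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  render_unescaped "$tmp"
  echo "--- unescaped one-liner wrote:"; cat "$tmp"
  conf_is_well_formed "$tmp" && echo "well-formed" || echo "BROKEN: quotes lost"
  render_heredoc "$tmp"
  echo "--- heredoc wrote:"; cat "$tmp"
  conf_is_well_formed "$tmp" && echo "well-formed" || echo "BROKEN"
  lint_with_rsyslogd "$tmp"
  rm -f "$tmp"
fi
```

After writing the real file, `sudo rsyslogd -N1` validates the whole configuration before you restart rsyslog, and the thread's `tcpdump -nni any port 25226` should then start showing the forwarded copies.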
Did you add the "set format cef" below? Sounds like you might be missing CEF format.
from https://docs.microsoft.com/en-us/azure/sentinel/connect-fortinet
config log syslogd setting
set format cef
set facility <facility_name>
set port 514
set reliable disable
set server <ip_address_of_Receiver>
set status enable
end
- srthomson, Oct 03, 2019, Brass Contributor
Thanks, that option isn't available on our firewalls; we have to run "set csv disable" instead.
- Nicholas DiCola (SECURITY JEDI), Oct 03, 2019, Microsoft
We only support CEF. Can you upgrade your firewall OS to get this option?
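Since the connector only accepts CEF, the first thing to confirm on the collector is that what arrives on udp/514 really carries a CEF header rather than the firewall's key=value or CSV output. As an added example, not code from the thread, Microsoft or Fortinet: the functions below validate a syslog line's CEF header and pull out fields from it. Both sample lines are constructed for this example, and the vendor, product, version and signature values are placeholders, not real FortiGate output.

```shell
#!/bin/sh
# Added example, not code from the thread, Microsoft or Fortinet: check that a
# syslog line carries a CEF header before assuming the agent side is broken.
# Both sample lines are constructed for this example; the vendor, product,
# version and signature values are placeholders, not real FortiGate output.
SAMPLE_CEF='<190>Oct 16 10:00:00 fw01 CEF:0|Fortinet|Fortigate|6.0.0|00013|traffic:forward close|3|src=10.0.0.5 dst=8.8.8.8 spt=51000 dpt=53 proto=udp act=accept'
SAMPLE_KV='<190>Oct 16 10:00:00 fw01 date=2019-10-16 time=10:00:00 devname=fw01 type=traffic subtype=forward srcip=10.0.0.5 dstip=8.8.8.8 action=accept'

# Return 0 when the line has a CEF:<version>| marker followed by the seven
# pipe-delimited header fields (Vendor|Product|Version|SignatureID|Name|Severity)
# and an extension. Pipes are legal inside the extension, so NF may exceed 8.
is_cef() {
  printf '%s\n' "$1" | awk -F'|' '
    $0 !~ /CEF:[0-9]+[|]/ { exit 1 }                                  # no header marker
    NF < 8 { exit 1 }                                                  # header incomplete
    $7 !~ /^([0-9]|10|Low|Medium|High|Very-High|Unknown)$/ { exit 1 }  # bad severity
    { exit 0 }'
}

# Print one header field by position: 1=Vendor 2=Product 3=Version
# 4=SignatureID 5=Name 6=Severity. Field 1 of the split is the syslog
# prefix plus "CEF:0", hence the +1.
cef_header_field() {
  printf '%s\n' "$1" | awk -F'|' -v n="$2" '{ print $(n + 1) }'
}

# Print the extension (everything after the seventh pipe), re-joining any
# pipes that appear inside it.
cef_extension() {
  printf '%s\n' "$1" | awk -F'|' '{
    s = ""
    for (i = 8; i <= NF; i++) s = s (i > 8 ? "|" : "") $i
    print s
  }'
}

# Strip the syslog PRI/timestamp/host prefix and return the bare CEF message,
# e.g. to replay it locally with: logger -p local4.debug "$(cef_payload "$line")"
cef_payload() {
  printf '%s\n' "$1" | awk '{ sub(/^.*CEF:/, "CEF:"); print }'
}

# Demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
  for line in "$SAMPLE_CEF" "$SAMPLE_KV"; do
    if is_cef "$line"; then
      echo "CEF  vendor=$(cef_header_field "$line" 1) severity=$(cef_header_field "$line" 6)"
    else
      echo "NOT CEF: $line"
    fi
  done
fi
```

Feeding the payloads captured with the thread's `tcpdump -A -ni any port 514` through `is_cef` tells you whether the firewall change took effect; replaying `cef_payload` output with `logger -p local4.debug` on the collector exercises the rsyslog to 25226 hop without involving the firewall at all.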
- srthomson, Oct 16, 2019, Brass Contributor
I have upgraded the OS on the firewall, so now we are receiving CEF format syslogs, which is great.
The logs are being received on port 514 on the syslog server, confirmed by running:
sudo tcpdump -A -ni any port 514 -vv
However, when I try and confirm if there's traffic being passed to port 25226, there's nothing:
Yet the configurations are correct, for rsyslog:
And for the OMS Agent:
However, the data is successfully being sent via oms agent for syslog data on port 25224:
Which is being received into Azure Sentinel fine. I've then removed the syslog data capture on the local4 facility, so that the "local4.=alert;...." of the above screenshotted config file is no longer evident, and syslog is no longer captured:
The omsagent.d security_events.conf file settings:
I literally can't see what the issue is at all, and need some assistance please.