Forum Discussion
srthomson
Oct 01, 2019 Brass Contributor
Azure Sentinel Fortinet Data Connector issues
I am having issues using the Fortinet Data Connector. I have followed the configuration details given, and configured the rsyslog daemon on the syslog server, as well as the omsagent, however I a...
- Nov 06, 2019
I resolved the issue for us.
First I had to upgrade the Fortinet OS to 5.6.x so that it supported CEF output format.
Then I had to ensure that on the analytics workspace page, under Advanced Settings > Data > Syslog, syslog was added.
Then I altered security-config-omsagent.conf to add the escape characters that are missing from the copy-paste command on the Sentinel Data Connector page for Fortinet.
The command given:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
The new amended command I ran:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
However, I have noted that since I had this issue, Microsoft has updated its configuration documentation, and it is completely different now. So what fixed it for me might not fix it for you.
I was asked by MS Support to send them the following data:
netstat -anp | grep syslog
netstat -anp | grep oms
netstat -anp | grep ruby
tcpdump -nni any port 25244 or port 25246 (just a few lines if present)
tcpdump -nni any port 514 (just a few lines if present)
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
tail -f /var/log/syslog (or the rsyslog work directory, $WorkDirectory /var/spool/rsyslog)
And to check the following:
That the Log Analytics workspace is set to standard
Data collection is set to All Events
That the Log Analytics Workspace has syslog enabled
Hopefully you get to a resolution and some of the above helps you troubleshoot.
srthomson
Oct 03, 2019 Brass Contributor
Thanks, but that option isn't available on our firewalls; we have to run "set csv disable" instead.
Nicholas DiCola (SECURITY JEDI)
Microsoft
Oct 03, 2019
We only support CEF. Can you upgrade your firewall OS to get this option?
- srthomson Oct 16, 2019 Brass Contributor
I have upgraded the OS on the firewall, so now we are receiving CEF format syslogs, which is great.
The logs are being received on port 514 on the syslog server, confirmed by running:
sudo tcpdump -A -ni any port 514 -vv
However, when I try to confirm whether there's traffic being passed to port 25226, there's nothing:
Yet the configurations are correct, for rsyslog:
And for the OMS Agent:
However, the data is successfully being sent via the OMS agent for syslog data on port 25224:
This is being received into Azure Sentinel fine. I've then removed the syslog data capture on the local4 facility, so that the "local4.=alert;...." line of the config file in the screenshot above is no longer present, and syslog is no longer captured:
The omsagent.d security_events.conf file settings:
I literally can't see what the issue is at all, and need some assistance please.
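The accepted answer's quoting fix and the port checks in this thread, as an added shell example that is not from the thread or from Microsoft's documentation. It re-runs the connector command both as posted and with the escaped quotes, writing into a scratch directory instead of /etc/rsyslog.d (an assumption, so it runs without root), and checks what each produces. Two further assumptions beyond what the posts show: the two rsyslog rules are written on separate lines (the posts show them run together on one line, which rsyslog's legacy selector syntax would not accept), and the omsagent ports to look for are 25224 for plain syslog and 25226 for CEF, as stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the quoting defect in the
# connector's copy-paste command and write the rsyslog rule correctly.
# Assumption: writes go to a scratch directory passed by the caller rather
# than /etc/rsyslog.d, so no root is needed to try this.
set -eu

OMS_CEF_PORT=25226      # omsagent CEF listener (from the thread)
OMS_SYSLOG_PORT=25224   # omsagent plain-syslog listener (from the thread)
CONF_NAME=security-config-omsagent.conf

# write_rule_as_posted DIR: the command as the connector page listed it.
# The inner double quotes are not escaped, so the outer shell ends its
# string at the first one; the quotes around Fortinet never reach the file.
write_rule_as_posted() {
    dir=$1
    bash -c "printf 'local4.debug @127.0.0.1:$OMS_CEF_PORT:msg, contains, "Fortinet" @127.0.0.1:$OMS_CEF_PORT' > $dir/$CONF_NAME"
}

# write_rule_fixed DIR: the same command with \" escaping the inner quotes
# and a \n between the two rules (assumption: one rule per line, which is
# what rsyslog's legacy selector syntax expects).
write_rule_fixed() {
    dir=$1
    bash -c "printf 'local4.debug @127.0.0.1:$OMS_CEF_PORT\n:msg, contains, \"Fortinet\" @127.0.0.1:$OMS_CEF_PORT\n' > $dir/$CONF_NAME"
}

# check_rule FILE: 0 if FILE has the facility rule and the quoted property
# filter each on its own line, 1 otherwise (prints the first problem found).
check_rule() {
    file=$1
    if ! grep -q "^local4\\.debug @127\\.0\\.0\\.1:$OMS_CEF_PORT\$" "$file"; then
        echo "missing facility rule: local4.debug @127.0.0.1:$OMS_CEF_PORT"
        return 1
    fi
    if ! grep -q "^:msg, contains, \"Fortinet\" @127\\.0\\.0\\.1:$OMS_CEF_PORT\$" "$file"; then
        echo "missing or unquoted property filter: :msg, contains, \"Fortinet\""
        return 1
    fi
    return 0
}

# lint_rule FILE: if rsyslogd is installed, have it parse FILE (-N1 means
# check the configuration and exit). Returns 2 when rsyslogd is absent.
lint_rule() {
    command -v rsyslogd >/dev/null 2>&1 || { echo "rsyslogd not installed, skipping parse check"; return 2; }
    rsyslogd -N1 -f "$1"
}

# check_listeners: show what is bound to the omsagent syslog/CEF ports; this
# is the "netstat -anp | grep oms" step from the thread. Returns 1 if nothing
# is bound, which matches the symptom of traffic on 514 but nothing on 25226.
check_listeners() {
    if command -v ss >/dev/null 2>&1; then
        out=$(ss -lntup 2>/dev/null || true)
    elif command -v netstat >/dev/null 2>&1; then
        out=$(netstat -anp 2>/dev/null || true)
    else
        echo "neither ss nor netstat available"; return 2
    fi
    printf '%s\n' "$out" | grep -E ":($OMS_SYSLOG_PORT|$OMS_CEF_PORT)[[:space:]]" \
        || { echo "nothing bound to $OMS_SYSLOG_PORT/$OMS_CEF_PORT"; return 1; }
}

# Demo: run both variants into a scratch directory and show the difference.
scratch=$(mktemp -d)
write_rule_as_posted "$scratch"
printf 'as posted -> %s\n' "$(cat "$scratch/$CONF_NAME")"
check_rule "$scratch/$CONF_NAME" || echo "as posted: REJECTED"
write_rule_fixed "$scratch"
printf 'fixed ->\n%s\n' "$(cat "$scratch/$CONF_NAME")"
check_rule "$scratch/$CONF_NAME" && echo "fixed: OK"
lint_rule "$scratch/$CONF_NAME" || true
rm -rf "$scratch"
```

Run it as-is to see the two files side by side; on the syslog server itself, call check_listeners after the agent is installed to confirm something is actually bound to 25224 and 25226 before capturing with tcpdump.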
- pingutux Nov 05, 2019 Copper Contributor
srthomson Hi!
I have exactly the same issue, and we still don't have any answer, even from the MS team.
In my opinion the agent might have some trouble, but no logs help to confirm that.
I will keep you informed if we find a way to make it work.
(Sorry for my English, it's not my mother tongue.)
- Nicholas DiCola (SECURITY JEDI) Oct 17, 2019
Microsoft
Hi
I'm confused by this: "Which is being received in to Azure Sentinel fine. I've then removed the syslog data capture on local4 facility, so that the "local4.=alert;...." of the above screenshot'd config file is no longer evident, and syslog is no longer captured:"
So it was working, then you removed the local4 data in 95-omsagent? If it was working, why remove it?
- srthomson Oct 17, 2019 Brass Contributor
Because that's not the right ingestion method; it should be parsed in Sentinel as CommonSecurityLog, not Syslog. Once you change the firewall output to CEF, the syslog method doesn't work.