Forum Discussion
Azure Sentinel Fortinet Data Connector issues
- Nov 06, 2019
I resolved the issue for us.
First I had to upgrade the Fortinet OS to 5.6.x so that it supported CEF output format.
Then I had to ensure that on the analytics workspace page, under Advanced Settings > Data > Syslog, syslog was added. Then I altered security-config-omsagent.conf to add the escape characters that are missing from the copy-paste command on the Sentinel Data Connector page for Fortinet:
The command given:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
The new amended command I ran:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
However, I have noted that since I had this issue, Microsoft have updated their configuration documentation, and it is completely different now. So, what fixed it for me, might not fix it for you.
I was asked by MS Support to send them the following data:
netstat -anp | grep syslog
netstat -anp | grep oms
netstat -anp | grep ruby
tcpdump -nni any port 25244 or port 25246 (just a few lines, if present)
tcpdump -nni any port 514 (just a few lines, if present)
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
tail -f /var/log/syslog (or the rsyslog $WorkDirectory path, /var/spool/rsyslog)
And to check the following:
That the Log Analytics workspace is set to standard
Data collection is set to All Events
That the Log Analytics Workspace has syslog enabled
Hopefully you get to a resolution and some of the above helps you troubleshoot.
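The quoting problem described in the post above, shown as an added example that is not part of the original thread or of Microsoft's connector documentation. The script writes the two rsyslog rules with a quoted heredoc (so no backslash escaping is needed at all) and reproduces what the unescaped and escaped printf commands actually emit. Assumptions: the OMS agent listens on 127.0.0.1:25226 as in the post, the two selectors belong on separate lines of the config (the post's single-line printf runs them together), the output path is a parameter so nothing under /etc is touched, and sh -c stands in for bash -c (the quote-stripping behaviour is the same).

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the rsyslog rule that
# forwards Fortinet messages on the local4 facility to the OMS agent listener.
# Assumed listener address: 127.0.0.1:25226 (taken from the post).

# Write the rule file to the path given as $1. A quoted heredoc ('EOF') hands
# the text through untouched, so the double quotes around Fortinet survive
# without any \" escaping. Two rules are written on two lines (assumption:
# rsyslog wants each selector on its own line).
write_fortinet_rule() {
    out="$1"
    cat > "$out" <<'EOF'
local4.debug @127.0.0.1:25226
:msg, contains, "Fortinet" @127.0.0.1:25226
EOF
}

# What the unescaped command from the connector page produces: the inner
# "Fortinet" quotes close and reopen the outer double-quoted string, so the
# shell strips them and the rule reaches the file without quotes.
rule_from_unescaped() {
    sh -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226'"
}

# What the amended command produces: \" keeps the quotes inside the outer
# string, so the property-based filter is written as rsyslog expects it.
rule_from_escaped() {
    sh -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226'"
}

# Check a written config for the quoted match, which is the thing the
# copy-paste command silently loses.
rule_has_quoted_match() {
    grep -q ':msg, contains, "Fortinet" @127.0.0.1:25226' "$1"
}
```

After writing the real file with write_fortinet_rule /etc/rsyslog.d/security-config-omsagent.conf, restart rsyslog and the OMS agent as the post notes, and use rule_has_quoted_match on the file to confirm the quotes are present before chasing the problem elsewhere.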
Hi,
I'm confused with this: "Which is being received in to Azure Sentinel fine. I've then removed the syslog data capture on local4 facility, so that the "local4.=alert;...." of the above screenshot'd config file is no longer evident, and syslog is no longer captured:"
So it was working, then you removed the local4 data in 95-omsagent? If it was working, why remove it?
- Nicholas DiCola (SECURITY JEDI), Oct 17, 2019, Microsoft
Got it. I missed that it was going to syslog, not CommonSecurityLog.
Silly question: since removing the config from 95-omsagent, have you restarted syslog and the OMS agent?
- srthomson, Oct 17, 2019, Brass Contributor
Silly question, but one I appreciate. Yes, after every config change, both are restarted to pull through the config changes.