Forum Discussion
srthomson
Oct 01, 2019Brass Contributor
Azure Sentinel Fortinet Data Connector issues
I am having issues using the Fortinet Data Connector. I have followed the configuration details given, and configured the rsyslog daemon on the syslog server, as well as the omsagent, however I a...
- Nov 06, 2019
I resolved the issue for us.
First I had to upgrade the Fortinet OS to 5.6.x so that it supported CEF output format.
Then I had to ensure that on the analytics workspace page, under Advanced Settings>Data>Syslog that syslog was added:Then altered the security-config-omsagent.conf with escape characters (that are missing from the copy-paste command within the Sentinel Data Connector page for Fortinet:
The command given:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
The new amended command I ran:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
However, I have noted that since I had this issue, Microsoft have updated their configuration documentation, and it is completely different now. So, what fixed it for me, might not fix it for you.
I was asked by MS Support to send them the following data:
Netstat -anp | grep syslog
Netstat -anp | grep oms
Netstat -anp | grep ruby
Tcpdump -nni any port 25244 or port 25246 ( just a few lines if present)
Tcpdump -nni any port 514 ( just a few lines if present)
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
tail -f /var/log/syslog or this path $WorkDirectory /var/spool/rsyslog
And to check the following:
That the Log Analytics workspace is set to standard
Data collection is set to All Events
That the Log Analytics Workspace has syslog enabled
Hopefully you get to a resolution and some of the above helps you troubleshoot.
Nicholas DiCola (SECURITY JEDI)
Microsoft
Oct 17, 2019got it. i missed that it was going to syslog not Commonsecuritylog.
silly question. since removing the config from 95-omsagent have your restarted syslog and OMS agent??
srthomson
Oct 17, 2019Brass Contributor
Silly question, but one I appreciate, yes. After every config change, both are restarted to pull through the config changes.