Forum Discussion
Azure Sentinel Fortinet Data Connector issues
- Nov 06, 2019
I have upgraded the OS on the firewall, so now we are receiving CEF format syslogs, which is great.
The logs are being received on port 514 on the syslog server, confirmed by running:
sudo tcpdump -A -ni any port 514 -vv
However, when I try and confirm if there's traffic being passed to port 25226, there's nothing:
Yet the configurations are correct, for rsyslog:
And for the OMS Agent:
However, the data is successfully being sent via oms agent for syslog data on port 25224:
Which is being received into Azure Sentinel fine. I've then removed the syslog data capture on the local4 facility, so that the "local4.=alert;...." line of the above screenshotted config file is no longer evident, and syslog is no longer captured:
The omsagent.d security_events.conf file settings:
I literally can't see what the issue is at all, and need some assistance please.
srthomson Hi!
I have exactly the same issue, and we still haven't had any answer, even from the MS team.
In my opinion the agent might have some trouble, but no logs help to confirm that.
I will keep you informed if we find a way to make it work.
(Sorry for my English, it's not my mother tongue.)
- srthomson, Nov 06, 2019, Brass Contributor
I resolved the issue for us.
First I had to upgrade the Fortinet OS to 5.6.x so that it supported CEF output format.
Then I had to ensure that on the analytics workspace page, under Advanced Settings > Data > Syslog, syslog was added. Then I altered the security-config-omsagent.conf with escape characters (these are missing from the copy-paste command on the Sentinel Data Connector page for Fortinet):
The command given:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
The new amended command I ran:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
However, I have noted that since I had this issue, Microsoft have updated their configuration documentation, and it is completely different now. So, what fixed it for me, might not fix it for you.
I was asked by MS Support to send them the following data:
netstat -anp | grep syslog
netstat -anp | grep oms
netstat -anp | grep ruby
tcpdump -nni any port 25244 or port 25246 (just a few lines if present)
tcpdump -nni any port 514 (just a few lines if present)
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
tail -f /var/log/syslog or this path $WorkDirectory /var/spool/rsyslog
And to check the following:
That the Log Analytics workspace is set to standard
Data collection is set to All Events
That the Log Analytics Workspace has syslog enabled
Hopefully you get to a resolution and some of the above helps you troubleshoot.
- Mei, Jul 02, 2020, Microsoft
srthomson I am setting up the Linux syslog agent to collect Fortinet logs then forward to omsagent to Sentinel. But checking the rsyslog status, I got errors like:
cannot connect to 127.0.0.1:25226: Permission denied [v8.1911.0-3.el8 try https://www.rsyslog.com/e/2027 ]
The related configuration files are correct but still got this error. Do you have any suggestions?
Thanks!
- nirjhar_roy, May 16, 2021, Copper Contributor
Mei, in /etc/rsyslog.d/security-config-omsagent.conf you will see @@127.0.0.1:25226. Remove one "@" and make it @127.0.0.1:25226.
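An added example (not code from the thread or from Microsoft) covering both srthomson's quoting fix and the single-@ point above: it reproduces what the connector page's one-liner actually hands to bash, writes the rule with a quoted heredoc instead, and checks the resulting file. It assumes the two selectors go on separate lines (the thread shows them run together) and takes the output path as a parameter rather than writing under /etc/rsyslog.d.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the two rsyslog selectors are
# written on separate lines, and the file path is a parameter rather than
# /etc/rsyslog.d/security-config-omsagent.conf.

# Same quoting as the command given on the connector page. The inner "Fortinet"
# quotes terminate bash's outer double-quoted string, so they never reach printf
# and the filter value lands in the file unquoted.
broken_rule() {
    sh -c "printf '%s' ':msg, contains, "Fortinet" @127.0.0.1:25226'"
}

# The amended command: \" survives the outer double quotes as a literal ".
fixed_rule() {
    sh -c "printf '%s' ':msg, contains, \"Fortinet\" @127.0.0.1:25226'"
}

# Write the rule with a quoted heredoc; nothing inside it is interpreted by the
# shell, so no escaping is needed. A single @ is the UDP form; the @@ (TCP) form
# is the one behind the "cannot connect ... Permission denied" error in the thread.
write_omsagent_conf() {
    cat > "$1" <<'EOF'
local4.debug @127.0.0.1:25226
:msg, contains, "Fortinet" @127.0.0.1:25226
EOF
}

# Check a written file: the filter value must be quoted and the target must not
# use the @@ form. Returns 0 when both hold.
check_omsagent_conf() {
    grep -q '^:msg, contains, "Fortinet" @127.0.0.1:25226$' "$1" || return 1
    ! grep -q '@@127.0.0.1:25226' "$1"
}

# Optional syntax check when rsyslogd is installed (informational only).
lint_omsagent_conf() {
    command -v rsyslogd >/dev/null 2>&1 || { echo "rsyslogd not installed, skipping"; return 0; }
    rsyslogd -N1 -f "$1" && echo "rsyslogd accepted $1"
}
```

Run `write_omsagent_conf /tmp/test.conf && check_omsagent_conf /tmp/test.conf && echo ok` to see the safe form pass, and compare `broken_rule` with `fixed_rule` to see the dropped quotes.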
- pingutux, Nov 06, 2019, Copper Contributor
srthomson I owe you and the MS support a beer. It's working!!!
What I've done is
- Correcting the security-config-omsagent.conf
- Adding the syslog facility
- Restart both services
You made my day !
- srthomson, Nov 06, 2019, Brass Contributor
My pleasure, glad I helped. I struggled for days trying to troubleshoot.