SOLVED

Azure Sentinel Fortinet Data Connector issues

Brass Contributor

I am having issues using the Fortinet Data Connector.

 

I have followed the configuration details given, and configured the rsyslog daemon on the syslog server, as well as the omsagent. However, I am receiving Syslog events into Azure Sentinel, and not CommonSecurityLog events, from the data being ingested.

 

I suspect this is because there is no communication between the rsyslog daemon and the omsagent, but I cannot work out why. To test that comms elsewhere were working, I configured omsagent to collect syslog data on the local4 facility, within the Log Analytics workspace advanced settings, and these are now collected. But obviously there's no parser currently configured that understands the fields within the syslog messages received, and ideally I'd like to work out why rsyslog is not communicating on port 25226:

 

netstat-an.PNG

 

The following command was run to give security-config-omsagent.conf the following config:

 

sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"

 

However, the syslog events being received do not contain "Fortinet", but even if I change this to ":msg, contains, *.* @127.0.0.1:25226'" in the config, I'm still not seeing any logs under the Fortinet data connector/commonsecuritylog events in Sentinel.

 

I've confirmed using wireshark that syslog events are being received from the firewalls. I can also confirm that syslog data from facility local4 is being received in Sentinel - so the omsagent is working, it appears the rsyslog daemon is not, but I cannot understand how to resolve this issue.

 

Any assistance would be gratefully received.

 

 

14 Replies

@srthomson 

 

Did you add the "set format cef" below? Sounds like you might be missing the CEF format.

 

from https://docs.microsoft.com/en-us/azure/sentinel/connect-fortinet

config log syslogd setting

set format cef

set facility <facility_name>

set port 514

set reliable disable

set server <ip_address_of_Receiver>

set status enable

end

Thanks, that option isn't available on our firewalls, we have to run "set csv disable" instead.

@srthomson 

We only support CEF. Can you upgrade your firewall OS to get this option?

I have upgraded the OS on the firewall, so now we are receiving CEF format syslogs, which is great.
The logs are being received on port 514 on the syslog server, confirmed by running:

 

sudo tcpdump -A -ni any port 514 -vv

CEF_Firewall.PNG

 

 

However, when I try and confirm if there's traffic being passed to port 25226, there's nothing:

 

Port_25226_Nothing.PNG

 

Yet the configurations are correct, for rsyslog:

 

rsyslog_config.PNG

 

And for the OMS Agent:

 

Security-config-omsagent-config.PNG

 

However, the data is successfully being sent via the OMS agent for syslog data on port 25224:

 

Syslog_25224.PNG

  

Which is being received into Azure Sentinel fine. I've then removed the syslog data capture on the local4 facility, so that the "local4.=alert;...." line of the above screenshotted config file is no longer present, and syslog is no longer captured:

 

95-omsagent-config.PNG

 

The omsagent.d security_events.conf file settings:

 

security_conf-omsagent.PNG

 

I literally can't see what the issue is at all, and need some assistance please.

@srthomson 

Hi

I'm confused by this: "Which is being received into Azure Sentinel fine. I've then removed the syslog data capture on local4 facility, so that the "local4.=alert;...." of the above screenshot'd config file is no longer evident, and syslog is no longer captured:"

 

So it was working, then you removed the local4 data in 95-omsagent? If it was working, why remove it?

Because that's not the right ingestion method: it should be parsed in Sentinel as CommonSecurityLog, not Syslog. Once you change the firewall output to CEF, the syslog method doesn't work.

@srthomson 

Got it. I missed that it was going to Syslog, not CommonSecurityLog.

 

Silly question: since removing the config from 95-omsagent, have you restarted syslog and the OMS agent?

Silly question, but one I appreciate, yes. After every config change, both are restarted to pull through the config changes.

@srthomson Hi ! 

 

I have exactly the same issue, and we still have not had any answer, even from the MS team.

 

In my opinion the agent might have some trouble, but no logs help to confirm that.

 

I will keep you informed if we find a way to make it work.

 

(sorry for my english, it's not my mother tongue) 

best response confirmed by srthomson (Brass Contributor)
Solution

@pingutux 

 

I resolved the issue for us.

 

First I had to upgrade the Fortinet OS to 5.6.x so that it supported CEF output format.
Then I had to ensure that on the analytics workspace page, under Advanced Settings>Data>Syslog that syslog was added:

 

syslog.PNG

 

Then I altered the security-config-omsagent.conf with the escape characters that are missing from the copy-paste command on the Sentinel Data Connector page for Fortinet.

 

The command given:

sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"

 

The new amended command I ran:

sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"

 

However, I have noted that since I had this issue, Microsoft have updated their configuration documentation, and it is completely different now. So, what fixed it for me, might not fix it for you.

 

I was asked by MS Support to send them the following data:

 

netstat -anp | grep syslog

netstat -anp | grep oms

netstat -anp | grep ruby

tcpdump -nni any port 25224 or port 25226 (just a few lines, if present)

tcpdump -nni any port 514 (just a few lines, if present)

tail -f /var/opt/microsoft/omsagent/log/omsagent.log

tail -f /var/log/syslog (or the rsyslog work directory, $WorkDirectory, i.e. /var/spool/rsyslog)

 

And to check the following:

 

That the Log Analytics workspace is set to standard

LogAnalyticsWorkspaceSetting.png

 

Data collection is set to All Events

DataCollectionAllEvents.png

 

That the Log Analytics Workspace has syslog enabled

syslog.PNG

 

Hopefully you get to a resolution and some of the above helps you troubleshoot.
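Added example, not code from this thread or from Microsoft's connector page. The POSIX shell script below reproduces what the documented one-liner actually writes (the inner "Fortinet" quotes are consumed by the outer double quotes of the `bash -c "..."` wrapper, so they never reach the file), writes the two forwarding rules without any nested quoting, and checks a security-config-omsagent.conf for the two defects that come up in this thread: the lost quotes from the accepted answer above, and, from the later reply about "Permission denied", `@@` (TCP) where `@` (UDP) toward 127.0.0.1:25226 is expected. It assumes rsyslog's legacy property-filter syntax, facility local4, a UDP listener on 25226, and that each rule sits on its own line (the commands as rendered in the thread show no line break between the two rules, which we assume was lost in the forum rendering). The CEF line in `live_checks` is a constructed sample, not real firewall output, and all function and variable names are our own.

```shell
#!/bin/sh
# Added example (not from the thread or Microsoft's docs). Assumptions:
# rsyslog legacy property-filter syntax, facility local4, the OMS agent's CEF
# listener on UDP 127.0.0.1:25226, one rule per line.

OMS_CEF_TARGET='127.0.0.1:25226'

# Exactly what the copy-pasted one-liner writes: the outer double quotes of
# `sh -c "..."` end at the first inner quote, so "Fortinet" reaches printf
# unquoted and the property filter rsyslog sees has no quotes at all.
doc_command_output() {
    sh -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226'"
}

# Same command with the \" escapes from the accepted answer, plus a \n so the
# selector rule and the property filter land on separate lines.
fixed_command_output() {
    sh -c "printf 'local4.debug @127.0.0.1:25226\n:msg, contains, \"Fortinet\" @127.0.0.1:25226'"
}

# Preferred: write the rules directly, with no nested shell to mangle quotes.
# Argument 1 is the target file (defaults to the path used in the thread).
write_forward_rules() {
    conf="${1:-/etc/rsyslog.d/security-config-omsagent.conf}"
    printf '%s\n' \
        "local4.debug @${OMS_CEF_TARGET}" \
        ":msg, contains, \"Fortinet\" @${OMS_CEF_TARGET}" > "$conf"
}

# Returns 0 if the file forwards quoted-"Fortinet" messages over UDP to the
# agent, 1 (with the reason on stderr) for the mistakes seen in this thread.
check_forward_rules() {
    conf="$1"
    if grep -qF "@@${OMS_CEF_TARGET}" "$conf"; then
        echo "check: @@ is TCP; the agent listener here is UDP, use a single @" >&2
        return 1
    fi
    if ! grep -qF ":msg, contains, \"Fortinet\" @${OMS_CEF_TARGET}" "$conf"; then
        echo "check: Fortinet property filter missing or its quotes were lost" >&2
        return 1
    fi
    if ! grep -q "^local4\.debug[[:space:]]*@${OMS_CEF_TARGET}" "$conf"; then
        echo "check: no local4.debug rule toward the agent" >&2
        return 1
    fi
    return 0
}

# Live checks on the forwarder host; each step is skipped if its tool is
# absent. Run as root. The CEF line is a constructed sample message.
live_checks() {
    command -v rsyslogd >/dev/null && rsyslogd -N1             # config syntax check
    command -v ss >/dev/null && ss -lunp | grep -E '2522[46]'    # agent UDP listeners
    command -v logger >/dev/null && logger -p local4.debug \
        'CEF:0|Fortinet|Fortigate|v6.0.4|13056|app-ctrl|2|act=pass src=10.0.0.5 dst=10.0.0.9'
    command -v tcpdump >/dev/null && timeout 10 tcpdump -nni lo -c 2 udp port 25226
}

# Usage: ./check-forwarding.sh live   (runs the live checks on this host)
case "${1:-}" in
    live) live_checks ;;
esac
```

The `tcpdump` at the end is the same check the thread used on port 25226: if the `logger` line is forwarded, two packets show up on loopback; if nothing shows, rsyslog never matched the rule, which is what a lost quote or a `@@` toward a UDP-only listener looks like from the outside.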

@srthomson I owe you and MS support a beer. It's working!

 

What I've done is

- Correcting the security-config-omsagent.conf 

- Adding the syslog facility

- Restart both services 

 

You made my day !

 


My pleasure, glad I helped. I struggled for days trying to troubleshoot.

@srthomson I am setting up the Linux syslog agent to collect Fortinet logs and then forward them via omsagent to Sentinel. But when checking the rsyslog status, I get errors like:

cannot connect to 127.0.0.1:25226: Permission denied [v8.1911.0-3.el8 try https://www.rsyslog.com/e/2027 ]

The related configuration files are correct but still got this error. Do you have any suggestions?

 

Thanks!

@Mei In /etc/rsyslog.d/security-config-omsagent.conf you will see @@127.0.0.1:25226. Remove one "@" and make it @127.0.0.1:25226.