Oct 01 2019 01:43 AM
I am having issues using the Fortinet Data Connector.
I have followed the configuration details given, and configured the rsyslog daemon on the syslog server, as well as the omsagent; however, I am receiving Syslog events into Azure Sentinel, and not CommonSecurityLog events, from the data being ingested.
I suspect this is because there is no communication between the rsyslog daemon and the omsagent, but I cannot work out why. To test that comms elsewhere were working, I configured omsagent to collect syslog data on the local4 facility, within the Log Analytics workspace advanced settings, and these are now collected - but obviously there's no parser currently configured that understands the fields within the syslog messages received, and ideally I'd like to work out why rsyslog is not communicating on port 25226:
The following command was run to give security-config-omsagent.conf the following config:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
However, the syslog events being received do not contain "Fortinet", but even if I change this to ":msg, contains, *.* @127.0.0.1:25226'" in the config, I'm still not seeing any logs under the Fortinet data connector/commonsecuritylog events in Sentinel.
I've confirmed using wireshark that syslog events are being received from the firewalls. I can also confirm that syslog data from facility local4 is being received in Sentinel - so the omsagent is working, it appears the rsyslog daemon is not, but I cannot understand how to resolve this issue.
Any assistance would be gratefully received.
Oct 03 2019 10:15 AM
Did you add the "set format cef" below? Sounds like you might be missing CEF format.
from https://docs.microsoft.com/en-us/azure/sentinel/connect-fortinet
config log syslogd setting
set format cef
set facility <facility_name>
set port 514
set reliable disable
set server <ip_address_of_Receiver>
set status enable
end
Oct 03 2019 10:42 AM
Oct 03 2019 11:26 AM
We only support CEF. Can you upgrade your firewall OS to get this option?
Oct 16 2019 10:09 AM - edited Oct 16 2019 10:21 AM
I have upgraded the OS on the firewall, so now we are receiving CEF format syslogs, which is great.
The logs are being received on port 514 on the syslog server, confirmed by running:
sudo tcpdump -A -ni any port 514 -vv
However, when I try to confirm if there's traffic being passed to port 25226, there's nothing:
Yet the configurations are correct, for rsyslog:
And for the OMS Agent:
However, the data is successfully being sent via oms agent for syslog data on port 25224:
Which is being received into Azure Sentinel fine. I've then removed the syslog data capture on the local4 facility, so that the "local4.=alert;...." of the above screenshot'd config file is no longer evident, and syslog is no longer captured:
The omsagent.d security_events.conf file settings:
I literally can't see what the issue is at all, and need some assistance please.
Oct 16 2019 08:49 PM
Hi
I'm confused with this: "Which is being received in to Azure Sentinel fine. I've then removed the syslog data capture on local4 facility, so that the "local4.=alert;...." of the above screenshot'd config file is no longer evident, and syslog is no longer captured:"
So it was working, then you removed the local4 data in 95-omsagent? If it was working, why remove it?
Oct 17 2019 12:36 AM
Oct 17 2019 08:27 AM
Got it. I missed that it was going to Syslog, not CommonSecurityLog.
Silly question: since removing the config from 95-omsagent, have you restarted syslog and the OMS agent?
Oct 17 2019 08:29 AM
Nov 05 2019 12:48 PM
@srthomson Hi !
I have exactly the same issue, and we still do not have any answer, even with the MS team.
In my opinion the agent might have some trouble, but no logs help to confirm that.
I will keep you informed if we find a way to make it work,
(sorry for my english, it's not my mother tongue)
Nov 06 2019 01:36 AM - edited Nov 06 2019 01:39 AM
Solution
I resolved the issue for us.
First I had to upgrade the Fortinet OS to 5.6.x so that it supported CEF output format.
Then I had to ensure that on the analytics workspace page, under Advanced Settings>Data>Syslog that syslog was added:
Then altered the security-config-omsagent.conf with escape characters (that are missing from the copy-paste command within the Sentinel Data Connector page for Fortinet):
The command given:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, "Fortinet" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
The new amended command I ran:
sudo bash -c "printf 'local4.debug @127.0.0.1:25226:msg, contains, \"Fortinet\" @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
However, I have noted that since I had this issue, Microsoft have updated their configuration documentation, and it is completely different now. So, what fixed it for me, might not fix it for you.
I was asked by MS Support to send them the following data:
netstat -anp | grep syslog
netstat -anp | grep oms
netstat -anp | grep ruby
tcpdump -nni any port 25244 or port 25246 (just a few lines if present)
tcpdump -nni any port 514 (just a few lines if present)
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
tail -f /var/log/syslog or this path $WorkDirectory /var/spool/rsyslog
And to check the following:
That the Log Analytics workspace is set to standard
Data collection is set to All Events
That the Log Analytics Workspace has syslog enabled
Hopefully you get to a resolution and some of the above helps you troubleshoot.
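The quoting fix above and the checks MS Support asked for can be put into one script. The example below is added by the editor and is not from the thread or from Microsoft's documentation: the function names are hypothetical, the target 127.0.0.1:25226 and the file path are the thread's defaults, and the two rsyslog rules are written on separate lines, which is this editor's reading of the intended file (the one-liners in the thread run them together). Because the printf format lives in a script file rather than inside bash -c "...", the double quotes around Fortinet need no escaping at all, which removes the class of error the solution post describes.

```shell
#!/bin/sh
# Added example, not part of the thread: write the rsyslog forwarding rule for the
# omsagent CEF listener from a script file (so no nested shell quoting is needed),
# then verify the file and a netstat-style listing offline.
set -eu

# Assumed defaults taken from the thread: omsagent listens for CEF on 127.0.0.1:25226.
OMS_CEF_TARGET="${OMS_CEF_TARGET:-127.0.0.1:25226}"
RULE_FILE="${RULE_FILE:-/etc/rsyslog.d/security-config-omsagent.conf}"

# Write the two rules to $1. The printf format is single-quoted, so the double
# quotes around Fortinet are literal; inside bash -c "..." they ended the outer
# string, which is why the thread's first one-liner produced a broken file.
# A single @ forwards over UDP; @@ would forward over TCP. The omsagent side
# (security_events.conf) must listen with the matching protocol.
write_fortinet_rule() {
    printf 'local4.debug @%s\n:msg, contains, "Fortinet" @%s\n' \
        "$OMS_CEF_TARGET" "$OMS_CEF_TARGET" > "$1"
}

# Return 0 when $1 holds an intact quoted Fortinet filter and a local4 forward rule.
verify_fortinet_rule() {
    grep -q '^local4\.debug @' "$1" || return 1
    grep -q '^:msg, contains, "Fortinet" @' "$1" || return 1
}

# Count lines of `netstat -anp` output (read from stdin) whose local address
# column ends in :$1. Works for TCP LISTEN sockets and for UDP sockets, which
# netstat does not flag with LISTEN.
listener_count() {
    awk -v p="$1" '$4 ~ (":" p "$") { n++ } END { print n + 0 }'
}

# Write the rule, verify it, and print the follow-up checks the thread lists.
apply_rule() {
    port="${OMS_CEF_TARGET##*:}"
    write_fortinet_rule "$RULE_FILE"
    verify_fortinet_rule "$RULE_FILE" || {
        echo "rule file check failed: $RULE_FILE" >&2
        return 1
    }
    echo "wrote $RULE_FILE; restart both services, then re-check the listener:"
    echo "  sudo systemctl restart rsyslog"
    echo "  sudo /opt/microsoft/omsagent/bin/service_control restart"
    echo "  sudo netstat -anp | grep ':${port}'      # expect an omsagent (ruby) socket"
    echo "  sudo tcpdump -nni any port ${port}       # expect forwarded CEF lines"
    echo "  tail -f /var/opt/microsoft/omsagent/log/omsagent.log"
}

# Only touch the real rule file when run explicitly with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply_rule
fi
```

Run it as `sudo sh fortinet-rsyslog.sh --apply`, or source it and call the functions individually. The `listener_count` check is the offline form of the `netstat -anp | grep ruby` step: if it reports zero sockets on 25226 after both restarts, the omsagent side is not listening and the rsyslog rule cannot be the problem. One caveat for the "Permission denied" connect error reported later in the thread: on an SELinux-enforcing host, rsyslog is confined and is only allowed to connect to ports labelled syslogd_port_t, so `semanage port -a -t syslogd_port_t -p tcp 25226` (or the UDP equivalent, matching the `@` / `@@` choice) is the first thing to check there, and the denial will show in the audit log.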
Nov 06 2019 04:50 AM
@srthomson I owe you and the MS support a Beer ---- It's working !!!
What I've done is:
- Corrected the security-config-omsagent.conf
- Added the syslog facility
- Restarted both services
You made my day !
Nov 06 2019 05:51 AM
Jul 02 2020 11:47 PM
@srthomson I am setting up the Linux syslog agent to collect Fortinet logs and then forward them to omsagent to Sentinel. But checking the rsyslog status, I got errors like:
cannot connect to 127.0.0.1:25226: Permission denied [v8.1911.0-3.el8 try https://www.rsyslog.com/e/2027 ]
The related configuration files are correct, but I still get this error. Do you have any suggestions?
Thanks!
May 16 2021 11:03 AM