Fortigate logs with wazuh #5365
-
|
Hello guys. I started to use Wazuh and it is really amazing. I have a question. I forwarded my fortigate logs with syslog to wazuh. When i check tcpdump i can see logs are coming but i could not find anything about logs in either archive.log or in web interface. After research i understood that i need custom ruleset and decoders but i assume wazuh now have ruleset and decoders ( in var/ossec/.. i saw forti related decoders and rules) What should i do? Any help would be appreciated. Thank you. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Hi @uguraaygun , The tcpdump utility is capable of detecting events even when they are being blocked by SELinux or firewalld. In order to open port 514 for inbound connections on firewall you may run the following commands: We do have some rules and decoder for Fortigate, but if you're still not seeing events then you may enable the archives on the manager's For guidance on creating rules and decoders you may follow this part of the Wazuh documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html And of course if you run into any other issue don't hesitate to let us know and we'll be glad to help. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you i have managed to solve the issue. But i have one more question. I want to create action for fortigate ( for example, a user tried ssl-vpn too many times, i want to blacklist his/her ip from fortigate but i want it as a rule based action.) Can we create actions on wazuh side ? can wazuh connect fortigate via ssh or other protocols ? |
Beta Was this translation helpful? Give feedback.
-
|
Hi @uguraaygun , If you have a specific requirement to run these actions on a Wazuh agent instead of the manager then you can use Active Responses instead, here is a guide on creating custom AR scripts. |
Beta Was this translation helpful? Give feedback.
Hi @uguraaygun ,
If you're seeing the events with
tcpdumpbut not on either thearchives.logorarchives.jsoneither archives have not been enabled or the events are being blocked by the operating system's firewall.The tcpdump utility is capable of detecting events even when they are being blocked by SELinux or firewalld.
In order to open port 514 for inbound connections on firewall you may run the following commands:
We do have some rules and decoder for Fortigate, but if you're still not seeing events then you may enable the archives on the manager's
ossec.confby enabling either <logall> or <logall_json> …