Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiNAC-F 7.2.0 Administration Guide
    7.2.0
    7.6.0
    7.4.0
    7.2.0

    Security event parsers

    Security event parsers

    Note

    FortiNAC-OS Requirement: "syslog" option must be included in the "set allowaccess" command. See Open ports for details.

    You can customize parsing of syslog messages for generating security events. When a syslog message is received from a device, the message is parsed using the format specified in the security event parser. You can also define severity level mappings between the vendor and FortiNAC.

    In Topology, you will see enabled security event parsers listed as options when configuring a pingable device to parse incoming security events. See Add or modify a pingable device.

    To access security event parsers, select System > Settings > System Communication > Security Event Parsers.

    Settings

    Field

    Definition

    Table columns

    Name

    The name of the security event parser.

    Enabled

    A green check mark indicates that the security event parser is enabled. A red circle indicates that the security event parser is disabled. When enabled, the security event parser is available in Topology. When disabled, the security event parser is not available.

    Vendor

    The name of the vendor of the device that generated the event.

    Format

    Message format for the security event parser. Supported formats include:

    CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.

    TAG/VALUE: Message is a series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

    CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following:

    src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

    CSV Delimiter

    Character used to separate the fields in the security event parser. Most common options include: space, comma (,) and pipe (|).

    This field is not available for the TAG/VALUE format.

    Tag Delimiter

    Character used to separate field name and value in the security event parser. This field is not available for the CSV format. A space is used as the delimiter.

    Source/IP Column

    The name of the field or number of the column containing the source IP address.

    Destination IP Column

    The IP address of the host or device the source host was communicating with.

    Type Column

    The type of security event received.

    Subtype Column

    The subtype of the security event.

    Threat ID Column

    A unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

    Description Column

    A description supplied by the security appliance of the event.

    Severity Column

    Name of the field or number of the column containing the severity.

    Right click options

    Modify

    Modify the selected parser.

    Delete

    Deletes the selected parser.

    Copy

    Click to copy information from the selected parser to create a new security parser.

    In Use

    Shows which devices in Topology are currently using the parser.

    Test

    Allows you to test the security event parser by entering a syslog message received from a device.

    Enable

    Enables the parser.

    Disable

    Disables the parser.

    Buttons

    Add

    Add a parser.

    Export

    Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. Low, Medium and High severity levels are not included in the exported data. See Export data.
    Add or modify a security event parser

    The security event parser allows you to customize parsing of syslog messages for generating security events.

    1. Click System > Settings.
    2. In Flat View, select Security Event Parsers from the tree.
    3. Select the Enabled check box to enable the security event parser.
    4. Enter a Name for the security event parser.
    5. (Optional) To build the security parser using a received syslog message, click Populate from Received Syslog.
    6. Use the table below to enter the file information.
    Settings

    Field

    Definition

    Populate from Received Syslog

    Allows you to select a current syslog message to build the security event parser.

    Note

    You must select the format of the selected syslog file from the Format drop-down list.

    Enabled

    Enables the security parser to be available as an option when configuring a pingable device to parse incoming security events

    Name

    Enter the name of the security event parser.

    Vendor

    Enter the name of the vendor of the device that will generated the event.

    Format

    Select the message format for the security event parser. Supported formats include:

    CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.

    TAG/VALUE: Message is a series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

    CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following:

    src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

    Data fields

    Entire Column/Tag

    When you select Entire Column/Tag in the Data Fields drop-down list, enter the name of the field or number of the column containing the value. The entire value will be used to create the security event.

    Partial Column/Tag

    When you select Partial Column/Tag in the Data Fields drop-down list, you can build a regular expression that lets you to define which parts of the column to use when creating the security event.

    Note

    Refer to websites such as http://www.regular-expressions.info/ and https://www.debuggex.com/ for additional information about building regular expressions.

    Source/IP Column

    Enter the name of the field or number of the column containing the source IP address. The entire value will be used to create the security event.

    Destination IP Column

    Enter the IP address of the host or device the source host was communicating with.

    Type Column

    Enter the type of security event received.

    Subtype Column

    Enter the subtype of the security event.

    Threat ID Column

    Enter the unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

    Description Column

    Enter the description supplied by the security appliance of the event.

    Severity Column

    Enter the name of the field or number of the column containing the severity.

    Severity mappings

    Source Value

    The severity value provided by the vendor.

    Severity Value

    The severity value in FortiNAC to be mapped to the source value.

    Add

    Click to add a severity level mapping.

    Add Range

    Click to map a single severity value in FortiNAC to a range of values provided by the source.

    Modify

    Click to modify a severity mapping.

    Delete

    Click to delete a severity mapping.
    Previous
    Next

    Security event parsers

    Security event parsers

    Note

    FortiNAC-OS Requirement: "syslog" option must be included in the "set allowaccess" command. See Open ports for details.

    You can customize parsing of syslog messages for generating security events. When a syslog message is received from a device, the message is parsed using the format specified in the security event parser. You can also define severity level mappings between the vendor and FortiNAC.

    In Topology, you will see enabled security event parsers listed as options when configuring a pingable device to parse incoming security events. See Add or modify a pingable device.

    To access security event parsers, select System > Settings > System Communication > Security Event Parsers.

    Settings

    Field

    Definition

    Table columns

    Name

    The name of the security event parser.

    Enabled

    A green check mark indicates that the security event parser is enabled. A red circle indicates that the security event parser is disabled. When enabled, the security event parser is available in Topology. When disabled, the security event parser is not available.

    Vendor

    The name of the vendor of the device that generated the event.

    Format

    Message format for the security event parser. Supported formats include:

    CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.

    TAG/VALUE: Message is a series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

    CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following:

    src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

    CSV Delimiter

    Character used to separate the fields in the security event parser. Most common options include: space, comma (,) and pipe (|).

    This field is not available for the TAG/VALUE format.

    Tag Delimiter

    Character used to separate field name and value in the security event parser. This field is not available for the CSV format. A space is used as the delimiter.

    Source/IP Column

    The name of the field or number of the column containing the source IP address.

    Destination IP Column

    The IP address of the host or device the source host was communicating with.

    Type Column

    The type of security event received.

    Subtype Column

    The subtype of the security event.

    Threat ID Column

    A unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

    Description Column

    A description supplied by the security appliance of the event.

    Severity Column

    Name of the field or number of the column containing the severity.

    Right click options

    Modify

    Modify the selected parser.

    Delete

    Deletes the selected parser.

    Copy

    Click to copy information from the selected parser to create a new security parser.

    In Use

    Shows which devices in Topology are currently using the parser.

    Test

    Allows you to test the security event parser by entering a syslog message received from a device.

    Enable

    Enables the parser.

    Disable

    Disables the parser.

    Buttons

    Add

    Add a parser.

    Export

    Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. Low, Medium and High severity levels are not included in the exported data. See Export data.
    Add or modify a security event parser

    The security event parser allows you to customize parsing of syslog messages for generating security events.

    1. Click System > Settings.
    2. In Flat View, select Security Event Parsers from the tree.
    3. Select the Enabled check box to enable the security event parser.
    4. Enter a Name for the security event parser.
    5. (Optional) To build the security parser using a received syslog message, click Populate from Received Syslog.
    6. Use the table below to enter the file information.
    Settings

    Field

    Definition

    Populate from Received Syslog

    Allows you to select a current syslog message to build the security event parser.

    Note

    You must select the format of the selected syslog file from the Format drop-down list.

    Enabled

    Enables the security parser to be available as an option when configuring a pingable device to parse incoming security events

    Name

    Enter the name of the security event parser.

    Vendor

    Enter the name of the vendor of the device that will generated the event.

    Format

    Select the message format for the security event parser. Supported formats include:

    CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.

    TAG/VALUE: Message is a series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

    CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following:

    src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

    Data fields

    Entire Column/Tag

    When you select Entire Column/Tag in the Data Fields drop-down list, enter the name of the field or number of the column containing the value. The entire value will be used to create the security event.

    Partial Column/Tag

    When you select Partial Column/Tag in the Data Fields drop-down list, you can build a regular expression that lets you to define which parts of the column to use when creating the security event.

    Note

    Refer to websites such as http://www.regular-expressions.info/ and https://www.debuggex.com/ for additional information about building regular expressions.

    Source/IP Column

    Enter the name of the field or number of the column containing the source IP address. The entire value will be used to create the security event.

    Destination IP Column

    Enter the IP address of the host or device the source host was communicating with.

    Type Column

    Enter the type of security event received.

    Subtype Column

    Enter the subtype of the security event.

    Threat ID Column

    Enter the unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

    Description Column

    Enter the description supplied by the security appliance of the event.

    Severity Column

    Enter the name of the field or number of the column containing the severity.

    Severity mappings

    Source Value

    The severity value provided by the vendor.

    Severity Value

    The severity value in FortiNAC to be mapped to the source value.

    Add

    Click to add a severity level mapping.

    Add Range

    Click to map a single severity value in FortiNAC to a range of values provided by the source.

    Modify

    Click to modify a severity mapping.

    Delete

    Click to delete a severity mapping.
    Previous
    Next