Syslog files

Syslog files

FortiNAC-OS Requirement: "syslog" option must be included in the "set allowaccess" command. See Open ports for details.

You can choose to send output from IPS/IDS devices to FortiNAC. Syslog Files that you create and store under Syslog Management are used by FortiNAC to parse the information received from these external devices and generate an event. The event can contain any or all of the fields contained in the syslog output.

Default files

Default files include:

FireEye
FortiOS4
FortiOS5
Palo Alto Networks Firewall
Sourcefire IPS
StoneGate IPS
TippingPoint SMS
Top Layer IPS

Each of these files has corresponding events in the events list. You can add configurations for other Syslog files if they conform to either the CSV, CEF or TAG/VALUE formats.

Events and alarms

When those new Syslog configurations are added, corresponding events and alarms are created in the Events List. See Events and alarms list for a complete list of events that can be tracked.

If a syslog message is received for a host that has more than one adapter, an event is generated for each adapter. Therefore a single host could generate multiple events and alarms.

Device model

You must model any device that sends Syslog information to FortiNAC in the Inventory. See Add or modify a pingable device for detailed instructions.

Navigation

To access the Syslog Management view, select System > Settings > System Communication > Syslog Files.

Settings

Field

Definition

Table configuration

Enable Buttons

Enables or disables the selected Syslog file. If a file is disabled it is not used when processing inbound syslog messages.

Table columns

Name

The name of the syslog file. This is a unique name for this syslog definition.

This value is required.

Enabled

A green check mark indicates that the file is enabled. A red circle indicates that the file is disabled.

Label

The label for the Event or Alarm that will be generated.

This value is required.

Format

Message format for the Syslog file. Supported formats include:

CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.
TAG/VALUE: Message is series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.
CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

Delimiter

Character used to separate the fields in the syslog message. Options include: space, comma (,) and pipe (|).

This field is not available for the TAG/VALUE format. A space is used as the delimiter.

IP Tag/Column

Name of the field or number of the column containing the source IP address.

This value is required.

Filter Tag/
Column

Name of the field or number of the column containing the filter.

This value is required.

Filter Value

The value contained in the filter column or field. Only entries that contain matching data will be used.

This value is required.

Severity Tag/Column

Name of the field or number of the column containing the severity.

This value is required.

Low Severity Values

Entries containing one of these matching values in the severity field or column cause a Low Severity event to be generated. For CSV format, multiple values are entered separated by commas.

Medium
Severity Values

Entries containing one of these matching values in the severity column will cause a Medium Severity event to be generated. For CSV format, multiple values are entered separated by commas.

High Severity Values

Entries containing one of these matching values in the severity field or column cause a High Severity event to be generated. For CSV format, multiple values are entered separated by commas.

Event Tag/
Column

Names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format.

Event Format

Message that is displayed when the event is generated. The text is generated from the items listed in the Event Tag field in the order they appear.

Right click options

Add

Opens the Add Syslog Files dialog.

Delete

Deletes the selected action.

Modify

Opens the Modify Security Action window for the selected action.

In Use

Shows if the Syslog File is in use or not

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Audit Logs.

You must have permission to view the admin auditing log. See Add an administrator profile.

Enable

Enables the syslog file.

Disable

Disables the syslog file.

Buttons

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. Low, Medium and High severity levels are not included in the exported data. See Export data.

Inbound file formats

There are three supported syslog formats, CSV, TAG/VALUE and CEF. The CSV syslog output format is a comma-separated entry with seven items. Identify each item in the entry by its column number when you create the Event Message format. The TAG/VALUE syslog output format is a set of messages where the TAG indicates the name of the program or process that generated the message and the VALUE is the content of the message. The CEF syslog output format uses tags to mark the data so that it can be located by the device receiving the syslog file.

Example:

Denied,10,192.168.1.1,00:10:8B:A7:EF:AA,IPS Sensor,214,P2P-TCP-BitTorrent-Network-Connect

Column Number	Description	Data From Example
1	Action taken by IPS/IDS	Denied
2	Alert Severity	10
3	Source IP address	192.168.1.1
4	Source MAC address	00:10:8B:A7:EF:AA
5	Component ID	IPS Sensor
6	Rule ID	214
7	Situation	P2P-TCP-BitTorrent-Network-Connect

Example:

<38>Apr 14 09:48:55 192.168.5.199 IPS5500-1000: id=060001 pt=TLN-TM prot=TCP cip=192.168.10.182 cprt=49161 sip=192.168.10.10 sprt=445 atck=tln-001017 disp=mitigate ckt=1 src=extern msg="NETWK: TCP Connection With Missed Setup"

Only the fields used by Syslog Management are defined in the table.

Values within the TAG/VALUE syslog must not contain spaces, unless the value is contained within double-quotes ("), such as msg="NETWK: TCP Connection With Missed Setup."

TAG Name	Description	VALUE From Example
cip	IP address of the host	192.168.10.182
prot	Protocol	TCP
atck	Filter - severity	tln-001017
TLN-	Filter	tln-
msg	Message	"NETWK: TCP Connection With Missed Setup"

Example:

CEF:0|FireEye|MPS|5.1.0.55701|MC|malware-callback|9|src=195.2.252.157 spt=80 smac=00:0d:66:4d:fc:00 rt=May 08 2010 14:24:45 dst=128.12.95.64 dpt=0 dmac=00:18:74:1c:a1:80 cn1Label=vlan cn1=0 cn2Label=sid cn2=33331600 cs1Label=sname cs1=Trojan.Piptea.2 msg= https://mil.fireeye.com/edp.php?sname\=Trojan.Piptea.2 cs4Label=link cs4= https://172.16.127.7/event_stream/events?event_id\=111 cs5Label=ccName cs5=195.2.252.157 cn3Label=ccPort cn3=80 proto=tcp shost=rescomp-09-149735.Standard.EDU dvcHost=mslms dvc=172.16.127.7 externalId=111

The first part of the message has a common format and is not tagged. It follows the format shown below. Other fields are customized.

This only an example and does not list all of the possible combinations of data that can be used to generate events and alarms.

TAG Name	Description	VALUE From Example
src	IP address of the host	195.2.252.157
Severity	Severity	9
Name	Event Name	malware-callback
proto	Transport Protocol	tcp
cs1	Signature Name	Trojan Piptea 2

Add or modify a syslog file

Refer to for file format information.

The asterisk (*) wildcard can be used at the beginning and end of all values you enter.

Click System > Settings.
Select Syslog Files from the tree.
Click Add or select an existing Syslog File from the list and click Modify.
Check the Processing Enabled check box to enable this Syslog file.
Enter a Name for the Syslog File.
Use the table below to enter the file information.
Click OK to save the new Syslog file.
You need to add the IDS/IPS device if it is not already in the Inventory. See Add or modify a pingable device for detailed instructions.

Settings

All possible fields are shown in the table. Fields on the Add or Modify dialog will vary depending on whether you chose CSV or TAG/VALUE format.

Field

Definition

Name

The name of the syslog file. This is a unique name for this syslog definition. This value is required.

Processing Enabled

Enables/disables processing of this type of inbound syslog messages.

Event Label

The label for the Event or Alarm that will be generated by FortiNAC. This value is required.

Format

Supported message formats include:

CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.
TAG/VALUE: Message is series of fields each with a tag and a value. For example, the message could contain the following: cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.1182 is the value associated with that tag.
CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

IP Tag
IP Column

Name of the field or number of the column containing the source IP address. This value is required.

Filter Tag

Filter Column

Name of the field or number of the column containing the filter.

This value is required. If left blank, there will be no matches and no syslog data is sent to FortiNAC.

Filter Values

The values contained in the filter column or field. Only entries that contain matching data will be used. This value is required.

If left blank, everything is a match.

Severity Tag/Column

Name of the field or number of the column containing the severity. This value is required.

Severity Values

Entries containing one of these matching values in the severity field or column cause a Low, Medium or High Severity event to be generated. For CSV format, separate values with commas if entering more than one possible value.

Event Tag

Event Column

The names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format.

Entire Syslog

Insert %syslog% as an event column in the location where you want the syslog message to appear in the event.

Event Format

Message that is displayed when the event is generated. The text is generated from the items listed in the event tag parameter in the order they appear.

Delete a syslog file

Click System > Settings.
Expand the System Communication folder.
Select Syslog Files from the tree.
Select the file to delete and click Delete.
The program asks if you are sure. Click Yes to continue.

Examples of syslog messages

Here are some examples of syslog messages that are returned from FortiNAC. In these examples, the Syslog server is configured as follows:

Type: Syslog
IP address: a.b.c.d
Port: 514
Facility: Authorization

Event	Description	Syslog Message
Login Success	This is the event that is logged with a user logs into the admin UI.	02-28-2014 08:16:04 Auth.Notice 192.168.34.31 Feb 27 22:16:14 : 2014/02/27 22:16:14 EST,1,545570,Login Success,0,12,,,,,User root logged in.
Map IP To MAC Failure	This is a legacy event logged when a scheduled task runs (these are no longer used for IP-MAC) and the ARP is not read.	--
Probe - Map IP To MAC Failure	This is the event when we fail to poll and L3 device for IP->MAC (reading Arp Cache) L3 Polling	02-28-2014 09:00:14 Auth.Notice 192.168.34.31 Feb 27 23:00:24 : 2014/02/27 23:00:24 EST,1,545702,Probe - MAP IP To MAC Failure,0,28,,Switch,192.168.34.1,,Failed to read IP address mappings from device Switch.
User Logged Out	This is the event that is logs when a user logs out of the admin UI.	02-28-2014 08:48:55 Auth.Notice 192.168.34.31 Feb 27 22:49:04 : 2014/02/27 22:49:04 EST,1,545670,User Logged Out,0,12,,,,,User root Logged Out.
User Logged off Host	This event is logged when a user logs off a host	02-28-2014 08:44:25 Auth.Notice 192.168.34.31 Feb 27 22:44:34 : 2014/02/27 22:44:34 EST,1,545655,User Logged off Host,0,4155,,,,,"User Man, Bat logged off session 1 on host BRADSUPP7-LT
User Logged onto Host	This event is logged when a user logs onto a host	02-28-2014 08:37:58 Auth.Notice 192.168.34.31 Feb 27 22:38:07 : 2014/02/27 22:38:07 EST,1,545633,User Logged onto Host,0,4155,,,,,"User Man, Bat logged onto session 1 on host BRADSUPP7-LT"
User Remotely Connected to Host	An event that is logged when a user remotely connected to a terminal session on a host using the PA	--
User Locked Session	This event is logged when a user locks his workstation	02-28-2014 08:49:53 Auth.Notice 192.168.34.31 Feb 27 22:50:03 : 2014/02/27 22:50:03 EST,1,545681,User Locked Session,0,4155,,,,,"User Man, Bat locked session 2 on host BRADSUPP7-LT"
User Unlocked Session	This event is logged when a user unlocks his workstation	02-28-2014 08:52:07 Auth.Notice 192.168.34.31 Feb 27 22:52:16 : 2014/02/27 22:52:16 EST,1,545691,User Unlocked Session,0,4155,,,,,"User Man, Bat unlocked session 2 on host BRADSUPP7-LT"

Syslog files

FortiNAC-OS Requirement: "syslog" option must be included in the "set allowaccess" command. See Open ports for details.

Default files

Default files include:

FireEye
FortiOS4
FortiOS5
Palo Alto Networks Firewall
Sourcefire IPS
StoneGate IPS
TippingPoint SMS
Top Layer IPS

Each of these files has corresponding events in the events list. You can add configurations for other Syslog files if they conform to either the CSV, CEF or TAG/VALUE formats.

Events and alarms

When those new Syslog configurations are added, corresponding events and alarms are created in the Events List. See Events and alarms list for a complete list of events that can be tracked.

If a syslog message is received for a host that has more than one adapter, an event is generated for each adapter. Therefore a single host could generate multiple events and alarms.

Device model

You must model any device that sends Syslog information to FortiNAC in the Inventory. See Add or modify a pingable device for detailed instructions.

Navigation

To access the Syslog Management view, select System > Settings > System Communication > Syslog Files.

Settings

Field

Definition

Table configuration

Enable Buttons

Enables or disables the selected Syslog file. If a file is disabled it is not used when processing inbound syslog messages.

Table columns

Name

The name of the syslog file. This is a unique name for this syslog definition.

This value is required.

Enabled

A green check mark indicates that the file is enabled. A red circle indicates that the file is disabled.

Label

The label for the Event or Alarm that will be generated.

This value is required.

Format

Message format for the Syslog file. Supported formats include:

CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.
TAG/VALUE: Message is series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.
CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

Delimiter

Character used to separate the fields in the syslog message. Options include: space, comma (,) and pipe (|).

This field is not available for the TAG/VALUE format. A space is used as the delimiter.

IP Tag/Column

Name of the field or number of the column containing the source IP address.

This value is required.

Filter Tag/
Column

Name of the field or number of the column containing the filter.

This value is required.

Filter Value

The value contained in the filter column or field. Only entries that contain matching data will be used.

This value is required.

Severity Tag/Column

Name of the field or number of the column containing the severity.

This value is required.

Low Severity Values

Entries containing one of these matching values in the severity field or column cause a Low Severity event to be generated. For CSV format, multiple values are entered separated by commas.

Medium
Severity Values

Entries containing one of these matching values in the severity column will cause a Medium Severity event to be generated. For CSV format, multiple values are entered separated by commas.

High Severity Values

Entries containing one of these matching values in the severity field or column cause a High Severity event to be generated. For CSV format, multiple values are entered separated by commas.

Event Tag/
Column

Names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format.

Event Format

Message that is displayed when the event is generated. The text is generated from the items listed in the Event Tag field in the order they appear.

Right click options

Add

Opens the Add Syslog Files dialog.

Delete

Deletes the selected action.

Modify

Opens the Modify Security Action window for the selected action.

In Use

Shows if the Syslog File is in use or not

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Audit Logs.

You must have permission to view the admin auditing log. See Add an administrator profile.

Enable

Enables the syslog file.

Disable

Disables the syslog file.

Buttons

Export

Inbound file formats

Example:

Denied,10,192.168.1.1,00:10:8B:A7:EF:AA,IPS Sensor,214,P2P-TCP-BitTorrent-Network-Connect

Column Number	Description	Data From Example
1	Action taken by IPS/IDS	Denied
2	Alert Severity	10
3	Source IP address	192.168.1.1
4	Source MAC address	00:10:8B:A7:EF:AA
5	Component ID	IPS Sensor
6	Rule ID	214
7	Situation	P2P-TCP-BitTorrent-Network-Connect

Example:

Only the fields used by Syslog Management are defined in the table.

Values within the TAG/VALUE syslog must not contain spaces, unless the value is contained within double-quotes ("), such as msg="NETWK: TCP Connection With Missed Setup."

TAG Name	Description	VALUE From Example
cip	IP address of the host	192.168.10.182
prot	Protocol	TCP
atck	Filter - severity	tln-001017
TLN-	Filter	tln-
msg	Message	"NETWK: TCP Connection With Missed Setup"

Example:

The first part of the message has a common format and is not tagged. It follows the format shown below. Other fields are customized.

This only an example and does not list all of the possible combinations of data that can be used to generate events and alarms.

TAG Name	Description	VALUE From Example
src	IP address of the host	195.2.252.157
Severity	Severity	9
Name	Event Name	malware-callback
proto	Transport Protocol	tcp
cs1	Signature Name	Trojan Piptea 2

Add or modify a syslog file

Refer to for file format information.

The asterisk (*) wildcard can be used at the beginning and end of all values you enter.

Click System > Settings.
Select Syslog Files from the tree.
Click Add or select an existing Syslog File from the list and click Modify.
Check the Processing Enabled check box to enable this Syslog file.
Enter a Name for the Syslog File.
Use the table below to enter the file information.
Click OK to save the new Syslog file.
You need to add the IDS/IPS device if it is not already in the Inventory. See Add or modify a pingable device for detailed instructions.

Settings

All possible fields are shown in the table. Fields on the Add or Modify dialog will vary depending on whether you chose CSV or TAG/VALUE format.

Field

Definition

Name

The name of the syslog file. This is a unique name for this syslog definition. This value is required.

Processing Enabled

Enables/disables processing of this type of inbound syslog messages.

Event Label

The label for the Event or Alarm that will be generated by FortiNAC. This value is required.

Format

Supported message formats include:

CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.
TAG/VALUE: Message is series of fields each with a tag and a value. For example, the message could contain the following: cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.1182 is the value associated with that tag.
CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

IP Tag
IP Column

Name of the field or number of the column containing the source IP address. This value is required.

Filter Tag

Filter Column

Name of the field or number of the column containing the filter.

This value is required. If left blank, there will be no matches and no syslog data is sent to FortiNAC.

Filter Values

The values contained in the filter column or field. Only entries that contain matching data will be used. This value is required.

If left blank, everything is a match.

Severity Tag/Column

Name of the field or number of the column containing the severity. This value is required.

Severity Values

Event Tag

Event Column

The names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format.

Entire Syslog

Insert %syslog% as an event column in the location where you want the syslog message to appear in the event.

Event Format

Message that is displayed when the event is generated. The text is generated from the items listed in the event tag parameter in the order they appear.

Delete a syslog file

Click System > Settings.
Expand the System Communication folder.
Select Syslog Files from the tree.
Select the file to delete and click Delete.
The program asks if you are sure. Click Yes to continue.

Examples of syslog messages

Here are some examples of syslog messages that are returned from FortiNAC. In these examples, the Syslog server is configured as follows:

Type: Syslog
IP address: a.b.c.d
Port: 514
Facility: Authorization

Event	Description	Syslog Message
Login Success	This is the event that is logged with a user logs into the admin UI.	02-28-2014 08:16:04 Auth.Notice 192.168.34.31 Feb 27 22:16:14 : 2014/02/27 22:16:14 EST,1,545570,Login Success,0,12,,,,,User root logged in.
Map IP To MAC Failure	This is a legacy event logged when a scheduled task runs (these are no longer used for IP-MAC) and the ARP is not read.	--
Probe - Map IP To MAC Failure	This is the event when we fail to poll and L3 device for IP->MAC (reading Arp Cache) L3 Polling	02-28-2014 09:00:14 Auth.Notice 192.168.34.31 Feb 27 23:00:24 : 2014/02/27 23:00:24 EST,1,545702,Probe - MAP IP To MAC Failure,0,28,,Switch,192.168.34.1,,Failed to read IP address mappings from device Switch.
User Logged Out	This is the event that is logs when a user logs out of the admin UI.	02-28-2014 08:48:55 Auth.Notice 192.168.34.31 Feb 27 22:49:04 : 2014/02/27 22:49:04 EST,1,545670,User Logged Out,0,12,,,,,User root Logged Out.
User Logged off Host	This event is logged when a user logs off a host	02-28-2014 08:44:25 Auth.Notice 192.168.34.31 Feb 27 22:44:34 : 2014/02/27 22:44:34 EST,1,545655,User Logged off Host,0,4155,,,,,"User Man, Bat logged off session 1 on host BRADSUPP7-LT
User Logged onto Host	This event is logged when a user logs onto a host	02-28-2014 08:37:58 Auth.Notice 192.168.34.31 Feb 27 22:38:07 : 2014/02/27 22:38:07 EST,1,545633,User Logged onto Host,0,4155,,,,,"User Man, Bat logged onto session 1 on host BRADSUPP7-LT"
User Remotely Connected to Host	An event that is logged when a user remotely connected to a terminal session on a host using the PA	--
User Locked Session	This event is logged when a user locks his workstation	02-28-2014 08:49:53 Auth.Notice 192.168.34.31 Feb 27 22:50:03 : 2014/02/27 22:50:03 EST,1,545681,User Locked Session,0,4155,,,,,"User Man, Bat locked session 2 on host BRADSUPP7-LT"
User Unlocked Session	This event is logged when a user unlocks his workstation	02-28-2014 08:52:07 Auth.Notice 192.168.34.31 Feb 27 22:52:16 : 2014/02/27 22:52:16 EST,1,545691,User Unlocked Session,0,4155,,,,,"User Man, Bat unlocked session 2 on host BRADSUPP7-LT"

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Syslog files

Default files

Events and alarms

Device model

Navigation

Settings

Inbound file formats

Example:

Example:

Example:

Add or modify a syslog file

Settings