Syslog files
FortiNAC-OS Requirement: "syslog" option must be included in the "set allowaccess" command. See Open ports for details. |
You can choose to send output from IPS/IDS devices to FortiNAC. Syslog Files that you create and store under Syslog Management are used by FortiNAC to parse the information received from these external devices and generate an event. The event can contain any or all of the fields contained in the syslog output.
Default files
Default files include:
- FireEye
- FortiOS4
- FortiOS5
- Palo Alto Networks Firewall
- Sourcefire IPS
- StoneGate IPS
- TippingPoint SMS
- Top Layer IPS
Each of these files has corresponding events in the events list. You can add configurations for other Syslog files if they conform to either the CSV, CEF or TAG/VALUE formats.
Events and alarms
When those new Syslog configurations are added, corresponding events and alarms are created in the Events List. See Events and alarms list for a complete list of events that can be tracked.
If a syslog message is received for a host that has more than one adapter, an event is generated for each adapter. Therefore a single host could generate multiple events and alarms.
Device model
You must model any device that sends Syslog information to FortiNAC in the Inventory. See Add or modify a pingable device for detailed instructions.
Navigation
To access the Syslog Management view, select System > Settings > System Communication > Syslog Files.
Settings
Field |
Definition |
||
Table configuration |
|||
Enable Buttons |
Enables or disables the selected Syslog file. If a file is disabled it is not used when processing inbound syslog messages. |
||
Table columns |
|||
Name |
The name of the syslog file. This is a unique name for this syslog definition. This value is required. |
||
Enabled |
A green check mark indicates that the file is enabled. A red circle indicates that the file is disabled. |
||
Label |
The label for the Event or Alarm that will be generated. This value is required. |
||
Format |
Message format for the Syslog file. Supported formats include:
|
||
Delimiter |
Character used to separate the fields in the syslog message. Options include: space, comma (,) and pipe (|). This field is not available for the TAG/VALUE format. A space is used as the delimiter. |
||
IP Tag/Column |
Name of the field or number of the column containing the source IP address. This value is required. |
||
Filter Tag/ |
Name of the field or number of the column containing the filter. This value is required. |
||
Filter Value |
The value contained in the filter column or field. Only entries that contain matching data will be used. This value is required. |
||
Severity Tag/Column |
Name of the field or number of the column containing the severity. This value is required. |
||
Low Severity Values |
Entries containing one of these matching values in the severity field or column cause a Low Severity event to be generated. For CSV format, multiple values are entered separated by commas. |
||
Medium |
Entries containing one of these matching values in the severity column will cause a Medium Severity event to be generated. For CSV format, multiple values are entered separated by commas. |
||
High Severity Values |
Entries containing one of these matching values in the severity field or column cause a High Severity event to be generated. For CSV format, multiple values are entered separated by commas. |
||
Event Tag/ |
Names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format. |
||
Event Format |
Message that is displayed when the event is generated. The text is generated from the items listed in the Event Tag field in the order they appear. |
||
Right click options |
|||
Add |
Opens the Add Syslog Files dialog. |
||
Delete |
Deletes the selected action. |
||
Modify |
Opens the Modify Security Action window for the selected action. |
||
In Use |
Shows if the Syslog File is in use or not |
||
Show Audit Log |
Opens the admin auditing log showing all changes made to the selected item. For information about the admin auditing log, see Audit Logs.
|
||
Enable |
Enables the syslog file. |
||
Disable |
Disables the syslog file. |
Inbound file formats
There are three supported syslog formats, CSV, TAG/VALUE and CEF. The CSV syslog output format is a comma-separated entry with seven items. Identify each item in the entry by its column number when you create the Event Message format. The TAG/VALUE syslog output format is a set of messages where the TAG indicates the name of the program or process that generated the message and the VALUE is the content of the message. The CEF syslog output format uses tags to mark the data so that it can be located by the device receiving the syslog file.
Example:
Denied,10,192.168.1.1,00:10:8B:A7:EF:AA,IPS Sensor,214,P2P-TCP-BitTorrent-Network-Connect
Column Number |
Description |
Data From Example |
1 |
Action taken by IPS/IDS |
Denied |
2 |
Alert Severity |
10 |
3 |
Source IP address |
192.168.1.1 |
4 |
Source MAC address |
00:10:8B:A7:EF:AA |
5 |
Component ID |
IPS Sensor |
6 |
Rule ID |
214 |
7 |
Situation |
P2P-TCP-BitTorrent-Network-Connect |
Example:
<38>Apr 14 09:48:55 192.168.5.199 IPS5500-1000: id=060001 pt=TLN-TM prot=TCP cip=192.168.10.182 cprt=49161 sip=192.168.10.10 sprt=445 atck=tln-001017 disp=mitigate ckt=1 src=extern msg="NETWK: TCP Connection With Missed Setup"
Only the fields used by Syslog Management are defined in the table. |
Values within the TAG/VALUE syslog must not contain spaces, unless the value is contained within double-quotes ("), such as msg="NETWK: TCP Connection With Missed Setup." |
TAG Name |
Description |
VALUE From Example |
cip |
IP address of the host |
192.168.10.182 |
prot |
Protocol |
TCP |
atck |
Filter - severity |
tln-001017 |
TLN- |
Filter |
tln- |
msg |
Message |
"NETWK: TCP Connection With Missed Setup" |
Example:
CEF:0|FireEye|MPS|5.1.0.55701|MC|malware-callback|9|src=195.2.252.157 spt=80 smac=00:0d:66:4d:fc:00 rt=May 08 2010 14:24:45 dst=128.12.95.64 dpt=0 dmac=00:18:74:1c:a1:80 cn1Label=vlan cn1=0 cn2Label=sid cn2=33331600 cs1Label=sname cs1=Trojan.Piptea.2 msg= https://mil.fireeye.com/edp.php?sname\=Trojan.Piptea.2 cs4Label=link cs4= https://172.16.127.7/event_stream/events?event_id\=111 cs5Label=ccName cs5=195.2.252.157 cn3Label=ccPort cn3=80 proto=tcp shost=rescomp-09-149735.Standard.EDU dvcHost=mslms dvc=172.16.127.7 externalId=111
The first part of the message has a common format and is not tagged. It follows the format shown below. Other fields are customized.
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
This only an example and does not list all of the possible combinations of data that can be used to generate events and alarms. |
TAG Name |
Description |
VALUE From Example |
src |
IP address of the host |
195.2.252.157 |
Severity |
Severity |
9 |
Name |
Event Name |
malware-callback |
proto |
Transport Protocol |
tcp |
cs1 |
Signature Name |
Trojan Piptea 2 |
Add or modify a syslog file
Refer to for file format information.
The asterisk (*) wildcard can be used at the beginning and end of all values you enter. |
- Click System > Settings.
- Select Syslog Files from the tree.
- Click Add or select an existing Syslog File from the list and click Modify.
- Check the Processing Enabled check box to enable this Syslog file.
- Enter a Name for the Syslog File.
- Use the table below to enter the file information.
- Click OK to save the new Syslog file.
- You need to add the IDS/IPS device if it is not already in the Inventory. See Add or modify a pingable device for detailed instructions.
Settings
All possible fields are shown in the table. Fields on the Add or Modify dialog will vary depending on whether you chose CSV or TAG/VALUE format. |
Field |
Definition |
||
Name |
The name of the syslog file. This is a unique name for this syslog definition. This value is required. |
||
Processing Enabled |
Enables/disables processing of this type of inbound syslog messages. |
||
Event Label |
The label for the Event or Alarm that will be generated by FortiNAC. This value is required. |
||
Format |
Supported message formats include:
|
||
IP Tag |
Name of the field or number of the column containing the source IP address. This value is required. |
||
Filter Tag Filter Column |
Name of the field or number of the column containing the filter.
|
||
Filter Values |
The values contained in the filter column or field. Only entries that contain matching data will be used. This value is required. If left blank, everything is a match. |
||
Severity Tag/Column |
Name of the field or number of the column containing the severity. This value is required. |
||
Severity Values |
Entries containing one of these matching values in the severity field or column cause a Low, Medium or High Severity event to be generated. For CSV format, separate values with commas if entering more than one possible value. |
||
Event Tag Event Column |
The names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format. |
||
Entire Syslog |
Insert |
||
Event Format |
Message that is displayed when the event is generated. The text is generated from the items listed in the event tag parameter in the order they appear. |
Delete a syslog file
- Click System > Settings.
- Expand the System Communication folder.
- Select Syslog Files from the tree.
- Select the file to delete and click Delete.
- The program asks if you are sure. Click Yes to continue.
Examples of syslog messages
Here are some examples of syslog messages that are returned from FortiNAC. In these examples, the Syslog server is configured as follows:
- Type: Syslog
- IP address: a.b.c.d
- Port: 514
- Facility: Authorization
Event |
Description |
Syslog Message |
---|---|---|
Login Success |
This is the event that is logged with a user logs into the admin UI. |
02-28-2014 08:16:04 Auth.Notice 192.168.34.31 Feb 27 22:16:14 : 2014/02/27 22:16:14 EST,1,545570,Login Success,0,12,,,,,User root logged in. |
Map IP To MAC Failure |
This is a legacy event logged when a scheduled task runs (these are no longer used for IP-MAC) and the ARP is not read. |
-- |
Probe - Map IP To MAC Failure |
This is the event when we fail to poll and L3 device for IP->MAC (reading Arp Cache) L3 Polling |
02-28-2014 09:00:14 Auth.Notice 192.168.34.31 Feb 27 23:00:24 : 2014/02/27 23:00:24 EST,1,545702,Probe - MAP IP To MAC Failure,0,28,,Switch,192.168.34.1,,Failed to read IP address mappings from device Switch. |
User Logged Out |
This is the event that is logs when a user logs out of the admin UI. |
02-28-2014 08:48:55 Auth.Notice 192.168.34.31 Feb 27 22:49:04 : 2014/02/27 22:49:04 EST,1,545670,User Logged Out,0,12,,,,,User root Logged Out. |
User Logged off Host |
This event is logged when a user logs off a host |
02-28-2014 08:44:25 Auth.Notice 192.168.34.31 Feb 27 22:44:34 : 2014/02/27 22:44:34 EST,1,545655,User Logged off Host,0,4155,,,,,"User Man, Bat logged off session 1 on host BRADSUPP7-LT |
User Logged onto Host |
This event is logged when a user logs onto a host |
02-28-2014 08:37:58 Auth.Notice 192.168.34.31 Feb 27 22:38:07 : 2014/02/27 22:38:07 EST,1,545633,User Logged onto Host,0,4155,,,,,"User Man, Bat logged onto session 1 on host BRADSUPP7-LT" |
User Remotely Connected to Host |
An event that is logged when a user remotely connected to a terminal session on a host using the PA |
-- |
User Locked Session |
This event is logged when a user locks his workstation |
02-28-2014 08:49:53 Auth.Notice 192.168.34.31 Feb 27 22:50:03 : 2014/02/27 22:50:03 EST,1,545681,User Locked Session,0,4155,,,,,"User Man, Bat locked session 2 on host BRADSUPP7-LT" |
User Unlocked Session |
This event is logged when a user unlocks his workstation |
02-28-2014 08:52:07 Auth.Notice 192.168.34.31 Feb 27 22:52:16 : 2014/02/27 22:52:16 EST,1,545691,User Unlocked Session,0,4155,,,,,"User Man, Bat unlocked session 2 on host BRADSUPP7-LT" |