Administration Guide

Security event parsers

You can customize parsing of syslog messages for generating security events. When a syslog message is received from a device, the message is parsed using the format specified in the security event parser. You can also define severity level mappings between the vendor and FortiNAC.

In Topology, you will see enabled security event parsers listed as options when configuring a pingable device to parse incoming security events. See Add or modify a pingable device.

To access security event parsers, select System > Settings > System Communication > Security Event Parsers.

Settings

Field

Definition

Table columns

Name

The name of the security event parser.

Enabled

A green check mark indicates that the security event parser is enabled. A red circle indicates that the security event parser is disabled. When enabled, the security event parser is available in Topology. When disabled, the security event parser is not available.

Vendor

The name of the vendor of the device that generated the event.

Format

Message format for the security event parser. Supported formats include:

CSV (comma separated values): Message is a series of data fields, typically separated by commas. Another character can be used to separate the data fields; see CSV Delimiter below.

TAG/VALUE: Message is a series of fields, each consisting of a tag and a value. For example, the message could contain cip=192.168.10.182, where cip is the tag indicating that this is the IP address of the source host causing the problem, and 192.168.10.182 is the value associated with that tag.

CEF (Common Event Format): Message is a pipe-delimited header of fields in fixed positions (vendor, product, version, signature ID, name, severity) followed by an extension of tag and value fields. For example, the extension could contain src=192.168.10.182, where src is the tag indicating that this is the IP address of the source host causing the problem, and 192.168.10.182 is the value associated with that tag.

CSV Delimiter

Character used to separate the fields of the message. The most common options are space, comma (,) and pipe (|).

This field is not available for the TAG/VALUE format.

Tag Delimiter

Character used to separate a tag from its value, for example the = in cip=192.168.10.182. This field is not available for the CSV format. A space separates one tag/value pair from the next.

Source/IP Column

The name of the field or number of the column containing the source IP address.

Destination IP Column

The name of the field or number of the column containing the IP address of the host or device the source host was communicating with.

Type Column

The name of the field or number of the column containing the type of security event received.

Subtype Column

The name of the field or number of the column containing the subtype of the security event.

Threat ID Column

The name of the field or number of the column containing the unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

Description Column

The name of the field or number of the column containing the description of the event supplied by the security appliance.

Severity Column

Name of the field or number of the column containing the severity.

Right click options

Modify

Modify the selected parser.

Delete

Deletes the selected parser.

Copy

Click to copy information from the selected parser to create a new security parser.

In Use

Shows which devices in Topology are currently using the parser.

Test

Allows you to test the security event parser by entering a syslog message received from a device.

Enable

Enables the parser.

Disable

Disables the parser.

Buttons

Add

Add a parser.

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF and RTF. Low, Medium and High severity levels are not included in the exported data. See Export data.
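As an added example that is not part of this guide or of FortiNAC itself, the following Python script shows how a message in each of the three formats is split and how Entire Column/Tag references (a column number for CSV, a tag name for TAG/VALUE and CEF) pick out the fields listed above. The ParserDef class, its attribute names, the vendor tag names and the sample messages are assumptions made for this illustration.

```python
"""Parse a received syslog payload in each of the three formats a security
event parser supports (CSV, TAG/VALUE, CEF) and pull out the columns/tags
the parser definition references.  Added illustration, not FortiNAC code:
ParserDef, its attribute names and the sample messages are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, Union

# Positional CEF header fields that follow "CEF:<version>".  Referencing
# one of these names in a CEF parser reads the header instead of the extension.
CEF_HEADER = ("cef_version", "vendor", "product", "version",
              "signature_id", "name", "severity")


@dataclass
class ParserDef:
    """Subset of the parser settings on the page (attribute names assumed)."""
    fmt: str                    # "CSV", "TAG/VALUE" or "CEF"
    csv_delim: str = ","        # CSV Delimiter (CSV only)
    tag_delim: str = "="        # Tag Delimiter (TAG/VALUE and CEF extension)
    # Entire Column/Tag references: 1-based column number for CSV,
    # tag name for TAG/VALUE and for the CEF extension or CEF_HEADER.
    columns: Dict[str, Union[int, str]] = field(default_factory=dict)


def split_csv(msg: str, delim: str) -> Dict[str, str]:
    """Number the delimited fields from 1, as the Column settings expect."""
    return {str(i + 1): f.strip() for i, f in enumerate(msg.split(delim))}


def split_tags(text: str, tag_delim: str) -> Dict[str, str]:
    """Split 'k=v k2=v2 ...' into a dict.  Values may contain spaces
    (msg=SQL injection attempt), so a value runs until the next token
    that looks like a tag, i.e. '<name><delim>...'."""
    tag_start = re.compile(r"^[A-Za-z0-9_.-]+" + re.escape(tag_delim))
    out: Dict[str, str] = {}
    key = None
    for tok in text.split(" "):
        if tag_start.match(tok):
            key, _, val = tok.partition(tag_delim)
            out[key] = val
        elif key is not None and tok:
            out[key] = (out[key] + " " + tok).strip()
    return out


def split_cef(msg: str):
    """CEF: 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext'.
    A literal pipe inside a header field is escaped as '\\|'; the text
    after the seventh pipe is the tag=value extension.  Anything before
    'CEF:' (the syslog PRI/timestamp/host prefix) is ignored."""
    start = msg.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = re.split(r"(?<!\\)\|", msg[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than seven pipe-separated fields")
    header = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER, parts[:7])}
    return header, parts[7]


def parse_message(pd: ParserDef, msg: str) -> Dict[str, str]:
    """Return {event field: raw value} for one message, which is the kind
    of result the Test right-click option shows for a pasted message."""
    if pd.fmt == "CSV":
        table = split_csv(msg, pd.csv_delim)
    elif pd.fmt == "TAG/VALUE":
        table = split_tags(msg, pd.tag_delim)
    elif pd.fmt == "CEF":
        header, ext = split_cef(msg)
        table = dict(header)
        table.update(split_tags(ext, pd.tag_delim))
    else:
        raise ValueError("unsupported format: " + pd.fmt)
    # A referenced column/tag missing from this message yields "" rather
    # than an exception, so one short or malformed line is not fatal.
    return {name: table.get(str(ref), "") for name, ref in pd.columns.items()}


# Constructed sample messages (not real vendor output).
CSV_MSG = "192.168.10.182|10.0.0.5|attack|sqli|2012345|SQL injection attempt|high"
TV_MSG = ("cip=192.168.10.182 dip=10.0.0.5 type=attack subtype=sqli "
          "tid=2012345 sev=7 msg=SQL injection attempt")
CEF_MSG = ("<134>Jun  1 12:00:01 ids01 CEF:0|Acme|IDS|2.1|2012345|"
           "SQL injection attempt|7|src=192.168.10.182 dst=10.0.0.5 cat=attack cs1=sqli")

# One parser definition per format; the vendor tag names are assumed.
CSV_PARSER = ParserDef("CSV", csv_delim="|", columns={
    "source_ip": 1, "dest_ip": 2, "type": 3, "subtype": 4,
    "threat_id": 5, "description": 6, "severity": 7})
TV_PARSER = ParserDef("TAG/VALUE", tag_delim="=", columns={
    "source_ip": "cip", "dest_ip": "dip", "type": "type", "subtype": "subtype",
    "threat_id": "tid", "description": "msg", "severity": "sev"})
CEF_PARSER = ParserDef("CEF", columns={
    "source_ip": "src", "dest_ip": "dst", "type": "cat", "subtype": "cs1",
    "threat_id": "signature_id", "description": "name", "severity": "severity"})


def demo() -> Dict[str, Dict[str, str]]:
    return {"CSV": parse_message(CSV_PARSER, CSV_MSG),
            "TAG/VALUE": parse_message(TV_PARSER, TV_MSG),
            "CEF": parse_message(CEF_PARSER, CEF_MSG)}


if __name__ == "__main__":
    for fmt, fields in demo().items():
        print(fmt, fields)
```

A referenced column or tag that is absent from a message yields an empty field rather than an error, so before enabling a parser it is worth testing it with a deliberately short or truncated message as well as a normal one; a parser that silently produces events with an empty Source IP is easy to miss in production.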

Add or modify a security event parser

The security event parser allows you to customize parsing of syslog messages for generating security events.

  1. Click System > Settings.
  2. In Flat View, select Security Event Parsers from the tree.
  3. Select the Enabled check box to enable the security event parser.
  4. Enter a Name for the security event parser.
  5. (Optional) To build the security parser using a received syslog message, click Populate from Received Syslog.
  6. Use the table below to enter the parser settings.
Settings

Field

Definition

Populate from Received Syslog

Allows you to select a current syslog message to build the security event parser.

Note

You must select the format of the selected syslog message from the Format drop-down list.

Enabled

Makes the security event parser available as an option when configuring a pingable device to parse incoming security events.

Name

Enter the name of the security event parser.

Vendor

Enter the name of the vendor of the device that generates the event.

Format

Select the message format for the security event parser. Supported formats include:

CSV (comma separated values): Message is a series of data fields, typically separated by commas. Another character can be used to separate the data fields.

TAG/VALUE: Message is a series of fields, each consisting of a tag and a value. For example, the message could contain cip=192.168.10.182, where cip is the tag indicating that this is the IP address of the source host causing the problem, and 192.168.10.182 is the value associated with that tag.

CEF (Common Event Format): Message is a pipe-delimited header of fields in fixed positions (vendor, product, version, signature ID, name, severity) followed by an extension of tag and value fields. For example, the extension could contain src=192.168.10.182, where src is the tag indicating that this is the IP address of the source host causing the problem, and 192.168.10.182 is the value associated with that tag.

Data fields

Entire Column/Tag

When you select Entire Column/Tag in the Data Fields drop-down list, enter the name of the field or number of the column containing the value. The entire value will be used to create the security event.

Partial Column/Tag

When you select Partial Column/Tag in the Data Fields drop-down list, you can build a regular expression that defines which part of the column or tag value to use when creating the security event.

Note

Refer to websites such as http://www.regular-expressions.info/ and https://www.debuggex.com/ for additional information about building regular expressions.

Source/IP Column

Enter the name of the field or number of the column containing the source IP address. The entire value will be used to create the security event.

Destination IP Column

Enter the name of the field or number of the column containing the IP address of the host or device the source host was communicating with.

Type Column

Enter the name of the field or number of the column containing the type of security event received.

Subtype Column

Enter the name of the field or number of the column containing the subtype of the security event.

Threat ID Column

Enter the name of the field or number of the column containing the unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

Description Column

Enter the name of the field or number of the column containing the description of the event supplied by the security appliance.

Severity Column

Enter the name of the field or number of the column containing the severity.

Severity mappings

Source Value

The severity value provided by the vendor.

Severity Value

The severity value in FortiNAC to be mapped to the source value.

Add

Click to add a severity level mapping.

Add Range

Click to map a single severity value in FortiNAC to a range of values provided by the source.

Modify

Click to modify a severity mapping.

Delete

Click to delete a severity mapping.
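Putting the Data fields and Severity mappings settings together, as an added example that is not part of this guide or of FortiNAC itself: the Python script below applies Partial Column/Tag regular expressions to values already split out of a message and maps the vendor severity with both single-value (Add) and range (Add Range) mappings. The FieldRule and SeverityMap classes, the fallback used for an unmapped severity value, and the sample field values are assumptions made for this illustration.

```python
"""Turn raw column/tag values pulled from a message into a security event:
apply Partial Column/Tag regular expressions, then map the vendor severity
to a FortiNAC severity with single-value (Add) and range (Add Range)
mappings.  Added illustration, not FortiNAC code: the class names, the
fallback severity and the sample field values are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FieldRule:
    """Entire Column/Tag when regex is None, Partial Column/Tag otherwise.
    For Partial, the first capture group (or the whole match if the
    pattern has no group) becomes the event value."""
    ref: str
    regex: Optional[str] = None


@dataclass
class SeverityMap:
    exact: Dict[str, str] = field(default_factory=dict)               # Add
    ranges: List[Tuple[int, int, str]] = field(default_factory=list)  # Add Range: (low, high, target)
    default: str = "Low"   # assumed fallback for a source value with no mapping

    def map(self, source: str) -> str:
        s = source.strip()
        for src, target in self.exact.items():
            if src.lower() == s.lower():     # vendor strings such as "crit"
                return target
        try:
            n = int(s)                       # numeric scales use the ranges
        except ValueError:
            return self.default
        for low, high, target in self.ranges:
            if low <= n <= high:
                return target
        return self.default


def extract(rule: FieldRule, fields: Dict[str, str]) -> str:
    raw = fields.get(rule.ref, "")
    if rule.regex is None:
        return raw
    m = re.search(rule.regex, raw)
    if m is None:
        return ""      # partial pattern did not match: the event field stays empty
    return m.group(1) if m.groups() else m.group(0)


EVENT_FIELDS = ("source_ip", "dest_ip", "type", "subtype",
                "threat_id", "description", "severity")


def build_event(rules: Dict[str, FieldRule], sev: SeverityMap,
                fields: Dict[str, str]) -> Dict[str, str]:
    """Event dict: 'severity' is the mapped value; the raw vendor value is
    kept alongside it so a wrong mapping can be traced later."""
    ev = {name: extract(rules[name], fields) for name in EVENT_FIELDS if name in rules}
    ev["vendor_severity"] = ev.get("severity", "")
    ev["severity"] = sev.map(ev["vendor_severity"])
    return ev


# Constructed: tag/value pairs already split out of one message in which
# the vendor packs threat ID, description and category into the msg tag:
#   cip=192.168.10.182 dip=10.0.0.5 sev=7 msg=Signature 2012345: SQL injection attempt [attack/sqli]
SAMPLE_FIELDS = {
    "cip": "192.168.10.182", "dip": "10.0.0.5", "sev": "7",
    "msg": "Signature 2012345: SQL injection attempt [attack/sqli]",
}
RULES = {
    "source_ip":   FieldRule("cip"),                                # Entire Tag
    "dest_ip":     FieldRule("dip"),
    "severity":    FieldRule("sev"),
    "threat_id":   FieldRule("msg", r"Signature (\d+):"),           # Partial Tag
    "description": FieldRule("msg", r"Signature \d+: (.*?) \["),
    "type":        FieldRule("msg", r"\[(\w+)/\w+\]$"),
    "subtype":     FieldRule("msg", r"\[\w+/(\w+)\]$"),
}
SEVERITY = SeverityMap(
    exact={"crit": "High", "warn": "Medium", "info": "Low"},    # Add
    ranges=[(8, 10, "High"), (4, 7, "Medium"), (0, 3, "Low")],  # Add Range
)


def demo() -> Dict[str, str]:
    return build_event(RULES, SEVERITY, SAMPLE_FIELDS)


if __name__ == "__main__":
    print(demo())
```

The Partial rules show the usual reason for needing a regular expression: a vendor that packs the threat ID, description and category into one free-text tag. Use a capture group for the part you want, and test each pattern against a message where it does not match, because a non-matching pattern leaves the field empty rather than reporting an error. Likewise, decide what an unmapped severity value should become before enabling the parser; here it falls back to Low, which is an assumption of this example rather than documented FortiNAC behaviour.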
