Security event parsers
You can customize parsing of syslog messages for generating security events. When a syslog message is received from a device, the message is parsed using the format specified in the security event parser. You can also define severity level mappings between the vendor and FortiNAC.
In Topology, you will see enabled security event parsers listed as options when configuring a pingable device to parse incoming security events. See Add or modify a pingable device.
To access security event parsers, select System > Settings > System Communication > Security Event Parsers.
Settings
Field |
Definition |
Table columns |
|
Name |
The name of the security event parser. |
Enabled |
A green check mark indicates that the security event parser is enabled. A red circle indicates that the security event parser is disabled. When enabled, the security event parser is available in Topology. When disabled, the security event parser is not available. |
Vendor |
The name of the vendor of the device that generated the event. |
Format |
Message format for the security event parser. Supported formats include: CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields. TAG/VALUE: Message is a series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag. CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag. |
CSV Delimiter |
Character used to separate the fields in the security event parser. Most common options include: space, comma (,) and pipe (|). This field is not available for the TAG/VALUE format. |
Tag Delimiter |
Character used to separate field name and value in the security event parser. This field is not available for the CSV format. A space is used as the delimiter. |
Source/IP Column |
The name of the field or number of the column containing the source IP address. |
Destination IP Column |
The IP address of the host or device the source host was communicating with. |
Type Column |
The type of security event received. |
Subtype Column |
The subtype of the security event. |
Threat ID Column |
A unique identifying code supplied by the vendor for the specific type of threat or event that occurred. |
Description Column |
A description supplied by the security appliance of the event. |
Severity Column |
Name of the field or number of the column containing the severity. |
Right click options |
|
Modify |
Modify the selected parser. |
Delete |
Deletes the selected parser. |
Copy |
Click to copy information from the selected parser to create a new security parser. |
In Use |
Shows which devices in Topology are currently using the parser. |
Test |
Allows you to test the security event parser by entering a syslog message received from a device. |
Enable |
Enables the parser. |
Disable |
Disables the parser. |
Buttons |
|
Add |
Add a parser. |
Export |
Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. Low, Medium and High severity levels are not included in the exported data. See Export data. |
Add or modify a security event parser
The security event parser allows you to customize parsing of syslog messages for generating security events.
- Click System > Settings.
- In Flat View, select Security Event Parsers from the tree.
- Select the Enabled check box to enable the security event parser.
- Enter a Name for the security event parser.
- (Optional) To build the security parser using a received syslog message, click Populate from Received Syslog.
- Use the table below to enter the file information.
Settings
Field |
Definition |
||
---|---|---|---|
Populate from Received Syslog |
Allows you to select a current syslog message to build the security event parser.
|
||
Enabled |
Enables the security parser to be available as an option when configuring a pingable device to parse incoming security events |
||
Name |
Enter the name of the security event parser. |
||
Vendor |
Enter the name of the vendor of the device that will generated the event. |
||
Format |
Select the message format for the security event parser. Supported formats include: CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields. TAG/VALUE: Message is a series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag. CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag. |
||
Data fields |
|||
Entire Column/Tag |
When you select Entire Column/Tag in the Data Fields drop-down list, enter the name of the field or number of the column containing the value. The entire value will be used to create the security event. |
||
Partial Column/Tag |
When you select Partial Column/Tag in the Data Fields drop-down list, you can build a regular expression that lets you to define which parts of the column to use when creating the security event.
|
||
Source/IP Column |
Enter the name of the field or number of the column containing the source IP address. The entire value will be used to create the security event. |
||
Destination IP Column |
Enter the IP address of the host or device the source host was communicating with. |
||
Type Column |
Enter the type of security event received. |
||
Subtype Column |
Enter the subtype of the security event. |
||
Threat ID Column |
Enter the unique identifying code supplied by the vendor for the specific type of threat or event that occurred. |
||
Description Column |
Enter the description supplied by the security appliance of the event. |
||
Severity Column |
Enter the name of the field or number of the column containing the severity. |
||
Severity mappings |
|||
Source Value |
The severity value provided by the vendor. |
||
Severity Value |
The severity value in FortiNAC to be mapped to the source value. |
||
Add |
Click to add a severity level mapping. |
||
Add Range |
Click to map a single severity value in FortiNAC to a range of values provided by the source. |
||
Modify |
Click to modify a severity mapping. |
||
Delete |
Click to delete a severity mapping. |