
Syslog v1.1.0


About the connector

The Syslog connector sets up listeners for syslog messages, supporting both TCP and UDP transmission, and when a message is received, triggers the FortiSOAR™ playbooks for automated creation of alerts and other predefined response actions.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 5.0.0

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the Syslog Connector in version 1.1.0:

  • Enhanced the Syslog listeners to start automatically after a machine reboot, a uwsgi restart or a process kill.
  • Added support for configuring Syslog data ingestion using the FortiSOAR™ Data Ingestion Wizard, a new feature in FortiSOAR™ 5.0.0. The following two playbooks have been added for data ingestion: Syslog > Ingest and > Syslog > Fetch.
    Note: Since CEF is the most common format for Syslog messages, the default data ingestion playbooks in FortiSOAR™ 5.0.0 parse the message as CEF. If the Syslog messages from your server are not CEF-compliant, modify the “Parse CEF” step in the > Syslog > Fetch playbook (in the Syslog collection of playbooks shipped with the connector) before you configure Data Ingestion. Instead of using the “Parse CEF” step, you can also use the connector's “Parse Message” action, which parses RFC 3164 and RFC 5424 formatted messages and converts them to CEF format.

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • The syslog rpm has a dependency on the lsof package. If you are installing the rpm offline, you must install the lsof rpm prior to configuring the syslog connector on the FortiSOAR™ instance.
  • You must open the ports in the firewall on the FortiSOAR™ instance on which you want the Syslog listeners to run.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Syslog connector row, and in the Configure tab enter the required configuration details.

Parameter | Description
Listener Protocol | Protocol used by the listener. Specify either TCP or UDP.
Listener Port | Port on which the listener starts. Since the listener runs as a non-root user, specify a port higher than 1024.
CyberSponse Endpoint (/api/triggers/1/ will be prepended) | API Trigger URL of the playbook to be triggered when a Syslog message is received.
Filter String (Only messages containing this text would be forwarded to CyOPs) | (Optional) Forward only the Syslog messages that contain the string you specify in this field.

Actions supported by the connector

The following automated operations can be included in playbooks:

  • Parse Message: Parses a Syslog message that follows the specifications provided in RFC 3164 or RFC 5424.
  • Start Listener: Starts the listener for a specified configuration.
  • Stop Listener: Stops the listener for a specified configuration.
  • Restart Listener: Restarts the listener for a specified configuration.

Note: You can also restart listeners for all configurations by Deactivating and Activating the connector on the Connectors page in FortiSOAR™ (Automation > Connectors).

operation: Parse Message

Input parameters

Parameter | Description
Message Format | Specify whether the message to be parsed is in the RFC 3164 or RFC 5424 format.

Note: Messages complying with either the RFC 3164 or the RFC 5424 specification can be parsed.

Output

This function parses the Syslog message and returns a JSON with the message fields.

The output contains the following populated JSON schema:
{
    "header": "",
    "message": ""
}
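As an added example (not the connector's own code), the following stand-alone Python parser accepts the two formats the Parse Message action supports, returns the header/message shape shown above, and converts the result to a CEF line as the release notes describe; the CEF field mapping, the severity scale and the sample messages are assumptions made for this example.

```python
import re

# Regexes for the two header layouts the Parse Message action accepts. The RFC 3164
# timestamp is "Mmm dd hh:mm:ss" (day space-padded); RFC 5424 has VERSION, TIMESTAMP,
# HOSTNAME, APP-NAME, PROCID, MSGID, STRUCTURED-DATA and an optional MSG.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<message>.*)$", re.S)
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<message>.*))?$", re.S)


def parse_syslog(raw):
    """Return {"header": {...}, "message": "..."}; PRI encodes facility*8 + severity."""
    for fmt, regex in (("RFC 5424", RFC5424_RE), ("RFC 3164", RFC3164_RE)):
        m = regex.match(raw)
        if m:
            pri = int(m.group("pri"))
            if pri > 191:                       # facility 0..23, severity 0..7
                raise ValueError("PRI out of range: %d" % pri)
            header = {k: v for k, v in m.groupdict().items()
                      if k not in ("pri", "message")}
            header.update(format=fmt, facility=pri >> 3, severity=pri & 7)
            return {"header": header, "message": m.group("message") or ""}
    raise ValueError("message is neither RFC 3164 nor RFC 5424")


def _esc_header(value):       # CEF header fields: escape backslash and pipe
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):          # CEF extension values: escape backslash and equals sign
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(parsed):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension'.
    Field mapping and the severity scale (emerg 0 -> 10, debug 7 -> 3) are assumptions."""
    h = parsed["header"]
    fields = [h["hostname"], h.get("appname", "syslog"), h.get("version", "0"),
              h.get("msgid", "0"), parsed["message"][:64], 10 - h["severity"]]
    ext = {"dvchost": h["hostname"], "rt": h["timestamp"], "msg": parsed["message"]}
    return ("CEF:0|" + "|".join(_esc_header(f) for f in fields) + "|"
            + " ".join("%s=%s" % (k, _esc_ext(v)) for k, v in ext.items()))
```

Escaping matters because a message containing "|" or "=" would otherwise shift the CEF header or extension fields that a downstream "Parse CEF" step relies on.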

operation: Start Listener

Input parameters

None.

Use this function to start the listener for a given configuration. Note that the listener for a configuration is started by default as soon as the configuration is added, or if the connector is activated.

Output

The JSON output contains the status code and a message.

The output contains the following populated JSON schema:
{
    "status": 0,
    "message": ""
}

operation: Stop Listener

Input parameters

None.

Use this function to stop the listener for a given configuration. Note that the listener for a configuration is stopped by default as soon as the configuration is deleted, or if the connector is deactivated.

Output

The JSON output contains the status code and a message.

The output contains the following populated JSON schema:
{
    "status": 0,
    "message": ""
}

operation: Restart Listener

Input parameters

None.

Use this function to restart the listener for a given configuration.

Output

The JSON output contains the status code and a message.

The output contains the following populated JSON schema:
{
    "status": 0,
    "message": ""
}

Included playbooks

The Sample - Syslog - 1.1.0 playbook collection comes bundled with the Syslog connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Syslog connector.

  • Parse RFC 3164 formatted message
  • Parse RFC 5424 formatted message
  • Stop Start Listener for a Configuration
  • > Syslog > Fetch
  • Syslog > Ingest

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

Troubleshooting

FortiSOAR™ playbook is not triggered when a message is sent

This could be due to one of the following reasons:

  1. The message does not reach the listener because the firewall blocks incoming requests on the listener port.
  2. The API trigger specified in the playbook and the one specified in the configuration do not match.
  3. The FortiSOAR™ credentials specified in the configuration are incorrect.

The listener logs are written to /var/log/cyops/cyops-integrations/syslog/listener.log. Check this log file for the exact reason for the failure.
