Hi, I noticed a problem with the Fortinet integration.
I have an Elastic Agent 8.3 installed on a virtual machine. The policy for this Agent is composed of the system integration and the fortinet integration. Our FortiAnalyzer is sending logs to this Agent.
With the issues around Fortinet, I tried to enable some alerts, but I realized that not all of the data is parsed. In the event.original field I have a lot of information (e.g. user, msg, ...) that is not transformed into fields. Most of the information is, but not everything.
Example :
Here's the event.original field:
<185>logver=700080418 timestamp=1666075617 devname="xxxxcluster" devid="xxxx"
vd="root" date=2022-10-18 time=08:46:57 eventtime=1666075617815719860 tz="+0200"
logid="0100032002" type="event" subtype="system" level="alert"
logdesc="Admin login failed" sn="0" user="userxxxx" ui="https(xxxx)"
method="https" srcip=xxxx dstip=xxxx action="login" status="failed" reason="name_invalid"
msg="Administrator userxxxx login failed from https(xxxx) because of invalid user name"
As we can see, we have user, logdesc, ui, status and reason, which are pretty important fields.
Here's the JSON document as indexed in Elastic:
{
"_index": ".ds-logs-fortinet.fortimanager-default-2022.10.17-000019",
"_id": "xc7Y6YMBVz1dgWzkfUw9",
"_version": 1,
"_score": 0,
"_source": {
"rsa": {
"internal": {
"messageid": "generic_fortinetmgr_1"
},
"time": {
"event_time_str": "1666075617815719860",
"event_time": "2022-10-18T06:46:57.000Z"
},
"misc": {
"vsys": "root",
"severity": "alert",
"event_type": "event",
"reference_id": "0100032002",
"action": [
"login"
],
"event_source": "xxxx",
"category": "system",
"hardware_id": "xxxx"
}
},
"agent": {
"name": "VM",
"id": "c84127c2-0b46-4a7a-be4b-e6645eba6281",
"type": "filebeat",
"ephemeral_id": "9846deb4-1c9d-43d0-8d1b-3739cedd1ff7",
"version": "8.3.3"
},
"log": {
"level": "alert",
"source": {
"address": "xxxx"
},
"syslog": {
"severity": {
"code": 1
},
"priority": 185,
"facility": {
"code": 23
}
}
},
"destination": {
"ip": "xxxxdstip"
},
"elastic_agent": {
"id": "c84127c2-0b46-4a7a-be4b-e6645eba6281",
"version": "8.3.3",
"snapshot": false
},
"source": {
"ip": "xxxx"
},
"tags": [
"preserve_original_event",
"fortinet-fortimanager",
"forwarded"
],
"observer": {
"product": "FortiManager",
"vendor": "Fortinet",
"type": "Configuration"
},
"input": {
"type": "tcp"
},
"@timestamp": "2022-10-18T06:46:57.000Z",
"ecs": {
"version": "8.3.0"
},
"related": {
"hosts": [
"xxxx"
],
"ip": [
"xxxxdestip",
"xxxxsrcip"
]
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "fortinet.fortimanager"
},
"event": {
"agent_id_status": "verified",
"ingested": "2022-10-18T06:47:02Z",
"original": "<185>logver=700080418 timestamp=1666075617 devname=\"xxxxclust\"
devid=\"xxxx\" vd=\"root\" date=2022-10-18 time=08:46:57 eventtime=1666075617815719860
tz=\"+0200\" logid=\"0100032002\" type=\"event\" subtype=\"system\" level=\"alert\"
logdesc=\"Admin login failed\" sn=\"0\" user=\"userxxxx\" ui=\"https(xxxx)\" method=\"https\"
srcip=xxxx dstip=xxxx action=\"login\" status=\"failed\" reason=\"name_invalid\"
msg=\"Administrator userxxxx login failed from https(xxxx) because of invalid user name\"",
"code": "0100032002",
"timezone": "+02:00",
"action": "login",
"dataset": "fortinet.fortimanager"
}
},
"fields": {
"elastic_agent.version": [
"8.3.3"
],
"rsa.misc.reference_id": [
"0100032002"
],
"rsa.misc.severity": [
"alert"
],
"rsa.misc.action": [
"login"
],
"observer.vendor": [
"Fortinet"
],
"agent.type": [
"filebeat"
],
"rsa.misc.category": [
"system"
],
"event.module": [
"fortinet"
],
"related.ip": [
"xxxxdestip",
"xxxxsrcip"
],
"rsa.misc.hardware_id": [
"xxxx"
],
"log.level": [
"alert"
],
"source.ip": [
"xxxxsrcip"
],
"observer.product": [
"FortiManager"
],
"agent.name": [
"VM"
],
"elastic_agent.snapshot": [
false
],
"event.agent_id_status": [
"verified"
],
"log.syslog.priority": [
185
],
"event.timezone": [
"+02:00"
],
"rsa.misc.event_type": [
"event"
],
"office_hours": [
true
],
"event.original": [
"<185>logver=700080418 timestamp=1666075617 devname=\"xxxx\" devid=\"xxxx\"
vd=\"root\" date=2022-10-18 time=08:46:57 eventtime=1666075617815719860 tz=\"+0200\"
logid=\"0100032002\" type=\"event\" subtype=\"system\" level=\"alert\"
logdesc=\"Admin login failed\" sn=\"0\" user=\"xxxxuser\" ui=\"https(xxxx)\" method=\"https\"
srcip=xxxxsrcip dstip=xxxxdestip action=\"login\" status=\"failed\" reason=\"name_invalid\"
msg=\"Administrator xxxxuser login failed from https(xxxx) because of invalid user name\""
],
"log.syslog.severity.code": [
1
],
"elastic_agent.id": [
"c84127c2-0b46-4a7a-be4b-e6645eba6281"
],
"rsa.time.event_time": [
"2022-10-18T06:46:57.000Z"
],
"data_stream.namespace": [
"default"
],
"input.type": [
"tcp"
],
"destination.ip": [
"xxxxdstip"
],
"data_stream.type": [
"logs"
],
"tags": [
"preserve_original_event",
"fortinet-fortimanager",
"forwarded"
],
"rsa.misc.vsys": [
"root"
],
"event.action": [
"login"
],
"event.ingested": [
"2022-10-18T06:47:02.000Z"
],
"event.code": [
"0100032002"
],
"@timestamp": [
"2022-10-18T06:46:57.000Z"
],
"agent.id": [
"c84127c2-0b46-4a7a-be4b-e6645eba6281"
],
"ecs.version": [
"8.3.0"
],
"observer.type": [
"Configuration"
],
"log.source.address": [
"xxxx"
],
"data_stream.dataset": [
"fortinet.fortimanager"
],
"rsa.internal.messageid": [
"generic_fortinetmgr_1"
],
"agent.ephemeral_id": [
"9846deb4-1c9d-43d0-8d1b-3739cedd1ff7"
],
"agent.version": [
"8.3.3"
],
"related.hosts": [
"xxxxclust"
],
"rsa.misc.event_source": [
"xxxxclust"
],
"log.syslog.facility.code": [
23
],
"event.dataset": [
"fortinet.fortimanager"
],
"rsa.time.event_time_str": [
"1666075617815719860"
]
}
}
The msg and user fields are missing, and when investigating a possible compromise it is not very convenient to have to read the whole event.original string to find the relevant details.
I don't know whether this is a real issue or a problem with our own setup, and if it is the latter, what should I do?
Thanks
Sirine