Fortinet Integration not parsing all data

Hi, I noticed a problem with the Fortinet integration.

I have an Elastic Agent 8.3 installed on a virtual machine. The policy for this Agent consists of the System integration and the Fortinet integration. Our FortiAnalyzer is sending logs to this Agent.

With the issues around Fortinet, I tried to enable some alerts, but I realized that not all of the data is parsed. In the event.original field I have a lot of information (e.g. user, msg, ...) that is not transformed into fields. Most of the information is, but not everything.

Example :
Here's the event.original field :

<185>logver=700080418 timestamp=1666075617 devname="xxxxcluster" devid="xxxx" 
vd="root" date=2022-10-18 time=08:46:57 eventtime=1666075617815719860 tz="+0200" 
logid="0100032002" type="event" subtype="system" level="alert" 
logdesc="Admin login failed" sn="0" user="userxxxx" ui="https(xxxx)" 
method="https" srcip=xxxx dstip=xxxx action="login" status="failed" reason="name_invalid" 
msg="Administrator userxxxx login failed from https(xxxx) because of invalid user name"

As we can see, we have user, logdesc, ui, status and reason, which are pretty important fields.

Here's the json log in Elastic :

{
  "_index": ".ds-logs-fortinet.fortimanager-default-2022.10.17-000019",
  "_id": "xc7Y6YMBVz1dgWzkfUw9",
  "_version": 1,
  "_score": 0,
  "_source": {
    "rsa": {
      "internal": {
        "messageid": "generic_fortinetmgr_1"
      },
      "time": {
        "event_time_str": "1666075617815719860",
        "event_time": "2022-10-18T06:46:57.000Z"
      },
      "misc": {
        "vsys": "root",
        "severity": "alert",
        "event_type": "event",
        "reference_id": "0100032002",
        "action": [
          "login"
        ],
        "event_source": "xxxx",
        "category": "system",
        "hardware_id": "xxxx"
      }
    },
    "agent": {
      "name": "VM",
      "id": "c84127c2-0b46-4a7a-be4b-e6645eba6281",
      "type": "filebeat",
      "ephemeral_id": "9846deb4-1c9d-43d0-8d1b-3739cedd1ff7",
      "version": "8.3.3"
    },
    "log": {
      "level": "alert",
      "source": {
        "address": "xxxx"
      },
      "syslog": {
        "severity": {
          "code": 1
        },
        "priority": 185,
        "facility": {
          "code": 23
        }
      }
    },
    "destination": {
      "ip": "xxxxdstip"
    },
    "elastic_agent": {
      "id": "c84127c2-0b46-4a7a-be4b-e6645eba6281",
      "version": "8.3.3",
      "snapshot": false
    },
    "source": {
      "ip": "xxxx"
    },
    "tags": [
      "preserve_original_event",
      "fortinet-fortimanager",
      "forwarded"
    ],
    "observer": {
      "product": "FortiManager",
      "vendor": "Fortinet",
      "type": "Configuration"
    },
    "input": {
      "type": "tcp"
    },
    "@timestamp": "2022-10-18T06:46:57.000Z",
    "ecs": {
      "version": "8.3.0"
    },
    "related": {
      "hosts": [
        "xxxx"
      ],
      "ip": [
        "xxxxdestip",
        "xxxxsrcip"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "fortinet.fortimanager"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2022-10-18T06:47:02Z",
      "original": "<185>logver=700080418 timestamp=1666075617 devname=\"xxxxclust\" 
devid=\"xxxx\" vd=\"root\" date=2022-10-18 time=08:46:57 eventtime=1666075617815719860
tz=\"+0200\" logid=\"0100032002\" type=\"event\" subtype=\"system\" level=\"alert\" 
logdesc=\"Admin login failed\" sn=\"0\" user=\"userxxxx\" ui=\"https(xxxx)\" method=\"https\" 
srcip=xxxx dstip=xxxx action=\"login\" status=\"failed\" reason=\"name_invalid\" 
msg=\"Administrator userxxxx login failed from https(xxxx) because of invalid user name\"",
      "code": "0100032002",
      "timezone": "+02:00",
      "action": "login",
      "dataset": "fortinet.fortimanager"
    }
  },
  "fields": {
    "elastic_agent.version": [
      "8.3.3"
    ],
    "rsa.misc.reference_id": [
      "0100032002"
    ],
    "rsa.misc.severity": [
      "alert"
    ],
    "rsa.misc.action": [
      "login"
    ],
    "observer.vendor": [
      "Fortinet"
    ],
    "agent.type": [
      "filebeat"
    ],
    "rsa.misc.category": [
      "system"
    ],
    "event.module": [
      "fortinet"
    ],
    "related.ip": [
      "xxxxdestip",
      "xxxxsrcip"
    ],
    "rsa.misc.hardware_id": [
      "xxxx"
    ],
    "log.level": [
      "alert"
    ],
    "source.ip": [
      "xxxxsrcip"
    ],
    "observer.product": [
      "FortiManager"
    ],
    "agent.name": [
      "VM"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "log.syslog.priority": [
      185
    ],
    "event.timezone": [
      "+02:00"
    ],
    "rsa.misc.event_type": [
      "event"
    ],
    "office_hours": [
      true
    ],
    "event.original": [
      "<185>logver=700080418 timestamp=1666075617 devname=\"xxxx\" devid=\"xxxx\" 
vd=\"root\" date=2022-10-18 time=08:46:57 eventtime=1666075617815719860 tz=\"+0200\"
 logid=\"0100032002\" type=\"event\" subtype=\"system\" level=\"alert\" 
logdesc=\"Admin login failed\" sn=\"0\" user=\"xxxxuser\" ui=\"https(xxxx)\" method=\"https\" 
srcip=xxxxsrcip dstip=xxxxdestip action=\"login\" status=\"failed\" reason=\"name_invalid\" 
msg=\"Administrator xxxxuser login failed from https(xxxx) because of invalid user name\""
    ],
    "log.syslog.severity.code": [
      1
    ],
    "elastic_agent.id": [
      "c84127c2-0b46-4a7a-be4b-e6645eba6281"
    ],
    "rsa.time.event_time": [
      "2022-10-18T06:46:57.000Z"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "input.type": [
      "tcp"
    ],
    "destination.ip": [
      "xxxxdstip"
    ],
    "data_stream.type": [
      "logs"
    ],
    "tags": [
      "preserve_original_event",
      "fortinet-fortimanager",
      "forwarded"
    ],
    "rsa.misc.vsys": [
      "root"
    ],
    "event.action": [
      "login"
    ],
    "event.ingested": [
      "2022-10-18T06:47:02.000Z"
    ],
    "event.code": [
      "0100032002"
    ],
    "@timestamp": [
      "2022-10-18T06:46:57.000Z"
    ],
    "agent.id": [
      "c84127c2-0b46-4a7a-be4b-e6645eba6281"
    ],
    "ecs.version": [
      "8.3.0"
    ],
    "observer.type": [
      "Configuration"
    ],
    "log.source.address": [
      "xxxx"
    ],
    "data_stream.dataset": [
      "fortinet.fortimanager"
    ],
    "rsa.internal.messageid": [
      "generic_fortinetmgr_1"
    ],
    "agent.ephemeral_id": [
      "9846deb4-1c9d-43d0-8d1b-3739cedd1ff7"
    ],
    "agent.version": [
      "8.3.3"
    ],
    "related.hosts": [
      "xxxxclust"
    ],
    "rsa.misc.event_source": [
      "xxxxclust"
    ],
    "log.syslog.facility.code": [
      23
    ],
    "event.dataset": [
      "fortinet.fortimanager"
    ],
    "rsa.time.event_time_str": [
      "1666075617815719860"
    ]
  }
}

The msg and user fields are missing, and when investigating a possible compromise it is not very convenient to read the whole event.original field to look for something interesting.

I don't know whether this is a real issue or a problem on our machine; if it is the latter, what should I do?
Thanks
Sirine

Based on the "dataset": "fortinet.fortimanager" in the log, it looks like you're using the FortiManager integration.

Have you tried using the Fortinet Fortigate Firewall Logs integration package instead?

Hi, thank you for answering.

I'm sorry, I just noticed that I didn't mention that I am using logs forwarded by a FortiAnalyzer. That is why I used the FortiManager integration, as advised in the integration description.

@ebeahan

I realized that the Fortinet devices connected to the FortiAnalyzer are running FortiOS version 7.0.

I didn't notice the message "This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested." in the Fortinet Integration.

I don't think the problem is on my side, but I can't be sure given that this version hasn't been tested by Elastic; I think the Fortinet modules are not compatible with FortiOS version 7.x and above.
