FortiSIEM Configuring Event Handling

Configuring Event Handling

This section describes certain event handling operations that happen at the moment events are received in AccelOps.

Event Dropping

Event Forwarding

Event Organization Mapping Multi-line Syslog Handling

Event Dropping

Some devices and applications generate a significant number of logs, which may be very verbose, contain little valuable information, and consume storage resources. You can configure Event Dropping rules that will drop events just after they have been received by FortiSIEM, preventing these event logs from being collected and processed. Implementing these rules may require some thought to accurately set the event type, reporting device type, and event regular expression match, for example. However, dropped events do not count towards licensed Events per Second (EPS), and are not stored in the Event database. Dropped event also do not appear in reports, and do not trigger rules. You can also specify that events should be dropped but stored, so event information will be available for searches and reports, but will not trigger rules. And example of an event type that you might want to store but not have trigger any rules would be an IPS event that is a false positive.

Procedure
  1. Log in to your Supervisor node.

For multi-tenant deployments you should log in to the Super/Global account if you want to set a system-wide event dropping rule. If you want to set an event-dropping rule for a specific organization, either log in as an administrator for that organization, or or log in using the Super/Global Account and then select the organization to which the rule should apply when you are creating it.

  1. Go to Admin > General Settings > Event Handling.
  2. Under Event Dropping Rule, click Add.
  3. Next to Reporting Device, click Edit, and use the CMDB Browser to find device group or individual device that you want to create the rule for.
  4. Next to Event Type, click Edit, and use the Event Type Browser to find the group of event types, or a specific event type, that you want to create the rule for.
  5. If the event type you select has an Source IP or Destination IP attribute, you can enter specific IP addresses to which the rule should apply.
  6. For Regex Filter, enter any regular expressions you want to use to filter the log files.

If any matches are made against your regular expression, then the event will be dropped.

  1. For multi-tenant deployments, select the Organization to which the rule should apply.
  2. Select the Action that should be taken when the event dropping rule is triggered.
  3. Enter any Description for the rule.
  4. Click Save.

Implementation Notes

  1. All matching rules are implemented by FortiSIEM, and inter-rule order is not important. If you create a duplicate of an event dropping rule, the first rule is in effect.
  2. If you leave a rule definition field blank, then that field is not evaluated. For example, leaving Event Type left blank is the same as selecting All Event Types.
  3. FortiSIEM drops the event at the first entry point. If your deployment uses Collectors, events are dropped by the Collectors. If your deployment doesn’t use Collectors, then the event will be droppedby the Worker or Supervisor where the event is received.
  4. You can use the report System Event Processing Statistics to view the statistics for dropped events. When you run the report, select AVG(Policy Dropped Event Rate(/sec) as one of the dimensions for Chart For to see events that have been dropped to this policy.
Event Forwarding

n systems management, many servers may need access to forward logs, traps and Netflows from network devices and servers, but it is often resource intensive for network devices and servers to forward logs, traps and netflows to multiple destinations. For example, most Cisco routers can forward Netflow to two locations at most. However, FortiSIEM can forward/relay specific logs, traps and Netflows to one or more destinations. If you want to send a log to multiple destinations, you can send it to FortiSIEM, which will use an event forwarding rule to send it to the desired locations.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Event Handling.
  3. Under Event Forwarding Rule, for multi-tenant deployments, select the organization for which the rule will apply.
  4. Click Add.
  5. For Sender IP, enter the IP address of the device that will be sending the logs. The syntax can be one of the following a. a single IP address
    1. an IP address range e.g. 10.1.1.1-10.1.1.10
    2. CIDR notation e.g. 10.1.1.0/8
    3. a combination of the above separated by comma, e.g. 10.1.1.1,10.1.1.3,20.1.1.1-20.1.1.10,30.1.1.0/24
  6. For Severity, select an operator and enter a severity level that must match for the log to be forwarded.
  7. Select the Traffic Type to which the rule should apply.

The Forward To > Port field will be populated based on your selection here.

  1. For Forward to > IP, enter the IP address to which the event should be forwarded.
  2. Click OK.
Event Organization Mapping

FortiSIEM can handle reporting devices that are themselves multi-tenant and hence have organization names in events that they send. This section describes how you can map organization names in external events to those on FortiSIEM so that those events have the correct FortiSIEM organizations.

Adding Organization Mapping Rules
  1. Go to Admin > General Settings > Event Handling > Event Organization Handling 2. Click Add to add a rule
  2. Select Enabled if this rule is to be enforced
  3. Select the Device Type of the sender. This has to be a device that FortiSIEM understands and able to parse events.
  4. Select the Event Attribute that contains the external organization name. FortiSIEM will map the value in this field to an FortiSIEM organization.
  5. Select the Collectors that are going to receive the events. By default any collectors would be able to do this but it is possible to scope down if needed. This field is optional.
  6. Specify the Reporting IP/Range of the multi-tenant devices that are sending events. Format of this field is a comma separated list of IP addresses intermixed with IP ranges, e.g. 10.1.1.1,10.1.1.2,10.10.1.1-10.10.1.250.
  7. Specify the Org Mapping.
    1. Click Edit
    2. Select the System (FortiSIEM) organization on the left column
    3. Click the Event Organization and enter the external Organization name corresponding to the System Organization on the left column
  8. Click OK to Save.

 

 

 

Multi-line Syslog Handling

Often applications generate a single syslog in multiple lines. For analysis purposes, the multiple lines need to put together into a single log. This feature enables you to do that.

User can write multiple multi-line syslog combining rules based on reporting IP and begin and ending patterns. All matching syslog within the begin and ending pattern are combined into a single log.

To create a multi-line syslog rule,

  1. Go to Admin > General Settings > Event Handling
  2. Scroll down to Multiline syslog section
  3. Click Add
  4. Enter the following information
    1. Enabled – check this if the rule needs to be effective
    2. Sender IP – the source of the syslog – format is a single IP, IP range, CIDR and a combination of the above separated by comma c. Protocol – TCP or UDP since syslog can come via either of these protocols
    3. Organization – syslog from devices belonging to this organization will be combined into one line
    4. Begin Pattern – combining syslog starts when the regular expression specified here is encountered
    5. End Pattern – combining syslog stops when the regular expression specified here is encountered
  5. Click Save

Example 1 – Syslog over UDP

In this case, Begin Pattern is required and End Pattern is optional.

If a packet matches the Begin Pattern, FortiSIEM will hold it in memory and wait for the next packet.

If the 2nd packet also matches the Begin Pattern, continue waiting.

If the 3rd packet doesn’t match the Begin Pattern, flush out the 2 events (1+2 and 3).

If any packet matches the End Pattern, flush out.

The Begin Pattern is in each packet of a multiline syslog. Remove them except the 1st packet.

For example, the receiver gets these packets:

<syslog header> I come to

<syslog header> work

<syslog header> every day

If you set the Begin Pattern to a regular expression to match the <syslog header> and leave the End Pattern to be empty, then the three syslogs are combined into a single syslog

<syslog header> I come to work every day

If you set the Begin Pattern to a regular expression to match the <syslog header> and leave the End Pattern to match work, then the first two syslogs are combined into a single syslog, while the third one is left alone.

<syslog header> I come to work

<syslog header> work

Example 2 – Syslog over TCP – octet counting

Octet counting means that there is a header that specifies the length of the syslog. In this case, syslog is not combined. There is no need to combine, since the source can send large syslog messages.

Example 3 – syslog over TCP – non-transparent framing

In non-transparent framing, two syslogs sent over a TCP stream is delineated by the “\n” character. In this case, either Begin Pattern or End Pattern is required. Both can be present as well.

If the Begin Pattern is matched in the TCP stream, a multi-line syslog combination begins

If the End Pattern is matched in the TCP stream, multi-line syslog combination ends

If the Begin Pattern is again matched in the TCP stream, the previous multi-line syslog combination ends

TCP syslog stream: id=0,name=<1>name=a,id=1<2>name=b,id=2<3>

Begin pattern is <\d+> and end pattern is id=\d+. This results in 3 syslogs id=0,name=

<1>name=a,id=1

<2>name=b,id=2

And <3> will be held for next packet.

If the Begin pattern is <\d+> and end pattern is empty, this also results in 3 syslogs as before.

Managing FortiSIEM


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiSIEM Configuring Event Handling

  1. Renato Gonçalves

    Its possible to put a series of machines with Windows Logs ( AD, Exchange ) sending data to the FortiSiem collector has 1 syslog?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.