Fortigate logs with wazuh

[uguraaygun]

Hello guys. I started to use Wazuh and it is really amazing.

I have a question. I forwarded my fortigate logs with syslog to wazuh. When i check tcpdump i can see logs are coming but i could not find anything about logs in either archive.log or in web interface.

After research i understood that i need custom ruleset and decoders but i assume wazuh now have ruleset and decoders ( in var/ossec/.. i saw forti related decoders and rules)

What should i do? Any help would be appreciated. Thank you.

[jctello]

Hi @uguraaygun ,
If you're seeing the events with tcpdump but not on either the archives.log or archives.json either archives have not been enabled or the events are being blocked by the operating system's firewall.

The tcpdump utility is capable of detecting events even when they are being blocked by SELinux or firewalld.

In order to open port 514 for inbound connections on firewall you may run the following commands:

firewall-cmd --permanent --zone=public --add-port=514/tcp
firewall-cmd --reload

We do have some rules and decoder for Fortigate, but if you're still not seeing events then you may enable the archives on the manager's ossec.conf by enabling either <logall> or <logall_json> within the <global> section. I recommend using <logall_json> which will populate the /var/ossec/logs/archives/archives.json with all events in an organized manner, making it easy to collect the full_log field to be used when testing your rules and decoders.

For guidance on creating rules and decoders you may follow this part of the Wazuh documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

And of course if you run into any other issue don't hesitate to let us know and we'll be glad to help.

[uguraaygun]

Thank you i have managed to solve the issue. But i have one more question. I want to create action for fortigate ( for example, a user tried ssl-vpn too many times, i want to blacklist his/her ip from fortigate but i want it as a rule based action.)

Can we create actions on wazuh side ? can wazuh connect fortigate via ssh or other protocols ?

[jctello]

Hi @uguraaygun ,
Yes you can, with the integrator daemon you can configure Wazuh to run an executable on the manager while passing to it information from the event triggering the integration.
Here's a good guide on creating your own integrations: https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/
Specifically for Fortigate you could use the External block list fabric connector and configure a simple script to log in via SSH to run the CLI commands specified there.

If you have a specific requirement to run these actions on a Wazuh agent instead of the manager then you can use Active Responses instead, here is a guide on creating custom AR scripts.