Forwarding Logs from Fortigate Firewall to SIEM with Logstash Parser


In the realm of cybersecurity, a critical aspect of maintaining a robust defense is effective log management and analysis. Firewalls play a pivotal role in network security, and Fortigate Firewalls are renowned for their capabilities. To enhance the overall security posture, organizations often integrate Security Information and Event Management (SIEM) systems, which provide centralized monitoring and analysis of security events.

In this article, we will explore how to forward logs from a Fortigate Firewall to a SIEM solution, specifically utilizing Logstash as a parser to extract and format log data.

Why Forward Logs to a SIEM?

Forwarding logs from a Fortigate Firewall to a SIEM system offers several advantages:

1. Centralized Monitoring: SIEM systems provide a unified platform for monitoring security events, enabling quick detection of anomalies and potential threats.

2. Threat Detection: By aggregating and analyzing log data from multiple sources, SIEM systems can detect patterns and anomalies that may indicate a security breach or unauthorized access.

3. Compliance: Many industries have strict compliance requirements for log management. Forwarding logs to a SIEM can help organizations meet these regulatory standards.

4. Incident Response: In the event of a security incident, centralized logs can provide valuable insights for investigating the breach and implementing effective incident response strategies.

Step-by-Step Guide: Forwarding Logs from Fortigate Firewall to SIEM

Step 1: Configure Fortigate Firewall Logging

1. Access the Fortigate Firewall’s web interface.
2. Navigate to the ‘Log & Report’ section and select ‘Log Settings.’
3. Enable syslog forwarding and enter the IP address of your Logstash server; the port must be the one the Logstash input listens on (5140 in the example below).

You can also set up the forwarding from the CLI console:

config log syslogd setting
  set status enable
  set server "X.X.X.X"
  set port 5140
end
config log syslogd filter
  set severity information
end

where X.X.X.X is the Logstash IP. Two settings deserve care. The port must be the one the Logstash udp input listens on (5140 in the configuration below), otherwise nothing arrives. 'set severity' is the lowest level the firewall will send, not a single level: with 'critical' only critical, alert and emergency events leave the box, while the traffic and UTM logs a SIEM is mostly built on are logged at notice and information, so 'information' is used here; trim noise on the SIEM side rather than at the source. Plain syslog over UDP (the default mode) is neither authenticated nor encrypted, so keep the Logstash listener on a management network and allow only the firewall's address at the host firewall.

Step 2: Set Up Logstash Server

1. Install Logstash on a server within your network.
2. Create a Logstash configuration file (e.g., fortigate.conf) to define the input (Fortigate logs), filter (parsing and formatting), and output (sending to SIEM) sections.

Example: fortigate.conf

input {
  udp {
    port => 5140                 # must match 'set port' in the FortiGate syslogd setting
    type => "fortigate"
  }
}
filter {
  # FortiGate's default syslog format is "<PRI>key=value key=value ...":
  # strip the <PRI> header so only the key=value body is left in "message".
  grok {
    match => [ "message", "%{SYSLOG5424PRI}%{GREEDYDATA:message}" ]
    overwrite => [ "message" ]
  }

  # Split the key=value body; quoted values such as msg="..." are handled by kv.
  kv {
    source => "message"
    prefix => "ngfw_"
  }

  # Event time from the firewall's own date= and time= fields rather than the
  # collector clock, so delayed or replayed logs keep their real timestamp.
  if [ngfw_date] and [ngfw_time] {
    mutate { add_field => { "timestampnew" => "%{ngfw_date} %{ngfw_time}" } }
    date {
      match => [ "timestampnew", "yyyy-MM-dd HH:mm:ss" ]
      target => "siem_timestamp"
      locale => "en"
      timezone => "Asia/Kolkata"   # the firewall's own zone; IST assumed, set yours
      remove_field => [ "timestampnew" ]
    }
  }

  # Copies under the field names the SIEM mapping expects.
  if [ngfw_srcip] {
    mutate { add_field => { "siem_sourceip" => "%{ngfw_srcip}" } }
  }
  if [ngfw_dstip] {
    mutate { add_field => { "siem_dstip" => "%{ngfw_dstip}" } }
  }
  if [ngfw_srcport] {
    mutate { add_field => { "sourceport" => "%{ngfw_srcport}" } }
  }
  if [ngfw_url] {
    mutate { add_field => { "request" => "%{ngfw_url}" } }
  }

  # Tag non-routable sources (RFC 1918, loopback, link-local, CGNAT,
  # documentation, multicast, reserved) and only geolocate the rest.
  if [siem_sourceip] {
    cidr {
      address => [ "%{siem_sourceip}" ]
      network => [ "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8" ]
      add_field => { "iptype" => "privateip" }
    }
    # IPv4 only: an IPv6 public address gets neither tag nor geoip here.
    if [siem_sourceip] =~ /^(?:\d{1,3}\.){3}\d{1,3}$/ and "privateip" not in [iptype] {
      if [siem_sourceip] != "0.0.0.0" {
        mutate { add_field => { "iptype" => "publicip" } }
        geoip { source => "siem_sourceip" }
      }
    }
  }

  # Every distinct msg text becomes a tag; handy for dashboards, but it is
  # unbounded cardinality on a busy firewall.
  if [ngfw_msg] {
    mutate { add_tag => [ "%{ngfw_msg}" ] }
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]      # add the cluster's authentication/TLS options if it requires them
    index => "fortigate-%{+YYYY.MM}" # one index per month
  }
}

Step 3: Start Logstash

Validate the configuration file first, then execute Logstash with it:

bin/logstash -f /path/to/fortigate.conf --config.test_and_exit
bin/logstash -f /path/to/fortigate.conf

Port 5140 is unprivileged, so Logstash does not need root to bind it; binding the standard syslog port 514 would require that privilege.
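Before pointing a production firewall at the collector it is worth checking the extraction logic on a few synthetic lines. The following is an added example, not code from the original article nor from Fortinet or Elastic: it re-implements the grok, kv, mutate and cidr stages of fortigate.conf in Python, taking the event time from the firewall's own date=/time=/tz= fields. The +0530 fallback zone is an assumption, as are the device names and addresses in the constructed sample lines. It goes slightly beyond the filter in one respect: the private/public check also handles IPv6.

```python
"""Offline check of the FortiGate parsing logic used in the Logstash filter.

Added example, not code from the original article, Fortinet or Elastic. It
mirrors the grok (<PRI> strip), kv (key=value split), mutate (aliases) and
cidr (private/public) stages so the extraction can be tested without a
firewall. Sample lines below are constructed, not captured traffic.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# FortiGate's default syslog format: "<PRI>" followed directly by key=value pairs.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$")
# key=value where the value is either "double quoted" or a bare non-space run.
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_\-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# Same idea as the cidr block in the Logstash filter (RFC 1918, loopback,
# link-local, CGNAT, documentation, 6to4 relay, multicast, reserved, IPv6).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "100.64.0.0/10", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fe80::/10", "ff00::/8",
)]


def classify_ip(addr: str) -> str:
    """Return 'privateip', 'publicip', 'unspecified' (0.0.0.0 / ::) or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_unspecified:
        return "unspecified"
    return "privateip" if any(ip in net for net in NON_PUBLIC) else "publicip"


def event_time(event: dict, prefix: str = "ngfw_", default_tz: str = "+0530") -> datetime:
    """Aware datetime from date=YYYY-MM-DD time=HH:MM:SS and tz=+HHMM.

    Newer FortiOS releases emit tz= themselves; the +0530 (IST) fallback is an
    assumption for this example and should be the firewall's real zone.
    """
    tz = event.get(prefix + "tz", default_tz).replace(":", "")
    sign = -1 if tz[0] == "-" else 1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    naive = datetime.strptime(f"{event[prefix + 'date']} {event[prefix + 'time']}",
                              "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(offset))


def parse_fortigate_line(line: str, prefix: str = "ngfw_") -> dict:
    """Equivalent of grok + kv + mutate + cidr: one flat event dict per line."""
    m = PRI_RE.match(line.strip())
    if not m:
        raise ValueError("not a <PRI>-prefixed syslog line")
    pri = int(m.group("pri"))
    event = {"syslog_facility": pri // 8, "syslog_severity": pri % 8}
    for kv in KV_RE.finditer(m.group("body")):
        value = kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
        event[prefix + kv.group("key")] = value
    # Aliases under the names the SIEM mapping expects (the mutate blocks).
    for src, dst in (("srcip", "siem_sourceip"), ("dstip", "siem_dstip"),
                     ("srcport", "sourceport"), ("url", "request")):
        if prefix + src in event:
            event[dst] = event[prefix + src]
    if "siem_sourceip" in event:
        event["iptype"] = classify_ip(event["siem_sourceip"])
    if prefix + "date" in event and prefix + "time" in event:
        event["siem_timestamp"] = event_time(event, prefix)
    return event


# Constructed sample lines in FortiGate's default format (PRI 189 = local7.notice,
# 188 = local7.warning); device names, serial and addresses are made up.
SAMPLE_LINES = [
    '<189>date=2024-01-15 time=10:22:31 devname="fw-edge-01" devid="FGT60FTK00000001" '
    'type="traffic" subtype="forward" level="notice" vd="root" tz="+0530" '
    'srcip=10.1.20.44 srcport=51234 dstip=93.184.216.34 dstport=443 proto=6 '
    'action="accept" policyid=7 service="HTTPS" msg="Allowed by policy"',
    # No tz= field: event_time() falls back to the assumed zone.
    '<188>date=2024-01-15 time=10:22:35 devname="fw-edge-01" type="traffic" '
    'subtype="local" level="warning" srcip=203.0.113.7 srcport=40001 '
    'dstip=198.51.100.2 dstport=22 proto=6 action="deny" msg="Denied by policy"',
    '<189>date=2024-01-15 time=10:22:40 devname="fw-edge-01" type="utm" '
    'subtype="webfilter" level="notice" tz="+0530" srcip=93.184.216.34 '
    'srcport=44321 dstip=10.1.20.44 dstport=443 proto=6 action="blocked" '
    'url="/wp-login.php" msg="URL belongs to a denied category"',
]

if __name__ == "__main__":
    for ev in (parse_fortigate_line(line) for line in SAMPLE_LINES):
        print(ev["siem_timestamp"].isoformat(), ev["siem_sourceip"],
              ev["iptype"], ev.get("ngfw_action"), ev.get("ngfw_msg"))
```

Run it directly to print one line per event. Note that 203.0.113.7 comes out as privateip: the documentation range is in the cidr list on purpose, and the same will happen in Logstash, which is exactly the kind of surprise this kind of check surfaces before a dashboard is built on the field.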

Step 4: Configure SIEM to Ingest Data

The SIEM does not listen on port 5140; that is where Logstash receives the firewall's syslog. The SIEM consumes whatever the output section of fortigate.conf writes:

1. With the ELK/Elastic stack (the output above), events already land in the monthly fortigate-YYYY.MM indices on Elasticsearch at 127.0.0.1:9200; create an index pattern for fortigate-* in Kibana and pick siem_timestamp as the time field if you want event time rather than ingest time.
2. For another SIEM (Splunk, AlienVault/OSSIM, etc.), replace the elasticsearch output with an output plugin that SIEM accepts, for example a tcp or http output to its collector, and point the SIEM's own input at that.
3. Configure parsing rules or field mappings on the SIEM side to match the Logstash field names (siem_sourceip, siem_dstip, sourceport, request, iptype and the ngfw_* fields).

Step 5: Monitor and Analyze

Once the setup is complete, the SIEM will start receiving and analyzing Fortigate Firewall logs. You can now monitor real-time security events, generate reports, and set up alerts for specific conditions.

Conclusion

Integrating Fortigate Firewalls with a SIEM solution through Logstash parsing can significantly enhance an organization’s cybersecurity posture. By centralizing log data, organizations gain greater visibility into their network, making it easier to detect and respond to potential threats.

The step-by-step guide outlined in this article should help you get started on this journey towards improved security and compliance.
