Forwarding Logs from Fortigate Firewall to SIEM with Logstash Parser


In the realm of cybersecurity, a critical aspect of maintaining a robust defense is effective log management and analysis. Firewalls play a pivotal role in network security, and Fortigate Firewalls are renowned for their capabilities. To enhance the overall security posture, organizations often integrate Security Information and Event Management (SIEM) systems, which provide centralized monitoring and analysis of security events.

In this article, we will explore how to forward logs from a Fortigate Firewall to a SIEM solution, specifically utilizing Logstash as a parser to extract and format log data.

Why Forward Logs to a SIEM?

Forwarding logs from a Fortigate Firewall to a SIEM system offers several advantages:

1. Centralized Monitoring: SIEM systems provide a unified platform for monitoring security events, enabling quick detection of anomalies and potential threats.

2. Threat Detection: By aggregating and analyzing log data from multiple sources, SIEM systems can detect patterns and anomalies that may indicate a security breach or unauthorized access.

3. Compliance: Many industries have strict compliance requirements for log management. Forwarding logs to a SIEM can help organizations meet these regulatory standards.

4. Incident Response: In the event of a security incident, centralized logs can provide valuable insights for investigating the breach and implementing effective incident response strategies.

Step-by-Step Guide: Forwarding Logs from Fortigate Firewall to SIEM

Step 1: Configure Fortigate Firewall Logging

1. Access the Fortigate Firewall’s web interface.
2. Navigate to the ‘Log & Report’ section and select ‘Log Settings.’
3. Configure log settings to forward logs to a designated IP address (the IP of your Logstash server).

Alternatively, you can configure the same log forwarding from the command-line console:

config log syslogd setting
  set status enable
  set server "X.X.X.X"
  set port 5140
end
config log syslogd filter
  set severity critical
end

Where X.X.X.X is the Logstash IP and the port matches the udp input port in the Logstash configuration (5140 in the example below). Note that `set severity critical` forwards only events of severity critical or higher; lower the severity if you also want lower-severity events such as traffic logs to reach the SIEM.

Step 2: Set Up Logstash Server

1. Install Logstash on a server within your network.
2. Create a Logstash configuration file (e.g., fortigate.conf) to define the input (Fortigate logs), filter (parsing and formatting), and output (sending to SIEM) sections.

Example: fortigate.conf

input {
  # Listen for the syslog messages the Fortigate sends (must match the port in the firewall config)
  udp {
    port => 5140
  }
}
filter {
  # Re-parse the receive time into siem_timestamp using the configured offset
  mutate { copy => { "@timestamp" => "timestampnew" } }
  mutate { convert => { "timestampnew" => "string" } }
  mutate { gsub => [ "timestampnew", "Z", "" ] }
  date {
    match => [ "timestampnew", "ISO8601", "yyyyMMdd HH:mm:ss.SSS" ]
    target => "siem_timestamp"
    locale => "en"
    timezone => "-0530"
  }
  # Strip the syslog <PRI> header and keep the rest as the message
  grok {
    match => [
      "message", "%{SYSLOG5424PRI}%{GREEDYDATA:message}"
    ]
    overwrite => [ "message" ]
  }

  # Fortigate logs are key=value pairs; every parsed key gets the ngfw_ prefix
  kv {
    source => "message"
    prefix => "ngfw_"
  }

  # Copy the firewall fields into the names the SIEM expects
  if [ngfw_srcip] {
    mutate {
      add_field => { "siem_sourceip" => "%{ngfw_srcip}" }
    }
  }
  if [ngfw_dstip] {
    mutate {
      add_field => { "siem_dstip" => "%{ngfw_dstip}" }
    }
  }
  if [ngfw_srcport] {
    mutate {
      add_field => { "sourceport" => "%{ngfw_srcport}" }
    }
  }
  if [ngfw_url] {
    mutate {
      add_field => { "request" => "%{ngfw_url}" }
    }
  }
  # Tag private/reserved source addresses; only public IPv4 sources are geolocated
  if [siem_sourceip] {
    cidr {
      address => [ "%{siem_sourceip}" ]
      network => [
        "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
        "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
        "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
        "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
        "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
        "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
        "::1", "FE80::/10", "FF00::/8"
      ]
      add_field => { "iptype" => "privateip" }
    }
    if [siem_sourceip] =~ /^(?:\d{1,3}\.){3}\d{1,3}$/ and "privateip" not in [iptype] {
      if [siem_sourceip] !~ /^0\.0\.0\.0$/ {
        mutate { add_field => { "iptype" => "publicip" } }
        geoip {
          source => "siem_sourceip"
        }
      }
    }
  }
  # Expose the firewall's message text as an event tag
  if [ngfw_msg] {
    mutate {
      add_tag => [ "%{ngfw_msg}" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "fortigate-%{+YYYY.MM}"
  }
}
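To check what the filter chain above produces before pointing a live firewall at Logstash, here is an added Python emulation of its grok, kv, field-mapping and cidr/geoip gating logic (written for this article, not part of the original page or of Logstash); the sample log line is constructed, and the network list is the one the cidr filter uses.

```python
"""Offline emulation of the fortigate.conf filter chain (grok -> kv -> mutate -> cidr gate)."""
import ipaddress
import re

# Same network list the cidr filter uses to tag siem_sourceip as privateip.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
    "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
    "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]

PRI_RE = re.compile(r"^<(\d{1,3})>")                 # %{SYSLOG5424PRI}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # kv filter: key=value or key="quoted value"
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")     # the publicip gate's IPv4 regex

# Constructed sample in Fortigate key=value syslog format (not a real device's output).
SAMPLE_LINE = ('<189>date=2024-01-15 time=10:22:33 devname="FGT-EDGE" type="traffic" '
               'srcip=10.1.2.3 srcport=51234 dstip=203.0.113.10 dstport=443 '
               'action="accept" msg="Traffic allowed"')


def classify_ip(addr: str):
    """cidr filter plus the publicip gate: privateip, publicip, or None (0.0.0.0 / unparseable)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if any(ip in net for net in PRIVATE_NETS):      # v4 address is never "in" a v6 network
        return "privateip"
    if IPV4_RE.match(addr) and addr != "0.0.0.0":
        return "publicip"                            # geoip would run only for this branch
    return None


def parse_fortigate_line(line: str) -> dict:
    """Return the event the Logstash pipeline would build from one raw syslog line."""
    event = {}
    body = PRI_RE.sub("", line, count=1)             # grok: drop <PRI>, keep the rest as message
    for key, quoted, bare in KV_RE.findall(body):    # kv with prefix => "ngfw_"
        event["ngfw_" + key] = quoted if quoted else bare
    # The conditional mutate blocks: copy firewall fields into the SIEM's canonical names.
    for src, dst in (("ngfw_srcip", "siem_sourceip"), ("ngfw_dstip", "siem_dstip"),
                     ("ngfw_srcport", "sourceport"), ("ngfw_url", "request")):
        if src in event:
            event[dst] = event[src]
    if "siem_sourceip" in event:
        event["iptype"] = classify_ip(event["siem_sourceip"])
    if "ngfw_msg" in event:
        event["tags"] = [event["ngfw_msg"]]          # add_tag => ["%{ngfw_msg}"]
    return event


if __name__ == "__main__":
    for k, v in sorted(parse_fortigate_line(SAMPLE_LINE).items()):
        print(f"{k} = {v}")
```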

Step 3: Start Logstash

Execute Logstash using the created configuration file:

bin/logstash -f /path/to/fortigate.conf

Step 4: Configure SIEM to Ingest Data

Configure your SIEM solution (e.g., ELK Stack, Splunk, AlienVault, etc.) to ingest data from Logstash:

1. Access the SIEM’s web interface.
2. Set up an input source that receives the events Logstash emits from its output section (in the example, the Elasticsearch endpoint on 127.0.0.1:9200; port 5140 is the UDP port on which Logstash itself listens for the firewall).
3. Configure parsing rules and mappings to match the Logstash-filtered logs.

Step 5: Monitor and Analyze

Once the setup is complete, the SIEM will start receiving and analyzing Fortigate Firewall logs. You can now monitor real-time security events, generate reports, and set up alerts for specific conditions.

Conclusion

Integrating Fortigate Firewalls with a SIEM solution through Logstash parsing can significantly enhance an organization’s cybersecurity posture. By centralizing log data, organizations gain greater visibility into their network, making it easier to detect and respond to potential threats.

The step-by-step guide outlined in this article should help you get started on this journey towards improved security and compliance.
