I have a problem with my Fortigate data source. When I add my Fortigate data source... I get only one rule, TRAFFIC Traffic local message, but this isn't good.
Can you help me?
Can you verify that there are logs being sent from the Fortigate that are not being parsed? I recommend turning on "Log Unknown Syslog Event" under the data source to see if there are additional logs being provided that are not being parsed. If so, parsing rules can be created.
McAfee ESM (any version) is not parsing the Fortigate ver 5.x events. It will parse only Fortigate version 4.x. We created a ticket with support and received the answer below for the same.
For more than 1 year McAfee has not provided any solution for Fortigate ver 5.
Fortinet has introduced event ID 13 (description: Traffic Forward). "Forward" is described by Fortinet as traffic that passes through the FortiGate unit. Many events are now categorized as the "Traffic Forward" event that were previously categorized as more granular events.
So our parsing hasn't changed, but the way Fortinet is categorizing the events has, and this is why you are seeing differences.
Note: But in the product supported list they mentioned Fortigate ver. 5. They should remove ver 5 from the list.