8 Replies Latest reply on Jun 22, 2016 7:02 AM by vimalnirwan

    SIEM 9.4.0 || Fortigate firewall version 5 log not parsing


      Hi Team


      ESM version 9.4.0

Before upgrading the version of the firewall I used to get the logs properly, parsed correctly. Recently the security team upgraded the FortiGate firewall from 4.0 to 5.0, and since then the logs are not getting parsed properly. Kindly help.


Before upgrading I used to get all these types of logs from the FortiGate firewall.


      Signature ID    Description
      355-1025152     FortiGate_UTM ADMINISTRATION An administrator failed to login
      355-2           TRAFFIC ALLOWED Traffic was allowed
      355-2400660487  snmp_decoder: SNMP.Restricted.OID
      355-2602994561  netbios: NBTStat.Query
      355-3           TRAFFIC VIOLATION Traffic violation
      355-3010399241  applications3: VxWorks.WDB.Agent.Debug.Service.Code.Execution
      355-32001       EVENT-ADMIN An administrator successfully logged into the FortiGate unit
      355-32003       EVENT-ADMIN An administrator was successfully logged out
      355-32400       EVENT-ADMIN The configuration changed
      355-37903       EVENT-HA The primary unit's synchronization status
      355-3929254537  DoS: Avahi.NULL.UDP.Packet.DoS
      355-39424       EVENT-SSL-VPN USER An SSL-VPN web access user has logged into the system
      355-39425       EVENT-SSL-VPN USER An SSL-VPN tunnel was shut down
      355-39426       EVENT-SSL-VPN USER An SSL VPN user has failed to log in
      355-39937       EVENT-SSL-VPN SESSION An SSL VPN web application was blocked
      355-39947       EVENT-SSL-VPN SESSION An SSL VPN tunnel was established
      355-39948       EVENT-SSL-VPN SESSION The SSL VPN tunnel was shut down
      355-4           TRAFFIC TRAFFIC - OTHER Misc traffic event
      355-40704       EVENT-PERF-HISTORICAL Performance statistics for the FortiGate unit
      355-41000       EVENT-PATTERN The specified administrator successfully updated a database
      355-43776       EVENT-NAC-QUARANTINE A NAC quarantine event was recorded
      355-44545       EVENT-CONFIG Configuration object message
      355-44547       EVENT-CONFIG Configuration object attributes message
      355-5           TRAFFIC OTHER ICMP allowed
      355-6           TRAFFIC OTHER Internal ICMP traffic denied
      355-7           TRAFFIC OTHER External ICMP traffic denied


      After upgrading the firewall to version 5 I'm getting only the two logs below; the syslog settings of the ESM and of the firewall stay the same as before.


      355-13          TRAFFIC Traffic forward message
      355-14          TRAFFIC Traffic local message
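A check worth running before treating this as a SIEM parser problem: look at the raw syslog the upgraded FortiGate is sending and count records per type/subtype. If only type=traffic records arrive, the firewall's log filters are the issue, not the ESM rules. The script below is an added example, not code from the thread, from McAfee or from Fortinet. It assumes the FortiOS 5 key=value syslog format (values may be double-quoted and contain spaces), a leading syslog <PRI> on each line, and that the numbers after "355-" in the post (13, 14, 32001) are the last five digits of the FortiOS logid with leading zeros dropped; the sample lines are constructed, and the full 10-digit logid values in them are assumed.

```python
import re
import shlex
from collections import Counter

# Constructed sample lines (not captured from a real device) in the FortiOS 5
# key=value syslog format assumed here. The suffixes 13, 14 and 32001 match
# IDs quoted in the post; the surrounding 10-digit logid values and the
# syslog <PRI> prefix are assumptions.
SAMPLE_LINES = [
    '<189>date=2016-06-22 time=07:02:00 devname=FGT-EDGE devid=FGT60C0000000001 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=root '
    'srcip=10.1.1.5 srcport=51000 dstip=93.184.216.34 dstport=443 proto=6 '
    'action=accept policyid=7 sentbyte=1200 rcvdbyte=5400',
    '<189>date=2016-06-22 time=07:02:01 devname=FGT-EDGE devid=FGT60C0000000001 '
    'logid=0000000014 type=traffic subtype=local level=notice vd=root '
    'srcip=10.1.1.9 dstip=10.1.1.1 dstport=161 proto=17 action=deny',
    '<190>date=2016-06-22 time=07:02:05 devname=FGT-EDGE devid=FGT60C0000000001 '
    'logid=0100032001 type=event subtype=system level=information vd=root '
    'user="admin" ui="https(10.1.1.9)" action=login status=success '
    'msg="Administrator admin logged in successfully from https(10.1.1.9)"',
]

PRI_PREFIX = re.compile(r"^<\d{1,3}>\s*")


def parse_fortios_line(line):
    """Split one FortiOS key=value line into a dict.

    Values may be double-quoted and contain spaces (msg="..."), so the line is
    tokenised with shlex instead of str.split. A leading syslog <PRI> is
    dropped. Tokens without '=' are ignored rather than raising, so one odd
    line does not abort a bulk run over a capture.
    """
    body = PRI_PREFIX.sub("", line)
    try:
        tokens = shlex.split(body)
    except ValueError:  # unbalanced quote inside a free-text value: degrade gracefully
        tokens = body.split()
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def short_log_id(logid):
    """Trailing five digits of a 10-digit logid, without leading zeros.

    Assumption: the post's 355-13 / 355-14 / 355-32001 are FortiOS logids
    0000000013 / 0000000014 / 0100032001 reduced this way. Other rows in the
    post's table (the IPS signature IDs, for instance) need not follow it.
    """
    digits = logid[-5:] if len(logid) == 10 else logid
    return int(digits)


def summarise(lines):
    """Count records per (type, subtype) and collect the distinct logids seen."""
    by_category = Counter()
    log_ids = {}
    for line in lines:
        fields = parse_fortios_line(line)
        if "logid" not in fields:
            continue  # not a FortiOS record; skip it
        category = (fields.get("type", "?"), fields.get("subtype", "?"))
        by_category[category] += 1
        log_ids.setdefault(fields["logid"], category)
    return by_category, log_ids


def missing_types(lines, expected=("traffic", "event", "utm")):
    """Entries of `expected` that never appear as type= in the capture.

    If only 'traffic' is present, the device is not forwarding the other
    categories, which points at the FortiGate's syslog filter rather than
    at the SIEM's parsing rules.
    """
    by_category, _ = summarise(lines)
    seen = {log_type for log_type, _ in by_category}
    return [t for t in expected if t not in seen]


if __name__ == "__main__":
    counts, ids = summarise(SAMPLE_LINES)
    for (log_type, subtype), n in sorted(counts.items()):
        print(f"{log_type:8s} {subtype:8s} {n}")
    for logid, category in sorted(ids.items()):
        print(f"logid={logid} short={short_log_id(logid)} {category}")
    print("types never seen:", missing_types(SAMPLE_LINES))
```

Feed it a capture taken on the SIEM's syslog receiver (for example a few minutes of lines written by the collector, or a tcpdump of UDP/514 decoded to text) instead of SAMPLE_LINES. If event and utm records are present in the raw feed but the ESM still shows only 355-13 and 355-14, the parser is at fault; if they are absent, the upgraded firewall is no longer sending them and the fix is on the FortiGate side.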