Support Forum
IIQt
New Contributor

FortiAnalyzer / Log Forwarding / Filter / Generic free-text filter - unable to use

Hello!

I am trying to filter logs before sending them to SIEM via Syslog. I can’t filter by text with regular expressions. I am writing the following text in Value:   

 Message = / [A-Z] {3} [a-z] {6} [a-z] {6} [a-z] {2} [A-Z] {3} [a-z] {4} / gm

I'm trying to find text: TCP access denied by ACL from

I attach the screenshot. Has anyone used this functionality? Please help.

localhost
Contributor III

Hi

Are you sure your regex is valid?

Can you post the raw syslog string you are trying to catch and forward?

Described here pretty well how to get it:

https://docs.fortinet.com/document/fortianalyzer/6.0.5/administration-guide/283336/using-the-generic...

I think your regex query is going to look more like this:

msg=\'TCP access denied by ACL from\'

But to be sure, please post the raw syslog entry.

IIQt
New Contributor

I checked the regular expression on the site https://regex101.com/

Event in which I am trying to extract a phrase:

Apr 20 2020 11:01:41: %ASA-3-710003: TCP access denied by ACL from 111.111.111.111/34564 to outside:222.222.222.222/45

Unfortunately, this entry cannot be saved in the filter (msg=\'TCP access denied by ACL from\'). Returns an error "fail to save: invalid value".

The link you sent offers to perform the configuration in the section: Event Manager > Event Monitor > Event Handler List. I guess the meaning is the same, but I planned to perform the configuration in the Log Forwarding section (because it is also allowed there).

localhost
Contributor III

So I spent some time on this, because it might be useful for myself as well at some point. The generic text filter is not a Regex query. It only supports the tilde function (~ and !~) from the glibc regex library. So no full Regex support! The other supported operators are documented here: https://kb.fortinet.com/k....do?externalID=FD36097

I understand you are looking for a forward logging filter, but I only got it working within the Event Handler. The forward logging filter looks bugged to me. I suggest you open a case at Fortinet. Since the generic text filter works fine in the event handler, I don't see any reason why it should be different in the syslog forwarding filter settings.

Also the text field size of just 2-3 chars is very strange.

Sending syslog events with Event Handler: in my case I tried to capture login events on a switch sending syslog events. The syslog entry looks like this on FortiAnalyzer:

date=2020-04-27 time=20:07:44 idseq=191172792102682666 itime=2020-04-27 22:07:44 euid=1 epid=1 dsteuid=1 dstepid=1 level=warning type=generic msg=Apr 27 20:07:53 1.2.3.4 03362 auth: AM2: User 'admin' login from 1.2.3.5 device_id=SYSLOG-AABBCCDD dtime=2020-04-27 20:07:44 itime_t=1588018064 devname=SWITCH01

The Generic Text Filter is: msg ~ "login from"

Your query would be: msg ~ "TCP access denied by ACL from"

This will capture all syslog messages containing the string 'login from' and send an alert to an external syslog server. In case you decide to open a Fortinet support ticket, please let me know what the issue was.
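As an added illustration (not from the thread, and not Fortinet's own code), here is a small Python evaluator for the `field ~ "pattern"` / `field !~ "pattern"` form over FortiAnalyzer key=value records, run on the switch login line quoted above and the ASA line from the question wrapped in the same layout. It assumes Python's `re` is a close enough stand-in for glibc's regex for these simple patterns.

```python
import re
from typing import Dict, List

# Constructed sample records in FortiAnalyzer's key=value layout: the switch
# login line from the thread, and the ASA line from the question wrapped the
# same way (the ASA record's surrounding fields are made up for this example).
RECORDS = [
    "date=2020-04-27 time=20:07:44 level=warning type=generic "
    "msg=Apr 27 20:07:53 1.2.3.4 03362 auth: AM2: User 'admin' login from 1.2.3.5 "
    "device_id=SYSLOG-AABBCCDD devname=SWITCH01",
    "date=2020-04-20 time=11:01:41 level=error type=generic "
    "msg=Apr 20 2020 11:01:41: %ASA-3-710003: TCP access denied by ACL from "
    "111.111.111.111/34564 to outside:222.222.222.222/45 "
    "device_id=SYSLOG-11223344 devname=ASA01",
]

KEY_RE = re.compile(r"(?:^|\s)(\w+)=")
FILTER_RE = re.compile(r'^\s*(\w+)\s*(!~|~)\s*"(.*)"\s*$')


def parse_record(line: str) -> Dict[str, str]:
    """Split a key=value record; a value runs until the next ' key=' token."""
    keys = list(KEY_RE.finditer(line))
    record: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        record[m.group(1)] = line[m.end():end].strip()
    return record


def matches(filter_expr: str, record: Dict[str, str]) -> bool:
    """Evaluate 'field ~ "regex"' or 'field !~ "regex"' against one record.

    Python's re stands in for glibc's POSIX ERE here (assumption); for the
    plain strings and bracket/{n} quantifiers used in the thread they agree.
    Anything that is not of that shape (e.g. msg='...') is rejected, which
    mirrors the 'invalid value' error reported above.
    """
    m = FILTER_RE.match(filter_expr)
    if not m:
        raise ValueError(f"invalid value: {filter_expr!r}")
    field, op, pattern = m.groups()
    hit = re.search(pattern, record.get(field, "")) is not None
    return hit if op == "~" else not hit


def forwarded(filter_expr: str, lines: List[str]) -> List[str]:
    """Return the devnames of the records the filter would let through."""
    return [parse_record(l)["devname"] for l in lines if matches(filter_expr, parse_record(l))]
```

Note that the regex from the question has no spaces between its word classes, so it matches neither sample message, whereas the plain substring form does.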

IIQt
New Contributor

I will open a case at Fortinet. Thanks
