Where is the appliance name/ip when sending Fortigate (CEF) logs to Sentinel?

Juan Orjuela 1 Reputation point
2020-06-11T04:27:53.417+00:00

I have two different fortigate that stream logs to a CEF collector (linux oms agent). The agent relays the info to logs analytics workspace that has azure sentinel and it does process them. When querying the logs I do not have a way to know from which appliance the event is coming. When I capture what the fortinet is sending (at the cef collector with tcpdump) something similar to this appears: 

Jun 10 22:12:21 APPLIANCE_NAME CEF:0|Fortinet|Fortigate|v6.2.4|00013|traffic:forward close|3|deviceExternalId=FG100D3G15808468 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root FTNTFGTeventtime=1591845141442844111 FTNTFGTtz=-0500 src=192.168.12.7 spt=59648 deviceInboundInterface=port3 FTNTFGTsrcintfrole=undefined dst=99.99.99.99 dpt=995 deviceOutboundInterface=port10 FTNTFGTdstintfrole=wan FTNTFGTsrcuuid=2819709e-a92c-51e7-aaee-8d5fe21947ab FTNTFGTdstuuid=144dd486-1a2e-51e5-ae3c-46083ccbcd10 externalId=110369543 proto=6 act=close FTNTFGTpolicyid=180 FTNTFGTpolicytype=policy FTNTFGTpoluuid=be9f5024-50d3-51e9-ba7c-584c1a07444f app=POP3S FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=88.88.88.88 sourceTranslatedPort=59648 FTNTFGTappid=27561 FTNTFGTapp=POP3S FTNTFGTappcat=Email FTNTFGTapprisk=medium FTNTFGTapplist=SUP_PM_QA_TRAIN FTNTFGTappact=detected FTNTFGTduration=4 out=1503 in=1236 FTNTFGTsentpkt=18 FTNTFGTrcvdpkt=17 FTNTFGTutmaction=allow FTNTFGTcountapp=1

but APPLIANCE_NAME and IP is not recorded in the event that appears in the logs analytcis workspace

Is there any way to display that info?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,826 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
990 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Saurabh Sharma 23,751 Reputation points Microsoft Employee
    2020-06-12T00:11:13.027+00:00

    @Juan Orjuela When I check the FortiGate document, I do not see any appliance_name field and Appliance_Name seems hostname of the fortigate. Also, there is no IP field gets exported to CEF log field as per the documentation. (see screenshot below).
    9810-fortis-cef-log.png

    Do you get Appliance_Name anywhere in the logs which you want to get sent to Sentinel ?

    0 comments
  2. Juan Orjuela 1 Reputation point
    2020-06-12T02:33:58.85+00:00

    I started logging to a file from rsyslog also and this is what I get: 

    Jun 11 21:21:18 XXXXX_Miami CEF: 0|Fortinet|Fortigate|v6.2.3|00020|traffic:forward accept|3|deviceExternalId=FGT3HD3915805616 FTNTFGTlogid=0000000020 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root FTNTFGTeventtime=1591928479063045578 FTNTFGTtz=-0500 src=192.168.5.55 spt=59415 deviceInboundInterface=port2 FTNTFGTsrcintfrole=lan dst=10.208.88.30 dpt=1433 deviceOutboundInterface=port3 FTNTFGTdstintfrole=undefined FTNTFGTsrcuuid=6512069e-1b00-51e5-da4b-77658b7aee03 FTNTFGTdstuuid=6512069e-1b00-51e5-da4b-77658b7aee03 externalId=116110501 proto=6 act=accept FTNTFGTpolicyid=60 FTNTFGTpolicytype=policy FTNTFGTpoluuid=c2c683a0-c9c2-51e7-097d-3e015d58eaf6 app=MS-SQL FTNTFGTdstcountry=Reserved FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=noop FTNTFGTduration=23503 out=77046 in=89424 FTNTFGTsentpkt=1593 FTNTFGTrcvdpkt=1584 FTNTFGTappcat=unscanned FTNTFGTsentdelta=372 FTNTFGTrcvddelta=372

    So where there is XXXXX_Miami that is the host or the appliance name. This XXXXX_Miami does not appear any where on the logs on azure.

    9904-annotation-2020-06-11-223223.png