Connecting Fortinet to Sentinel

Vano Qochladze 21 Reputation points
2022-09-22T10:36:26.967+00:00

Trying to add Sentinel for Fortinet using a Linux proxy machine following the instructions provided on the Fortinet connector page in the Azure/Sentinel portal.

The omsagent is installed successfully, however when running the troubleshooter (cef_troubleshoot.py), we get an error message saying

Error: agent is not listening to incoming port 25226 please check that the process is up and running and the port is configured correctly.[Use netstat -an | grep [daemon port] to validate the connection or re-run ths script]  

Running netstat -an | grep 25226 returns nothing.

There's not much information on this out there, and what little there is we have tried to no avail.

Here's a snippet of the last few output lines:

Current content of the daemon configuration is:

if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then @@127.0.0.1:25226

rsyslog daemon configuration was found valid.
Trying to restart syslog daemon
Restarting rsyslog daemon - 'sudo service rsyslog restart'
rsyslog daemon restarted.
This will take a few seconds.
sudo: /opt/microsoft/omsagent/bin/service_control: command not found
Omsagent restarted.
This will take a few seconds.
Incoming port grep: 0.0.0.0:514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*

Daemon incoming port 514 is open
Incoming port grep: 25226

Error: agent is not listening to incoming port 25226 please check that the process is up and running and the port is configured correctly.[Use netstat -an | grep [daemon port] to validate the connection or re-run ths script]

Any ideas?

Microsoft Sentinel

Accepted answer
  1. David Broggy 5,681 Reputation points MVP
    2022-09-22T12:58:06.38+00:00

    Hi Vano,
    Did you install the CEF agent?
    It's a separate installation script from the OMS agent.
    I see the Fortinet instructions might be a bit confusing; you may have installed the CEF agent but not the OMS agent as well?

    Here's a typical syslog setup on an Ubuntu Linux server with Palo Alto, but the syslog setup steps should be exactly the same for Fortinet:

    243931-image.png

    The OMS agent can be found in: Log Analytics Workspace > Agents Management > Linux Servers
    eg:
    wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <workspace> -s <key> -d opinsights.azure.com

    1 person found this answer helpful.

1 additional answer

  1. NIJIN C GANGA 0 Reputation points
    2023-09-15T12:09:12.4+00:00

    You need to open TCP/UDP ports 514 and 25226.

    Uncomment or add the configuration below to the syslog.conf file:

    sudo nano /etc/rsyslog.conf

    # provides UDP syslog reception
    module(load="imudp")
    input(type="imudp" port="514")
    input(type="imudp" port="25226")

    # provides TCP syslog reception
    module(load="imtcp")
    input(type="imtcp" port="514")
    input(type="imtcp" port="25226")


    Restart rsyslog

    sudo service rsyslog restart
    

    Run netstat to verify port 25226 is listening.

    sudo netstat -an | grep 25226
    
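The checks the thread keeps coming back to (is something listening on 514 and on 25226, and does the rsyslog rule forward CEF to 127.0.0.1:25226) can be rehearsed offline with the small POSIX shell script below. It is an added example, not part of either answer and not Microsoft's cef_troubleshoot.py. The `netstat -anp` output and the rsyslog configuration fragments embedded in it are constructed samples (PIDs and process names are invented), and the function names `port_listener`, `rsyslog_forward_target`, `rsyslog_binds_port` and `check_collector` are my own. Besides the two listener checks it adds the caveat a practitioner would want after reading the second answer: if rsyslog is itself configured to bind 25226, the forwarding rule printed in the question (`@@127.0.0.1:25226`) delivers CEF events back into rsyslog rather than to the agent, so the script flags that configuration.

```shell
#!/bin/sh
# Added example (not from the thread): offline re-check of what the Sentinel CEF
# troubleshooter looks for on a collector. All sample data below is constructed.

# Constructed `netstat -anp` output for a healthy collector: rsyslog on 514,
# the agent (a ruby/fluentd process, PID invented) on 127.0.0.1:25226.
SAMPLE_NETSTAT_OK='tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      812/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           812/rsyslogd
tcp        0      0 127.0.0.1:25226         0.0.0.0:*               LISTEN      1403/ruby'

# Constructed output matching the question: rsyslog up, nothing on 25226.
SAMPLE_NETSTAT_BROKEN='tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      812/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           812/rsyslogd'

# Constructed rsyslog configuration with the forwarding rule the troubleshooter printed.
SAMPLE_RSYSLOG_CONF='module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then @@127.0.0.1:25226'

# Same configuration plus an imtcp input on 25226: rsyslog would then receive its own forwards.
SAMPLE_RSYSLOG_CONF_LOOP="$SAMPLE_RSYSLOG_CONF
input(type=\"imtcp\" port=\"25226\")"

# port_listener PORT NETSTAT_OUTPUT: print PID/program of the TCP LISTEN socket on PORT (empty if none).
port_listener() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "tcp" && $6 == "LISTEN" && $4 ~ (":" p "$") {
      print ($7 != "" ? $7 : "(owner unknown, run netstat with sudo)"); exit
    }'
}

# rsyslog_forward_target CONF: print the host:port the CEF rule forwards to (empty if there is no rule).
rsyslog_forward_target() {
  printf '%s\n' "$1" | sed -n 's/.*contains "CEF:".*@@\([0-9.]*:[0-9]*\).*/\1/p' | head -n 1
}

# rsyslog_binds_port PORT CONF: succeed if rsyslog is configured to listen on PORT itself,
# either as a RainerScript input(...) or as a legacy $InputTCPServerRun/$InputUDPServerRun line.
rsyslog_binds_port() {
  printf '%s\n' "$2" | grep -Eq \
    -e "^[[:space:]]*input\(type=\"im(tcp|udp)\"[[:space:]]+port=\"$1\"" \
    -e "^[[:space:]]*\\\$Input(TCP|UDP)ServerRun[[:space:]]+$1[[:space:]]*\$"
}

# check_collector NETSTAT_OUTPUT CONF: run every check, print one line per check, return 1 on any failure.
check_collector() {
  rc=0
  owner=$(port_listener 514 "$1")
  if [ -n "$owner" ]; then echo "ok:   514/tcp listener: $owner"
  else echo "FAIL: nothing listening on 514/tcp (rsyslog not running?)"; rc=1; fi

  owner=$(port_listener 25226 "$1")
  if [ -n "$owner" ]; then echo "ok:   25226/tcp listener: $owner"
  else echo "FAIL: nothing listening on 25226/tcp (agent not installed or not started)"; rc=1; fi

  target=$(rsyslog_forward_target "$2")
  if [ "$target" = "127.0.0.1:25226" ]; then echo "ok:   rsyslog forwards CEF to $target"
  else echo "FAIL: no CEF forwarding rule to 127.0.0.1:25226 (found: ${target:-none})"; rc=1; fi

  if rsyslog_binds_port 25226 "$2"; then
    echo "WARN: rsyslog itself binds 25226, so the CEF rule forwards back into rsyslog, not to the agent"
    rc=1
  fi
  return $rc
}

# Demo on the constructed samples. On a real host pass "$(sudo netstat -anp)" and the
# concatenated rsyslog configuration (rsyslog.conf plus the files it includes) instead.
check_collector "$SAMPLE_NETSTAT_OK" "$SAMPLE_RSYSLOG_CONF"
echo "--- agent not running (the situation in the question) ---"
check_collector "$SAMPLE_NETSTAT_BROKEN" "$SAMPLE_RSYSLOG_CONF" || echo "collector unhealthy"
echo "--- rsyslog also bound to 25226 ---"
check_collector "$SAMPLE_NETSTAT_OK" "$SAMPLE_RSYSLOG_CONF_LOOP" || echo "collector unhealthy"
```

The PID/program column that identifies who owns the 25226 listener only appears when netstat runs as root, which is why the accepted answer's distinction between the CEF agent and the OMS agent is easiest to confirm with `sudo netstat -anp` rather than the `netstat -an` the troubleshooter suggests.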