FortiSIEM Plugin for Log Shipper
This document explains how to configure the FortiSIEM v1.0.0 plugin with the Log Shipper module of the Netskope Cloud Exchange platform. This plugin supports ingestion of Alerts (Compromised Credential, Policy, Malsite, Malware, DLP, Security Assessment, Quarantine, Remediation, UBA, Watchlist, CTEP), Events (Page, Application, Audit, Infrastructure, Network, Incident, Endpoint), Web Transaction data, and CE logs (Debug, Information, Error, Warning) to FortiSIEM in JSON format.
Prerequisites
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
- A Netskope Cloud Exchange tenant with the WebTx plugin already configured.
- A Netskope Cloud Exchange tenant with the Syslog plugin already configured.
- Connectivity to the following host: FortiSIEM Server.
CE Version Compatibility
Netskope CE v4.2.0, v5.0.1
FortiSIEM Plugin Support
The FortiSIEM plugin is used to ingest all the Alert, Events, WebTx, and CE Logs in JSON format to the specified FortiSIEM server. Ingestion in CEF format is not supported.
| Data Type | Supported |
| --- | --- |
| Event Types | Yes (Audit, Application, Infrastructure, Network, Incident, Page, Endpoint) |
| Alert Types | Yes (DLP, Malware, Policy, Compromised Credential, Malsite, Quarantine, Remediation, Security Assessment, Watchlist, CTEP, UBA) |
| WebTx Support | Yes |
| Syslog CE Log Types | Yes (Info, Debug, Warning, Error) |
API Details
The plugin uses the Python standard library logging module to push data to the FortiSIEM collector.
Library: logging
This module defines functions and classes which implement a flexible event-logging system for applications and libraries.
The key benefit of having the logging API provided by a standard library module is that all Python modules can participate in logging, so your application log can include your own messages integrated with messages from third-party modules.
Refer to the official documentation for more information on the logging library.
https://docs.python.org/3/library/logging.html
List of Methods Used
Method: logging.getLogger(name=None)
Returns a logger with the specified name or, if the name is None, returns the root logger of the hierarchy.
All calls to this function with a given name return the same logger instance. This means that logger instances never need to be passed between different parts of an application.
Method: setLevel(level)
Sets the threshold for this logger to level. Logging messages that are less severe than the level will be ignored; logging messages that have a severity level or higher will be emitted by whichever handler or handlers service this logger, unless a handler’s level has been set to a higher severity level than the level.
Method: handlers
The list of handlers directly attached to this logger instance.
Note that this attribute should be treated as read-only; it is normally changed via the addHandler() and removeHandler() methods, which use locks to ensure thread-safe operation.
Method: addHandler(hdlr)
Adds the specified handler hdlr to this logger.
Method: removeHandler(hdlr)
Removes the specified handler hdlr from this logger.
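The five calls above, wired together the way a log-shipping handler uses them, as an added example that is not the plugin's own code: a SocketHandler subclass sends one JSON object per line over TCP, setLevel drops records below the threshold, and addHandler/removeHandler install and tear down the handler. The local TCP listener is a constructed stand-in for the FortiSIEM collector, and newline-delimited JSON is an assumed wire format; TCP is used rather than UDP because only a connected transport reports delivery failures.

```python
import json
import logging
import logging.handlers
import socket
import threading

class TcpJsonHandler(logging.handlers.SocketHandler):
    """SocketHandler pickles records by default; ship one JSON object per line instead."""
    def makePickle(self, record):
        payload = record.msg if isinstance(record.msg, dict) else {"message": record.getMessage()}
        return (json.dumps(payload, separators=(",", ":")) + "\n").encode("utf-8")

def build_siem_logger(name, host, port, level=logging.INFO):
    """The getLogger / setLevel / handlers / addHandler / removeHandler calls listed above."""
    logger = logging.getLogger(name)
    logger.setLevel(level)             # records below this severity never reach the handler
    logger.propagate = False           # keep SIEM traffic out of the root logger's handlers
    for old in list(logger.handlers):  # re-running the setup must not stack duplicate handlers
        logger.removeHandler(old)
    logger.addHandler(TcpJsonHandler(host, port))
    return logger

def ship_and_capture(events):
    """Constructed collector stand-in: a local TCP listener records what the logger ships."""
    srv = socket.create_server(("127.0.0.1", 0))
    received = []
    def serve():
        with srv, srv.accept()[0] as conn:      # both sockets close when the listener finishes
            buf = b""
            while chunk := conn.recv(4096):     # read until the handler closes its end
                buf += chunk
        received.extend(json.loads(line) for line in buf.split(b"\n") if line)
    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    logger = build_siem_logger("fortisiem-demo", "127.0.0.1", srv.getsockname()[1])
    for severity, payload in events:       # events are (severity, payload-dict) pairs
        logger.log(severity, payload)
    for handler in list(logger.handlers):  # close the socket so the listener sees EOF
        handler.close()
        logger.removeHandler(handler)
    worker.join(timeout=5)
    return received

def demo():
    return ship_and_capture([  # constructed sample alerts, not real Netskope data
        (logging.INFO, {"alert_type": "dlp", "user": "user@example.com"}),
        (logging.DEBUG, {"alert_type": "trace"}),     # below INFO: dropped by setLevel
        (logging.WARNING, {"alert_type": "malware"}),
    ])
```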
Performance Matrix
These performance readings were taken on a Large Stack CE with the VM specifications below, on the assumption that around 10K events are ingested into the FortiSIEM platform every 2 seconds.
| Metric | Value |
| --- | --- |
| Stack details | Size: Large, RAM: 32 GB, CPU: 16 cores |
| Alerts/Events ingested to SIEM | ~200K EPM |
| WebTx ingested to SIEM | ~6 MBps |
Workflow
- Add Data input on Splunk.
- Configure the FortiSIEM plugin.
- Add a Log Shipper Business Rule for FortiSIEM.
- Add Log Shipper SIEM Mappings for FortiSIEM.
- Validate the FortiSIEM plugin.
Create a Data Input on Splunk
- Log in to your Splunk instance.
- From the dashboard, go to Settings > Data inputs.
- Click Add new for TCP input.
- Add your port and click Next.
- Select the source type if you already have any, or click New to create a new source type.
- Enter the source type. Select the Source Type Category based on your requirement, or keep it as it is.
- Scroll down to Index. If you already have an index that you want to use, select it from the Index dropdown, or click Create a new index. Enter an Index Name and click Save.
- Click Review.
- Click Submit.
- Click Start Searching.
Configure the FortiSIEM Plugin
- In Cloud Exchange, go to Settings > Plugins. Search for and select the FortiSIEM v1.0.0 (CLS) plugin box.
- Add a configuration name, and make sure you have the FortiSIEM Default Mapping file selected.
Notes
- Keep the transform-logs toggle disabled so that logs are sent in JSON, as the plugin only supports ingestion in JSON format.
- The ingestion of Endpoint event type is supported from CE version 5.1.0.
- Click Next and enter values for these parameters:
- FortiSIEM server: IP address/FQDN of the FortiSIEM server into which data will be ingested.
- FortiSIEM Protocol: Protocol to be used while ingesting data.
- FortiSIEM Port: The port used while creating the Data input configuration on Splunk.
- Click Save. Your new plugin will be available on the Log Shipper > Plugins page.
Add a Log Shipper Business Rule for FortiSIEM
- In Log Shipper, go to Business Rules.
- By default, there’s a business rule that filters all alerts and events. If you want to filter out any specific type of alert or event, click Create New Rule and configure a new business rule by adding the rule name and filter.
- Click Save.
Add Log Shipper SIEM Mapping for FortiSIEM
- In Log Shipper, go to SIEM Mappings and click Add SIEM Mapping.
- Select the Source plugin (CLS Netskope), Destination plugin (CLS FortiSIEM), and a business rule. Click Save.
- For WebTx, click Add SIEM Mapping, select the Source plugin (CLS Netskope WebTx), Destination plugin (CLS FortiSIEM), and a business rule. Click Save.
- For Logs sharing, click Add SIEM Mapping, select the Source plugin (CLS Syslog for CE), Destination plugin (CLS FortiSIEM), and a business rule. Click Save.
- After the SIEM mappings are added, the data will start to be pulled from the Netskope tenant, transformed, and ingested into the FortiSIEM platform.
Validate the FortiSIEM Plugin
Validate the Pull
To validate the pulling of Events, Alerts, logs, and WebTx from the Netskope tenant, go to Logging in Netskope CE and search for the pulled logs.
Validate the Push
To validate the plugin workflow on Netskope CE:
Go to Logging and search for ingested Events, Alerts, WebTx, and Logs using the filter "message contains ingested". Only the ingestion log entries will be shown.
To validate the push on the Splunk:
- Log in to Splunk Platform.
- Click Search & Reporting.
- Enter the source, protocol, and port along with the Log Source Identifier (Example: source="tcp:8978" netskopece).
Troubleshooting the FortiSIEM Plugin
An error occurred while configuring the FortiSIEM Plugin
Despite entering all parameters and clicking Save, an error may occur possibly due to one of these reasons:
- The server/port configuration may differ from the specified settings (Netskope CE/Splunk).
- The port is not exposed on the Splunk server.
To resolve these issues, follow these steps:
- In the Splunk Platform, go to Settings and click Data inputs > TCP (the configuration you used). Check that the server and port there match the values entered in the FortiSIEM plugin configuration.
- Expose the Port on the Splunk server.
Error occurred while ingesting data from CE to FortiSIEM
If you are unable to push alerts/events/logs/webtx data on the FortiSIEM platform, it could be due to one of these reasons:
- The Port is deleted/disabled on the FortiSIEM platform.
- The Splunk server storage is full.
To solve these issues, follow these steps:
- Make sure the port is present and enabled, and if not, create a new port.
- Make sure to clean the event data. If not necessary, increase the storage of the Splunk server.
If ingested data is not reflected on the FortiSIEM Platform
If you are unable to view alerts/events/logs/webtx data on the FortiSIEM platform, it could be due to one of these reasons:
- The filter is not correct on the Splunk platform.
- There might be an error that is not reported because UDP was selected as the protocol while configuring the FortiSIEM plugin. With UDP the logs still show as ingested in CE even though delivery failed.
To solve these issues, follow these steps:
- Make sure the data is searched using the correct filter.
- Select TCP as the protocol so that any connection or delivery error is surfaced.