QRadar is not receiving syslog from a Fortinet firewall.
It is confirmed that proper logs are being generated on the firewall side.
All RPMs are up to date in QRadar.
After adding the log source in QRadar, it shows 'store' and the proper payload is missing.
Below is the tcpdump output:
[root@xxx-Qradar log]# 13:57:55.075945 IP 172.x.x.x.1655 > 172.x.x.x.514: Flags [F.], seq 1852605543, ack 1187216380, win 15, options [nop,nop,TS val 1389136432 ecr 1394662132], length 0
E..4.X@.?............w..nl.gF.{.....=...... R..0S ..
13:57:55.075966 IP 172.x.x.x1778 >172.x.x.x.514: Flags [S], seq 2762777443, win 14600, options [mss 1460,sackOK,TS val 1389136432 ecr 0,nop,wscale 10], length 0
-bash: 13:57:55.075945: command not found
E..<)S@.?..................c......9.q.......... R..0.......
qradar.log shows:
Aug 30 13:46:16 ::ffff:172.x.x.x [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0000006000][172.x.x.x/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 172.x.x.x
Can anyone please give your inputs on this?
Answer by Ankitece1028 (26) | Aug 30, 2018 at 09:06 AM
Hi @VinokM, Fortinet logging has a /reliable/ parameter. Check with the firewall admin on this. When it's enabled, it sends out logs over the TCP protocol; when disabled, it uses UDP.
See if you can disable it just for giggles and see if anything is flashing in QRadar.
Here is the sample config on Fortinet:
config log syslogd setting
    set status enable
    set server "10.160.0.171"
    set reliable enable
    set port 601
end
It sends logs on TCP 601 (not the default syslog port), so you can try changing it to 514 first and then disabling the reliable field.
Hope this helps! Let me know the results. Regards, Ankit Rai
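As an added diagnostic example (not part of either post, and not QRadar or Fortinet code): a small Python helper that classifies a raw syslog-over-TCP frame as RFC 6587 octet-counted, newline-delimited (non-transparent) or unrecognized, and extracts facility/severity when it can, which is what you want to know when a TCP collector stores the payload instead of parsing it. The sample frames and the probe port are constructed, not taken from the poster's capture.

```python
"""Classify raw syslog-over-TCP frames by RFC 6587 framing style."""
import re
import socket

PRI_RE = re.compile(rb"<(\d{1,3})>")
# Octet counting: decimal length, one space, then the message starting with PRI.
OCTET_RE = re.compile(rb"^(\d{1,5}) (?=<\d{1,3}>)")


def message_body(data: bytes) -> bytes:
    """Strip an RFC 6587 octet-count prefix if one is present."""
    m = OCTET_RE.match(data)
    return data[m.end():] if m else data


def classify_frame(data: bytes) -> str:
    """Return the framing style of one raw TCP chunk from a syslog sender."""
    m = OCTET_RE.match(data)
    if m:
        declared = int(m.group(1))
        body = data[m.end():]
        return "octet-counted" if len(body) >= declared else "octet-counted (truncated)"
    if PRI_RE.match(data):
        # Non-transparent framing: PRI-led message terminated by a LF trailer.
        return "non-transparent" if data.endswith(b"\n") else "non-transparent (no trailer)"
    return "unrecognized"


def parse_pri(data: bytes):
    """Return (facility, severity) from the PRI field, or None if absent/invalid."""
    m = PRI_RE.match(message_body(data))
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def probe_once(port: int, timeout: float = 30.0) -> str:
    """Accept one TCP connection on 127.0.0.1:port and classify its first chunk."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn:
            return classify_frame(conn.recv(8192))


# Constructed sample frames (hostname and logid are placeholders).
MSG = b"<134>1 2018-08-30T13:46:16Z fgt01 - - - logid=0000000013 msg=test"
SAMPLES = {
    "octet-counted": b"%d %s" % (len(MSG), MSG),
    "non-transparent": MSG + b"\n",
    "unrecognized": b"hello, not syslog\r\n",
}

if __name__ == "__main__":
    for expected, frame in SAMPLES.items():
        print(f"{expected:16} -> {classify_frame(frame)}  pri={parse_pri(frame)}")
```

Point a test sender at probe_once() on an unused local port (an assumed choice, not a QRadar setting) to see which framing the firewall actually emits before changing the log source.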