Collect FortiWeb WAF logs

Supported in:

Google SecOps SIEM

This document describes how you can collect the FortiWeb web application firewall (WAF) logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FORTINET_FORTIWEB ingestion label.

Configure the FortiWeb WAF logs

To configure the FortiWeb WAF to send logs to a Google Security Operations forwarder, do the following:

Create a syslog policy.
Enable the syslog types and log level.
Create a trigger.

Create a syslog policy

Sign in to the Fortinet FortiWeb console.
In the Fortinet FortiWeb console, select Log & report > Log policy > Syslog policy.
Click Create new.
In the New syslog policy window that appears, do the following:
- In the Policy name field, specify a name for the policy that you want to use in the configuration.
- In the IP address field, specify the IP address or hostname for the remote syslog server.
- In the Port field, specify the port for the syslog server.
- Clear the Enable CSV format checkbox, if it is selected.
Click OK.

Enable the syslog types and log level

In the Fortinet FortiWeb console, select Log & report > Log config > Global log settings.
In the Global log settings window that appears, select the Syslog checkbox and do the following:
- In the Syslog policy list, select the syslog policy that you created earlier.
- In the Log level list, choose the minimum severity level for logs to collect.
- In the Facility list, select the log facility.
Click Apply.

Create a trigger

In the Fortinet FortiWeb console, select Log & report > Log policy > Trigger policy.
Click Create new.
In the New trigger policy window that appears, do the following:
- In the Policy name field, specify a name for the policy that you want to use in the configuration.
- In the Syslog policy list, select the syslog policy that you created earlier.
Click OK.

Update your syslog policy with the newly created trigger to ensure all required events are logged to Google Security Operations syslog forwarder.

Configure the Google Security Operations forwarder to ingest FortiWeb WAF logs

In the Google Security Operations menu, select Settings > Forwarders > Add new forwarder.
In the Forwarder name field, enter a unique name for the forwarder.
Click Submit. The forwarder is added and the Add collector configuration window appears.
In the Collector name field, enter a unique name for the collector.
In the Log type field, specify Fortinet Web Application Firewall.
Select Syslog as the Collector type.
Configure the following input parameters:
- Protocol: specify the connection protocol that the collector uses to listen to syslog data.
- Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
- Port: specify the target port where the collector resides and listens to syslog data.
Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser handles logs from FORTINET FORTIWEB in key-value (KV) format, transforming them into UDM. It processes both CEF and non-CEF formatted logs, extracting fields, normalizing values, and mapping them to the appropriate UDM fields based on the log format.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`action`	`additional.fields[].value.string_value`	Value is directly mapped.
`action`	`security_result.action_details`	If `action` is "Allow" or "accept", `security_result.action_details` is set to "ALLOW". If `action` is "Denied", "deny", "block", or "Block", `security_result.action_details` is set to "BLOCK".
`app`	`network.application_protocol`	Value is directly mapped after being uppercased. Only if value is one of HTTPS, HTTP, DNS, DHCP, SMB.
`app_name`	`additional.fields[].key`	Key is set to "appName".
`app_name`	`additional.fields[].value.string_value`	Value is directly mapped.
`backend_service`	`additional.fields[].key`	Key is set to "backend_service".
`backend_service`	`additional.fields[].value.string_value`	Value is directly mapped.
`cat`	`security_result.category_details`	Value is directly mapped.
`client_level`	`security_result.category`	If `client_level` is "Malicious", `security_result.category` is set to "NETWORK_MALICIOUS".
`cn1`	`additional.fields[].value.string_value`	Mapped to threatWeight field.
`cn1Label`	`additional.fields[].key`	Key is set to cn1Label value.
`cn2`	`additional.fields[].value.string_value`	Mapped to length field.
`cn2Label`	`additional.fields[].key`	Key is set to cn2Label value.
`cn3`	`additional.fields[].value.string_value`	Mapped to signatureID field.
`cn3Label`	`additional.fields[].key`	Key is set to cn3Label value.
`cs1`	`additional.fields[].value.string_value`	Value is directly mapped.
`cs1Label`	`additional.fields[].key`	Key is set to cs1Label value.
`cs1`	`principal.user.product_object_id`	Value is directly mapped when `cs1Label` matches "userID" (case-insensitive).
`cs2`	`additional.fields[].value.string_value`	Value is directly mapped.
`cs2Label`	`additional.fields[].key`	Key is set to cs2Label value.
`cs2`	`principal.user.userid`	Value is directly mapped when `cs2Label` matches "userName" (case-insensitive) and `suid` is empty.
`cs3`	`additional.fields[].value.string_value`	Value is directly mapped.
`cs3Label`	`additional.fields[].key`	Key is set to cs3Label value.
`cs3`	`metadata.severity`	Value is directly mapped when `cs3Label` is "level" and `cs3` is not empty.
`cs4`	`additional.fields[].value.string_value`	Mapped to subType field.
`cs4Label`	`additional.fields[].key`	Key is set to cs4Label value.
`cs5`	`additional.fields[].value.string_value`	Mapped to threatLevel field.
`cs5Label`	`additional.fields[].key`	Key is set to cs5Label value.
`cs6`	`additional.fields[].value.string_value`	Mapped to owaspTop10 field.
`cs6Label`	`additional.fields[].key`	Key is set to cs6Label value.
`date`	`metadata.event_timestamp.seconds`	Combined with `time` and parsed to generate epoch seconds.
`dev_id`	`principal.resource.id`	Value is directly mapped.
`devname`	`principal.resource.name`	Value is directly mapped.
`device_event_class_id`	`metadata.product_event_type`	Used in CEF parsing.
`device_product`	`metadata.product_name`	Used in CEF parsing.
`device_vendor`	`metadata.vendor_name`	Used in CEF parsing.
`device_version`	`metadata.product_version`	Used in CEF parsing.
`dhost`	`target.hostname`	Value is directly mapped.
`dpt`	`target.port`	Value is directly mapped and converted to integer.
`dst`	`target.ip`	Value is directly mapped.
`dst_port`	`target.port`	Value is directly mapped and converted to integer.
`dstepid`	`target.process.pid`	Value is directly mapped.
`dsteuid`	`target.user.userid`	Value is directly mapped.
`event_name`	`metadata.product_event_type`	Used in CEF parsing.
`http_agent`	`network.http.parsed_user_agent`	Value is parsed as a user agent string.
`http_method`	`network.http.method`	Value is directly mapped.
`http_refer`	`network.http.referral_url`	Value is directly mapped.
`http_session_id`	`network.session_id`	Value is directly mapped.
`http_url`	`target.url`	Value is directly mapped.
`http_version`	`metadata.product_version`	Value is directly mapped.
`length`	`additional.fields[].key`	Key is set to "length".
`length`	`additional.fields[].value.string_value`	Value is directly mapped.
`log_type`	`metadata.log_type`	Hardcoded to "FORTINET_FORTIWEB".
`main_type`	`additional.fields[].key`	Key is set to "mainType".
`main_type`	`additional.fields[].value.string_value`	Value is directly mapped.
`message`	Various fields	Parsed using grok and kv filters to extract different fields.
`ml_allow_method`	`additional.fields[].key`	Key is set to "ml_allow_method".
`ml_allow_method`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_arg_dbid`	`additional.fields[].key`	Key is set to "ml_arg_dbid".
`ml_arg_dbid`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_domain_index`	`additional.fields[].key`	Key is set to "ml_domain_index".
`ml_domain_index`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_log_arglen`	`additional.fields[].key`	Key is set to "ml_log_arglen".
`ml_log_arglen`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_log_hmm_probability`	`additional.fields[].key`	Key is set to "ml_log_hmm_probability".
`ml_log_hmm_probability`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_log_sample_arglen_mean`	`additional.fields[].key`	Key is set to "ml_log_sample_arglen_mean".
`ml_log_sample_arglen_mean`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_log_sample_prob_mean`	`additional.fields[].key`	Key is set to "ml_log_sample_prob_mean".
`ml_log_sample_prob_mean`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_svm_accuracy`	`additional.fields[].key`	Key is set to "ml_svm_accuracy".
`ml_svm_accuracy`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_svm_log_main_types`	`additional.fields[].key`	Key is set to "ml_svm_log_main_types".
`ml_svm_log_main_types`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_svm_log_match_types`	`additional.fields[].key`	Key is set to "ml_svm_log_match_types".
`ml_svm_log_match_types`	`additional.fields[].value.string_value`	Value is directly mapped.
`ml_url_dbid`	`additional.fields[].key`	Key is set to "ml_url_dbid".
`ml_url_dbid`	`additional.fields[].value.string_value`	Value is directly mapped.
`monitor_status`	`additional.fields[].key`	Key is set to "monitor_status".
`monitor_status`	`additional.fields[].value.string_value`	Value is directly mapped.
`msg`	`metadata.description`	Value is directly mapped.
`owasp_top10`	`additional.fields[].key`	Key is set to "owaspTop10".
`owasp_top10`	`additional.fields[].value.string_value`	Value is directly mapped.
`principal_app`	`principal.application`	Value is directly mapped.
`principal_host`	`principal.hostname`	Value is directly mapped.
`proto`	`network.ip_protocol`	Value is directly mapped after being uppercased.
`request`	`target.url`	Value is directly mapped.
`requestMethod`	`network.http.method`	Value is directly mapped.
`rt`	`metadata.event_timestamp.seconds`	Parsed as milliseconds since epoch and converted to seconds.
`security_result.severity`	`security_result.severity`	Derived from `severity_level`. Mapped to different UDM severity values based on the raw log value. Defaults to `UNKNOWN_SEVERITY` if no match is found.
`server_pool_name`	`additional.fields[].key`	Key is set to "server_pool_name".
`server_pool_name`	`additional.fields[].value.string_value`	Value is directly mapped.
`service`	`network.application_protocol`	Value is directly mapped after being uppercased.
`service`	`target.application`	Value is directly mapped after being uppercased if it's not one of HTTPS, HTTP, DNS, DHCP, or SMB.
`severity`	`security_result.severity`	If `severity` is empty and `cs3Label` is "level", the value of `cs3` is used. Then mapped to a UDM severity value (LOW, HIGH, etc.).
`signature_id`	`security_result.rule_id`	Value is directly mapped.
`signature_subclass`	`security_result.detection_fields[].key`	Key is set to "signature_subclass".
`signature_subclass`	`security_result.detection_fields[].value`	Value is directly mapped.
`src`	`principal.ip`	Value is directly mapped.
`src_country`	`principal.location.country_or_region`	Value is directly mapped.
`src_ip`	`principal.ip`	Value is directly mapped.
`src_port`	`principal.port`	Value is directly mapped and converted to integer.
`srccountry`	`principal.location.country_or_region`	Value is directly mapped.
`sub_type`	`additional.fields[].key`	Key is set to "subType".
`sub_type`	`additional.fields[].value.string_value`	Value is directly mapped.
`subtype`	`target.resource.resource_subtype`	Value is directly mapped.
`suid`	`principal.user.userid`	Value is directly mapped.
`threat_level`	`additional.fields[].key`	Key is set to "threatLevel".
`threat_level`	`additional.fields[].value.string_value`	Value is directly mapped.
`threat_weight`	`security_result.detection_fields[].key`	Key is set to "threat_weight".
`threat_weight`	`security_result.detection_fields[].value`	Value is directly mapped.
`time`	`metadata.event_timestamp.seconds`	Combined with `date` and parsed to generate epoch seconds.
`user_id`	`principal.user.product_object_id`	Value is directly mapped.
`user_name`	`additional.fields[].key`	Key is set to "userName".
`user_name`	`additional.fields[].value.string_value`	Value is directly mapped.
`user_name`	`principal.user.userid`	Value is directly mapped.
N/A	`metadata.event_type`	Set to "NETWORK_CONNECTION" if both `principal.ip` and `target.ip` are present. Set to "USER_UNCATEGORIZED" if `principal.ip` and `principal.user` are present. Set to "STATUS_UPDATE" if only `principal.ip` is present. Otherwise, set to "GENERIC_EVENT".
N/A	`metadata.log_type`	Hardcoded to "FORTINET_FORTIWEB".
N/A	`metadata.product_name`	Hardcoded to "FORTINET FORTIWEB" or "FortiWEB Cloud" based on the log format.
N/A	`metadata.vendor_name`	Hardcoded to "FORTINET" or "Fortinet" based on the log format.
N/A	`principal.resource.resource_type`	Hardcoded to "DEVICE" if `dev_id` is present.

Changes

2024-01-09

Added support for CEF format logs.
Added a Grok pattern to match new format of CEF logs.
Mapped "principal_hostnamne" to "principal.hostname".
Mapped "principal.app" to "principal.application".

2023-05-18

Newly created parser.