Collect FortiWeb WAF logs

This document describes how you can collect the FortiWeb web application firewall (WAF) logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FORTINET_FORTIWEB ingestion label.

Configure the FortiWeb WAF logs

To configure the FortiWeb WAF to send logs to a Google Security Operations forwarder, do the following:

Create a syslog policy

  1. Sign in to the Fortinet FortiWeb console.
  2. In the Fortinet FortiWeb console, select Log & report > Log policy > Syslog policy.
  3. Click Create new.
  4. In the New syslog policy window that appears, do the following:

    • In the Policy name field, specify a name for the policy that you want to use in the configuration.
    • In the IP address field, specify the IP address or hostname for the remote syslog server.
    • In the Port field, specify the port for the syslog server.
    • Clear the Enable CSV format checkbox, if it is selected.
  5. Click OK.

Enable the syslog types and log level

  1. In the Fortinet FortiWeb console, select Log & report > Log config > Global log settings.
  2. In the Global log settings window that appears, select the Syslog checkbox and do the following:

    • In the Syslog policy list, select the syslog policy that you created earlier.
    • In the Log level list, choose the minimum severity level for logs to collect.
    • In the Facility list, select the log facility.
  3. Click Apply.

Create a trigger

  1. In the Fortinet FortiWeb console, select Log & report > Log policy > Trigger policy.
  2. Click Create new.
  3. In the New trigger policy window that appears, do the following:

    • In the Policy name field, specify a name for the policy that you want to use in the configuration.
    • In the Syslog policy list, select the syslog policy that you created earlier.
  4. Click OK.

    Update your syslog policy with the newly created trigger to ensure that all required events are logged to the Google Security Operations syslog forwarder.

Configure the Google Security Operations forwarder to ingest FortiWeb WAF logs

  1. In the Google Security Operations menu, select Settings > Forwarders > Add new forwarder.
  2. In the Forwarder name field, enter a unique name for the forwarder.
  3. Click Submit. The forwarder is added and the Add collector configuration window appears.
  4. In the Collector name field, enter a unique name for the collector.
  5. In the Log type field, specify Fortinet Web Application Firewall.
  6. Select Syslog as the Collector type.
  7. Configure the following input parameters:
    • Protocol: specify the connection protocol that the collector uses to listen to syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
    • Port: specify the target port where the collector resides and listens to syslog data.
  8. Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser handles logs from FORTINET FORTIWEB in key-value (KV) format, transforming them into UDM. It processes both CEF and non-CEF formatted logs, extracting fields, normalizing values, and mapping them to the appropriate UDM fields based on the log format.

UDM Mapping Table

| Log Field | UDM Mapping | Logic |
|---|---|---|
| action | additional.fields[].value.string_value | Value is directly mapped. |
| action | security_result.action_details | If action is "Allow" or "accept", security_result.action_details is set to "ALLOW". If action is "Denied", "deny", "block", or "Block", security_result.action_details is set to "BLOCK". |
| app | network.application_protocol | Value is directly mapped after being uppercased. Only if value is one of HTTPS, HTTP, DNS, DHCP, SMB. |
| app_name | additional.fields[].key | Key is set to "appName". |
| app_name | additional.fields[].value.string_value | Value is directly mapped. |
| backend_service | additional.fields[].key | Key is set to "backend_service". |
| backend_service | additional.fields[].value.string_value | Value is directly mapped. |
| cat | security_result.category_details | Value is directly mapped. |
| client_level | security_result.category | If client_level is "Malicious", security_result.category is set to "NETWORK_MALICIOUS". |
| cn1 | additional.fields[].value.string_value | Mapped to threatWeight field. |
| cn1Label | additional.fields[].key | Key is set to cn1Label value. |
| cn2 | additional.fields[].value.string_value | Mapped to length field. |
| cn2Label | additional.fields[].key | Key is set to cn2Label value. |
| cn3 | additional.fields[].value.string_value | Mapped to signatureID field. |
| cn3Label | additional.fields[].key | Key is set to cn3Label value. |
| cs1 | additional.fields[].value.string_value | Value is directly mapped. |
| cs1Label | additional.fields[].key | Key is set to cs1Label value. |
| cs1 | principal.user.product_object_id | Value is directly mapped when cs1Label matches "userID" (case-insensitive). |
| cs2 | additional.fields[].value.string_value | Value is directly mapped. |
| cs2Label | additional.fields[].key | Key is set to cs2Label value. |
| cs2 | principal.user.userid | Value is directly mapped when cs2Label matches "userName" (case-insensitive) and suid is empty. |
| cs3 | additional.fields[].value.string_value | Value is directly mapped. |
| cs3Label | additional.fields[].key | Key is set to cs3Label value. |
| cs3 | metadata.severity | Value is directly mapped when cs3Label is "level" and cs3 is not empty. |
| cs4 | additional.fields[].value.string_value | Mapped to subType field. |
| cs4Label | additional.fields[].key | Key is set to cs4Label value. |
| cs5 | additional.fields[].value.string_value | Mapped to threatLevel field. |
| cs5Label | additional.fields[].key | Key is set to cs5Label value. |
| cs6 | additional.fields[].value.string_value | Mapped to owaspTop10 field. |
| cs6Label | additional.fields[].key | Key is set to cs6Label value. |
| date | metadata.event_timestamp.seconds | Combined with time and parsed to generate epoch seconds. |
| dev_id | principal.resource.id | Value is directly mapped. |
| devname | principal.resource.name | Value is directly mapped. |
| device_event_class_id | metadata.product_event_type | Used in CEF parsing. |
| device_product | metadata.product_name | Used in CEF parsing. |
| device_vendor | metadata.vendor_name | Used in CEF parsing. |
| device_version | metadata.product_version | Used in CEF parsing. |
| dhost | target.hostname | Value is directly mapped. |
| dpt | target.port | Value is directly mapped and converted to integer. |
| dst | target.ip | Value is directly mapped. |
| dst_port | target.port | Value is directly mapped and converted to integer. |
| dstepid | target.process.pid | Value is directly mapped. |
| dsteuid | target.user.userid | Value is directly mapped. |
| event_name | metadata.product_event_type | Used in CEF parsing. |
| http_agent | network.http.parsed_user_agent | Value is parsed as a user agent string. |
| http_method | network.http.method | Value is directly mapped. |
| http_refer | network.http.referral_url | Value is directly mapped. |
| http_session_id | network.session_id | Value is directly mapped. |
| http_url | target.url | Value is directly mapped. |
| http_version | metadata.product_version | Value is directly mapped. |
| length | additional.fields[].key | Key is set to "length". |
| length | additional.fields[].value.string_value | Value is directly mapped. |
| log_type | metadata.log_type | Hardcoded to "FORTINET_FORTIWEB". |
| main_type | additional.fields[].key | Key is set to "mainType". |
| main_type | additional.fields[].value.string_value | Value is directly mapped. |
| message | Various fields | Parsed using grok and kv filters to extract different fields. |
| ml_allow_method | additional.fields[].key | Key is set to "ml_allow_method". |
| ml_allow_method | additional.fields[].value.string_value | Value is directly mapped. |
| ml_arg_dbid | additional.fields[].key | Key is set to "ml_arg_dbid". |
| ml_arg_dbid | additional.fields[].value.string_value | Value is directly mapped. |
| ml_domain_index | additional.fields[].key | Key is set to "ml_domain_index". |
| ml_domain_index | additional.fields[].value.string_value | Value is directly mapped. |
| ml_log_arglen | additional.fields[].key | Key is set to "ml_log_arglen". |
| ml_log_arglen | additional.fields[].value.string_value | Value is directly mapped. |
| ml_log_hmm_probability | additional.fields[].key | Key is set to "ml_log_hmm_probability". |
| ml_log_hmm_probability | additional.fields[].value.string_value | Value is directly mapped. |
| ml_log_sample_arglen_mean | additional.fields[].key | Key is set to "ml_log_sample_arglen_mean". |
| ml_log_sample_arglen_mean | additional.fields[].value.string_value | Value is directly mapped. |
| ml_log_sample_prob_mean | additional.fields[].key | Key is set to "ml_log_sample_prob_mean". |
| ml_log_sample_prob_mean | additional.fields[].value.string_value | Value is directly mapped. |
| ml_svm_accuracy | additional.fields[].key | Key is set to "ml_svm_accuracy". |
| ml_svm_accuracy | additional.fields[].value.string_value | Value is directly mapped. |
| ml_svm_log_main_types | additional.fields[].key | Key is set to "ml_svm_log_main_types". |
| ml_svm_log_main_types | additional.fields[].value.string_value | Value is directly mapped. |
| ml_svm_log_match_types | additional.fields[].key | Key is set to "ml_svm_log_match_types". |
| ml_svm_log_match_types | additional.fields[].value.string_value | Value is directly mapped. |
| ml_url_dbid | additional.fields[].key | Key is set to "ml_url_dbid". |
| ml_url_dbid | additional.fields[].value.string_value | Value is directly mapped. |
| monitor_status | additional.fields[].key | Key is set to "monitor_status". |
| monitor_status | additional.fields[].value.string_value | Value is directly mapped. |
| msg | metadata.description | Value is directly mapped. |
| owasp_top10 | additional.fields[].key | Key is set to "owaspTop10". |
| owasp_top10 | additional.fields[].value.string_value | Value is directly mapped. |
| principal_app | principal.application | Value is directly mapped. |
| principal_host | principal.hostname | Value is directly mapped. |
| proto | network.ip_protocol | Value is directly mapped after being uppercased. |
| request | target.url | Value is directly mapped. |
| requestMethod | network.http.method | Value is directly mapped. |
| rt | metadata.event_timestamp.seconds | Parsed as milliseconds since epoch and converted to seconds. |
| security_result.severity | security_result.severity | Derived from severity_level. Mapped to different UDM severity values based on the raw log value. Defaults to UNKNOWN_SEVERITY if no match is found. |
| server_pool_name | additional.fields[].key | Key is set to "server_pool_name". |
| server_pool_name | additional.fields[].value.string_value | Value is directly mapped. |
| service | network.application_protocol | Value is directly mapped after being uppercased. |
| service | target.application | Value is directly mapped after being uppercased if it's not one of HTTPS, HTTP, DNS, DHCP, or SMB. |
| severity | security_result.severity | If severity is empty and cs3Label is "level", the value of cs3 is used. Then mapped to a UDM severity value (LOW, HIGH, etc.). |
| signature_id | security_result.rule_id | Value is directly mapped. |
| signature_subclass | security_result.detection_fields[].key | Key is set to "signature_subclass". |
| signature_subclass | security_result.detection_fields[].value | Value is directly mapped. |
| src | principal.ip | Value is directly mapped. |
| src_country | principal.location.country_or_region | Value is directly mapped. |
| src_ip | principal.ip | Value is directly mapped. |
| src_port | principal.port | Value is directly mapped and converted to integer. |
| srccountry | principal.location.country_or_region | Value is directly mapped. |
| sub_type | additional.fields[].key | Key is set to "subType". |
| sub_type | additional.fields[].value.string_value | Value is directly mapped. |
| subtype | target.resource.resource_subtype | Value is directly mapped. |
| suid | principal.user.userid | Value is directly mapped. |
| threat_level | additional.fields[].key | Key is set to "threatLevel". |
| threat_level | additional.fields[].value.string_value | Value is directly mapped. |
| threat_weight | security_result.detection_fields[].key | Key is set to "threat_weight". |
| threat_weight | security_result.detection_fields[].value | Value is directly mapped. |
| time | metadata.event_timestamp.seconds | Combined with date and parsed to generate epoch seconds. |
| user_id | principal.user.product_object_id | Value is directly mapped. |
| user_name | additional.fields[].key | Key is set to "userName". |
| user_name | additional.fields[].value.string_value | Value is directly mapped. |
| user_name | principal.user.userid | Value is directly mapped. |
| N/A | metadata.event_type | Set to "NETWORK_CONNECTION" if both principal.ip and target.ip are present. Set to "USER_UNCATEGORIZED" if principal.ip and principal.user are present. Set to "STATUS_UPDATE" if only principal.ip is present. Otherwise, set to "GENERIC_EVENT". |
| N/A | metadata.log_type | Hardcoded to "FORTINET_FORTIWEB". |
| N/A | metadata.product_name | Hardcoded to "FORTINET FORTIWEB" or "FortiWEB Cloud" based on the log format. |
| N/A | metadata.vendor_name | Hardcoded to "FORTINET" or "Fortinet" based on the log format. |
| N/A | principal.resource.resource_type | Hardcoded to "DEVICE" if dev_id is present. |
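
To check raw non-CEF FortiWeb lines against the mapping rules above before writing detections on them, the following added example (not Google's parser code) applies a subset of the table: action normalization, port conversion, service handling, and the metadata.event_type decision. The flat dotted-key output, the SAMPLE line, and treating service as either a protocol or an application are assumptions made for illustration.

```python
import re

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
APP_PROTOCOLS = {"HTTPS", "HTTP", "DNS", "DHCP", "SMB"}
ALLOW = {"Allow", "accept"}
BLOCK = {"Denied", "deny", "block", "Block"}

def parse_kv(line):
    """Return the key=value pairs of one raw log line as a dict."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def to_udm(raw):
    """Apply a subset of the table's rules; returns flat UDM-path keys."""
    udm = {"metadata.log_type": "FORTINET_FORTIWEB"}
    src = raw.get("src") or raw.get("src_ip")
    dst = raw.get("dst")
    user = raw.get("suid") or raw.get("user_name")
    for field, value in (("principal.ip", src), ("target.ip", dst),
                         ("principal.user.userid", user)):
        if value:
            udm[field] = value
    for key, field in (("src_port", "principal.port"), ("dst_port", "target.port")):
        if raw.get(key, "").isdigit():
            udm[field] = int(raw[key])
    if raw.get("action") in ALLOW:
        udm["security_result.action_details"] = "ALLOW"
    elif raw.get("action") in BLOCK:
        udm["security_result.action_details"] = "BLOCK"
    service = raw.get("service", "").upper()
    if service in APP_PROTOCOLS:
        udm["network.application_protocol"] = service
    elif service:
        udm["target.application"] = service
    # metadata.event_type, checked in the order the table lists.
    if src and dst:
        udm["metadata.event_type"] = "NETWORK_CONNECTION"
    elif src and user:
        udm["metadata.event_type"] = "USER_UNCATEGORIZED"
    elif src:
        udm["metadata.event_type"] = "STATUS_UPDATE"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return udm

# Constructed sample line, not captured from a real device.
SAMPLE = ('date=2024-01-09 time=10:15:00 src=198.51.100.7 src_port=51514 '
          'dst=192.0.2.10 dst_port=443 service=https action=deny '
          'msg="Signature matched"')
```

Calling to_udm(parse_kv(SAMPLE)) yields a NETWORK_CONNECTION event with action details BLOCK; an action value outside the listed spellings leaves security_result.action_details unset, which is worth alerting on when validating a new log source.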

Changes

2024-01-09

  • Added support for CEF format logs.
  • Added a Grok pattern to match new format of CEF logs.
  • Mapped "principal_hostnamne" to "principal.hostname".
  • Mapped "principal.app" to "principal.application".

2023-05-18

  • Newly created parser.