Collect FortiWeb WAF logs
This document describes how you can collect the FortiWeb web application firewall (WAF) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations overview.
An ingestion label identifies the parser which normalizes raw log data to structured
UDM format. The information in this document applies to the parser with the
FORTINET_FORTIWEB
ingestion label.
Configure the FortiWeb WAF logs
To configure the FortiWeb WAF to send logs to a Google Security Operations forwarder, do the following:
Create a syslog policy
- Sign in to the Fortinet FortiWeb console.
- In the Fortinet FortiWeb console, select Log & report > Log policy > Syslog policy.
- Click Create new.
In the New syslog policy window that appears, do the following:
- In the Policy name field, specify a name for the policy that you want to use in the configuration.
- In the IP address field, specify the IP address or hostname for the remote syslog server.
- In the Port field, specify the port for the syslog server.
- Clear the Enable CSV format checkbox, if it is selected.
Click OK.
Enable the syslog types and log level
- In the Fortinet FortiWeb console, select Log & report > Log config > Global log settings.
In the Global log settings window that appears, select the Syslog checkbox and do the following:
- In the Syslog policy list, select the syslog policy that you created earlier.
- In the Log level list, choose the minimum severity level for logs to collect.
- In the Facility list, select the log facility.
Click Apply.
Create a trigger
- In the Fortinet FortiWeb console, select Log & report > Log policy > Trigger policy.
- Click Create new.
In the New trigger policy window that appears, do the following:
- In the Policy name field, specify a name for the policy that you want to use in the configuration.
- In the Syslog policy list, select the syslog policy that you created earlier.
Click OK.
Update your syslog policy with the newly created trigger to ensure all required events are logged to Google Security Operations syslog forwarder.
Configure the Google Security Operations forwarder to ingest FortiWeb WAF logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select Fortinet Web Application Firewall as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
- Protocol: specify the connection protocol that the collector uses to listen to syslog data.
- Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
- Port: specify the target port where the collector resides and listens to syslog data.
- Click Submit.
For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser handles logs from FORTINET FORTIWEB in key-value (KV) format, transforming them into UDM. It processes both CEF and non-CEF formatted logs, extracting fields, normalizing values, and mapping them to the appropriate UDM fields based on the log format.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
action |
additional.fields[].value.string_value |
Value is directly mapped. |
action |
security_result.action_details |
If action is "Allow" or "accept", security_result.action_details is set to "ALLOW". If action is "Denied", "deny", "block", or "Block", security_result.action_details is set to "BLOCK". |
app |
network.application_protocol |
Value is directly mapped after being uppercased. Only if value is one of HTTPS, HTTP, DNS, DHCP, SMB. |
app_name |
additional.fields[].key |
Key is set to "appName". |
app_name |
additional.fields[].value.string_value |
Value is directly mapped. |
backend_service |
additional.fields[].key |
Key is set to "backend_service". |
backend_service |
additional.fields[].value.string_value |
Value is directly mapped. |
cat |
security_result.category_details |
Value is directly mapped. |
client_level |
security_result.category |
If client_level is "Malicious", security_result.category is set to "NETWORK_MALICIOUS". |
cn1 |
additional.fields[].value.string_value |
Mapped to threatWeight field. |
cn1Label |
additional.fields[].key |
Key is set to cn1Label value. |
cn2 |
additional.fields[].value.string_value |
Mapped to length field. |
cn2Label |
additional.fields[].key |
Key is set to cn2Label value. |
cn3 |
additional.fields[].value.string_value |
Mapped to signatureID field. |
cn3Label |
additional.fields[].key |
Key is set to cn3Label value. |
cs1 |
additional.fields[].value.string_value |
Value is directly mapped. |
cs1Label |
additional.fields[].key |
Key is set to cs1Label value. |
cs1 |
principal.user.product_object_id |
Value is directly mapped when cs1Label matches "userID" (case-insensitive). |
cs2 |
additional.fields[].value.string_value |
Value is directly mapped. |
cs2Label |
additional.fields[].key |
Key is set to cs2Label value. |
cs2 |
principal.user.userid |
Value is directly mapped when cs2Label matches "userName" (case-insensitive) and suid is empty. |
cs3 |
additional.fields[].value.string_value |
Value is directly mapped. |
cs3Label |
additional.fields[].key |
Key is set to cs3Label value. |
cs3 |
metadata.severity |
Value is directly mapped when cs3Label is "level" and cs3 is not empty. |
cs4 |
additional.fields[].value.string_value |
Mapped to subType field. |
cs4Label |
additional.fields[].key |
Key is set to cs4Label value. |
cs5 |
additional.fields[].value.string_value |
Mapped to threatLevel field. |
cs5Label |
additional.fields[].key |
Key is set to cs5Label value. |
cs6 |
additional.fields[].value.string_value |
Mapped to owaspTop10 field. |
cs6Label |
additional.fields[].key |
Key is set to cs6Label value. |
date |
metadata.event_timestamp.seconds |
Combined with time and parsed to generate epoch seconds. |
dev_id |
principal.resource.id |
Value is directly mapped. |
devname |
principal.resource.name |
Value is directly mapped. |
device_event_class_id |
metadata.product_event_type |
Used in CEF parsing. |
device_product |
metadata.product_name |
Used in CEF parsing. |
device_vendor |
metadata.vendor_name |
Used in CEF parsing. |
device_version |
metadata.product_version |
Used in CEF parsing. |
dhost |
target.hostname |
Value is directly mapped. |
dpt |
target.port |
Value is directly mapped and converted to integer. |
dst |
target.ip |
Value is directly mapped. |
dst_port |
target.port |
Value is directly mapped and converted to integer. |
dstepid |
target.process.pid |
Value is directly mapped. |
dsteuid |
target.user.userid |
Value is directly mapped. |
event_name |
metadata.product_event_type |
Used in CEF parsing. |
http_agent |
network.http.parsed_user_agent |
Value is parsed as a user agent string. |
http_method |
network.http.method |
Value is directly mapped. |
http_refer |
network.http.referral_url |
Value is directly mapped. |
http_session_id |
network.session_id |
Value is directly mapped. |
http_url |
target.url |
Value is directly mapped. |
http_version |
metadata.product_version |
Value is directly mapped. |
length |
additional.fields[].key |
Key is set to "length". |
length |
additional.fields[].value.string_value |
Value is directly mapped. |
log_type |
metadata.log_type |
Hardcoded to "FORTINET_FORTIWEB". |
main_type |
additional.fields[].key |
Key is set to "mainType". |
main_type |
additional.fields[].value.string_value |
Value is directly mapped. |
message |
Various fields | Parsed using grok and kv filters to extract different fields. |
ml_allow_method |
additional.fields[].key |
Key is set to "ml_allow_method". |
ml_allow_method |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_arg_dbid |
additional.fields[].key |
Key is set to "ml_arg_dbid". |
ml_arg_dbid |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_domain_index |
additional.fields[].key |
Key is set to "ml_domain_index". |
ml_domain_index |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_log_arglen |
additional.fields[].key |
Key is set to "ml_log_arglen". |
ml_log_arglen |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_log_hmm_probability |
additional.fields[].key |
Key is set to "ml_log_hmm_probability". |
ml_log_hmm_probability |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_log_sample_arglen_mean |
additional.fields[].key |
Key is set to "ml_log_sample_arglen_mean". |
ml_log_sample_arglen_mean |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_log_sample_prob_mean |
additional.fields[].key |
Key is set to "ml_log_sample_prob_mean". |
ml_log_sample_prob_mean |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_svm_accuracy |
additional.fields[].key |
Key is set to "ml_svm_accuracy". |
ml_svm_accuracy |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_svm_log_main_types |
additional.fields[].key |
Key is set to "ml_svm_log_main_types". |
ml_svm_log_main_types |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_svm_log_match_types |
additional.fields[].key |
Key is set to "ml_svm_log_match_types". |
ml_svm_log_match_types |
additional.fields[].value.string_value |
Value is directly mapped. |
ml_url_dbid |
additional.fields[].key |
Key is set to "ml_url_dbid". |
ml_url_dbid |
additional.fields[].value.string_value |
Value is directly mapped. |
monitor_status |
additional.fields[].key |
Key is set to "monitor_status". |
monitor_status |
additional.fields[].value.string_value |
Value is directly mapped. |
msg |
metadata.description |
Value is directly mapped. |
owasp_top10 |
additional.fields[].key |
Key is set to "owaspTop10". |
owasp_top10 |
additional.fields[].value.string_value |
Value is directly mapped. |
principal_app |
principal.application |
Value is directly mapped. |
principal_host |
principal.hostname |
Value is directly mapped. |
proto |
network.ip_protocol |
Value is directly mapped after being uppercased. |
request |
target.url |
Value is directly mapped. |
requestMethod |
network.http.method |
Value is directly mapped. |
rt |
metadata.event_timestamp.seconds |
Parsed as milliseconds since epoch and converted to seconds. |
security_result.severity |
security_result.severity |
Derived from severity_level . Mapped to different UDM severity values based on the raw log value. Defaults to UNKNOWN_SEVERITY if no match is found. |
server_pool_name |
additional.fields[].key |
Key is set to "server_pool_name". |
server_pool_name |
additional.fields[].value.string_value |
Value is directly mapped. |
service |
network.application_protocol |
Value is directly mapped after being uppercased. |
service |
target.application |
Value is directly mapped after being uppercased if it's not one of HTTPS, HTTP, DNS, DHCP, or SMB. |
severity |
security_result.severity |
If severity is empty and cs3Label is "level", the value of cs3 is used. Then mapped to a UDM severity value (LOW, HIGH, etc.). |
signature_id |
security_result.rule_id |
Value is directly mapped. |
signature_subclass |
security_result.detection_fields[].key |
Key is set to "signature_subclass". |
signature_subclass |
security_result.detection_fields[].value |
Value is directly mapped. |
src |
principal.ip |
Value is directly mapped. |
src_country |
principal.location.country_or_region |
Value is directly mapped. |
src_ip |
principal.ip |
Value is directly mapped. |
src_port |
principal.port |
Value is directly mapped and converted to integer. |
srccountry |
principal.location.country_or_region |
Value is directly mapped. |
sub_type |
additional.fields[].key |
Key is set to "subType". |
sub_type |
additional.fields[].value.string_value |
Value is directly mapped. |
subtype |
target.resource.resource_subtype |
Value is directly mapped. |
suid |
principal.user.userid |
Value is directly mapped. |
threat_level |
additional.fields[].key |
Key is set to "threatLevel". |
threat_level |
additional.fields[].value.string_value |
Value is directly mapped. |
threat_weight |
security_result.detection_fields[].key |
Key is set to "threat_weight". |
threat_weight |
security_result.detection_fields[].value |
Value is directly mapped. |
time |
metadata.event_timestamp.seconds |
Combined with date and parsed to generate epoch seconds. |
user_id |
principal.user.product_object_id |
Value is directly mapped. |
user_name |
additional.fields[].key |
Key is set to "userName". |
user_name |
additional.fields[].value.string_value |
Value is directly mapped. |
user_name |
principal.user.userid |
Value is directly mapped. |
N/A | metadata.event_type |
Set to "NETWORK_CONNECTION" if both principal.ip and target.ip are present. Set to "USER_UNCATEGORIZED" if principal.ip and principal.user are present. Set to "STATUS_UPDATE" if only principal.ip is present. Otherwise, set to "GENERIC_EVENT". |
N/A | metadata.log_type |
Hardcoded to "FORTINET_FORTIWEB". |
N/A | metadata.product_name |
Hardcoded to "FORTINET FORTIWEB" or "FortiWEB Cloud" based on the log format. |
N/A | metadata.vendor_name |
Hardcoded to "FORTINET" or "Fortinet" based on the log format. |
N/A | principal.resource.resource_type |
Hardcoded to "DEVICE" if dev_id is present. |
Changes
2024-01-09
- Added support for CEF format logs.
- Added a Grok pattern to match new format of CEF logs.
- Mapped "principal_hostnamne" to "principal.hostname".
- Mapped "principal.app" to "principal.application".
2023-05-18
- Newly created parser.