Alerting on events not parsed by default by InsightIDR

rjorgensen · December 17, 2021, 2:22pm

Hi everyone,

Just want to check with other peers about InsightIDR functionality. IDR do not seem to be able to parse all events that is sent from our Fortinet Firewall (FortiGate) via syslog to it and I have events i would like to create queries and cards for.

Is it correct that I cannot create a query based on raw logs that comes in from the FortiGate for events such as creation or deletion of an admin account or creation of a new firewall policy.

A little bit like what i understand Solarwinds Event Manager can do.

david_smith · December 17, 2021, 2:33pm

You certainly can create queries against raw or unparsed logs, its also recommended to use the custom parser to create easy to use KVPs Custom Parsing Tool | InsightIDR Documentation

rjorgensen · December 17, 2021, 3:47pm

Hi David,

Could you perhaps give me a tip or 2 on what i need to do?

So i have an unparsed log:

<190>date=2021-12-17 time=15:31:23 devname="fw1_dc" devid="FG3H1E5818900637" eventtime=1639755083895932240 tz="+0000" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="r.jorgensen@upp-ltd.com" ui="GUI(81.109.83.50)" action="Add" cfgtid=10944658 cfgpath="firewall.policy" cfgobj="40" cfgattr="status[disable]srcintf[port3]dstintf[port1]srcaddr[all]dstaddr[all]srcaddr6[]dstaddr6[]src-vendor-mac[]action[accept]schedule[always]service[ALL]groups[]users[]fsso-groups[]custom-log-fields[]" msg="Add firewall.policy 40"

I have used the custom parser tool once before. so would you just extract the fields you want and once that is done i can use this for building queries and cards for dashboards?

Do i have to do the custom parsing tool? If i just go to log search and look under RAW and find my firewall, i can see the entries in a table form. Just in case i dont need to create the custom parsing tool entry

david_smith · December 17, 2021, 5:36pm

Hi Ronnie,

I replied to your thread in the support case you raised, but as you mentioned you see these keys in the table form, therefore you can use key comparison operators to build alerts and dashboards.

David