Alerting on events not parsed by default by InsightIDR

Hi everyone,

Just want to check with other peers about InsightIDR functionality. IDR do not seem to be able to parse all events that is sent from our Fortinet Firewall (FortiGate) via syslog to it and I have events i would like to create queries and cards for.

Is it correct that I cannot create a query based on raw logs that comes in from the FortiGate for events such as creation or deletion of an admin account or creation of a new firewall policy.

A little bit like what i understand Solarwinds Event Manager can do.

You certainly can create queries against raw or unparsed logs, its also recommended to use the custom parser to create easy to use KVPs Custom Parsing Tool | InsightIDR Documentation

Hi David,

Could you perhaps give me a tip or 2 on what i need to do?

So i have an unparsed log:

<190>date=2021-12-17 time=15:31:23 devname="fw1_dc" devid="FG3H1E5818900637" eventtime=1639755083895932240 tz="+0000" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="" ui="GUI(" action="Add" cfgtid=10944658 cfgpath="firewall.policy" cfgobj="40" cfgattr="status[disable]srcintf[port3]dstintf[port1]srcaddr[all]dstaddr[all]srcaddr6[]dstaddr6[]src-vendor-mac[]action[accept]schedule[always]service[ALL]groups[]users[]fsso-groups[]custom-log-fields[]" msg="Add firewall.policy 40"

I have used the custom parser tool once before. so would you just extract the fields you want and once that is done i can use this for building queries and cards for dashboards?

Do i have to do the custom parsing tool? If i just go to log search and look under RAW and find my firewall, i can see the entries in a table form. Just in case i dont need to create the custom parsing tool entry :slight_smile:

Hi Ronnie,

I replied to your thread in the support case you raised, but as you mentioned you see these keys in the table form, therefore you can use key comparison operators to build alerts and dashboards.