Event Handling Settings

This section provides the procedures to configure Event Handling.

Event Dropping

Some devices and applications generate a significant number of logs, which may be very verbose, contain little valuable information, and consume storage resources. You can configure Event Dropping rules that drop events just after they have been received by FortiSIEM, preventing these event logs from being collected and processed. Implementing these rules may require some thought to accurately set the event type, reporting device, and event regular expression match, for example. However, dropped events do not count towards licensed Events per Second (EPS), and are not stored in the Event database. Dropped events also do not appear in reports, and do not trigger rules. You can also specify that events should be dropped but stored, so event information will be available for searches and reports, but will not trigger rules. An example of an event type that you might want to store but not have trigger any rules would be an IPS event that is a false positive.

  1. Go to ADMIN > General Settings > Event Handling > Dropping tab.
  2. Click New.
  3. Click the drop-down next to Reporting Device and browse the folders to select the device group or individual devices for which you need to create a rule.
  4. Click Save.
  5. Click the drop-down next to Event Type and browse the folders to find the group of event types, or a specific event type for which you need to create a rule.
  6. Click Save.
  7. Enter Source IP or Destination IP that you want to filter. The value can be IP range.
  8. Select the Action that should be taken when the event dropping rule is triggered.
  9. For Regex Filter, enter any regular expressions you want to use to filter the log files. 
    If any matches are made against your regular expression, then the event will be dropped.
  10. Enter any Description for the rule. 
  11. Click Save.

Notes:

  • All matching rules are implemented by FortiSIEM, and inter-rule order is not important. If you create a duplicate of an event dropping rule, the first rule is in effect.
  • If you leave a rule definition field blank, then that field is not evaluated. For example, leaving Event Type blank is the same as selecting All Event Types.
  • FortiSIEM drops the event at the first entry point. If your deployment uses Collectors, events are dropped by the Collectors. If your deployment doesn't use Collectors, then the event will be dropped by the Worker or Supervisor where the event is received.
  • You can use the report System Event Processing Statistics to view the statistics for dropped events. When you run the report, select AVG(Policy Dropped Event Rate (/sec)) as one of the dimensions for Chart to see events that have been dropped by this policy.

Event Forwarding

In systems management, many servers may need to receive logs, traps and Netflows from network devices and servers, but it is often resource intensive for those network devices and servers to forward logs, traps and Netflows to multiple destinations. For example, most Cisco routers can forward Netflow to two locations at most. However, FortiSIEM can forward/relay specific logs, traps and Netflows to one or more destinations. A Super, Worker or Collector can forward events - the one which receives and parses the event forwards it. If you want to send a log to multiple destinations, you can send it to FortiSIEM, which will use an event forwarding rule to send it to the desired locations.

  1. Go to ADMIN > General Settings > Event Handling > Forwarding tab.
  2. Click New.
  3. Select the Organization for which the rule will apply.
  4. Click the drop-down next to Event Type and browse the folders to find the group of event types, or a specific event type for which you need to create a rule.
  5. Click Save.
  6. Click the drop-down next to Reporting Device and browse the folders to find the group of devices, or a specific device for which you need to create a rule.
  7. Click Save.
  8. Select the Traffic Type to which the rule should apply.
  9. For Source IP, enter the IP address of the device that will be sending the logs.
  10. For Destination IP, enter the IP address of the device to which the logs are sent.
  11. For Severity, select an operator and enter a severity level that must match for the log to be forwarded.
  12. For Regex Filter, enter any regular expressions you want to use to filter the log files. 
    If any matches are made against your regular expression, then the event will be dropped.
  13. Select the Forwarding Protocol from the drop-down.
  14. Enter the IP address in Forwarding to IP.
  15. Select the Port number in Forwarding to Port field.
  16. Click Save.

Notes:

  • If you want the same sender IP to forward events to multiple destinations, create a rule for each destination.
  • FortiSIEM will implement all rules that you create and enable, so if you create a duplicate of an event forwarding rule, two copies of the same log will be sent to the destination IP.

Event Organization Mapping

FortiSIEM can handle reporting devices that are themselves Service Providers and hence include organization names in the events they send. This section describes how to map organization names in external events to those defined on FortiSIEM, so that those events are assigned the correct FortiSIEM organizations.

  1. Go to ADMIN > General Settings > Event Handling > Event Org Mapping.
  2. Click New.
  3. Select or search the Device Type of the sender, from the drop-down.
    This has to be a device type that FortiSIEM understands and whose events it is able to parse.
  4. Select or search the Event Attribute that contains the external organization name, from the drop-down.
    FortiSIEM will map the value in this field to FortiSIEM Organization.
  5. Select or search the Collectors that receive the events, from the drop-down. To include all Collectors, select All Collectors.
  6. Specify the IP/IP Range of the Service Provider devices that are sending events.
    The format of this field is a comma-separated list of IP addresses intermixed with IP ranges, e.g. 10.1.1.1,10.1.1.2,10.10.1.1-10.10.1.250.
  7. Click on any event organization cell to edit.
  8. Click Save.

Note: Do not define overlapping rules - make sure there are no overlaps in (Collector, Reporting IP/Range, Event Attribute) between multiple rules.

Multiline Syslog

Often applications generate a single syslog in multiple lines. For analysis purposes, the multiple lines need to be put together into a single log. This feature enables you to do that. You can write multiple multi-line syslog combining rules based on reporting IP and begin and end patterns. All matching syslog lines within the begin and end patterns are combined into a single log.

  1. Go to ADMIN > General Settings > Event Handling > Event Multiline Syslog tab.
  2. Click New.
  3. Enter or select the following information:
    1. Organization - syslog from devices belonging to this Organization will be combined to one line.
    2. Sender IP - the source of the syslog. Format is a single IP, IP range, CIDR, or a combination of these separated by commas.
    3. Protocol - TCP or UDP since syslog can come via either of these protocols.
    4. Begin Pattern - combining syslog starts when the regular expression specified here is encountered.
    5. End Pattern - combining syslog stops when the regular expression specified here is encountered.
  4. Click Save.

Note: For all the above configurations, use the Edit button to modify any setting or Delete to remove any setting.

The current design applies only to UDP, which behaves differently from TCP. If a single event is sent in multiple UDP packets, you need a multiline rule to combine them. Otherwise, FortiSIEM treats them as multiple events. If a continuous TCP stream contains multiple events, you need a multiline rule to separate them. Otherwise, FortiSIEM treats LF (the newline character \n) as the separator.
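The UDP combining behaviour described above, as an added Python model that is not FortiSIEM code: lines from a matching sender are collected from a Begin Pattern match until an End Pattern match and emitted as one log, lines outside such a block and lines from senders with no rule pass through unchanged, and a block left open when input ends is flushed rather than lost. Assumptions: the sender IP field accepts a single IP or CIDR block (IP ranges are not handled here), combined lines are joined with a newline, and the sample Java stack trace records are constructed.

```python
import ipaddress
import re

class MultilineRule:
    """Sender IP as a single IP or CIDR block (ranges not handled here), protocol, begin/end regexes."""
    def __init__(self, sender_ip, protocol, begin_pattern, end_pattern):
        self.network = ipaddress.ip_network(sender_ip, strict=False)
        self.protocol = protocol.upper()
        self.begin, self.end = re.compile(begin_pattern), re.compile(end_pattern)

    def applies_to(self, sender_ip, protocol):
        return protocol.upper() == self.protocol and ipaddress.ip_address(sender_ip) in self.network

def combine_syslog(records, rules):
    """records: iterable of (sender_ip, protocol, line). Returns [(sender_ip, log)] with the
    lines between a begin and an end match joined into one log (joined with a newline: an assumption)."""
    events, open_logs = [], {}          # open_logs: (rule index, sender) -> lines collected so far
    for sender_ip, protocol, line in records:
        idx = next((i for i, r in enumerate(rules) if r.applies_to(sender_ip, protocol)), None)
        key = (idx, sender_ip)
        if idx is None:
            events.append((sender_ip, line))        # no rule for this sender: each line is one event
        elif key not in open_logs:
            if rules[idx].begin.search(line):
                open_logs[key] = [line]              # begin pattern seen: start collecting
            else:
                events.append((sender_ip, line))
        else:
            open_logs[key].append(line)
            if rules[idx].end.search(line):          # end pattern seen: emit the combined log
                events.append((sender_ip, "\n".join(open_logs.pop(key))))
    for (idx, sender_ip), lines in open_logs.items():
        events.append((sender_ip, "\n".join(lines)))  # input ended mid-message: flush rather than lose it
    return events

# Constructed sample: a Java stack trace sent as several UDP syslog packets (not from the page).
RULES = [MultilineRule("10.1.1.0/24", "UDP", r"Exception in thread", r"^\s+at \S+\.main\(")]
RECORDS = [
    ("10.1.1.5", "UDP", "<13>Jan 10 10:00:00 app1 myapp: user alice login ok"),
    ("10.1.1.5", "UDP", '<13>Jan 10 10:00:01 app1 myapp: Exception in thread "main" java.lang.NullPointerException'),
    ("10.1.1.5", "UDP", "\tat com.example.Foo.bar(Foo.java:10)"),
    ("10.1.1.5", "UDP", "\tat com.example.Foo.main(Foo.java:5)"),
    ("10.1.1.5", "UDP", "<13>Jan 10 10:00:02 app1 myapp: user alice logout"),
    ("10.2.2.2", "UDP", "<13>Jan 10 10:00:02 other: Exception in thread x (no rule, stays one line)"),
]
```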