Event Handling Settings

This section provides the procedures to configure Event Handling.

Event Dropping

Some devices and applications generate a significant number of logs, which may be very verbose, contain little valuable information, and consume storage resources. You can configure Event Dropping rules that will drop events just after they have been received by FortiSIEM, preventing these event logs from being collected and processed. Implementing these rules may require some thought to accurately set the event type, reporting device, and event regular expression match, for example. However, dropped events do not count towards licensed Events per Second (EPS), and are not stored in the Event database. Dropped events also do not appear in reports, and do not trigger rules. You can also specify that events should be dropped but stored, so event information will be available for searches and reports, but will not trigger rules. An example of an event type that you might want to store but not have trigger any rules would be an IPS event that is a false positive.

  1. Go to ADMIN > Settings > Event Handling > Dropping tab.
  2. Click New.
  3. Deselect All and click the drop-down next to Reporting Device and browse the folders to select the device group or individual devices for which you must create a rule.
  4. Click Save.
  5. Deselect All and click the drop-down next to Event Type and browse the folders to find the group of event types, or a specific event type for which you must create a rule.
  6. Click Save.
  7. Enter Source IP or Destination IP that you want to filter. The value can be IP range.
  8. Select the Action that should be taken when the event dropping rule is triggered from the available options.
    • Drop event
    • Store event:
      • Do not trigger rules
      • Drop attributes - to select the drop attributes, use the edit icon.
  9. For Regex Filter, enter any regular expressions you want to use to filter the log files. 
    If any matches are made against your regular expression, then the event will be dropped.
  10. Enter any Description for the rule. 
  11. Click Save.

Notes:

  • All matching rules are implemented by FortiSIEM, and inter-rule order is not important. If you create a duplicate of an event dropping rule, the first rule is in effect.
  • If you leave a rule definition field blank, then that field is not evaluated. For example, leaving Event Type blank is the same as selecting All Event Types.
  • FortiSIEM drops the event at the first entry point. If your deployment uses Collectors, events are dropped by the Collectors. If your deployment doesn't use Collectors, then the event will be dropped by the Worker or Supervisor where the event is received.
  • You can use the report System Event Processing Statistics to view the statistics for dropped events. When you run the report, select AVG(Policy Dropped Event Rate (/sec)) as one of the dimensions for Chart to see the events that have been dropped by this policy.

Event Forwarding

In systems management, several servers may need to receive logs, traps and Netflows from network devices and servers, but it is often resource intensive for those devices and servers to forward logs, traps and Netflows to multiple destinations. For example, most Cisco routers can forward Netflow to at most two locations. FortiSIEM, however, can forward (relay) specific logs, traps and Netflows to one or more destinations. A Supervisor, Worker or Collector can forward events: the node that receives and parses the event forwards it. If you want to send a log to multiple destinations, send it to FortiSIEM, which uses an event forwarding rule to relay it to the desired locations.

  1. Go to ADMIN > Settings > Event Handling > Forwarding tab.
  2. Click New.
  3. Select the Organization for which the rule will apply.
  4. Click the drop-down next to Reporting Device and browse the folders to find the group of devices, or a specific device for which you must create a rule.
  5. Click the drop-down next to Event Type and browse the folders to find the group of event types, or a specific event type for which you must create a rule.
  6. Click Save.
  7. Select the Traffic Type to which the rule should apply.
  8. For Source IP, enter the IP address of the device that will be sending the logs.
  9. For Destination IP, enter the IP address of the device to which the logs are sent.
  10. For Severity, select an operator and enter a severity level that must match for the log to be forwarded.
  11. For Regex Filter, enter any regular expressions you want to use to filter the log files. 
    If any matches are made against your regular expression, then the event will be forwarded.
  12. Select the forwarding Protocol from the drop-down.
    • UDP - If you use this protocol, events may be lost.
    • TCP - This method ensures reliability.
    • TCP over SSL - This method ensures reliability and security. See Note 3 below.
  13. Based on your selection of Traffic Type, enter the following information:
    1. Enter the IP address in Forward to > IP.
    2. Select the Port number in Forward to > Port field.
    3. Select a Forward to > Protocol from the drop-down list.
    4. Select the Forward to > Format:
      • Incoming - outgoing format is same as incoming.
      • CEF - outgoing events are CEF formatted. See the CEF documentation for details on CEF formatted logs.
  14. Click Save.

Notes:

  1. If you want the same sender IP to forward events to multiple destinations, create a rule for each destination.
  2. FortiSIEM will implement all rules that you create and enable, so if you create a duplicate of an event forwarding rule, two copies of the same log will be sent to the destination IP.
  3. If you want to use public CA certificates for TCP over SSL communication, then note the following:
    • FortiSIEM's SSL library can validate an external system’s certificate if it is signed by a public CA.

    • If the external system wants to verify the FortiSIEM node's certificate, then you need to add the following certificate and key to the phoenix_config.txt file of the FortiSIEM nodes forwarding the event.

      [BEGIN phEventForwarder]
      tls_certificate_file= #/opt/phoenix/bin/.ssh/my_cert.crt
      …
      tls_key_file= #/opt/phoenix/bin/.ssh/my_cert.key
      [END]
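The matching semantics described in the Event Dropping and Event Forwarding procedures and notes above (a blank field is not evaluated, IP values may be ranges, the regex is applied to the raw log, every matching rule takes effect, a stored-but-not-triggering event is kept for search, and a duplicated forwarding rule sends two copies) can be seen in a small rule evaluator. This is an added example written for this page, not FortiSIEM code or its rule engine. The event field names, the assumption that all non-blank rule fields are ANDed, the sample events and rules, and the destination addresses are constructed for illustration.

```python
import ipaddress
import operator
import re
from dataclasses import dataclass, replace

# Constructed sample events. FortiSIEM's internal event fields are not
# described on this page; the keys and values below are illustrative only.
EVENTS = [
    {"id": 1, "reporting_device": "fw-edge-01", "event_type": "FortiGate-ips-detect",
     "src_ip": "10.1.1.25", "dst_ip": "192.0.2.10", "severity": 7,
     "raw": 'subtype=ips action=detected msg="Known.FalsePositive.Sig"'},
    {"id": 2, "reporting_device": "fw-edge-01", "event_type": "FortiGate-ips-detect",
     "src_ip": "10.1.1.25", "dst_ip": "192.0.2.10", "severity": 9,
     "raw": 'subtype=ips action=dropped msg="Web.Exploit.Signature"'},
    {"id": 4, "reporting_device": "web-01", "event_type": "Linux-Cron-Job",
     "src_ip": "10.3.0.5", "dst_ip": "", "severity": 1,
     "raw": "CRON[4321]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)"},
]

def ip_matches(spec: str, ip: str) -> bool:
    """A blank spec is not evaluated; otherwise accept a single IP or a 'low-high' range."""
    if not spec:
        return True
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    return addr == ipaddress.ip_address(spec)

SEVERITY_OPS = {"=": operator.eq, ">=": operator.ge, "<=": operator.le,
                ">": operator.gt, "<": operator.lt}

@dataclass
class Rule:
    name: str
    reporting_device: str = ""   # blank = All devices
    event_type: str = ""         # blank = All Event Types
    src_ip: str = ""             # blank, single IP or low-high range
    dst_ip: str = ""
    regex: str = ""              # applied to the raw log text
    severity: tuple = ()         # (operator, level); forwarding rules only
    action: str = "drop"         # drop | store_no_rules | forward
    forward_to: str = ""         # "ip:port" for forwarding rules

    def matches(self, ev: dict) -> bool:
        # Assumption: every non-blank field must match (AND); blank fields are skipped.
        if self.reporting_device and ev["reporting_device"] != self.reporting_device:
            return False
        if self.event_type and ev["event_type"] != self.event_type:
            return False
        if not ip_matches(self.src_ip, ev["src_ip"]) or not ip_matches(self.dst_ip, ev["dst_ip"]):
            return False
        if self.regex and not re.search(self.regex, ev["raw"]):
            return False
        if self.severity:
            op, level = self.severity
            if not SEVERITY_OPS[op](ev["severity"], level):
                return False
        return True

def apply_dropping(events, rules):
    """Return {event id: disposition}. 'drop' takes precedence over 'store_no_rules'
    when both kinds of rule match, since a dropped event is never stored at all."""
    result = {}
    for ev in events:
        actions = {r.action for r in rules if r.matches(ev)}
        if "drop" in actions:
            result[ev["id"]] = "dropped"          # not stored, not counted toward EPS
        elif "store_no_rules" in actions:
            result[ev["id"]] = "stored_no_rules"  # searchable and reportable, triggers no rules
        else:
            result[ev["id"]] = "processed"
    return result

def apply_forwarding(events, rules):
    """Return (event id, destination) pairs. Every enabled matching rule produces its
    own copy, so a duplicated rule sends the same log twice to the same destination."""
    return [(ev["id"], r.forward_to) for ev in events for r in rules if r.matches(ev)]

DROP_RULES = [
    Rule("noise-cron", event_type="Linux-Cron-Job", action="drop"),
    Rule("ips-false-positive", event_type="FortiGate-ips-detect",
         regex=r"Known\.FalsePositive", action="store_no_rules"),
]

SOC = Rule("ips-to-soc", event_type="FortiGate-ips-detect", severity=(">=", 8),
           src_ip="10.1.1.0-10.1.1.255", action="forward", forward_to="203.0.113.5:514")
FORWARD_RULES = [
    SOC,
    replace(SOC, name="ips-to-soc-duplicate"),                          # duplicate rule: two copies (Note 2)
    replace(SOC, name="ips-to-archive", forward_to="203.0.113.6:6514"),  # second destination: own rule (Note 1)
]

if __name__ == "__main__":
    print(apply_dropping(EVENTS, DROP_RULES))
    print(apply_forwarding(EVENTS, FORWARD_RULES))
```

Running the block shows event 4 dropped, event 1 stored without triggering rules, and event 2 forwarded three times: twice to the SOC destination because of the duplicated rule, once to the archive destination that has its own rule.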

Event Organization Mapping

FortiSIEM can handle multi-tenant reporting devices that already have Organization names in the events they send, for example, VDOM attribute in FortiGate. This section shows how to map Organization names in external events to those in FortiSIEM. FortiSIEM will create a separate reporting device in each Organization and associate the events to the reporting device in the corresponding FortiSIEM Organization.

This feature requires that:

  • One or more (multi-tenant) Collectors are created under Super-Local Organization.
  • Multi-tenant devices send logs to the multi-tenant Collectors under Super-Local Organization.

Follow the steps below:

  1. Go to ADMIN > Settings > Event Handling > Event Org Mapping tab.
  2. Click New.
  3. Select or search the Device Type of the sender from the drop-down.
    This must be a device type that FortiSIEM understands and can parse events from.
  4. Select or search the Event Attribute that contains the external organization name from the drop-down.
    FortiSIEM will map the value in this field to the FortiSIEM Organization.
  5. Select or search the multi-tenant Collectors under Super-Local Organization that will receive the events from the drop-down.
    To include all Collectors, select All Collectors.
  6. Specify the IP/IP Range of the multi-tenant devices that are sending events.
    Only a single IP or an IP Range is allowed, for example, 10.1.1.1 or 10.1.1.1-10.1.1.2. Comma-separated values, such as 10.1.1.1,10.1.1.2, are not allowed.
  7. Click the edit icon next to Org Mapping to map an organization to an event.
    • Click on any Event Organization cell in the Event Organization Mapping dialog box to edit. Click Save.
  8. Click Save.

Note: Do not define overlapping rules - make sure there are no overlaps in (Collector, Reporting IP/Range, Event Attribute) between multiple rules.
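The mapping step and the note above define two checks an administrator needs: that the IP/IP Range field holds exactly one IP or one range (no comma-separated values), and that no two rules overlap in (Collector, Reporting IP/Range, Event Attribute). The following is an added example written for this page, not FortiSIEM code; it validates the IP field, flags overlapping rules, and maps an event's organization attribute to a FortiSIEM Organization. The "vdom" attribute name, the organization names, the collector names and the "ip@org" reporting-device key are constructed assumptions standing in for FortiSIEM's own per-Organization reporting device.

```python
import ipaddress
from dataclasses import dataclass, field

def parse_ip_spec(spec: str):
    """Accept a single IP or a 'low-high' range and return (low, high).
    Comma-separated lists are rejected, as the procedure above requires."""
    if "," in spec:
        raise ValueError(f"comma-separated values are not allowed: {spec!r}")
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    else:
        low = high = ipaddress.ip_address(spec.strip())
    if low > high:
        raise ValueError(f"range start is above range end: {spec!r}")
    return low, high

def is_valid_ip_spec(spec: str) -> bool:
    try:
        parse_ip_spec(spec)
        return True
    except ValueError:
        return False

ALL_COLLECTORS = "All Collectors"

@dataclass
class OrgMappingRule:
    device_type: str        # sender device type that FortiSIEM can parse
    event_attribute: str    # event attribute carrying the external organization name
    collectors: frozenset   # multi-tenant Collectors under Super-Local, or {ALL_COLLECTORS}
    ip_spec: str            # single IP or low-high range of the sending devices
    org_mapping: dict = field(default_factory=dict)  # external value -> FortiSIEM Organization

def _collectors_overlap(a, b) -> bool:
    return ALL_COLLECTORS in a or ALL_COLLECTORS in b or bool(a & b)

def _ranges_overlap(r1, r2) -> bool:
    return r1[0] <= r2[1] and r2[0] <= r1[1]

def find_overlaps(rules):
    """Index pairs of rules that overlap in (Collector, Reporting IP/Range, Event Attribute)."""
    pairs = []
    for i, a in enumerate(rules):
        for j in range(i + 1, len(rules)):
            b = rules[j]
            if (a.event_attribute == b.event_attribute
                    and _collectors_overlap(a.collectors, b.collectors)
                    and _ranges_overlap(parse_ip_spec(a.ip_spec), parse_ip_spec(b.ip_spec))):
                pairs.append((i, j))
    return pairs

def resolve_org(rules, event):
    """Find the rule matching the event's device type, receiving collector and reporting IP,
    then map the organization attribute to a FortiSIEM Organization. Returns
    (organization, reporting device key) or None when no rule or no mapping applies."""
    addr = ipaddress.ip_address(event["reporting_ip"])
    for r in rules:
        if r.device_type != event["device_type"]:
            continue
        if not (ALL_COLLECTORS in r.collectors or event["collector"] in r.collectors):
            continue
        low, high = parse_ip_spec(r.ip_spec)
        if not low <= addr <= high:
            continue
        org = r.org_mapping.get(event.get(r.event_attribute))
        if org is None:
            return None   # the external organization value has no mapping configured
        return org, f"{event['reporting_ip']}@{org}"   # assumed per-Organization device key
    return None

# Constructed rules and event; rule 1 overlaps rule 0 (All Collectors, 10.1.1.2 inside the range).
RULES = [
    OrgMappingRule("FortiGate", "vdom", frozenset({"collector-mt-1"}), "10.1.1.1-10.1.1.2",
                   {"vdom-acme": "Acme Corp", "vdom-globex": "Globex"}),
    OrgMappingRule("FortiGate", "vdom", frozenset({ALL_COLLECTORS}), "10.1.1.2",
                   {"vdom-initech": "Initech"}),
    OrgMappingRule("FortiGate", "vdom", frozenset({"collector-mt-2"}), "10.1.2.0-10.1.2.255",
                   {"vdom-acme": "Acme Corp"}),
]

EVENT = {"device_type": "FortiGate", "collector": "collector-mt-1",
         "reporting_ip": "10.1.1.1", "vdom": "vdom-acme"}

if __name__ == "__main__":
    print("overlapping rule pairs:", find_overlaps(RULES))
    print(resolve_org(RULES, EVENT))
```

The overlap check treats All Collectors as intersecting every collector set, which is why rule 1 is reported against rule 0 even though the two name different collectors explicitly.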

Multiline Syslog

Often applications generate a single syslog in multiple lines. For analysis purposes, the multiple lines must be put together into a single log. This feature enables you to do that. You can write multiple multiline syslog combining rules based on reporting IP and begin and end patterns. All matching syslog between the begin and end pattern is combined into a single log.

  1. Go to ADMIN > Settings > Event Handling > Multiline Syslog tab.
  2. Click New.
  3. Enter or select the following information:
    1. Organization - syslog from devices belonging to this Organization will be combined to one line.
    2. Sender IP - the source of the syslog. Format is a single IP, an IP range, a CIDR block, or a comma-separated combination of these.
    3. Protocol - TCP or UDP since syslog can come via either of these protocols.
    4. Begin Pattern - combining syslog starts when the regular expression specified here is encountered.
    5. End Pattern - combining syslog stops when the regular expression specified here is encountered.
  4. Click Save.

Note: For all the above configurations, use the Edit button to modify any setting or Delete to remove any setting.

The combining behavior described above applies to UDP; TCP is handled differently. If a single event is sent as multiple UDP packets, you need a multiline rule to combine them. Otherwise, FortiSIEM treats them as multiple events. If a continuous TCP stream contains multiple events, you need a multiline rule to separate them. Otherwise, FortiSIEM treats LF (the new line character \n) as the separator.
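The difference between the UDP and TCP cases described in this section is easier to see in code. The following is an added example written for this page, not FortiSIEM's multiline implementation: one function combines UDP datagrams from a matching sender between a Begin Pattern and an End Pattern, the other splits a TCP stream either on LF (no rule) or into Begin..End spans (with a rule). The sample application log lines, the sender addresses and the choice to join combined lines with a newline are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class MultilineRule:
    organization: str
    sender_ips: str       # single IP, IP range, CIDR, or a comma-separated combination
    protocol: str         # "UDP" or "TCP"
    begin_pattern: str    # regex that starts a combined event
    end_pattern: str      # regex that ends it

    def sender_matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for token in (t.strip() for t in self.sender_ips.split(",")):
            if "/" in token:
                if addr in ipaddress.ip_network(token, strict=False):
                    return True
            elif "-" in token:
                low, high = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
                if low <= addr <= high:
                    return True
            elif addr == ipaddress.ip_address(token):
                return True
        return False

def combine_udp(packets, rule):
    """packets: (sender_ip, payload) pairs in arrival order, one syslog per UDP datagram.
    Datagrams from a matching sender between Begin and End Pattern are joined into one
    event (joined with a newline here, an assumption); everything else passes through."""
    events, open_buffers = [], {}   # one open buffer per sender, so interleaved senders stay apart
    begin, end = re.compile(rule.begin_pattern), re.compile(rule.end_pattern)
    for sender, payload in packets:
        buf = open_buffers.get(sender)
        if not rule.sender_matches(sender) or (buf is None and not begin.search(payload)):
            events.append(payload)   # rule does not apply: the datagram is its own event
            continue
        if buf is None:
            buf = open_buffers[sender] = []
        buf.append(payload)
        if end.search(payload):
            events.append("\n".join(open_buffers.pop(sender)))
    for sender in list(open_buffers):   # input ended inside a pair: flush what was collected
        events.append("\n".join(open_buffers.pop(sender)))
    return events

def split_tcp(stream: str, rule=None):
    """A TCP stream has no datagram boundaries. Without a rule, LF is the separator;
    with a rule, each Begin..End Pattern span becomes one event."""
    if rule is None:
        return [line for line in stream.split("\n") if line]
    span = re.compile(f"(?:{rule.begin_pattern}).*?(?:{rule.end_pattern})", re.DOTALL)
    return [m.group(0) for m in span.finditer(stream)]

# Constructed sample input: an application that emits a multi-part report.
REPORT_RULE = MultilineRule("Super", "10.1.1.0/28, 10.1.1.20-10.1.1.25", "UDP",
                            begin_pattern=r"BEGIN REPORT", end_pattern=r"END REPORT id=\d+")
UDP_PACKETS = [
    ("10.1.1.5", "<14>app01 report: BEGIN REPORT id=77"),
    ("10.1.1.5", "<14>app01 report: disk=/dev/sda1 used=91%"),
    ("10.1.2.9", "<14>app02 sshd: Accepted publickey for ops from 198.51.100.7"),  # sender not in rule
    ("10.1.1.5", "<14>app01 report: END REPORT id=77"),
    ("10.1.1.5", "<14>app01 sshd: Accepted publickey for ops from 198.51.100.8"),  # ordinary single line
]

TCP_RULE = MultilineRule("Super", "10.1.1.5", "TCP", r"BEGIN REPORT", r"END REPORT id=\d+")
# Two events in one stream with no LF between them: the default LF split sees one event.
TCP_STREAM = ("<14>app01 report: BEGIN REPORT id=1 disk=/dev/sda1 END REPORT id=1"
              "<14>app01 report: BEGIN REPORT id=2 disk=/dev/sdb1 END REPORT id=2\n")

if __name__ == "__main__":
    for ev in combine_udp(UDP_PACKETS, REPORT_RULE):
        print(repr(ev))
    print(len(split_tcp(TCP_STREAM)), "event(s) without a rule")
    print(len(split_tcp(TCP_STREAM, TCP_RULE)), "event(s) with a rule")
```

The UDP combiner keeps one buffer per sender, so a datagram from another host arriving in the middle of a report is emitted on its own without breaking the report being assembled. The TCP splitter shows the other half of the note: the same two reports arrive as one LF-terminated chunk and are counted as a single event until a rule supplies the boundaries.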