Ingesting JSON Formatted Events Received via HTTP(S) POST
FortiSIEM can receive, parse, and store JSON formatted events received via HTTP(S) POST. Follow these steps to implement this.
1. Configure the FortiSIEM node with the HTTPS credential for receiving the HTTP(S) POST events.
   a. Identify the FortiSIEM node that will receive the events. Most likely, this will be the Collector.
   b. SSH to the Collector and run the command:
      htpasswd -b /etc/httpd/accounts/passwds <user> <password>
2. Modify the built-in JSON parser to parse the event attributes and set the Event Type.
   a. Log in to the Supervisor.
   b. Go to ADMIN > Device Support > Parsers.
   c. Clone PHCustomJSONParser.xml and make the changes so that the additional event attributes are parsed.
   d. Validate, Test, and Save the parser.
   e. Click Apply All to deploy the parser changes.
3. Make sure the events are being pushed to the FSM node, using the credentials from Step 1, via this REST API:
   https://<FSMNodeName>/rawupload?vendor=<vendor>&model=<model>&reptIp=<reptIp>&reptName=<reptHost>
   where FSMNodeName is the resolvable host name or FQDN of the node in Step 1. The query parameters Reporting Vendor (vendor), Reporting Model (model), Reporting Device (reptName), and Reporting IP (reptIp) are needed to create a CMDB entry and populate the events.
4. Query the events by using the Reporting Device Name or IP from Step 3 and the Event Type from Step 2c.
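The push in Step 3 as an added, stand-alone example (not code from the FortiSIEM documentation or product): it builds the /rawupload URL with the four query parameters, attaches the htpasswd credential as HTTP Basic authentication, and POSTs one JSON event over a certificate-verifying TLS connection. The host name, account, vendor/model values and the sample event are all assumed.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Assumed value: the Collector host name from Step 1 (must resolve and match its certificate).
FSM_NODE = "fsm-collector.example.com"


def build_rawupload_url(node, vendor, model, rept_ip, rept_name):
    """Build the /rawupload URL. urlencode() escapes spaces, '&' and '='
    in device names so they cannot break or extend the query string."""
    query = urllib.parse.urlencode(
        {"vendor": vendor, "model": model, "reptIp": rept_ip, "reptName": rept_name}
    )
    return f"https://{node}/rawupload?{query}"


def build_request(url, user, password, event):
    """Return an HTTPS POST carrying one JSON event, authenticated with the
    HTTP Basic credential created by htpasswd in Step 1b."""
    if not isinstance(event, dict):
        raise TypeError("event must be a JSON object so parsed attributes have names")
    body = json.dumps(event).encode("utf-8")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Basic {token}")
    return req


def send_event(req, timeout=10):
    """POST the event and return the HTTP status. The default SSL context
    verifies the Collector's certificate; keep it on, the request carries a credential."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    import os
    # Constructed sample event; the cloned PHCustomJSONParser.xml (Step 2c) decides
    # which of these keys become event attributes and which sets the Event Type.
    sample = {"eventName": "LOGIN_FAILED", "user": "alice", "srcIp": "10.0.0.25"}
    url = build_rawupload_url(FSM_NODE, "Acme", "Gateway", "10.0.0.5", "edge-gw")
    # Credential read from the environment rather than hard-coded (assumed variable names).
    req = build_request(url, os.environ.get("FSM_USER", "fsmuser"),
                        os.environ.get("FSM_PASS", "secret"), sample)
    print(send_event(req))
```

After the POST returns 200, the event should be visible in Step 4 by the reptName/reptIp values used in the URL.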