Transfer FortiGate firewall log into the Wazuh server via Rsyslog
Topology: FortiGate Firewall (IP 172.16.xx.xx) -> Rsyslog server (IP 172.16.xx.xx) -> Wazuh Server (IP 172.16.xx.xx)
1. Install and configure rsyslog in Linux
#yum install rsyslog
#systemctl start rsyslog
#systemctl enable rsyslog
#systemctl status rsyslog
Edit the file /etc/rsyslog.conf and uncomment the lines below to enable the UDP and TCP listeners on port 514:
#UDP
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
#TCP
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
2. Configure syslog forwarding on the FortiGate firewall with the settings below
#config log syslogd setting
#set status enable
#set format default
#set port 514 (by default UDP 512)
#set server 172.16.xx.xx (log server IP)
#set source-ip 172.16.xx.xx (FortiGate's own IP)
#set facility user
#end
3. After that, check the log on the rsyslog server. Here we can see that firewall logs are arriving:
tail -f /var/log/messages
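As an added check that is not part of the original post: FortiGate syslogd messages are space-separated key=value pairs (values optionally double-quoted), so the script below parses the lines reaching rsyslog, keeps only those that look like FortiGate output, and summarises them by device, log type and action. The sample lines, device names and IPs are constructed placeholders; on the rsyslog server you would feed it /var/log/messages instead.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# FortiGate field: key=unquoted_value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample lines: two FortiGate traffic logs plus one unrelated OS message.
SAMPLE_MESSAGES = [
    '<189>Jan 10 12:00:01 172.16.0.1 date=2024-01-10 time=12:00:01 devname="FGT-EDGE" '
    'devid="FGT-DEVID-PLACEHOLDER" logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.1.1.5 dstip=93.184.216.34 dstport=443 action="accept" policyid=7',
    '<189>Jan 10 12:00:02 172.16.0.1 date=2024-01-10 time=12:00:02 devname="FGT-EDGE" '
    'devid="FGT-DEVID-PLACEHOLDER" logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.1.1.9 dstip=10.2.2.2 dstport=23 action="deny" policyid=0',
    'Jan 10 12:00:03 rsyslog-host systemd[1]: Started Wazuh agent.',
]


def parse_fortigate(line: str) -> Dict[str, str]:
    """Return the key=value fields of a FortiGate syslog line, or {} if it is not one."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
              for m in KV_RE.finditer(line)}
    # Every FortiGate log carries these identifiers; plain OS messages do not.
    if not {"devname", "devid", "logid", "type"}.issubset(fields):
        return {}
    return fields


def summarise(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count FortiGate events by device, type/subtype and action, ignoring other lines."""
    out = {"device": Counter(), "kind": Counter(), "action": Counter()}
    for line in lines:
        f = parse_fortigate(line)
        if not f:
            continue
        out["device"][f["devname"]] += 1
        out["kind"][f"{f['type']}/{f.get('subtype', '-')}"] += 1
        out["action"][f.get("action", "-")] += 1
    return out


if __name__ == "__main__":
    # On the rsyslog server: summarise(open("/var/log/messages"))
    for name, counts in summarise(SAMPLE_MESSAGES).items():
        print(name, dict(counts))
```

If the "device" counter stays empty while rsyslog is running, the FortiGate is not reaching port 514 and the syslogd settings or firewall path should be rechecked before installing the Wazuh agent.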
4. Finally, install the Wazuh agent on the rsyslog server
#rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
#WAZUH_MANAGER="172.16.xx.xx" yum install wazuh-agent
#systemctl daemon-reload
#systemctl enable wazuh-agent
#systemctl start wazuh-agent