IBM QRadar

  • 1.  Uppercase usernames in logs from FortiGate

    Posted Thu April 08, 2021 07:46 AM

    Please help us to solve this issue. FortiGate Firewall is sending us usernames in uppercase. All other systems use lowercase when sending the username in logs.

    Tried to search for valid regex patterns; nothing was found.

    1) Is it possible to change the logs themselves before or during the appointment?

    2) If we talk about changing the logs before admission, can you offer some tool (from a number of open sources), which can change logs and then forward them to QRadar?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Uppercase usernames in logs from FortiGate

    Posted Fri April 09, 2021 08:25 PM

    Unfortunately, QRadar does not have a method to force lowercase when the event data is being processed/parsed by the DSM. Have you tried using AQL and adding LOWER to your advanced search? AQL can force values to LOWER in the returned search results when you run a search in AQL.

    For example:

    SELECT LOWER(username), LOWER(LOGSOURCENAME(logsourceid)) FROM events

    The other common method that users might take to resolve this type of issue would be to use an AQL Custom Function, which can do lots of fancy things like remote calls, data conversion, and advanced mathematical functions. Unfortunately, the Username field is a normalized property and not a Custom Event Property. AQL Custom Functions are only available for custom properties, not for standardized fields like Username.

    You might need to see if there is a method to disable this on the FortiOS side of things, or confirm whether this case-sensitive enable/disable setting would resolve the issue: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38692

    There is no tool for this that I'm aware of and you might need to try the AQL I listed to see if that helps.



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Uppercase usernames in logs from FortiGate

    Posted Mon April 12, 2021 06:44 AM

    Thank you very much for this kind of information. Unfortunately, we need to resolve the uppercase to lowercase issue not only for AQL searches but also for rules. We have a lot of rules with username test enabled.


    Is it possible to somehow receive Forti logs on another system, change them and send them to QRadar for processing? Something like Graylog, etc.


    Fortinet itself denied the possibility of changing log generation to lowercase by any command. The command you issued is used for forcing the FortiGate firewall to convert lowercase to uppercase (or not forcing it, by disabling the feature).



    #QRadar
    #Support
    #SupportMigration
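    The relay approach asked about in this post (receive the FortiGate syslog on an intermediate system, rewrite it, forward it to QRadar) is sketched below as an added example; it is not code from this thread, from IBM or from Fortinet. It assumes FortiGate's key=value syslog body, that the username fields are `user`, `srcuser`, `dstuser` and `unauthuser` (check these against the fields your DSM maps to Username), and that only those values should be lowercased, so that device names, log IDs and everything else stay intact for the parser. The sample lines are constructed, not captured traffic.

```python
import re
import socket

# Constructed FortiGate-style syslog bodies for illustration (not real captured events).
SAMPLE_LINES = [
    'date=2021-04-08 time=07:46:01 devname="FGT-EDGE" logid="0102043008" type="event" '
    'subtype="user" user="JDOE" srcip=10.0.0.5 action="authentication" status="success"',
    'date=2021-04-08 time=07:47:12 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 user="ACME\\ASMITH" dstip=192.0.2.10 action="accept"',
    'date=2021-04-08 time=07:48:30 devname="FGT-EDGE" type="event" subtype="vpn" '
    'user="Bob O\'Neil" action="tunnel-up"',
]

# Assumed set of username-carrying keys; adjust to the fields your DSM maps to Username.
USER_FIELDS = ("user", "srcuser", "dstuser", "unauthuser")

# One key=value token: either key="quoted value" (backslash escapes allowed) or key=bare
_KV_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^\s]+))'
)


def lowercase_user_fields(line, fields=USER_FIELDS):
    """Return the line with only the values of the given keys lowercased.

    Lowercasing the whole line would also alter devname, logid, actions and
    similar fields and could break DSM parsing; this touches the user fields only.
    """
    def repl(m):
        key = m.group("key")
        if key not in fields:
            return m.group(0)  # leave every other field exactly as sent
        if m.group("quoted") is not None:
            return f'{key}="{m.group("quoted").lower()}"'
        return f'{key}={m.group("bare").lower()}'

    return _KV_RE.sub(repl, line)


def process_lines(lines):
    """Rewrite a batch of syslog bodies; preserves order for the downstream log source."""
    return [lowercase_user_fields(line) for line in lines]


def remaining_uppercase_users(lines, fields=USER_FIELDS):
    """Defender-side check: count user values that still contain uppercase letters.

    Useful to confirm the rewrite is catching every field before rules depend on it.
    """
    count = 0
    for line in lines:
        for m in _KV_RE.finditer(line):
            if m.group("key") in fields:
                value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
                if value != value.lower():
                    count += 1
    return count


def relay_udp(lines, host, port):
    """Forward rewritten lines to a collector over UDP syslog (port 514 by default on QRadar).

    Not called in the self-test; host/port are whatever your Event Collector listens on.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in process_lines(lines):
            sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for original, rewritten in zip(SAMPLE_LINES, process_lines(SAMPLE_LINES)):
        print(original)
        print("->", rewritten)
    print("uppercase user values left:", remaining_uppercase_users(process_lines(SAMPLE_LINES)))
```

    If you do put a relay like this in front of QRadar, keep the original syslog header (PRI, timestamp and hostname) on the forwarded message so the events still land on the existing FortiGate log source rather than appearing to come from the relay host, and run `remaining_uppercase_users` on a sample of the rewritten feed to confirm no username field was missed before relying on the rules.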


  • 4.  RE: Uppercase usernames in logs from FortiGate

    Posted Wed April 14, 2021 10:24 AM

    Anyone else have a suggestion?



    #QRadar
    #Support
    #SupportMigration