Hi Cherbani,
Some of our DSMs (parsers) do support parsing CEF format (like Windows, as shown in the video), but the Fortinet one does not. Additionally, based on your screenshots, those events are being routed directly to the "ArcSight Syslog Redirect" log source, which is of type Universal DSM, which can't parse anything without a log source extension being attached. In the video, Jose is using his syslog redirect log source as a "gateway log source", meaning it is a collection/ingress point for event data from many sources and based on the value extracted with its configured regex, it will tag each event with that extracted value as its "source". There needs to be a separate log source with a Log Source Identifier that matches that extracted value, for each possible value. In the video, these "receiver" log sources autodetect because our Windows DSM recognizes the CEF format so they don't need to be manually created.
In your case, because the events are being routed to the ArcSight Syslog Redirect log source, it means your regex is capturing a value that matches the Log Source Identifier of that same log source.
So what you should do is change the Log Source Identifier of your gateway log source to something else (it doesn't matter what, since it doesn't need to receive any events itself), then use the DSM Editor to add parsing support for the CEF format to the Fortinet DSM. At that point, because the DSM will now be able to parse and recognize the events, "receiver" log sources of type Fortinet should autodetect for each unique value of the dvc field which you are extracting with the Syslog Redirect gateway.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
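As an added illustration (not code from this thread, from QRadar, or from the DSM Editor), here is a small Python CEF parser that does what the gateway/receiver setup above relies on: it splits the CEF header from the extension, unescapes `\=` and `\\` in values, and pulls out the device field that each "receiver" log source's Log Source Identifier must match. The sample event is a constructed abridgement of the Fortinet event quoted later in this thread; it carries `dvchost`, whereas the gateway regex discussed above extracts `dvc`, so the field name is a parameter.

```python
import re

# Constructed sample, abridged from the Fortinet-via-ArcSight event posted
# later in this thread (XX placeholders kept as posted).
SAMPLE = (
    "CEF:0|Fortinet|Fortigate|v.XXX|00013|traffic:forward server-rst|Low| "
    "eventId=46125042 type=1 proto=TCP in=320 out=480 act=server-rst "
    "src=XX.XX.XX.XX sourceZoneURI=/All Zones/ArcSight System/Private "
    "Address Space Zones/RFC1918: XX.XX.XX.XX-XX.XX.XX.XX dst=XX.XX.XX.XX "
    "dpt=8445 ahost=test.local dvchost=FW-2000APP13 deviceExternalId=XXXXXXX "
    "geid=68000615683515951 _cefVer=0.1 aid=\\=\\="
)

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
# Header fields are separated by unescaped pipes; "\|" inside a value is literal.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension: "key=value" pairs separated by a space. Values may contain spaces
# and "/" (zone URIs), so a pair ends only at the next " key=" boundary or at
# end of string. "=" and "\" inside values must be escaped as "\=" and "\\".
_PAIR = re.compile(r"(?:^|\s)([\w.-]+)=(.*?)(?=\s[\w.-]+=|$)")
_UNESCAPE = re.compile(r"\\([=\\])")


def split_header(event):
    """Return (header dict, raw extension string) for one CEF event."""
    if not event.startswith("CEF:"):
        raise ValueError("not a CEF event")
    parts = _HEADER_SPLIT.split(event[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-separated fields")
    header = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    return header, parts[7]


def parse_extension(ext):
    """Return the extension key/value pairs with CEF escapes removed."""
    return {m.group(1): _UNESCAPE.sub(r"\1", m.group(2))
            for m in _PAIR.finditer(ext)}


def parse_cef(event):
    header, ext = split_header(event)
    return header, parse_extension(ext)


def log_source_identifier(event, field="dvchost"):
    """Value a Syslog Redirect gateway would extract to route this event; the
    receiver log source whose Log Source Identifier equals it gets the event."""
    _, fields = parse_cef(event)
    return fields.get(field)


if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    print(hdr["vendor"], hdr["name"], "->", log_source_identifier(SAMPLE))
```

If `log_source_identifier` returns `None` for the field your gateway regex extracts, no receiver log source can match and the events stay on the gateway, which is the symptom described in this thread.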
Original Message:
Sent: Wed June 10, 2020 07:19 AM
From: cherbani samir
Subject: Forward logs from ArcSight to Qradar
Hi Colin,
The events are in the ArcSight CEF format; see the example below, sent from a Fortinet Firewall to the ArcSight Logger and then from the logger to Qradar. I know that Qradar doesn't support ArcSight natively, but in the video I shared we can see that Qradar can parse events received from ArcSight.
CEF:0|Fortinet|Fortigate|v.XXX|00013|traffic:forward server-rst|Low| eventId=46125042 type=1 start=1591787473000 app=TCP-8445 proto=TCP in=320 out=480 categorySignificance=/Informational categoryBehavior=/Access categoryDeviceGroup=/Firewall catdt=Network-based IDS/IPS categoryOutcome=/Success categoryObject=/Host/Application/Service art=1591787519718 cat=traffic:forward deviceSeverity=3 act=server-rst rt=1591787509000 src=XX.XX.XX.XX sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: XX.XX.XX.XX-XX.XX.XX.XX dst=XX.XX.XX.XX destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: XX.XX.XX.XX.255.255.255 dpt=8445 cnt=8 ahost=test.local agt=XX.XX.XX.XX agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: XX.XX.XX.XX.255.255.255 amac=XX.XX.XX.XX av=7.14.0.8241.0 atz=Europe at=syslog dvchost=FW-2000APP13 dtz=Europe/ deviceExternalId=XXXXXXX deviceInboundInterface=XXXXX deviceOutboundInterface=XXXXXX geid=68000615683515951 _cefVer=0.1 aid=\=\=
------------------------------
cherbani samir
Original Message:
Sent: Tue June 09, 2020 11:44 AM
From: COLIN HAY
Subject: Forward logs from ArcSight to Qradar
What do the events look like? If they aren't of a type/format that QRadar supports out-of-the-box, you may need to use the DSM Editor to define your own parsing and categorization logic.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
Original Message:
Sent: Mon June 08, 2020 01:42 PM
From: cherbani samir
Subject: Forward logs from ArcSight to Qradar
Hello all,
I have an ArcSight Logger in one of our datacenters and I configured this logger to send events to our Qradar. We did exactly the same as the video below, Arcsight Migration Syslog Redirect. See the attached files. The issue now is that all events are Unknown. If anyone can help I will be very grateful.
Regards.
------------------------------
cherbani samir
------------------------------