Hi,
For security monitoring matters, we are trying to collect authentication logs from Fortigate and Palo Alto devices but we only receive success events. We also need to get failed events.
We don't think the problem is due to devices configuration because other SIEM can read failed authentication events with the same Log forward filters applied.
Same for
index=firewall_fortigate
index=firewall_paloalto
Thanks by advance for your feedback
Hi @yanisA,
Let me understand:
is it correct?
one question: are you receiving only success events or can you identificate only success events?
If you receive only success events there are two choices:
In the first case you can work only on the source systems.
In the second case, you have to check the configuration files (on Indexers and Heavy Forwarders) related to the sourcetypes of Fortigate and Palo Alto and verify if there's a filter that discards a part of events.
If instead you aren't able to identify events, you have to analyze the documentation of Fortinet and Palo Alto to find the related messages.
Installing the Technical Add-Ons (TA) of Fortigate and Palo Alto, will help you in this job.
Ciao.
Giuseppe
Hi @gcusello
Thanks for your response 🙂
Exactly, your understanding is good. We are going to check the configuration files related to the sourcetypes, both TA are already installed.
I will come back to you soon
Yanis