All Apps and Add-ons

Problem on collect of Firewalls failed authentication events

yanisA
Explorer

Hi,

For security monitoring matters, we are trying to collect authentication logs from Fortigate and Palo Alto devices but we only receive success events. We also need to get failed events.

We don't think the problem is due to devices configuration because other SIEM can read failed authentication events with the same Log forward filters applied.

Same for

index=firewall_fortigate

index=firewall_paloalto

 

Thanks by advance for your feedback

Labels (3)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @yanisA,

Let me understand:

  • you're receiving Fortigate and Palo Alto logs,
  • the same systems (with the same configuration) are sending all logs (success and failed authentications) to another SIEM,
  • Splunk is receiving only success logs;

is it correct?

one question: are you receiving only success events or can you identificate only success events?

If you receive only success events there are two choices:

  • the source systems are configurated to send only success events and don't trace failed events;
  • all the events arrive in Splunk but all the events except success, are discarded.

In the first case you can work only on the source systems.

In the second case, you have to check the configuration files (on Indexers and Heavy Forwarders) related to the sourcetypes of Fortigate and Palo Alto and verify if there's a filter that discards a part of events.

If instead you aren't able to identify events, you have to analyze the documentation of Fortinet and Palo Alto to find the related messages.

Installing the Technical Add-Ons (TA) of Fortigate and Palo Alto, will help you in this job.

Ciao.

Giuseppe

yanisA
Explorer

Hi @gcusello

Thanks for your response 🙂

Exactly, your understanding is good. We are going to check the configuration files related to the sourcetypes, both TA are already installed.

I will come back to you soon

Yanis

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...