Collect FortiWeb WAF logs
This document describes how you can collect the FortiWeb web application firewall (WAF) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations overview.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FORTINET_FORTIWEB ingestion label.
Configure the FortiWeb WAF logs
To configure the FortiWeb WAF to send logs to a Google Security Operations forwarder, do the following:
Create a syslog policy
- Sign in to the Fortinet FortiWeb console.
- In the Fortinet FortiWeb console, select Log & report > Log policy > Syslog policy.
- Click Create new.
- In the New syslog policy window that appears, do the following:
  - In the Policy name field, specify a name for the policy that you want to use in the configuration.
  - In the IP address field, specify the IP address or hostname for the remote syslog server.
  - In the Port field, specify the port for the syslog server.
  - Clear the Enable CSV format checkbox, if it is selected.
- Click OK.
Enable the syslog types and log level
- In the Fortinet FortiWeb console, select Log & report > Log config > Global log settings.
- In the Global log settings window that appears, select the Syslog checkbox and do the following:
  - In the Syslog policy list, select the syslog policy that you created earlier.
  - In the Log level list, choose the minimum severity level for logs to collect.
  - In the Facility list, select the log facility.
- Click Apply.
Create a trigger
- In the Fortinet FortiWeb console, select Log & report > Log policy > Trigger policy.
- Click Create new.
- In the New trigger policy window that appears, do the following:
  - In the Policy name field, specify a name for the policy that you want to use in the configuration.
  - In the Syslog policy list, select the syslog policy that you created earlier.
- Click OK.
Update your syslog policy with the newly created trigger to ensure that all required events are logged to the Google Security Operations syslog forwarder.
Configure the Google Security Operations forwarder to ingest FortiWeb WAF logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select Fortinet Web Application Firewall as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
  - Protocol: specify the connection protocol that the collector uses to listen to syslog data.
  - Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
  - Port: specify the target port where the collector resides and listens to syslog data.
- Click Submit.
For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser handles logs from FORTINET FORTIWEB in key-value (KV) format, transforming them into UDM. It processes both CEF and non-CEF formatted logs, extracting fields, normalizing values, and mapping them to the appropriate UDM fields based on the log format.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| action | additional.fields[].value.string_value | Value is directly mapped. |
| action | security_result.action_details | If action is "Allow" or "accept", security_result.action_details is set to "ALLOW". If action is "Denied", "deny", "block", or "Block", security_result.action_details is set to "BLOCK". |
| app | network.application_protocol | Value is directly mapped after being uppercased. Only if value is one of HTTPS, HTTP, DNS, DHCP, SMB. |
| app_name | additional.fields[].key | Key is set to "appName". |
| app_name | additional.fields[].value.string_value | Value is directly mapped. |
| backend_service | additional.fields[].key | Key is set to "backend_service". |
| backend_service | additional.fields[].value.string_value | Value is directly mapped. |
| cat | security_result.category_details | Value is directly mapped. |
| client_level | security_result.category | If client_level is "Malicious", security_result.category is set to "NETWORK_MALICIOUS". |
| cn1 | additional.fields[].value.string_value | Mapped to threatWeight field. |
| cn1Label | additional.fields[].key | Key is set to cn1Label value. |
| cn2 | additional.fields[].value.string_value | Mapped to length field. |
| cn2Label | additional.fields[].key | Key is set to cn2Label value. |
| cn3 | additional.fields[].value.string_value | Mapped to signatureID field. |
| cn3Label | additional.fields[].key | Key is set to cn3Label value. |
| cs1 | additional.fields[].value.string_value | Value is directly mapped. |
| cs1Label | additional.fields[].key | Key is set to cs1Label value. |
| cs1 | principal.user.product_object_id | Value is directly mapped when cs1Label matches "userID" (case-insensitive). |
| cs2 | additional.fields[].value.string_value | Value is directly mapped. |
| cs2Label | additional.fields[].key | Key is set to cs2Label value. |
| cs2 | principal.user.userid | Value is directly mapped when cs2Label matches "userName" (case-insensitive) and suid is empty. |
| cs3 | additional.fields[].value.string_value | Value is directly mapped. |
| cs3Label | additional.fields[].key | Key is set to cs3Label value. |
| cs3 | metadata.severity | Value is directly mapped when cs3Label is "level" and cs3 is not empty. |
| cs4 | additional.fields[].value.string_value | Mapped to subType field. |
| cs4Label | additional.fields[].key | Key is set to cs4Label value. |
| cs5 | additional.fields[].value.string_value | Mapped to threatLevel field. |
| cs5Label | additional.fields[].key | Key is set to cs5Label value. |
| cs6 | additional.fields[].value.string_value | Mapped to owaspTop10 field. |
| cs6Label | additional.fields[].key | Key is set to cs6Label value. |
| date | metadata.event_timestamp.seconds | Combined with time and parsed to generate epoch seconds. |
| dev_id | principal.resource.id | Value is directly mapped. |
| devname | principal.resource.name | Value is directly mapped. |
| device_event_class_id | metadata.product_event_type | Used in CEF parsing. |
| device_product | metadata.product_name | Used in CEF parsing. |
| device_vendor | metadata.vendor_name | Used in CEF parsing. |
| device_version | metadata.product_version | Used in CEF parsing. |
| dhost | target.hostname | Value is directly mapped. |
| dpt | target.port | Value is directly mapped and converted to integer. |
| dst | target.ip | Value is directly mapped. |
| dst_port | target.port | Value is directly mapped and converted to integer. |
| dstepid | target.process.pid | Value is directly mapped. |
| dsteuid | target.user.userid | Value is directly mapped. |
| event_name | metadata.product_event_type | Used in CEF parsing. |
| http_agent | network.http.parsed_user_agent | Value is parsed as a user agent string. |
| http_method | network.http.method | Value is directly mapped. |
| http_refer | network.http.referral_url | Value is directly mapped. |
| http_session_id | network.session_id | Value is directly mapped. |
| http_url | target.url | Value is directly mapped. |
| http_version | metadata.product_version | Value is directly mapped. |
| length | additional.fields[].key | Key is set to "length". |
| length | additional.fields[].value.string_value | Value is directly mapped. |
| log_type | metadata.log_type | Hardcoded to "FORTINET_FORTIWEB". |
| main_type | additional.fields[].key | Key is set to "mainType". |
| main_type | additional.fields[].value.string_value | Value is directly mapped. |
| message | Various fields | Parsed using grok and kv filters to extract different fields. |
| ml_allow_method | additional.fields[].key | Key is set to "ml_allow_method". |
| ml_allow_method | additional.fields[].value.string_value | Value is directly mapped. |
| ml_arg_dbid | additional.fields[].key | Key is set to "ml_arg_dbid". |
| ml_arg_dbid | additional.fields[].value.string_value | Value is directly mapped. |
| ml_domain_index | additional.fields[].key | Key is set to "ml_domain_index". |
| ml_domain_index | additional.fields[].value.string_value | Value is directly mapped. |
| ml_log_arglen | additional.fields[].key | Key is set to "ml_log_arglen". |
| ml_log_arglen | additional.fields[].value.string_value | Value is directly mapped. |
| ml_log_hmm_probability | additional.fields[].key | Key is set to "ml_log_hmm_probability". |
| ml_log_hmm_probability | additional.fields[].value.string_value | Value is directly mapped. |
| ml_log_sample_arglen_mean | additional.fields[].key | Key is set to "ml_log_sample_arglen_mean". |
| ml_log_sample_arglen_mean | additional.fields[].value.string_value | Value is directly mapped. |
| ml_log_sample_prob_mean | additional.fields[].key | Key is set to "ml_log_sample_prob_mean". |
| ml_log_sample_prob_mean | additional.fields[].value.string_value | Value is directly mapped. |
| ml_svm_accuracy | additional.fields[].key | Key is set to "ml_svm_accuracy". |
| ml_svm_accuracy | additional.fields[].value.string_value | Value is directly mapped. |
| ml_svm_log_main_types | additional.fields[].key | Key is set to "ml_svm_log_main_types". |
| ml_svm_log_main_types | additional.fields[].value.string_value | Value is directly mapped. |
| ml_svm_log_match_types | additional.fields[].key | Key is set to "ml_svm_log_match_types". |
| ml_svm_log_match_types | additional.fields[].value.string_value | Value is directly mapped. |
| ml_url_dbid | additional.fields[].key | Key is set to "ml_url_dbid". |
| ml_url_dbid | additional.fields[].value.string_value | Value is directly mapped. |
| monitor_status | additional.fields[].key | Key is set to "monitor_status". |
| monitor_status | additional.fields[].value.string_value | Value is directly mapped. |
| msg | metadata.description | Value is directly mapped. |
| owasp_top10 | additional.fields[].key | Key is set to "owaspTop10". |
| owasp_top10 | additional.fields[].value.string_value | Value is directly mapped. |
| principal_app | principal.application | Value is directly mapped. |
| principal_host | principal.hostname | Value is directly mapped. |
| proto | network.ip_protocol | Value is directly mapped after being uppercased. |
| request | target.url | Value is directly mapped. |
| requestMethod | network.http.method | Value is directly mapped. |
| rt | metadata.event_timestamp.seconds | Parsed as milliseconds since epoch and converted to seconds. |
| security_result.severity | security_result.severity | Derived from severity_level. Mapped to different UDM severity values based on the raw log value. Defaults to UNKNOWN_SEVERITY if no match is found. |
| server_pool_name | additional.fields[].key | Key is set to "server_pool_name". |
| server_pool_name | additional.fields[].value.string_value | Value is directly mapped. |
| service | network.application_protocol | Value is directly mapped after being uppercased. |
| service | target.application | Value is directly mapped after being uppercased if it's not one of HTTPS, HTTP, DNS, DHCP, or SMB. |
| severity | security_result.severity | If severity is empty and cs3Label is "level", the value of cs3 is used. Then mapped to a UDM severity value (LOW, HIGH, etc.). |
| signature_id | security_result.rule_id | Value is directly mapped. |
| signature_subclass | security_result.detection_fields[].key | Key is set to "signature_subclass". |
| signature_subclass | security_result.detection_fields[].value | Value is directly mapped. |
| src | principal.ip | Value is directly mapped. |
| src_country | principal.location.country_or_region | Value is directly mapped. |
| src_ip | principal.ip | Value is directly mapped. |
| src_port | principal.port | Value is directly mapped and converted to integer. |
| srccountry | principal.location.country_or_region | Value is directly mapped. |
| sub_type | additional.fields[].key | Key is set to "subType". |
| sub_type | additional.fields[].value.string_value | Value is directly mapped. |
| subtype | target.resource.resource_subtype | Value is directly mapped. |
| suid | principal.user.userid | Value is directly mapped. |
| threat_level | additional.fields[].key | Key is set to "threatLevel". |
| threat_level | additional.fields[].value.string_value | Value is directly mapped. |
| threat_weight | security_result.detection_fields[].key | Key is set to "threat_weight". |
| threat_weight | security_result.detection_fields[].value | Value is directly mapped. |
| time | metadata.event_timestamp.seconds | Combined with date and parsed to generate epoch seconds. |
| user_id | principal.user.product_object_id | Value is directly mapped. |
| user_name | additional.fields[].key | Key is set to "userName". |
| user_name | additional.fields[].value.string_value | Value is directly mapped. |
| user_name | principal.user.userid | Value is directly mapped. |
| N/A | metadata.event_type | Set to "NETWORK_CONNECTION" if both principal.ip and target.ip are present. Set to "USER_UNCATEGORIZED" if principal.ip and principal.user are present. Set to "STATUS_UPDATE" if only principal.ip is present. Otherwise, set to "GENERIC_EVENT". |
| N/A | metadata.log_type | Hardcoded to "FORTINET_FORTIWEB". |
| N/A | metadata.product_name | Hardcoded to "FORTINET FORTIWEB" or "FortiWEB Cloud" based on the log format. |
| N/A | metadata.vendor_name | Hardcoded to "FORTINET" or "Fortinet" based on the log format. |
| N/A | principal.resource.resource_type | Hardcoded to "DEVICE" if dev_id is present. |
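To make the conditional rows of the table concrete (action normalization, the cs1Label/cs2Label/cs3Label lookups, suid precedence, rt millisecond conversion and the event_type precedence), here is an added Python example that applies that subset of rules to a constructed CEF-style line. It is illustrative code written for this page, not the Google Security Operations parser; the sample line, the values in it and the flat dotted-key output form are assumptions.

```python
import re

# Constructed FortiWeb-style CEF line (pipe-delimited header + key=value extension); not a real capture.
SAMPLE = ("CEF:0|Fortinet|FortiWeb|7.0.0|30000000|Signature Detection|7|"
          "rt=1700000000123 src=203.0.113.10 dst=198.51.100.5 app=https "
          "action=Denied client_level=Malicious cs1=4711 cs1Label=userID "
          "cs2=alice cs2Label=userName cs3=high cs3Label=level")

ALLOW = {"Allow", "accept"}
BLOCK = {"Denied", "deny", "block", "Block"}
APP_PROTOCOLS = {"HTTPS", "HTTP", "DNS", "DHCP", "SMB"}

def parse_cef(line):
    """Return the key=value pairs of the CEF extension (the part after the 7th pipe)."""
    extension = line.split("|", 7)[7]
    return dict(re.findall(r"(\w+)=(\S+)", extension))  # sample has no escaped spaces

def to_udm(f):
    """Apply a subset of the table's rules to one parsed record; keys are UDM paths."""
    udm = {"metadata.log_type": "FORTINET_FORTIWEB"}
    for key, path in (("src", "principal.ip"), ("dst", "target.ip")):
        if key in f:
            udm[path] = f[key]
    if f.get("action") in ALLOW:
        udm["security_result.action_details"] = "ALLOW"
    elif f.get("action") in BLOCK:
        udm["security_result.action_details"] = "BLOCK"
    if f.get("app", "").upper() in APP_PROTOCOLS:       # only the five listed protocols
        udm["network.application_protocol"] = f["app"].upper()
    if f.get("client_level") == "Malicious":
        udm["security_result.category"] = "NETWORK_MALICIOUS"
    if f.get("cs1Label", "").lower() == "userid":
        udm["principal.user.product_object_id"] = f["cs1"]
    if f.get("suid"):                                     # suid takes precedence over cs2
        udm["principal.user.userid"] = f["suid"]
    elif f.get("cs2Label", "").lower() == "username":
        udm["principal.user.userid"] = f["cs2"]
    if f.get("cs3Label") == "level" and f.get("cs3"):
        udm["metadata.severity"] = f["cs3"]
    if "rt" in f:                                         # CEF rt is epoch milliseconds
        udm["metadata.event_timestamp.seconds"] = int(f["rt"]) // 1000
    # event_type precedence from the N/A row of the table
    has_ip = "principal.ip" in udm
    has_user = any(k.startswith("principal.user") for k in udm)
    udm["metadata.event_type"] = ("NETWORK_CONNECTION" if has_ip and "target.ip" in udm
                                  else "USER_UNCATEGORIZED" if has_ip and has_user
                                  else "STATUS_UPDATE" if has_ip else "GENERIC_EVENT")
    return udm
```

Running `to_udm(parse_cef(SAMPLE))` yields BLOCK, HTTPS, NETWORK_MALICIOUS, user 4711/alice, severity "high", epoch 1700000000 and event type NETWORK_CONNECTION; a record with only a source IP falls through to STATUS_UPDATE.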