Summary
When parsing Fortigate logs, the "time zone" field is not used, so there may be a time discrepancy between the indexed event time and the real one.
Products
ArcSight Standard Connectors
Environment
SmartConnectors 8.4 and below
Situation
When parsing Fortigate logs, the "time zone" field is not used, so there may be a time discrepancy between the indexed event time and the real one.
Consider the two event formats handled by the "fortigate_syslog" parser and the "cef_syslog" parser.
The following lines are from the "syslog.properties" file in the /user/agent folder, assigning one parser to each device:
syslog.subagentdef=
fortigate_host1\:fortigate_syslog,
fortigate_host2\:cef_syslog
Sample from device "fortigate_host1" (see field "tz"):
"<189>date=2023-04-17 time=17:40:26 devname="fw-devicename" devid="FG100xxxx" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1681746028064168644 tz="+0200" srcip=192.xx.xx.xx srcport=10125 srcintf="xxx.xxx" srcintfrole="undefined" dstip=172.20.0.250 dstport=53 dstintf="wanx" dstintfrole="wan" ...TRUNCATED..."
Sample from device "fortigate_host2" (see field "FTNTFGTtz"):
"<189>Apr 17 17:51:45 fortigate_host2 CEF:0|Fortinet|Fortigate|v7.2.4|00013|traffic:forward accept|3|deviceExternalId=FG1xxxxxx FTNTFGTeventtime=1681746705667344390 FTNTFGTtz=+0200 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root src=172.xx.xx.xx spt=50461 deviceInboundInterface=port2 FTNTFGTsrcintfrole=undefined dst=xx.20.0.xx dpt=53 deviceOutboundInterface=port3 FTNTFGTdstintfrole=undefined ...TRUNCATED..."
Cause
The time zone information shown above ("tz" and "FTNTFGTtz") is not recognized in either format, so events from devices in different time zones show a time discrepancy when they arrive at the Logger/ESM dashboard.
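The following is an added example, not code from this article or from the ArcSight connector, showing what the missing step costs: it parses the date/time and the tz field of the key=value format, reproduces the defect by dropping tz, measures the resulting skew, and converts the epoch-nanosecond eventtime fields (which carry no zone) as the reference both formats should agree with. The two sample lines are constructed, shortened from the events quoted above.

```python
"""Added example, not code from the KB article or the ArcSight connector:
normalise Fortigate timestamps to UTC using the tz field the parser ignores."""
import re
from datetime import datetime, timedelta, timezone

# Constructed samples, shortened from the two event formats quoted in the article.
KV_SAMPLE = ('<189>date=2023-04-17 time=17:40:26 devname="fw-devicename" '
             'eventtime=1681746028064168644 tz="+0200" type="traffic"')
CEF_SAMPLE = ('<189>Apr 17 17:51:45 fortigate_host2 CEF:0|Fortinet|Fortigate|v7.2.4|'
              '00013|traffic:forward accept|3|deviceExternalId=FG1xxxxxx '
              'FTNTFGTeventtime=1681746705667344390 FTNTFGTtz=+0200 cat=traffic:forward')


def parse_tz(tz: str) -> timezone:
    """Turn Fortigate's '+0200' / '-0530' style offset into a fixed-offset tzinfo."""
    sign = -1 if tz[0] == "-" else 1
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return timezone(sign * offset)


def kv_timestamp(line: str, ignore_tz: bool = False) -> datetime:
    """Build the UTC event time from date=/time=/tz= of the key=value format.
    ignore_tz=True reproduces the defect: tz is dropped and the device's local
    wall-clock time is taken as if it were already UTC."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    fields = {k: v.strip('"') for k, v in pairs}
    naive = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    tz = timezone.utc if ignore_tz else parse_tz(fields["tz"])
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def tz_skew_seconds(line: str) -> int:
    """Size of the discrepancy caused by dropping tz, in seconds."""
    delta = kv_timestamp(line, ignore_tz=True) - kv_timestamp(line)
    return int(delta.total_seconds())


def epoch_ns_to_utc(line: str) -> datetime:
    """Convert eventtime / FTNTFGTeventtime (epoch nanoseconds) to UTC without
    float rounding. Epoch values carry no zone, so they are the reference the
    date/time fields should agree with once tz is applied."""
    ns = int(re.search(r"eventtime=(\d+)", line).group(1))
    whole = datetime.fromtimestamp(ns // 10**9, tz=timezone.utc)
    return whole + timedelta(microseconds=(ns % 10**9) // 1000)


if __name__ == "__main__":
    print("correct  :", kv_timestamp(KV_SAMPLE), "| eventtime:", epoch_ns_to_utc(KV_SAMPLE))
    print("defective:", kv_timestamp(KV_SAMPLE, ignore_tz=True), "| skew:", tz_skew_seconds(KV_SAMPLE), "s")
    print("CEF eventtime:", epoch_ns_to_utc(CEF_SAMPLE))
```

With tz applied, the key=value date/time lands within two seconds of the device's own eventtime; with tz dropped it is two hours off, which is the discrepancy the dashboard shows.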
Resolution
A fix for this has been confirmed and tested, and will be included in the next parser release.
URL Name
KM000017342