This article describes how to troubleshoot 'Sync Errors' on FortiSIEM customized rules and lists common examples of the underlying backend errors.
FortiSIEM.
In a FortiSIEM environment, users commonly create customized rules to track incidents happening in the network. After a customized rule is saved or activated, however, it may show a 'Sync Errors' status in the GUI, as in the example below:
The 'Sync Errors' status does not provide detailed information for further troubleshooting.
In this case, it is recommended to check the error from the backend by searching the Supervisor's phoenix.log for the rule name:
grep "<Rule Name>" /opt/phoenix/log/phoenix.log
A few common examples are shown below.
In the backend log, the following errors appear:
2024-02-20T09:50:00.370251+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_SUBPATTERN_INVALID]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleIncident.cpp,[lineNumber]=281,[ruleId]=42844401,[ruleName]=ttest-Traffic to FortiGuard Malware IP List 17/01/2024,[errReason]=srcIpAddr is not a group-by attribute,[phLogDetail]=Invalid rule subpattern FortiGuard
2024-02-20T09:50:00.370265+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_INCIDENT_DEF_INVALID]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleIncident.cpp,[lineNumber]=172,[ruleId]=42844401,[ruleName]=ttest-Traffic to FortiGuard Malware IP List 17/01/2024,[phLogDetail]=Invalid incident definition
If the errors above are found, go to Edit Rule -> Step 2: Define Condition -> edit the SubPattern and make sure that 'Group By' is defined and includes the attribute named in errReason (srcIpAddr in this example).
Only the 'Group By' attributes selected in Step 2 can be used for the incident attributes in Step 3: Define Action:
2024-02-20T11:35:30.002741+08:00 Supervisor phRuleWorker[2757673]: [PH_RULEMOD_DATA_REQUEST_PARSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phRuleWorker,[fileName]=phRuleXmlParser.cpp,[lineNumber]=225,[phCustId]=1,[phLogDetail]=Failed to parse data request ttest-Traffic to FortiGuard Malware IP List 17/01/2024 of type Rule
2024-02-20T11:35:30.198965+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_DATA_REQUEST_PARSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleXmlParser.cpp,[lineNumber]=225,[phCustId]=1,[phLogDetail]=Failed to parse data request ttest-Traffic to FortiGuard Malware IP List 17/01/2024 of type Rule
If the errors above occur, the cause is usually the Category and SubCategory configured for the rule. It is recommended to follow the Category and SubCategory values used by the FortiSIEM default rules, as some conditions depend on them.
If the sync error for a rule cannot be resolved, export the rule and attach it to the ticket when contacting Fortinet support for further troubleshooting.
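The backend check described above, as an added example that is not part of the Fortinet article: a small POSIX shell script that greps phoenix.log for the rule name, keeps only the PHL_ERROR entries, extracts the PH_RULEMOD_* code and errReason from each, and maps the code to the remediation step given in this article. The default log path, the sample input (the four log lines quoted in the article plus two constructed filler lines that must be filtered out) and the hint texts are this example's own assumptions, not FortiSIEM output.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: summarise FortiSIEM rule sync
# errors for one customized rule from phoenix.log.
# Assumptions: default log path /opt/phoenix/log/phoenix.log; PH_RULEMOD_* codes
# and field layout as in the log lines quoted in the article. The hint texts are
# this example's paraphrase of the article's remediation, not FortiSIEM output.

PHOENIX_LOG="${PHOENIX_LOG:-/opt/phoenix/log/phoenix.log}"

# rule_sync_errors "<Rule Name>" [logfile]
# Prints one line per matching error: <timestamp> <PH_RULEMOD code> <errReason or ->
# The rule name is matched literally (grep -F), so names containing '/' or '.' are safe.
rule_sync_errors() {
    rule="$1"
    log="${2:-$PHOENIX_LOG}"
    grep -F -- "$rule" "$log" | grep -F '=PHL_ERROR,' |
    while IFS= read -r line; do
        ts=${line%% *}
        code=$(printf '%s\n' "$line" | sed -n 's/.*\[\(PH_RULEMOD_[A-Z_]*\)\].*/\1/p')
        # errReason runs up to the following ",[phLogDetail]=" so commas inside it survive
        reason=$(printf '%s\n' "$line" | sed -n 's/.*\[errReason\]=\(.*\),\[phLogDetail\].*/\1/p')
        if [ -n "$code" ]; then
            printf '%s %s %s\n' "$ts" "$code" "${reason:--}"
        fi
    done
}

# sync_error_hint <PH_RULEMOD code> -> remediation from the article, paraphrased
sync_error_hint() {
    case "$1" in
        PH_RULEMOD_SUBPATTERN_INVALID)
            echo "Step 2 Define Condition: add the attribute named in errReason to the SubPattern's Group By" ;;
        PH_RULEMOD_INCIDENT_DEF_INVALID)
            echo "Step 3 Define Action: incident attributes must come from the Step 2 Group By list" ;;
        PH_RULEMOD_DATA_REQUEST_PARSE_FAILED)
            echo "Check the rule's Category and SubCategory; use the values FortiSIEM default rules use" ;;
        *)
            echo "Unrecognised code: export the rule and attach it to a Fortinet support ticket" ;;
    esac
}

# make_sample_log -> path of a temp file holding constructed sample input:
# the four error lines quoted in the article plus two filler lines that the
# parser must drop (a non-error line and an error for a different rule).
# The two filler lines mimic the format only; they are not real FortiSIEM output.
make_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
2024-02-20T09:49:59.000000+08:00 Supervisor phRuleMaster[2757670]: [CONSTRUCTED_FILLER]:[eventSeverity]=PHL_INFO,[procName]=phRuleMaster,[phLogDetail]=Loading rule ttest-Traffic to FortiGuard Malware IP List 17/01/2024
2024-02-20T09:50:00.370251+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_SUBPATTERN_INVALID]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleIncident.cpp,[lineNumber]=281,[ruleId]=42844401,[ruleName]=ttest-Traffic to FortiGuard Malware IP List 17/01/2024,[errReason]=srcIpAddr is not a group-by attribute,[phLogDetail]=Invalid rule subpattern FortiGuard
2024-02-20T09:50:00.370265+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_INCIDENT_DEF_INVALID]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleIncident.cpp,[lineNumber]=172,[ruleId]=42844401,[ruleName]=ttest-Traffic to FortiGuard Malware IP List 17/01/2024,[phLogDetail]=Invalid incident definition
2024-02-20T09:50:01.000000+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_SUBPATTERN_INVALID]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleIncident.cpp,[lineNumber]=281,[ruleId]=1,[ruleName]=other-rule,[errReason]=destIpAddr is not a group-by attribute,[phLogDetail]=Invalid rule subpattern Other
2024-02-20T11:35:30.002741+08:00 Supervisor phRuleWorker[2757673]: [PH_RULEMOD_DATA_REQUEST_PARSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phRuleWorker,[fileName]=phRuleXmlParser.cpp,[lineNumber]=225,[phCustId]=1,[phLogDetail]=Failed to parse data request ttest-Traffic to FortiGuard Malware IP List 17/01/2024 of type Rule
2024-02-20T11:35:30.198965+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_DATA_REQUEST_PARSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleXmlParser.cpp,[lineNumber]=225,[phCustId]=1,[phLogDetail]=Failed to parse data request ttest-Traffic to FortiGuard Malware IP List 17/01/2024 of type Rule
EOF
    printf '%s\n' "$f"
}

# demo: run the parser over the sample log and print code, reason and hint per error
demo() {
    log=$(make_sample_log) || return 1
    rule_sync_errors "ttest-Traffic to FortiGuard Malware IP List 17/01/2024" "$log" |
    while read -r ts code reason; do
        printf '%s %s\n  reason: %s\n  hint:   %s\n' "$ts" "$code" "$reason" "$(sync_error_hint "$code")"
    done
    rm -f "$log"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh rule_sync_errors.sh --demo` to see the four errors from the article with their hints; on a live Supervisor, call `rule_sync_errors "<Rule Name>"` after sourcing the file. Because the match is on the rule name anywhere in the line, the PARSE_FAILED entries (which carry the name only in phLogDetail, not in a ruleName field) are caught as well. On a busy Supervisor phoenix.log is large and may have been rotated, so narrow the search to the time of the last rule save and check the rotated files if nothing appears.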
Related link:
https://help.fortinet.com/fsiem/5-1-0/Online-Help/HTML5_Help/Creating-rules.html
Copyright 2024 Fortinet, Inc. All Rights Reserved.