FortiSIEM
RuiChang
Staff
Article Id 310965
Description

 

This article describes how to troubleshoot FortiSIEM custom rules that fail to synchronize ('Sync Errors'), and lists common examples of the backend errors behind them.

 

Scope

 

FortiSIEM.

 

Solution

 

In a FortiSIEM environment, users commonly create custom rules to track incidents in their network. After saving or activating such a rule, however, users may encounter 'Sync Errors', as shown in the example below:

 

(Screenshot: rule list showing the Sync Errors indicator.)

 

The Sync Errors indicator in the GUI does not provide detailed information for further troubleshooting:

 

(Screenshot: Sync Errors detail with no error description.)

 

In this case, check the backend log on the Supervisor for the rule name. Quote the name, since rule names usually contain spaces:

grep "<Rule Name>" /opt/phoenix/log/phoenix.log

The relevant lines are written by the phRuleMaster and phRuleWorker processes with severity PHL_ERROR.

 

Common examples of these errors are given below.

 

  1. Invalid incident definition.

In the backend log, the user should see errors like the following (note the errReason field, which names the attribute that is missing from Group By):

 

2024-02-20T09:50:00.370251+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_SUBPATTERN_INVALID]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleIncident.cpp,[lineNumber]=281,[ruleId]=42844401,[ruleName]=ttest-Traffic to FortiGuard Malware IP List 17/01/2024,[errReason]=srcIpAddr is not a group-by attribute,[phLogDetail]=Invalid rule subpattern FortiGuard

2024-02-20T09:50:00.370265+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_INCIDENT_DEF_INVALID]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleIncident.cpp,[lineNumber]=172,[ruleId]=42844401,[ruleName]=ttest-Traffic to FortiGuard Malware IP List 17/01/2024,[phLogDetail]=Invalid incident definition

 

If this error is found, go to Edit Rule -> Step 2 Define Condition -> edit the SubPattern and make sure Group By is defined and includes the attribute named in errReason (srcIpAddr in the example above).

 

(Screenshot: SubPattern editor with the Group By field.)

 

The Group By attributes selected in Step 2 are the attributes available to the incident definition in Step 3: Define Action. An attribute used in Step 3 that is not in the Group By list of the SubPattern produces the 'is not a group-by attribute' error and makes the incident definition invalid:

 

(Screenshot: Step 3 Define Action using the Group By attributes from Step 2.)

 

 

  2. Failed to parse data request.

 

2024-02-20T11:35:30.002741+08:00 Supervisor phRuleWorker[2757673]: [PH_RULEMOD_DATA_REQUEST_PARSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phRuleWorker,[fileName]=phRuleXmlParser.cpp,[lineNumber]=225,[phCustId]=1,[phLogDetail]=Failed to parse data request ttest-Traffic to FortiGuard Malware IP List 17/01/2024 of type Rule

2024-02-20T11:35:30.198965+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_DATA_REQUEST_PARSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleXmlParser.cpp,[lineNumber]=225,[phCustId]=1,[phLogDetail]=Failed to parse data request ttest-Traffic to FortiGuard Malware IP List 17/01/2024 of type Rule

 

If this error occurs, it is usually caused by the Category and SubCategory configured for the rule. Use the Category values that the FortiSIEM default rules use, since some rule conditions depend on them.

 

(Screenshot: rule Category and SubCategory settings.)
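As an added example (not part of the original article and not FortiSIEM code), the following Python script does the grep step programmatically: it parses phoenix.log lines of the format shown above into structured records, keeps only PHL_ERROR entries for a given rule name, and maps each error code to the remediation this article describes. The three lines in SAMPLE_LOG are constructed from the log lines quoted above; the REMEDIATION table and the triage() and rule_sync_errors() helpers are this example's own names, not FortiSIEM identifiers. It also handles the fact that PH_RULEMOD_DATA_REQUEST_PARSE_FAILED carries no ruleName field, so the rule name is recovered from phLogDetail.

```python
import re

# Constructed sample: the three error lines quoted in this article. On a real
# system read /opt/phoenix/log/phoenix.log from the Supervisor instead.
SAMPLE_LOG = """\
2024-02-20T09:50:00.370251+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_SUBPATTERN_INVALID]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleIncident.cpp,[lineNumber]=281,[ruleId]=42844401,[ruleName]=ttest-Traffic to FortiGuard Malware IP List 17/01/2024,[errReason]=srcIpAddr is not a group-by attribute,[phLogDetail]=Invalid rule subpattern FortiGuard
2024-02-20T09:50:00.370265+08:00 Supervisor phRuleMaster[2757670]: [PH_RULEMOD_INCIDENT_DEF_INVALID]:[eventSeverity]=PHL_ERROR,[procName]=phRuleMaster,[fileName]=phRuleIncident.cpp,[lineNumber]=172,[ruleId]=42844401,[ruleName]=ttest-Traffic to FortiGuard Malware IP List 17/01/2024,[phLogDetail]=Invalid incident definition
2024-02-20T11:35:30.002741+08:00 Supervisor phRuleWorker[2757673]: [PH_RULEMOD_DATA_REQUEST_PARSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phRuleWorker,[fileName]=phRuleXmlParser.cpp,[lineNumber]=225,[phCustId]=1,[phLogDetail]=Failed to parse data request ttest-Traffic to FortiGuard Malware IP List 17/01/2024 of type Rule
"""

# Line header: <timestamp> <host> <process>[<pid>]: [<ERROR_CODE>]:<fields>
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"\[(?P<code>\w+)\]:(?P<fields>.*)$"
)
# Fields are [key]=value pairs. Values may contain spaces, commas and slashes
# (the rule name does), so a value ends only at the next ",[key]=" or at EOL.
FIELD_RE = re.compile(r"\[(?P<key>\w+)\]=(?P<val>.*?)(?=,\[\w+\]=|$)")
# PH_RULEMOD_DATA_REQUEST_PARSE_FAILED has no ruleName field; the name sits
# inside phLogDetail instead.
PARSE_FAILED_RE = re.compile(r"Failed to parse data request (?P<name>.+) of type Rule$")

# Remediation per error code, as recommended in this article (example's own table).
REMEDIATION = {
    "PH_RULEMOD_SUBPATTERN_INVALID":
        "Edit Rule > Step 2 Define Condition > SubPattern: add the attribute named in errReason to Group By",
    "PH_RULEMOD_INCIDENT_DEF_INVALID":
        "Step 3 Define Action uses an attribute that is not a Group By attribute in Step 2; fix the SubPattern first",
    "PH_RULEMOD_DATA_REQUEST_PARSE_FAILED":
        "Check the rule's Category/SubCategory and use the categories of the FortiSIEM default rules",
}


def parse_line(line):
    """Parse one phoenix.log line into a dict, or return None if it is not in this format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "proc", "pid", "code")}
    for f in FIELD_RE.finditer(m.group("fields")):
        rec[f.group("key")] = f.group("val")
    if "ruleName" not in rec:
        d = PARSE_FAILED_RE.search(rec.get("phLogDetail", ""))
        if d:
            rec["ruleName"] = d.group("name")
    return rec


def rule_sync_errors(log_text, rule_name):
    """Structured equivalent of grepping the log for the rule name: PHL_ERROR records for that rule only."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("eventSeverity") != "PHL_ERROR":
            continue
        if rec.get("ruleName") != rule_name:
            continue
        rec["remediation"] = REMEDIATION.get(
            rec["code"], "Unknown error code: export the rule and open a support ticket")
        out.append(rec)
    return out


def triage(log_text, rule_name):
    """Return (sorted distinct error codes, list of concrete errReason values) for a rule."""
    recs = rule_sync_errors(log_text, rule_name)
    codes = sorted({r["code"] for r in recs})
    reasons = [r["errReason"] for r in recs if "errReason" in r]
    return codes, reasons


if __name__ == "__main__":
    name = "ttest-Traffic to FortiGuard Malware IP List 17/01/2024"
    for r in rule_sync_errors(SAMPLE_LOG, name):
        detail = r.get("errReason", r.get("phLogDetail", ""))
        print(f"{r['ts']} {r['proc']}[{r['pid']}] {r['code']}: {detail}")
        print(f"    -> {r['remediation']}")
```

To use it against a live system, replace SAMPLE_LOG with the contents of /opt/phoenix/log/phoenix.log and pass the exact rule name as shown in the GUI; the errReason values returned by triage() are the first thing to fix, since the 'Invalid incident definition' error follows from the invalid SubPattern.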

 

 

If the sync error cannot be resolved with the steps above, export the affected rule and attach it to a ticket with Fortinet support for further troubleshooting.

 

Related link:

https://help.fortinet.com/fsiem/5-1-0/Online-Help/HTML5_Help/Creating-rules.html
