Fortigate Add extra patterns


Jüri Schultz

Nov 16, 2012, 5:10:41 AM
to enterprise-log-s...@googlegroups.com
Hi

I tried to add extra patterns to the FortiGate traffic ruleset (fortinet_traffic).
1. The added patterns are:
<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ src_port=@NUMBER:i1:@ src_int=@ESTRING::"" @dst=@IPv4:i2:@ dst_port=@NUMBER:i3:@ dst_int=@ESTRING::"" @SN=@ESTRING:: @status=deny policyid=@ESTRING:: @dst_country=@ESTRING::"" @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sent=@ESTRING:: @rcvd=@ESTRING:: @msg</pattern>

<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@ESTRING::"" @dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@ESTRING::"" @sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::"" @srccountry=@QSTRING::"" @trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt</pattern>

2. If I run a patterndb test I get errors:

Testing message program='kernel' message='date=2012-11-16 time=09:14:28 devname=FWF60C9999999999 devid=FWF60C9999999999 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=1.1.1.1 srcport=43022 srcintf="wan1" dstip=2.2.2.2 dstport=80 dstintf="dmz" sessionid=3786483 status=close policyid=9 dstcountry="Estonia" srccountry="United States" trandisp=dnat tranip=3.3.3.3 tranport=80 service=HTTP proto=6 duration=158 sentbyte=7286 rcvdbyte=169314 sentpkt=110 rcvdpkt=122'
 Wrong match name='.classifier.rule_id', value='', expected='22'
 Wrong match name='i0', value='', expected='1.1.1.1'
 Wrong match name='i1', value='', expected='43022'
 Wrong match name='i2', value='', expected='2.2.2.2'
 Wrong match name='i3', value='', expected='80'
 Wrong match name='i4', value='', expected='6'
 Wrong match name='i5', value='', expected='158'

Testing message program='kernel' message='date=2012-11-15 time=22:04:05 devname=FGT30B9999999999 device_id=FGT30B9999999999 log_id=0038000007 type=traffic subtype=other pri=warning vd=root src=1.1.1.1 src_port=137 src_int="internal" dst=2.2.2.2 dst_port=137 dst_int="root" SN=1592474 status=deny policyid=0 dst_country="Reserved" service=137/udp proto=17 duration=0 sent=0 rcvd=0 msg="iprope_in_check() check failed, drop"'
 Wrong match name='.classifier.rule_id', value='', expected='22'
 Wrong match name='i0', value='', expected='1.1.1.1'
 Wrong match name='i1', value='', expected='137'
 Wrong match name='i2', value='', expected='2.2.2.2'
 Wrong match name='i3', value='', expected='137'
 Wrong match name='i4', value='', expected='17'
 Wrong match name='i5', value='', expected='0'

Can anyone point out what is wrong with my patterns?
The first pattern should match the FGT30B9999999999 log and the second pattern the FWF60C9999999999 log.

Thanks

Martin Holste

Nov 16, 2012, 11:42:05 AM
to enterprise-log-s...@googlegroups.com
Your QSTRINGs were a bit off. You want to say capture between the double quotes, and the following space won't count, so the pattern needs to be this:

<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt</pattern>

I'll include the traffic pattern, but I don't have a URL pattern to test your first pattern with.  If you get the URL pattern working like the traffic pattern, I'll include it as well.

Thanks,

Martin
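
To see why the first pattern fails and the corrected one matches, here is a toy re-implementation (an added example, not code from ELSA or syslog-ng) of the four patterndb parsers these rules use. It runs the broken and the fixed pattern over the test message from the first post and reports the exact token at which the broken one stops, which pdbtool only shows as a row of empty captures. Two simplifications are assumptions of the toy: @IPv4@ and @NUMBER@ accept only a dotted quad and decimal digits, and a pattern counts as matched once it is fully consumed even if message text remains, which is how the patterns later in this thread that are cut off after the last captured field behave.

```python
"""Toy matcher for the four syslog-ng patterndb parsers the Fortinet rules use.
Added example, not ELSA or syslog-ng code.  ESTRING captures up to its delimiter
and consumes it (no delimiter: rest of message); QSTRING requires the opening
quote, captures up to the closing quote and consumes both, leaving the space after
it to the following literal; IPv4/NUMBER are simplified (dotted quad / digits).
A pattern counts as matched once fully consumed, even if message text remains
(assumption of this toy; it is how the truncated patterns later in this thread work).
"""
import re

# @PARSER@, @PARSER:name@ or @PARSER:name:param@ ; name and param may be empty
PARSER_RE = re.compile(r'@([A-Za-z0-9]+)(?::([A-Za-z0-9_]*))?(?::([^@]*))?@')


def tokenize(pattern):
    """Split a pattern into ('literal', text) and ('parser', kind, name, param) tokens."""
    tokens, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(('literal', pattern[pos:m.start()]))
        tokens.append(('parser', m.group(1), m.group(2) or '', m.group(3) or ''))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(('literal', pattern[pos:]))
    return tokens


def apply_parser(kind, param, msg, pos):
    """Run one parser at msg[pos:]; return (value, new_pos) or None if it does not match."""
    rest = msg[pos:]
    if kind == 'ESTRING':
        if param == '':
            return rest, len(msg)
        idx = rest.find(param)
        return None if idx < 0 else (rest[:idx], pos + idx + len(param))
    if kind == 'QSTRING':
        open_q = param[0] if param else '"'
        close_q = param[1] if len(param) > 1 else open_q
        if not rest.startswith(open_q):
            return None
        idx = rest.find(close_q, 1)
        return None if idx < 0 else (rest[1:idx], pos + idx + 1)
    if kind == 'NUMBER':
        m = re.match(r'\d+', rest)
        return None if m is None else (m.group(0), pos + m.end())
    if kind == 'IPv4':
        m = re.match(r'\d{1,3}(?:\.\d{1,3}){3}', rest)
        if m is None or any(int(o) > 255 for o in m.group(0).split('.')):
            return None
        return m.group(0), pos + m.end()
    raise ValueError('parser not implemented in this toy: ' + kind)


def walk(pattern, msg):
    """Return (captured, failed_token, pos): failed_token is None on success,
    otherwise the literal or parser token that did not match at offset pos."""
    pos, captured = 0, {}
    for tok in tokenize(pattern):
        if tok[0] == 'literal':
            if not msg.startswith(tok[1], pos):
                return captured, tok, pos
            pos += len(tok[1])
        else:
            res = apply_parser(tok[1], tok[3], msg, pos)
            if res is None:
                return captured, tok, pos
            value, pos = res
            if tok[2]:
                captured[tok[2]] = value
    return captured, None, pos


def match(pattern, msg):
    """Named captures as a dict, or None when the pattern does not match."""
    captured, failed, _ = walk(pattern, msg)
    return None if failed else captured


# Test message from the first post (device IDs and addresses are dummies).
SAMPLE = ('date=2012-11-16 time=09:14:28 devname=FWF60C9999999999 devid=FWF60C9999999999 logid=0000000013 '
          'type=traffic subtype=forward level=notice vd=root srcip=1.1.1.1 srcport=43022 srcintf="wan1" '
          'dstip=2.2.2.2 dstport=80 dstintf="dmz" sessionid=3786483 status=close policyid=9 dstcountry="Estonia" '
          'srccountry="United States" trandisp=dnat tranip=3.3.3.3 tranport=80 service=HTTP proto=6 '
          'duration=158 sentbyte=7286 rcvdbyte=169314 sentpkt=110 rcvdpkt=122')
HEAD = ('date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic '
        'subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ ')
REST = ('trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ '
        'duration=@NUMBER:i5:@')
# First post: '"" ' is a three-character ESTRING delimiter that never occurs in '"wan1" dstip='.
BROKEN = HEAD + ('srcintf=@ESTRING::"" @dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@ESTRING::"" @sessionid=@ESTRING:: @'
                 'status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::"" @srccountry=@QSTRING::"" @') + REST
# Reply: QSTRING eats the quotes, so the literal that follows starts with the space.
MID_FIXED = ('srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @'
             'status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ ')
FIXED = HEAD + MID_FIXED + REST + ' sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt'
TRUNCATED = HEAD + MID_FIXED + REST  # stops after the last capture; still matches

if __name__ == '__main__':
    for label, pat in (('broken', BROKEN), ('fixed', FIXED), ('truncated', TRUNCATED)):
        captured, failed, pos = walk(pat, SAMPLE)
        print(label, captured if failed is None else 'stops at %r before %r' % (failed, SAMPLE[pos:pos + 16]))
```

Running it shows the broken pattern stopping at the ESTRING token in front of "wan1", while the fixed and the truncated pattern both return i0 through i5. The walk() helper is the part worth keeping when writing new rules: it tells you which token broke, not just that the captures came back empty.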

Jüri Schultz

Nov 17, 2012, 1:58:18 PM
to enterprise-log-s...@googlegroups.com
Hi, the new pattern is working fine.
Now the problem is with the incoming log format: it doesn't contain the PROGRAM part. When I redirect syslog to a file I see

Nov 17 20:32:13 3.3.3.3 date=2012-11-17 time=20:32:01 devname=FWF60C3G11000166 devid=FWF60C3G11000166 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=80.235.52.148 srcport=59252 srcintf="wan1" dstip=1.1.1.1 dstport=80 dstintf="dmz" sessionid=4218053 status=close policyid=9 dstcountry="Estonia" srccountry="Estonia" trandisp=dnat tranip=2.2.2.2 tranport=80 service=HTTP proto=6 duration=120 sentbyte=498 rcvdbyte=1762 sentpkt=7 rcvdpkt=5

All messages are classified as Class 1 and no parsing is happening.
I also checked the database table; all messages are in the database starting from the "time=" part.

I'm not very familiar with syslog-ng, but it seems that I need to rewrite the incoming log.
Any help is appreciated.

Thanks
Jüri

Martin Holste

Nov 17, 2012, 3:07:56 PM
to enterprise-log-s...@googlegroups.com
Looks like Fortinet is omitting the program name and so syslog-ng is interpreting the first term in the message (date) as the program.  I looked through their docs and didn't see config related to program, just facility, so I'm not sure exactly what to tell you.  Since previous messages used the "kernel" program, I'm assuming that there is a config somewhere that makes sure it uses this.  Did you set the logging destination on the Fortinet appliance to be syslog specifically?  I see there are many different kinds of devices you can have it send logs to, and if it's not specifically configured to use syslog, that's probably the cause.

There is a workaround if you can't get the Fortinet to send properly formatted messages:  You can copy the current ruleset for Fortinet and change the program from "kernel" to "date" and then strip off the "date=@ESTRING:: @" from the start of the pattern. 

Please let me know what you come up with.

--Martin

Jüri Schultz

Nov 17, 2012, 4:13:59 PM
to enterprise-log-s...@googlegroups.com
Thanks for the hint. For FortiGate you have to set the "facility". Right now I have set it to facility=kernel and parsing started to work.
I found out that FortiGate sends different types of traffic logs; I will create patterns for them and send them to you as well.

Thanks
Jüri

Martin Holste

Nov 17, 2012, 4:23:34 PM
to enterprise-log-s...@googlegroups.com
Great!  We've got one there for URL, but it may be different than what yours is sending.  Please send me what you come up with so I can include another in the standard ELSA file.

William Söderberg

Jan 25, 2013, 11:13:42 AM
to enterprise-log-s...@googlegroups.com
Has this been included in the latest release? I've got a FortiGate 300B; I've set the facility to kernel, and it still doesn't parse.

Martin Holste

Jan 25, 2013, 2:55:14 PM
to enterprise-log-s...@googlegroups.com
No, I never added these since I wasn't sure these were the final version.  Juri, are the patterns that you submitted in the previous emails working for you (should I add these to the official set)?

Jüri-Kaur Schultz

Jan 28, 2013, 5:02:55 AM
to enterprise-log-s...@googlegroups.com
These are the traffic patterns I use on my FWF60B. Unfortunately I haven't had a chance to update the URL pattern; I don't use that functionality on my firewall.

<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @subtype=@ESTRING:: @type=traffic pri=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4@ app_type=@ESTRING:: @duration=@NUMBER:i5@ rule=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @sent=@ESTRING:: @rcvd=@ESTRING:: @shaper_drop_sent=@ESTRING:: @shaper_drop_rcvd=@ESTRING:: @perip_drop=@ESTRING:: @sent_pkt=@ESTRING:: @rcvd_pkt=@ESTRING:: @src_int=@ESTRING:: @dst_int=@ESTRING:: @SN=@ESTRING:: @app=@ESTRING:: @app_cat=@ESTRING:: @carrier_ep=@ESTRING:: @vpn=@ESTRING:: @status=@ESTRING:: @user=@ESTRING:: @group=@ESTRING:: @shaper_sent_name=@ESTRING:: @shaper_rcvd_name=@ESTRING:: @perip_name</pattern>
<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @transip=@ESTRING:: @transport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt</pattern>

<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt</pattern>
<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ src_port=@NUMBER:i1:@ src_int=@QSTRING::""@ dst=@IPv4:i2:@ dst_port=@NUMBER:i3:@ dst_int=@QSTRING::""@ SN=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dst_country=@QSTRING::""@ src_country=@QSTRING::""@ service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sent=@ESTRING:: @rcvd=@ESTRING:: @msg</pattern>

So far so good.

Jüri

William Söderberg

Jan 28, 2013, 5:49:28 AM
to enterprise-log-s...@googlegroups.com
So, I'll just edit the patterndb.xml file and it just works? :)


--
Med vänliga hälsningar / Kind regards,
William

Jüri-Kaur Schultz

Jan 28, 2013, 6:00:26 AM
to enterprise-log-s...@googlegroups.com
Yep, it should work for the traffic log.

I haven't had any time to parse FG event messages, like system status and user login/logout.
Hopefully I'll get the system messages parsed as well.
I will let you know.

Jüri


--
You received this message because you are subscribed to the Google Groups "enterprise-log-search-and-archive" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise-log-search-...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Martin Holste

Jan 28, 2013, 12:43:10 PM
to enterprise-log-s...@googlegroups.com
Great, thanks.  I've added these to the official set, so you should be able to use the stock patterndb.xml now.

William Söderberg

Jan 29, 2013, 5:14:17 PM
to enterprise-log-s...@googlegroups.com
Hmm. None of those patterns worked for me. I had to write my own:

<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@ rule=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @sent=@ESTRING:: @rcvd=@ESTRING:: @shaper_drop_sent=@ESTRING:: @shaper_drop_rcvd=@ESTRING:: @perip_drop=@ESTRING:: @shaper_sent_name=@QSTRING::""@ shaper_rcvd_name=@QSTRING::""@ perip_name=@QSTRING::""@ sent_pkt=@ESTRING:: @rcvd_pkt=@ESTRING:: @vpn=@QSTRING::""@ src_int=@QSTRING::""@ dst_int=@QSTRING::""@ SN=@ESTRING:: @app=@QSTRING::""@ app_cat=@QSTRING::""@ user=@QSTRING::""@ group=@QSTRING::""@ carrier_ep=@QSTRING::""@</pattern>

The test message works fine when I run it through pdbtool with the test/match commands. However, when I add it to ELSA's syslog-ng patterndb.xml, nothing seems to happen. I've added it under the fortinet_traffic ruleset. I've told the firewall to send it with "kernel" as the program, so the program pattern matches. I've restarted syslog-ng (don't know if that is necessary); it says:

# service syslog-ng start
Starting syslog-ng
Duplicate key in radix tree; key='perip_name', value='22'
Duplicate key in radix tree; key='rcvdpkt', value='22'

I removed Juri's patterns, and then syslog-ng restarted without a problem. Then the node stopped receiving logs from my FortiGate instead. /data/elsa/log/node.log says:

 ERROR [2013/01/29 23:16:19] /usr/local/elsa/node/elsa.pl (251) main::_process_batch 5188 Unable to parse valid class id from log line 1359497779 [ .. omit ]

I haven't touched the class id in the patterndb.xml file. :)

William Söderberg

Jan 29, 2013, 5:23:15 PM
to enterprise-log-s...@googlegroups.com
Does the database need some modifications regarding to i0,i1 etc?

Martin Holste

Jan 29, 2013, 6:46:25 PM
to enterprise-log-s...@googlegroups.com
Ok, I added your parser.  You should be able to replace your current patterndb.xml with the one found in the project's SVN repository (you don't need to reload syslog-ng, it automatically picks up the change).  If you look at the pattern, you'll see that I commented out the full version you provided because you don't need to parse after you've stopped capturing fields (it just adds more CPU time), so I truncated the pattern after duration was captured.  You shouldn't need to change any database settings.  Please try this new pattern file out and let me know if it works for you.



William Söderberg

Jan 30, 2013, 1:58:21 PM
to enterprise-log-s...@googlegroups.com
Ok. Thanks, but it still doesn't work though.

My node.log is full of entries such as these:
* ERROR [2013/01/30 19:50:45] /usr/local/elsa/node/elsa.pl (251) main::_process_batch 30420 Unable to parse valid class id from log line 1359571845     192.168.0.1    kernel  22      date=2013-01-30 time=19:11:16 devname=fortigate device_id=FG300B0000000000 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd="root" dir_disp=org tran_disp=noop src=10.0.0.1 srcname=10.0.0.1 src_port=0 dst=10.0.2.1 dstname=10.0.2.1 dst_port=0 tran_ip=N/A tran_port=0 service=8/icmp proto=1 app_type=N/A duration=60 rule=6 policyid=6 identidx=0 sent=480 rcvd=480 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" sent_pkt=5 rcvd_pkt=5 vpn="N/A" src_int="int0" dst_int="int1" SN=000000001 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"     10.0.0.1   0       10.0.2.1     0       1       60                           .  Only parsed into:
$VAR1 = [
          '1359571845',
          '192.168.0.1',
          'kernel',
          '22',
          'date=2013-01-30 time=19:11:16 devname=fortigate device_id=FG300B0000000000 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd="root" dir_disp=org tran_disp=noop src=10.0.0.1 srcname=10.0.0.1 src_port=0 dst=10.0.2.1 dstname=10.0.2.1 dst_port=0 tran_ip=N/A tran_port=0 service=8/icmp proto=1 app_type=N/A duration=60 rule=6 policyid=6 identidx=0 sent=480 rcvd=480 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" sent_pkt=5 rcvd_pkt=5 vpn="N/A" src_int="int0" dst_int="int1" SN=000000001 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"',
          '10.0.0.1',
          '0',
          '10.0.2.1',
          '0',
          '1',
          '60'
        ];

Note that the above message is obfuscated with dummy values.

# pdbtool match -p patterndb.xml -P kernel -M 'date=2013-01-30 time=19:11:16 devname=fortigate device_id=FG300B0000000000 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd="root" dir_disp=org tran_disp=noop src=10.0.0.1 srcname=10.0.0.1 src_port=0 dst=10.0.2.1 dstname=10.0.2.1 dst_port=0 tran_ip=N/A tran_port=0 service=8/icmp proto=1 app_type=N/A duration=60 rule=6 policyid=6 identidx=0 sent=480 rcvd=480 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" sent_pkt=5 rcvd_pkt=5 vpn="N/A" src_int="int0" dst_int="int1" SN=000000001 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"'
MESSAGE=date=2013-01-30 time=19:11:16 devname=fortigate device_id=FG300B0000000000 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd="root" dir_disp=org tran_disp=noop src=10.0.0.1 srcname=10.0.0.1 src_port=0 dst=10.0.2.1 dstname=10.0.2.1 dst_port=0 tran_ip=N/A tran_port=0 service=8/icmp proto=1 app_type=N/A duration=60 rule=6 policyid=6 identidx=0 sent=480 rcvd=480 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" sent_pkt=5 rcvd_pkt=5 vpn="N/A" src_int="int0" dst_int="int1" SN=000000001 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
PROGRAM=kernel
.classifier.class=13
.classifier.rule_id=13
i0=10.0.0.1
i1=0
i2=10.0.2.1
i3=0
i4=1
i5=60

# pdbtool test --validate patterndb.xml
patterndb.xml validates
Testing message program='kernel' message='date=2013-01-30 time=19:11:16 devname=fortigate device_id=FG300B0000000000 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd="root" dir_disp=org tran_disp=noop src=10.0.0.1 srcname=10.0.0.1 src_port=0 dst=10.0.2.1 dstname=10.0.2.1 dst_port=0 tran_ip=N/A tran_port=0 service=8/icmp proto=1 app_type=N/A duration=60 rule=6 policyid=6 identidx=0 sent=480 rcvd=480 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" sent_pkt=5 rcvd_pkt=5 vpn="N/A" src_int="int0" dst_int="int1" SN=000000001 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"'

Martin Holste

Jan 30, 2013, 3:18:06 PM
to enterprise-log-s...@googlegroups.com
The parsing is working, but you don't have the class_id available to the node. In /usr/local/elsa/node/conf/schema.sql, near the top of the file, you'll see the entry for inserting class 22, which is "FORTINET_TRAFFIC", but it's commented out. You need to run that plus the inserts below it which contain "FORTINET_TRAFFIC" so the database knows about Fortinet logs.



William Söderberg

Jan 30, 2013, 4:04:15 PM
to enterprise-log-s...@googlegroups.com
Awesome! It seems to be working now. There's only one thing left before I'm 100% satisfied: the srcip and dstip values get mangled somehow. Let's say the destination IP is 10.254.20.2 in the message; the value becomes 0.0.40.14 after the parser has done its job. Any ideas?

William Söderberg

Jan 30, 2013, 4:12:38 PM
to enterprise-log-s...@googlegroups.com
Nevermind. It fixed itself somehow. :)

Thank you so much for your help.


William Söderberg

Jan 30, 2013, 4:17:12 PM
to enterprise-log-s...@googlegroups.com
Here's another pattern you can add. I noticed my FG sent two types of logs:

<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@</pattern>



Martin Holste

Jan 30, 2013, 5:04:51 PM
to enterprise-log-s...@googlegroups.com
Included, thanks!

manish...@kapstonellc.com

Feb 1, 2018, 8:19:42 AM
to enterprise-log-search-and-archive
Hey guys,

Currently I am working on an Apache Metron project. I need to parse the Fortinet traffic log. I already have the log below:

Oct 26 13:34:52 gateway date=2017-10-26 time=10:34:53 devname=FortiGate-VM64 devid=FGVMEV0000000000 logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=192.168.145.30 srcport=18387 srcintf="root" dstip=192.168.145.10 dstport=601 dstintf="port2" sessionid=2279302 proto=6 action="server-rst" policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp="noop" service="tcp/601" app="tcp/601" duration=4 sentbyte=60 rcvdbyte=40 sentpkt=1 rcvdpkt=1 appcat="unscanned" dstdevtype="Linux PC" dstosname="Linux" dstosversion="(x64)" masterdstmac="08:00:27:4a:1a:ff" dstmac="08:00:27:4a:1a:ff" dstserver=0


and I also have this regex pattern:


(?:.*)\s(\S+)\sdate=(\d{4})-(\d{2})-(\d{2})\stime=(\d{2}):(\d{2}):(\d{2})\sdevname=(\S+)\sdevid=(\S+)\slogid="\d{4}(\d+)"\stype="(\S+)"\ssubtype="(\S+)"\s(.*)

Now I have no idea how to make the pattern and how to add the topology on the Storm UI side. Does anyone have an idea how to make the pattern? Please help me with how to make the pattern and how to add a new telemetry data source in Apache Metron.
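
Three generations of the FortiGate traffic record appear in this thread: the underscore names (src, src_port, status) of the FG300B, the newer names (srcip, srcport, status) of the FWF60C, and the 2017 format above with quoted values and action in place of status. On top of that, the messages sometimes arrive without a program name, which is what broke classification earlier in the thread. The Python below is an added example, not ELSA, syslog-ng or Metron code, that handles all three in one place: it splits the BSD syslog header, reports a missing program name, parses key=value pairs whose values may be quoted and contain spaces, and maps the three naming schemes onto one schema while type-checking the fields the ELSA rules capture as IPv4/NUMBER. The sample lines are constructed from the thread's own examples with dummy addresses; the "kernel: " prefix on the second one is an assumption about how a message with the program name set arrives on the wire.

```python
"""Normaliser for FortiGate traffic records across the field-name generations in this thread.
Added example, not ELSA, syslog-ng or Metron code.  It splits the BSD syslog header and
flags a body that starts with 'date=' (no program name, the case that broke classification
above), parses key=value pairs whose values may be double-quoted and contain spaces, and
maps the underscore names (src/src_port/status), the newer names (srcip/srcport/status) and
the 2017 format (srcip/srcport/action, quoted values) onto one schema, type-checking the
fields the ELSA rules capture as IPv4/NUMBER.  Samples are constructed from the thread's
examples with dummy addresses; the 'kernel: ' prefix on the second is an assumed wire format.
"""
import ipaddress
import re

HEADER_RE = re.compile(r'^(?:<\d{1,3}>)?([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$')
PROGRAM_RE = re.compile(r'^([^\s:=\[]+)(?:\[\d+\])?: (.*)$')   # 'prog: ' or 'prog[pid]: '
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')                    # quoted value or bare token

# canonical key -> names used by the different FortiOS log formats, first hit wins
ALIASES = {
    'devid': ('devid', 'device_id'), 'logid': ('logid', 'log_id'),
    'type': ('type',), 'subtype': ('subtype',), 'action': ('action', 'status'),
    'src': ('srcip', 'src'), 'srcport': ('srcport', 'src_port'),
    'dst': ('dstip', 'dst'), 'dstport': ('dstport', 'dst_port'),
    'proto': ('proto',), 'duration': ('duration',), 'policyid': ('policyid',),
    'service': ('service',),
}
INT_FIELDS = ('srcport', 'dstport', 'proto', 'duration', 'policyid')
IP_FIELDS = ('src', 'dst')


def split_syslog(line):
    """(timestamp, host, program, message); program is None when the body begins
    with a key=value pair instead of a program name."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError('not a BSD syslog line: %r' % line[:40])
    ts, host, body = m.groups()
    pm = PROGRAM_RE.match(body)
    return (ts, host, None, body) if pm is None else (ts, host, pm.group(1), pm.group(2))


def parse_kv(message):
    """key=value pairs; quoted values keep inner spaces and lose their quotes."""
    fields = {}
    for m in KV_RE.finditer(message):
        fields[m.group(1)] = m.group(2) if m.group(3) is None else m.group(3)
    return fields


def normalize(fields):
    """Map any of the naming schemes onto the canonical keys and type-check them."""
    out = {}
    for canon, names in ALIASES.items():
        for name in names:
            if name in fields:
                out[canon] = fields[name]
                break
    for key in INT_FIELDS:
        if key in out:
            out[key] = int(out[key])                             # ValueError on junk
    for key in IP_FIELDS:
        if key in out:
            out[key] = str(ipaddress.IPv4Address(out[key]))     # AddressValueError on 'N/A'
    return out


def process_line(line):
    ts, host, program, message = split_syslog(line)
    raw = parse_kv(message)
    return {'ts': ts, 'host': host, 'program': program, 'fields': normalize(raw), 'raw': raw}


SAMPLES = [  # constructed from the thread's examples, dummy addresses and device IDs
    # newer names, no program name: the relay sees 'date=...' first (the problem above)
    'Nov 17 20:32:13 3.3.3.3 date=2012-11-17 time=20:32:01 devname=FWF60C devid=FWF60C9999999999 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=1.1.1.1 srcport=59252 '
    'srcintf="wan1" dstip=1.1.1.2 dstport=80 dstintf="dmz" sessionid=4218053 status=close policyid=9 '
    'dstcountry="Estonia" srccountry="United States" trandisp=dnat tranip=2.2.2.2 tranport=80 '
    'service=HTTP proto=6 duration=120 sentbyte=498 rcvdbyte=1762 sentpkt=7 rcvdpkt=5',
    # underscore names with a program name (assumed to arrive as 'kernel: ')
    'Jan 30 19:11:16 192.168.0.1 kernel: date=2013-01-30 time=19:11:16 devname=fortigate '
    'device_id=FG300B0000000000 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept '
    'vd="root" src=10.0.0.1 srcname=10.0.0.1 src_port=0 dst=10.0.2.1 dstname=10.0.2.1 dst_port=0 '
    'tran_ip=N/A tran_port=0 service=8/icmp proto=1 app_type=N/A duration=60 rule=6 policyid=6 '
    'sent=480 rcvd=480 shaper_sent_name="N/A" vpn="N/A" src_int="int0" dst_int="int1" app="N/A"',
    # 2017 format: quoted values, action= instead of status=, again no program name
    'Oct 26 13:34:52 gateway date=2017-10-26 time=10:34:53 devname=FortiGate-VM64 devid=FGVMEV0000000000 '
    'logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=192.168.145.30 '
    'srcport=18387 srcintf="root" dstip=192.168.145.10 dstport=601 dstintf="port2" sessionid=2279302 '
    'proto=6 action="server-rst" policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp="noop" '
    'service="tcp/601" app="tcp/601" duration=4 sentbyte=60 rcvdbyte=40 sentpkt=1 rcvdpkt=1 '
    'appcat="unscanned" dstdevtype="Linux PC" dstosname="Linux" dstmac="08:00:27:4a:1a:ff" dstserver=0',
]

if __name__ == '__main__':
    for line in SAMPLES:
        rec = process_line(line)
        note = '' if rec['program'] else '(no program name: check the facility/program setting on the appliance)'
        print(rec['program'], rec['fields'], note)
```

The point of the alias table is that the i0 to i5 fields ELSA captures (source, source port, destination, destination port, protocol, duration) come out under the same keys whichever firmware generation produced the line; the int() and IPv4Address() conversions reject a record whose field names matched but whose values are not what the pattern assumes, the same guarantee @NUMBER@ and @IPv4@ give inside patterndb.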
