Help with decoder

RWagner
May 28, 2017, 10:38:16 AM
to ossec-list

Hi Guys!

I'm making a decoder for problems with vpn phase_2 for the fortigate.

Sample log:
date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 devid=FGT60D0000000000 logid=01016745858 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 remport=500 locport=500 outintf="wan2" cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" phase2_name=VPN_XPTO


Decoder parent:
<decoder name="fortigate-firewall-v5">
    <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ </prematch>
    <type>syslog</type>
</decoder>


My decoder:
<decoder name="fortigate-firewall-v5-event-vpn-fields4">
    <parent>fortigate-firewall-v5</parent>
    <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=</regex>
    <order>extra_data,action,dstip,srcip,status</order>
</decoder>

In the image of the test done with logtest, the fields extra_data, action, dstip, srcip, status are not shown.

I wonder what's wrong with my decoder.

RWagner
May 28, 2017, 10:41:24 AM
to ossec-list
Ooops!

Correcting the decoder parent and my decoder:

Decoder parent:
<decoder name="fortigate-firewall-v5">
    <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ </prematch>
    <type>syslog</type>
</decoder>


My decoder:
<decoder name="fortigate-firewall-v5-event-vpn-fields4">
    <parent>fortigate-firewall-v5</parent>
    <prematch offset="after_parent">type=event subtype=vpn level=\S+ vd="\.+" logdesc="\.+" msg=</prematch>
    <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) \.*vpntunnel="(\.*)"</regex>
    <order>extra_data,action,dstip,srcip,status</order>
</decoder>

Jesus Linares
May 29, 2017, 5:48:24 AM
to ossec-list
Hi,

your prematch is wrong:
  • log: [...] vd=root logdesc [...]
  • prematch: [...] vd="\.+" [...]

Try this one:

<!--

date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 devid=FGT60D0000000000 logid=01016745858 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 remport=500 locport=500 outintf="wan2" cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" phase2_name=VPN_XPTO
-->

<decoder name="fortigate-firewall-v5-event-vpn-fields4">
    <parent>fortigate-firewall-v5</parent>
    <prematch offset="after_parent">type=event subtype=vpn level=</prematch>
    <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) \.*vpntunnel="(\.*)"</regex>
    <order>extra_data,action,dstip,srcip,status</order>
</decoder>


**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       extra_data: 'IPsec phase 2 status change'
       action: 'phase2-down'
       dstip: '1.1.1.1'
       srcip: '2.2.2.2'
       status: 'VPN_XPTO'


**Phase 3: Completed filtering (rules).
       Rule id: '81603'
       Level: '0'
       Description: 'Fortigate messages grouped.'


I hope it helps.
Regards.
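
Added example (not part of the thread, and not OSSEC's own code): a small Python translation of the OSSEC regex subset the decoders above use (\S+, \.+, \w+, \d+, \.*), run over the sample log to show why the vd="\.+" prematch never matches vd=root and what the corrected decoder captures. The parent/child flow in decode() is a simplified model of OSSEC's, which is an assumption.

```python
import re

# Constructed copy of the sample log posted in the thread.
SAMPLE_LOG = (
    'date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 devid=FGT60D0000000000 '
    'logid=01016745858 type=event subtype=vpn level=notice vd=root '
    'logdesc="IPsec phase 2 status changed" msg="IPsec phase 2 status change" '
    'action=phase2-down remip=1.1.1.1 locip=2.2.2.2 remport=500 locport=500 '
    'outintf="wan2" cookies="dfaf555664477957/b55566998873c6f9" user="N/A" '
    'group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A '
    'vpntunnel="VPN_XPTO" phase2_name=VPN_XPTO'
)

# OSSEC escape classes and their Python equivalents. In OSSEC syntax a bare '.'
# is a literal dot and '\.' means "any character", the reverse of PCRE.
_CLASS = {r'\S': r'\S', r'\s': r'\s', r'\w': r'\w', r'\W': r'\W',
          r'\d': r'\d', r'\D': r'\D', r'\.': '.'}

def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used in decoders into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _CLASS:          # \S \s \w \W \d \D \.
            out.append(_CLASS[pattern[i:i + 2]]); i += 2
        elif pattern[i] in '()+*^$':            # groups, quantifiers, anchors
            out.append(pattern[i]); i += 1
        else:                                   # anything else is literal
            out.append(re.escape(pattern[i])); i += 1
    return ''.join(out)

def ossec_match(pattern, text):
    """OSSEC prematch/regex are unanchored: a hit anywhere in text counts."""
    return re.search(ossec_to_python(pattern), text)

def decode(log, parent_prematch, child_prematch, regex, order):
    """Simplified model of the parent/child decoder flow (assumption): the parent
    prematch must hit, the child prematch is tried on the text after it
    (offset="after_parent"), then the child regex fills <order> from its groups."""
    parent = ossec_match(parent_prematch, log)
    if not parent or not ossec_match(child_prematch, log[parent.end():]):
        return None                                 # decoder does not apply
    fields = ossec_match(regex, log)
    return dict(zip(order, fields.groups())) if fields else None

PARENT_PREMATCH = r'date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ '
WRONG_PREMATCH = r'type=event subtype=vpn level=\S+ vd="\.+" logdesc="\.+" msg='
FIXED_PREMATCH = r'type=event subtype=vpn level='
REGEX = r'logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) \.*vpntunnel="(\.*)"'
ORDER = ['extra_data', 'action', 'dstip', 'srcip', 'status']
```

decode(SAMPLE_LOG, PARENT_PREMATCH, WRONG_PREMATCH, REGEX, ORDER) returns None, while the same call with FIXED_PREMATCH returns the five fields that the logtest output above shows.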

RWagner
May 29, 2017, 8:51:12 AM
to ossec-list

Hi Jesus, thanks for the help!

I had tested this too, but I did not succeed.
I tried putting vd=\.* and it did not work. I think there was some junk in the file.

I ran update_ruleset.py, I put the rule there and it worked. I do not know what happened.
