Working Parser for Fortigate Logs

1,997 views
Skip to first unread message

Peter Keenan

unread,
Dec 31, 2017, 3:44:44 PM12/31/17
to security-onion
I modified the standard parser and added some instructions about how to get the logs into logstash and how to send the from the fortigate in CSV format which is easier to parse. Apologies if this is beyond securityonion purpose but it makes for some nice blended dashboards, enrichment, and hunting data

would love feedback if anyone has improvement suggestions

# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: jus...@hasecuritysolution.com
# Last Update: 12/9/2016
# Updated by Peter Keenan, pe...@keenan.net
# updated 12/29/2017
# add the below lines to the fortigate
# config log syslogd setting
# set status enable
# set server "IP.OF.SECURITY.ONION"
# set port 6054
# set facility kernel
# set source-ip "IP.OF.FIREWALL.X"
# set format csv
# end
# add the below to the so-elasatic-start-logstash to open the port
# --publish 0.0.0.0:6054:6054/udp \
# Run run: "sudo ufw allow 6054 IP.OF.FIREWALL.X" from the logstash server
input {
syslog {
type => "fortigate"
port => 6054
}
}

filter {
if [type] == "fortigate" {
grok {
match => [ 'message', '<%{POSINT:ruleID}>%{GREEDYDATA:fgtlogmsg}' ]
}
kv {
source => "fgtlogmsg"
field_split => ","
exclude_keys => [ "type" ]
}
mutate {
add_tag => [ "fortigate" ]
add_tag => [ "firewall" ]
add_field => { "fgtdatetime" => "%{date} %{time}" }
}
date {
match => [ "fgtdatetime", "YYYY-MM-dd HH:mm:ss" ]
timezone => "America/New_York"
}
geoip {
source => "dstip"
target => "geoip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
geoip {
source => "srcip"
target => "geoip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
mutate {
rename => { "action" => "action" }
rename => { "addr" => "addr_ip" }
rename => { "age" => "age" }
rename => { "assigned" => "assigned_ip" }
rename => { "assignip" => "assign_ip" }
rename => { "ap" => "access_point" }
rename => { "app" => "application" }
rename => { "appcat" => "application_category" }
rename => { "applist" => "application_list" }
rename => { "apprisk" => "application_risk" }
rename => { "approfile" => "accessPoint_profile" }
rename => { "apscan" => "access_point_scan" }
rename => { "apstatus" => "acces_point_status" }
rename => { "aptype" => "access_point_type" }
rename => { "authproto" => "authentication_protocol" }
rename => { "bandwidth" => "bandwidth" }
rename => { "banned_src" => "banned_source" }
rename => { "cat" => "category" }
rename => { "catdesc" => "category_description" }
rename => { "cfgattr" => "configuration_attribute" }
rename => { "cfgobj" => "configuration_object" }
rename => { "cfgpath" => "configuration_path" }
rename => { "cfgtid" => "configuration_transaction_id" }
rename => { "channel" => "channel" }
rename => { "community" => "community" }
rename => { "cookies" => "cookies" }
rename => { "craction" => "cr_action" }
rename => { "crlevel" => "cr_level" }
rename => { "crscore" => "cr_score" }
rename => { "datarange" => "data_range" }
rename => { "desc" => "description" }
rename => { "detectionmethod" => "detection_method" }
rename => { "devid" => "device_id" }
rename => { "devname" => "device_name" }
rename => { "devtype" => "device_type" }
rename => { "dhcp_msg" => "dhcp_message" }
rename => { "disklograte" => "disk_lograte" }
rename => { "dstcountry" => "destination_country" }
rename => { "dstintf" => "destination_interface" }
rename => { "dstip" => "destination_ip" }
rename => { "dstport" => "destination_port" }
rename => { "duration" => "elapsed_time" }
rename => { "error_num" => "error_number" }
rename => { "espauth" => "esp_authentication" }
rename => { "esptransform" => "esp_transform" }
rename => { "eventid" => "event_id" }
rename => { "eventtype" => "event_type" }
rename => { "fazlograte" => "faz_lograte" }
rename => { "filename" => "file_name" }
rename => { "filesize" => "file_size" }
rename => { "filetype" => "file_type" }
rename => { "hostname" => "hostname" }
rename => { "ip" => "source_ip" }
rename => { "localip" => "source_ip" }
rename => { "locip" => "local_ip" }
rename => { "locport" => "source_port" }
rename => { "logid" => "log_id" }
rename => { "logver" => "log_version" }
rename => { "manuf" => "manufacturer" }
rename => { "mem" => "memory" }
rename => { "meshmode" => "mesh_mode" }
rename => { "msg" => "message" }
rename => { "nextstat" => "next_stat" }
rename => { "onwire" => "on_wire" }
rename => { "osname" => "os_name" }
rename => { "osversion" => "os_version" }
rename => { "outintf" => "outbound_interface" }
rename => { "peer_notif" => "peer_notification" }
rename => { "phase2_name" => "phase2_name" }
rename => { "policyid" => "policy_id" }
rename => { "policytype" => "policy_type" }
rename => { "port" => "port" }
rename => { "probeproto" => "probe_protocol" }
rename => { "proto" => "protocol_number" }
rename => { "radioband" => "radio_band" }
rename => { "radioidclosest" => "radio_id_closest" }
rename => { "radioiddetected" => "radio_id_detected" }
rename => { "rcvd" => "bytes_received" }
rename => { "rcvdbyte" => "bytes_received" }
rename => { "rcvdpkt" => "packets_received" }
rename => { "remip" => "destination_ip" }
rename => { "remport" => "remote_port" }
rename => { "reqtype" => "request_type" }
rename => { "scantime" => "scan_time" }
rename => { "securitymode" => "security_mode" }
rename => { "sent" => "bytes_sent" }
rename => { "sentbyte" => "bytes_sent" }
rename => { "sentpkt" => "packets_sent" }
rename => { "session_id" => "session_id" }
rename => { "setuprate" => "setup_rate" }
rename => { "sn" => "serial" }
rename => { "snclosest" => "serial_closest_access_point" }
rename => { "sndetected" => "serial_access_point_that_detected_rogue_ap" }
rename => { "snmeshparent" => "serial_mesh_parent" }
rename => { "srccountry" => "source_country" }
rename => { "srcip" => "source_ip" }
rename => { "srcmac" => "source_mac" }
rename => { "srcname" => "source_name" }
rename => { "srcintf" => "source_interface" }
rename => { "srcport" => "source_port" }
rename => { "stacount" => "station_count" }
rename => { "stamac" => "static_mac" }
rename => { "srccountry" => "source_country" }
rename => { "srcip" => "source_ip" }
rename => { "srcmac" => "source_mac" }
rename => { "srcname" => "source_name" }
rename => { "sn" => "serial" }
rename => { "srcintf" => "source_interface" }
rename => { "srcport" => "source_port" }
rename => { "total" => "total_bytes" }
rename => { "totalsession" => "total_sessions" }
rename => { "trandisp" => "nat_translation_type" }
rename => { "tranip" => "nat_destination_ip" }
rename => { "tranport" => "nat_destination_port" }
rename => { "transip" => "nat_source_ip" }
rename => { "transport" => "nat_source_port" }
rename => { "tunnelid" => "tunnel_id" }
rename => { "tunnelip" => "tunnel_ip" }
rename => { "tunneltype" => "tunnel_type" }
rename => { "unauthuser" => "unauthenticated_user_source" }
rename => { "vendorurl" => "vendor_url" }
rename => { "vpntunnel" => "vpn_tunnel" }
rename => { "vulncat" => "vulnerability_category" }
rename => { "vulncmt" => "vulnerability_count" }
rename => { "vulnid" => "vulnerability_id" }
rename => { "vulnname" => "vulnerability_name" }
rename => { "vulnref" => "vulnerability_reference" }
rename => { "vulnscore" => "vulnerability_score" }
rename => { "xauthgroup" => "x_authentication_group" }
rename => { "xauthuser" => "x_authentication_user" }
strip => [ "bytes_sent", "bytes_received" ]
convert => [ "bytes_sent", "integer" ]
convert => [ "bytes_received", "integer" ]
convert => [ "cr_score", "integer" ]
convert => [ "cr_action", "integer" ]
convert => [ "elapsed_time", "integer" ]
convert => [ "destination_port", "integer" ]
convert => [ "source_port", "integer" ]
convert => [ "local_port", "integer" ]
convert => [ "remote_port", "integer" ]
convert => [ "packets_sent", "integer" ]
convert => [ "packets_received", "integer" ]
convert => [ "port", "integer" ]
convert => [ "ProtocolNumber", "integer" ]
convert => [ "total_bytes", "integer" ]
convert => [ "XAuthUser", "string" ]
remove_field => [ "kv", "log" ]
}
}
}

filter {
if "fortigate" in [tags] {
mutate {
add_tag => [ "conf_file_6200"]
}
}
}

Doug Burks

unread,
Dec 31, 2017, 5:35:58 PM12/31/17
to securit...@googlegroups.com
Hi Peter,

Thanks for sharing!

Have you considered sending via standard syslog port 514 instead of
opening a separate port?
> --
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks

Peter Keenan

unread,
Dec 31, 2017, 7:31:32 PM12/31/17
to security-onion
Using a separate port seemed the most reliable way to get the fortigate tag on them, I was going to use the host IP but it gets replaced with the docker IP. I couldn't easily pick out another way to tag them reliably.
Reply all
Reply to author
Forward
0 new messages