FortiAnalyzer support
Please add FortiAnalyzer support, or help me customize the parser: the timestamp is not recognized.
Thanks Luca
sample events:
<185>logver=506061630 timestamp=1650619870 tz="UTC+2:00" devname="NAME" devid="DEV" vd="root" date=2022-04-22 time=11:31:10 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" eventtime=1650619870 severity="info" srcip=123.123.123.123 srccountry="United States" dstip=321.321.321.321 srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" sessionid=1234567890 action="detected" proto=6 service="HTTP" policyid=56 attack="HTTP.Unknown.Tunnelling" srcport=46690 dstport=80 direction="outgoing" attackid=123456789 profile="PROFILE-1" ref="http://www.fortinet.com/ids/VID107347981" incidentserialno=1234567890 msg="http_decoder: HTTP.Unknown.Tunnelling,"
<189>logver=506061630 timestamp=1650622061 tz="UTC+2:00" devname="NAME2" devid="DEV2" vd="root" date=2022-04-22 time=12:07:42 logid="0000000015" type="traffic" subtype="forward" level="notice" eventtime=1650622062 srcip=123.123.123.123 srcport=57094 srcintf="port1" srcintfrole="undefined" dstip=321.321.321.321 dstport=443 dstintf="port1" dstintfrole="undefined" poluuid="12345678-1234-1234-1234-123456789098" sessionid=123456789 proto=6 action="start" policyid=161 policytype="policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned"
FYI: in "app-syslog-fortigate_fortios.conf", timestamp parsing fails at lines 44, 50 and 52 because 'eventtime' is a bare 10-digit epoch with no fractional part (the regexp there requires 3–6 fraction digits), and at lines 59 and 62 because 'tz' has a non-standard format ("UTC+2:00" rather than a %z offset such as "+0200").
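# SC4S app parser for FortiGate/FortiOS key=value syslog (the same format
# shows up on FortiAnalyzer-relayed events, see the samples in this issue).
#
# The message body is a flat key=value record (logver=, timestamp=, devname=,
# devid=, date=, time=, eventtime=, tz=, type=, subtype=, ...). kv-parser
# stores every field under ${.values.*}; the event time is then taken from
# `eventtime` when present, otherwise assembled from `date`, `time` and `tz`.
#
# Trust boundary: every ${.values.*} field, including devname (which becomes
# HOST below) and devid, is parsed out of the message body, not taken from
# the transport. Any peer that can reach the syslog listener can therefore
# claim to be any firewall; nothing in this block authenticates the sender.
block parser app-syslog-fortigate_fortios() {
    channel {
        parser {
            kv-parser(prefix(".values.") template("$(template t_hdr_msg)"));
        };
        # Require at least one usable time source before going further.
        filter {
            "${.values.eventtime}" ne ""
            or (
                "${.values.date}" ne ""
                and "${.values.time}" ne ""
            )
        };
        # devid is "F" + a model letter (or "<n>K") + the serial,
        # e.g. FG000FT000000000 -> dev_type "G", serial "000FT000000000".
        # The pattern is anchored and linear, so untrusted devid content
        # cannot make it backtrack expensively.
        parser {
            regexp-parser(
                patterns('^F(?<dev_type>[A-Z]|\dK)(?<serial>.+)')
                prefix(".tmp.")
                template('${.values.devid}')
            );
        };
        rewrite {
            r_set_splunk_dest_default(
                index('netops')
                sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_log')
                vendor("fortinet")
                product("fortios")
                class("log")
                template('t_msg_only')
            );
            # HOST is overwritten with the device's self-reported name.
            set("${.values.devname}", value("HOST"));
            set("$(template t_hdr_msg)" value("MESSAGE"));
            unset(value("PROGRAM"));
        };
        if {
            filter {
                "${.values.eventtime}" ne ""
            };
            # eventtime has been observed as a bare 10-digit epoch
            # (eventtime=1650619870) and as a 19-digit nanosecond epoch
            # (eventtime=1666192780360004618). Capture the epoch seconds and,
            # only if present, up to six fraction digits. The fraction group
            # used to be mandatory, so a bare epoch never matched and its
            # eventtime was never applied (the problem reported in this
            # issue); it is optional now. Nanosecond digits beyond the sixth
            # are discarded.
            parser {
                regexp-parser(
                    prefix(".tmp.")
                    template("${.values.eventtime}")
                    patterns('^(?<timestamp>\d{10})\.?(?<fraq>\d{3,6})?')
                );
            };
            # ${.tmp.fraq:-000} supplies a zero fraction when none was captured.
            parser {
                date-parser-nofilter(
                    format('%s.%f')
                    template("${.tmp.timestamp}.${.tmp.fraq:-000}")
                );
            };
        } else {
            # Fallback: the device's wall-clock date/time plus its tz field.
            # tz="+0200" is a %z offset; tz="UTC+2:00" (seen in the samples in
            # this issue) is not, so for those devices only the second format,
            # without %z, can apply. NOTE(review): whether that second format
            # tolerates the trailing "UTC+2:00" text, and which zone the time
            # is then interpreted in, depends on this syslog-ng's date-parser
            # — confirm, or normalise tz to "+hhmm" before this step.
            parser {
                date-parser-nofilter(
                    format(
                        '%Y-%m-%d:%H:%M:%S%z',
                        '%Y-%m-%d:%H:%M:%S'
                    )
                    template("${.values.date}:${.values.time}${.values.tz}")
                );
            };
        };
        # Route by FortiOS log type. The type is compared exactly (the regexp
        # is anchored, like the `eq "event"` test) so an unexpected value such
        # as "xutm" cannot be mistaken for "utm" and land in the firewall index.
        if {
            filter {
                "${.values.type}" eq "event"
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    class('${.values.type}')
                    index('netops')
                    sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}')
                );
            };
        } elif {
            filter {
                match("^(traffic|utm|anomaly)$" value(".values.type"));
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    class('${.values.type}')
                    index('netfw')
                    sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}')
                );
            };
        } else {
            # Any other type keeps the default index and gets a per-type sourcetype.
            rewrite {
                r_set_splunk_dest_update_v2(
                    class('${.values.type}')
                    sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}')
                );
            };
        };
    };
};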
# Register the FortiOS block parser with the generic sc4s-syslog application
# layer so it is offered each incoming syslog message.
application fortinet_fortios[sc4s-syslog] {
    parser {
        app-syslog-fortigate_fortios();
    };
};
Hello,
I'm trying to parse this kind of event too.
My events are like this:
<189>logver=604055653 timestamp=1666192780 devname="device1" devid="FG000FT000000000" vd="root" date=2022-10-19 time=17:19:40 eventtime=1666192780360004618 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=192.168.1.90 srcport=63097 srcintf="V_LAN" srcintfrole="lan" dstip=192.168.2.10 dstport=53 dstintf="INT01" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7133814 proto=17 action="accept" policyid=1 policytype="policy" poluuid="849cfef4-51eb-fd33-c9b6-afe4b8d3c3e8" policyname="Temporary_Allow" service="DNS" trandisp="noop" duration=180 sentbyte=58 rcvdbyte=525 sentpkt=1 rcvdpkt=1 vpn="VPN_service_OL" vpntype="ipsec-static" vwlid=7 vwlquality="Seq_num(4 XXXXXX), alive, selected" vwlname="All_to_all" appcat="unscanned" mastersrcmac="00:ca:00:00:00:00" srcmac="00:ca:00:00:00:00" srcserver=0.
@lucalopreiato, did you manage to get the logs into the index in your Splunk instance?
Thanks.
@lucalopreiato, are you still facing this issue?
Hello, we implemented a workaround by placing a customized app-syslog-fortigate_fortios.conf in /opt/sc4s/local/config/app_parsers/syslog:
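# Local override of the SC4S FortiOS parser, as posted in this issue,
# reformatted and with the Italian comments translated. It differs from the
# shipped parser in two ways:
#  - eventtime: only the 10-digit epoch seconds are used, no fractional part;
#  - date/time fallback: the tz field is ignored, and the zone is instead
#    forced with fix-time-zone() for one firewall selected by source address.
# Two corrections to the paste as posted: the stray ";" between the two terms
# of the netmask filter ("netmask(...); and ..."), which is not a valid filter
# expression, and the backticks around SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX,
# which were most likely eaten by the issue's markdown — without them the
# sourcetype becomes the literal define name instead of its value.
block parser app-syslog-fortigate_fortios() {
    channel {
        parser {
            kv-parser(prefix(".values.") template("$(template t_hdr_msg)"));
        };
        filter {
            "${.values.eventtime}" ne ""
            or (
                "${.values.date}" ne ""
                and "${.values.time}" ne ""
            )
        };
        parser {
            regexp-parser(
                patterns('^F(?<dev_type>[A-Z]|\dK)(?<serial>.+)')
                prefix(".tmp.")
                template('${.values.devid}')
            );
        };
        rewrite {
            r_set_splunk_dest_default(
                index('netops')
                sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_log')
                vendor("fortinet")
                product("fortios")
                class("log")
                template('t_msg_only')
            );
            # HOST comes from the message body (devname), not from the sender.
            set("${.values.devname}", value("HOST"));
            set("$(template t_hdr_msg)" value("MESSAGE"));
            unset(value("PROGRAM"));
        };
        if {
            filter {
                "${.values.eventtime}" ne ""
            };
            # Fractional seconds removed: only the leading 10 digits (epoch
            # seconds) are kept; this also accepts the 19-digit nanosecond form
            # by simply ignoring the trailing digits.
            parser {
                regexp-parser(
                    prefix(".tmp.")
                    template("${.values.eventtime}")
                    patterns('^(?<timestamp>\d{10})')
                );
            };
            parser {
                date-parser-nofilter(
                    format('%s')
                    template("${.tmp.timestamp}")
                );
            };
        } else {
            # Timezone removed: date/time are parsed with no offset, i.e. in
            # whatever zone date-parser defaults to (presumably the receiver's
            # local zone — confirm). Only the one device matched by netmask()
            # below has its zone corrected; any other device that sends no
            # eventtime is stamped in that default zone, which is wrong unless
            # it happens to share it.
            parser {
                date-parser-nofilter(
                    format('%Y-%m-%d:%H:%M:%S')
                    template("${.values.date}:${.values.time}")
                );
            };
        };
        # Force the zone to Europe/Rome for one firewall, identified by the
        # transport source address (netmask() keys on the sender's IP, not on
        # a field of the message body), but only when it sent no absolute
        # eventtime. Each additional device in another zone needs its own entry.
        if {
            filter {
                netmask(10.19.15.197/32)
                and "${.values.eventtime}" eq ""
            };
            rewrite {
                fix-time-zone("Europe/Rome");
            };
        };
        if {
            filter {
                "${.values.type}" eq "event"
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    class('${.values.type}')
                    index('netops')
                    sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}')
                );
            };
        } elif {
            filter {
                match("traffic|utm|anomaly" value(".values.type"));
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    class('${.values.type}')
                    index('netfw')
                    sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}')
                );
            };
        } else {
            rewrite {
                r_set_splunk_dest_update_v2(
                    class('${.values.type}')
                    sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}')
                );
            };
        };
    };
};

# Register the override with the generic sc4s-syslog application layer.
application fortinet_fortios[sc4s-syslog] {
    parser {
        app-syslog-fortigate_fortios();
    };
};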
@lucalopreiato, Thank you for the update. We are closing this issue.
Please reach out in case of further queries.