Error Events with ">"

akrog79 · February 22, 2023, 3:27pm

Hello people!

I have a trouble with the ingestion of a anomaly events in fortigate.

The raw event is:

<185>logver=702032456 timestamp=1676305141 devname="FG200-E" devid="FG200ETK189243" vd="root" date=2023-02-13 time=17:19:01 eventtime=1676305141602895749 tz="+0100" logid="0720018433" type="utm" subtype="gorkapablo" eventtype="anomaly" level="alert" severity="critical" srcip=63.222.61.134 srccountry="France" dstip=109.111.111.203 dstcountry="Spain" srcintf="port13" srcintfrole="wan" sessionid=0 action="detected" proto=1 service="PING" count=236 attack="icmp_flood" icmpid="0x3721" icmptype="0x08" icmpcode="0x00" attackid=16777316 policyid=1 policytype="DoS-policy" ref="[http://www.fortinet.com/ids/VID16777316"](http://www.fortinet.com/ids/VID16777316%22) msg="anomaly: icmp_flood, 251 > threshold 250, repeats 236 times since last log, pps 30 of prior second" crscore=50 craction=4096 crlevel="critical"

As you can see, the field msg (anomaly: icmp_flood, 251 > threshold 250, repeats 236 times since last log, pps 30 of prior second) have a ">" symbol. This symbol makes me crazy because when appears, the event doesn't appear in Elastic, but if I erase it, the event appears.

My logstash conf.d file is:

input {
  tcp {
    port => 1025
    tags => ["fortigate"]
  }
}

filter {
    if "fortigate" in [tags] {
        grok {
                match => {"message" => "<(?<ruleID>.*)>(?<msg>.*)"}
        }
        kv { source => "msg" }
        mutate {
            rename => ["msg","message"]
            rename => ["type","log_type"]
            rename => [ "dst", "DestinationIP" ]
            rename => [ "dstip", "DestinationIP" ]
            rename => [ "dstport", "DestinationPort" ]
            rename => [ "dstintf", "DestinationZone" ]
            rename => [ "devname", "DeviceName" ]
            rename => [ "status", "Action" ]
            rename => [ "src", "SourceIP" ]
            rename => [ "srcip", "SourceIP" ]
            rename => [ "zone", "SourceZone" ]
            rename => [ "srcintf", "SourceZone" ]
            rename => [ "srcport", "SourcePort" ]
            rename => [ "service", "Application" ]
            rename => [ "policyname", "RuleName" ]
            rename => [ "action", "Action" ]
            rename => [ "rcvdbyte", "BytesReceived" ]
            rename => [ "sentbyte", "BytesSent" ]
            convert => {"DestinationZone" => "string"}
        }
}
}

output {
  if "fortigate" in [tags] {
          elasticsearch {
              hosts => ["X.X.X.X:9200"]
              index => "fortigate-%{+YYYY.MM.dd}"
              document_type => "fortigate"
              template => "/etc/logstash/elastic-fortigate-template.json"
              template_name => "fortigate"
              template_overwrite => true
          }
         }
 }

Someone can help me?

leandrojmp · February 22, 2023, 3:43pm

The issue is that the character > breaks your grok filter as the first regex will capture everything between a < and a >.

In your case you do not even need to use grok as the fortigate messages will always have the same format, you can use the dissect filter to parse the message.

Replace your grok filter with this dissect and it will work:

    dissect {
        mapping => {
            "message" => "<%{ruleId}>%{msg}"
        }
    }

system · March 22, 2023, 3:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Working example]Fortigate config for Logstash Logstash	2	16029	December 19, 2017
Filebeat Fortinet Module: Mismatch between event.action and event.type in Fortigate Logs Beats filebeat	1	570	September 22, 2023
Error in parsing some logs from firewall due to object being returned Logstash	2	312	April 20, 2023
FortiGate Firewall Logstash	11	17490	May 22, 2018
Logstash Fortinet Grok Pattern Logstash	5	26	October 17, 2024

Error Events with ">"

Related topics