[Filebeat][Fortinet Module] Failed to parse field

Danilo_PC · May 19, 2021, 5:03pm

Hi, I'm running filebeat 7.12.1 receiving data from my Fortigate (FortiOS v6.4.1 build1637).
Looking at filebeat log files, I can see that there is happening and parse error on "fortinet.firewall.cat" field:

May 19 12:16:50 test filebeat[24619]: 2021-05-19T12:16:50.514-0300#011WARN#011[elasticsearch]#011elasticsearch/client.go:408#011Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc02168d862b40e4d, ext:153681752585, loc:(*time.Location)(0x637e5a0)}, Meta:{"pipeline":"filebeat-7.12.1-fortinet-firewall-pipeline","truncated":false}, Fields:{"agent":{"ephemeral_id":"b53e8141-99a8-41ab-8240-1179451b123d","hostname":"test","id":"6d8c2434-8acc-4892-892d-0f0632910345","name":"soc","type":"filebeat","version":"7.12.1"},"ecs":{"version":"1.8.0"},"event":{"dataset":"fortinet.firewall","module":"fortinet"},"fileset":{"name":"firewall"},"input":{"type":"udp"},"log":{"source":{"address":"10.200.144.1:18591"}},"message":"\u003c189\u003eMay 19 12:16:49 FW_FORTINET_BR2 CEF:0|Fortinet|Fortigate|v7.0.0|00020|traffic:forward accept|3|deviceExternalId=FG200ETK18909344 FTNTFGTeventtime=1621437408866460258 FTNTFGTtz=-0300 FTNTFGTlogid=0000000020 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root src=IP spt=61970 deviceInboundInterface=VPN FTNTFGTsrcintfrole=undefined dst=13.107.136.9 dpt=443 deviceOutboundInterface=port2 FTNTFGTdstintfrole=wan FTNTFGTsrccountry=Reserved FTNTFGTdstcountry=United States externalId=131409673 proto=6 act=accept FTNTFGTpolicyid=90 FTNTFGTpolicytype=policy FTNTFGTpoluuid=509935b8-6abd-51ea-9647-0840e65af00e FTNTFGTpolicyname=INTERNET_VPN duser=user FTNTFGTauthserver=Local FSSO Agent app=HTTPS FTNTFGTtrandisp=snat sourceTranslatedAddress=201.87.145.69 sourceTranslatedPort=61970 FTNTFGTappid=40568 FTNTFGTapp=HTTPS.BROWSER FTNTFGTappcat=Web.Client FTNTFGTapprisk=medium FTNTFGTapplist=ICTS-BR2 FTNTFGTduration=3200 out=354996 in=227767 FTNTFGTsentpkt=593 FTNTFGTrcvdpkt=452 FTNTFGTvwlid=47 FTNTFGTvwlservice=Microsoft-Office365.Published FTNTFGTvwlquality=Seq_num(3 port2), alive, latency: 36.621, selected FTNTFGTvwlname=Microsoft_365_Portal FTNTFGTsentdelta=11546 FTNTFGTrcvddelta=7075","service":{"type":"fortinet"},"tags":["fortinet-firewall","forwarded"]}, Private:interface {}(nil), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [fortinet.firewall.cat] of type [long] in document with id 'aO4zhXkBSyVR8uqFa5jx'. Preview of field's value: 'traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root\""}}

Does anyone had this problem before?

Danilo_PC · May 19, 2021, 8:05pm

Ok, I see what's going on. The IT team just updated the FortiOS to 7.0 (as show on the log, my bad), and the plugin doesn't support this version yet!

legoguy1000 · May 24, 2021, 2:16am

If u create a GitHub issue, the appropriate changes can be made to the module to support the newer version.

system · June 21, 2021, 4:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.