Filter firewall : FortiGate


Please, can someone help me to create a grok filter to separate the fields of logs that come from a FortiGate firewall.

This is an example log:

May 9 09:40:15 frkeofwglo01 date=2018-05-09 time=09:40:15 devname=frkeofwglo01 devid=FG900D3916800170 logid=0000000013 type=traffic subtype=forward level=notice vd=frkeofwin01 srcip=x.x.x.x srcport=17473 srcintf="INT-PROXYs" dstip=x.x.x.x dstport=443 dstintf="KEO-INT_DMZ" poluuid=c77d5f40-a592-51e6-c3c6-8cd462826a48 sessionid=4130745007 proto=6 action=close policyid=382 policytype=policy dstcountry="France" srccountry="Reserved" trandisp=noop service="HTTPS" duration=3 sentbyte=1114 rcvdbyte=4013 sentpkt=14 rcvdpkt=12 appcat="unscanned" devtype="Router/NAT Device" mastersrcmac=74:a0:2f:29:e5:06 srcmac=74:a0:2f:29:e5:06

I would not use grok for that. Use dissect.

dissect { mapping => { "message" => "%{ts} %{+ts} %{+ts} %{host} %{restofline}" } }
kv { source => "restofline" }

You could use a kv{} filter.

kv {
  source => "message"
  value_split => "="    # kv has no "separator" option; value_split is the key/value delimiter (default "=")
}

kv is a no-brainer in this case. I also use it for SonicWall firewall logs.

It works better!!

grok { match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{GREEDYDATA:source_data}" } }

kv { source => "source_data" }    # must reference the field grok actually produced (source_data), not "data"
