Hi everyone, I am having trouble when I want to parse this Fortigate log:
<189>devname="FWFG240D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565130979 srcip=146.0.138.202 srcport=61103 dstip=192.168.1.1 dstport=80 proto=6 action="accept" sentbyte=617
Your log is basically a key-value message; you do not need grok to parse it. You just need to split the part where you have the key-value pairs from the static part, the <189>. You can do this by combining the dissect filter and the kv filter.
With the dissect filter you get the key-value pairs into the nested field @metadata.kvmsg. I use the @metadata field because this field will not be present in the output document; you can use any other field name if you want the original key-value document present in your output. Also, if the dissect is successful, the original message field will be removed.
The kv filter will then parse your key-value document and give you the fields as named, for example devname, type, subtype, etc.
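A complete Logstash pipeline built along the lines of the answer above, added here as an illustration rather than taken from the original post. It assumes the stdin/stdout plugins for testing and that the kv filter's default handling of double-quoted values (devname="FWFG240D") is what you want; the ruby filter that decodes the syslog PRI and the mutate/date steps are extras not mentioned in the reply.

```logstash
# Added example: dissect + kv pipeline for the FortiGate key-value log above.
# Paste the log line on stdin; the parsed event is printed with @metadata shown.
input {
  stdin {}
}

filter {
  # Split the static syslog PRI "<189>" from the key-value payload.
  # Both pieces go under @metadata so they are not emitted with the event.
  # On success the original "message" field is dropped.
  dissect {
    mapping => { "message" => "<%{[@metadata][pri]}>%{[@metadata][kvmsg]}" }
    remove_field => ["message"]
  }

  # Turn the payload into named fields: devname, type, subtype, srcip, ...
  # Fields are space-separated and key/value is joined with "=".
  kv {
    source      => "[@metadata][kvmsg]"
    field_split => " "
    value_split => "="
  }

  # Optional: decode the PRI into facility and severity (189 -> local7 / notice,
  # which matches the level="notice" carried in the message body).
  ruby {
    code => '
      pri = event.get("[@metadata][pri]").to_i
      event.set("[syslog][facility]", pri >> 3)
      event.set("[syslog][severity]", pri & 7)
    '
  }

  # Optional: kv yields strings; coerce numeric fields so range queries
  # (dstport:80, sentbyte > 1000) work in Elasticsearch.
  mutate {
    convert => {
      "srcport"  => "integer"
      "dstport"  => "integer"
      "proto"    => "integer"
      "sentbyte" => "integer"
    }
  }

  # Optional: eventtime is epoch seconds; use it as the event timestamp.
  date {
    match  => ["eventtime", "UNIX"]
    target => "@timestamp"
  }
}

output {
  # metadata => true prints the @metadata tree so you can confirm the split;
  # in production leave it at the default (false) or drop the stdout output.
  stdout { codec => rubydebug { metadata => true } }
}
```

Run it with `logstash -f fortigate.conf`, paste the log line, and check that the event shows devname, action, srcip and the rest as separate fields while message is gone. If dissect fails (for example on a line without the <PRI> prefix), the event is tagged _dissectfailure and message is kept, which is the case to watch for in a dead-letter or tags-based branch.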