Hi everyone, I am having trouble when I want to parse this Fortigate Log
<189>devname="FWFG240D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565130979 srcip=146.0.138.202 srcport=61103 dstip=192.168.1.1 dstport=80 proto=6 action="accept" sentbyte=617
If someone can help me, please
Your log is basically a key-value message, you do not need grok to parse it, you just need to split the part where you have the key-value pairs from the static part, the <189>, you can do this combining the dissect filter and the kv filter.
This is what I use to parse those Fortigate logs.
filter {
dissect {
mapping => {
"message" => "<%{}>%{[@metadata][kvmsg]}"
}
remove_field => ["message"]
}
kv {
source => "[@metadata][kvmsg]"
}
}
The dissect filter you get the key-value pairs into the nested field @metadata.kvmsg, I use the @metadata field because this field will not be present in the output document, you can user any other field name if you want the original key-value document present in your output, also, if the dissect is succesful, the original message field will be removed.
The kv filter will then parse your key-value document and give you the fields as named, for example, devname, type, subtype etc.
Thank you, sir, it's really helpful I'll try it 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.