Kv filter - Fortigate Logs

Hello everyone,

I met ELK a short time ago and started to analyze logs generated from a Fortigate switch. The message is coming in the following format:

<189>date = 2017-10-25 time = 14:25:25 devname = ELSEN01 ...

I'm able to separate all tuples (key / value), but this beginning keeps coming in as a unique variable:

<189>date => October 24th 2017, 21:00:00.000

I would like an opinion from someone who understands Kv to help me separate this into two variables:

syslog_index => 189
date => October 24th 2017

Thanks =D

Use a grok filter before your kv filter to separate the <integer> prefix from the rest of the string.

^<%{INT:syslog_index}>%{GREEDYDATA:message}

You'll probably have to set the grok filter's overwrite option.

(syslog_index is a weird field name.)


Thanks for the reply @magnusbaeck,

Oh, this GROK filter is very interesting, I did not know it! From what I read on the site, it manages to fill some holes that KV cannot handle, and that's probably going to work! Unfortunately, I can't test this solution now, but tomorrow I will return with news!

In fact it is a bad name :joy:, this name comes from the Fortigate itself and has the function of identifying an event based on the type -> subtype -> level, but I will think of an alternative name haha

Thanks for all help!

<189>
I thought the above field is the priority, from which you can calculate the Facility and Severity, so maybe Priority would be a suitable name

189 / 8 = 23.625
Facility is 23

189 - (23 x 8) = 5
Severity is 5 (Error)

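As an added example (not code from this thread, nor from Elastic or Fortinet), here is the same pipeline in Python: split off the `<PRI>` prefix with the regex equivalent of the grok pattern from the earlier answer, decode it into facility and severity as the post above does, then parse the remaining key=value pairs the way the kv filter would. The sample line and the field names starting with `syslog_` are constructed for illustration. One caveat on the arithmetic above: the division is right (189 = 23 * 8 + 5, facility local7), but in RFC 5424 numeric severity 5 is Notice, not Error (Error is 3); the table in the code follows the RFC. Note that Logstash itself also ships a `syslog_pri` filter that performs this decoding once the number is in its own field.

```python
import re

# Constructed sample line, modelled on the thread's "<189>date = ... devname = ELSEN01" message.
# The values are made up; only the shape matters.
SAMPLE_LINE = '<189>date=2017-10-25 time=14:25:25 devname=ELSEN01 msg="Link is up"'

# Same split as the grok pattern ^<%{INT:...}>%{GREEDYDATA:message} from the answer above.
PRI_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<rest>.*)$', re.DOTALL)

# key=value pairs, tolerating spaces around '=' and double-quoted values containing spaces.
KV_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\S+)')

# RFC 5424 section 6.2.1: PRI = facility * 8 + severity, severity codes 0..7.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning",
                  "Notice", "Informational", "Debug"]
# Facility codes 0..23; 16..23 are local0..local7.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
                 + [f"local{n}" for n in range(8)]


def split_priority(line):
    """Return (pri, rest). pri is None when the line carries no <N> prefix."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    return int(m.group("pri")), m.group("rest")


def decode_priority(pri):
    """Decode a PRI value; 189 -> facility 23 (local7), severity 5 (Notice)."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "syslog_priority": pri,                      # hypothetical field names
        "syslog_facility": facility,
        "syslog_facility_name": FACILITY_NAMES[facility],
        "syslog_severity": severity,
        "syslog_severity_name": SEVERITY_NAMES[severity],
    }


def parse_kv(text):
    """Parse key=value pairs, stripping surrounding double quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(text):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_fortigate_line(line):
    """Whole pipeline: PRI split, PRI decode, then kv on the remainder."""
    pri, rest = split_priority(line)
    event = parse_kv(rest)
    if pri is not None:
        event.update(decode_priority(pri))
    return event


if __name__ == "__main__":
    for key, value in parse_fortigate_line(SAMPLE_LINE).items():
        print(f"{key} => {value}")
```

Running it prints the kv fields from the sample plus the decoded priority, with `syslog_severity_name => Notice` rather than Error. The regex keeps the quoted `msg` value intact, which is worth checking on real Fortigate output, since a plain whitespace split would break it into pieces.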

Um, now you've left me in doubt @VamPikmin! I have just started to work with Fortigate and I do not know it very well, so I may have been confused, but I will try to confirm this information!

I like that, definitely a more appropriate name!

Thank you anyway!
