No "New Line" in syslog - can logstash create new line based off of a match

I have a crazy issue that really stems from Fortinet log forwarding jumbling syslog. It seems that the log forwarding is not generating new lines for each log entry.

An example is:

<190>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",devid="FG100D3G11111111",logid="1059028704",type="utm",subtype="app-ctrl",eventtype="app-ctrl-all",level="information",vd="root",eventtime=1558120121,appid=15893,srcip=10.2.2.214,dstip=199.38.221.38,srcport=6387,dstport=80,srcintf="LAN",srcintfrole="undefined",dstintf="wan1",dstintfrole="undefined",proto=6,service="HTTP",direction="outgoing",policyid=2,sessionid=136153731,applist="default",appcat="Web.Client",app="HTTP.BROWSER",action="pass",hostname="gatekeeper.rapidfiretools.com",incidentserialno=1398045202,url="/rapidfire/getcmdts.php?rid=NDA1-31LA",msg="Web.Client: HTTP.BROWSER,",apprisk="medium"651 <189>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",devid="FG100D3G11111111",logid="0000000013",type="traffic",subtype="forward",level="notice",vd="root",eventtime=1558120121,srcip=10.111.110.106,srcport=60164,srcintf="LAN",srcintfrole="undefined",dstip=204.154.222.120,dstport=80,dstintf="Zscaler-PT",dstintfrole="undefined",poluuid="d156bb0a-9f0b-51e8-9fe9-5e4665f0a617",sessionid=136153631,proto=6,action="close",policyid=40,policytype="policy",service="HTTP",dstcountry="United States",srccountry="Reserved",trandisp="noop",duration=2,sentbyte=651,rcvdbyte=1304,sentpkt=5,rcvdpkt=4,vpn="Zscaler-PT",vpntype="ipsec-static",appcat="unscanned"684

Instead of:

<190>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",devid="FG100D3G11111111",logid="1059028704",type="utm",subtype="app-ctrl",eventtype="app-ctrl-all",level="information",vd="root",eventtime=1558120121,appid=15893,srcip=10.2.2.214,dstip=199.38.221.38,srcport=6387,dstport=80,srcintf="LAN",srcintfrole="undefined",dstintf="wan1",dstintfrole="undefined",proto=6,service="HTTP",direction="outgoing",policyid=2,sessionid=136153731,applist="default",appcat="Web.Client",app="HTTP.BROWSER",action="pass",hostname="gatekeeper.rapidfiretools.com",incidentserialno=1398045202,url="/rapidfire/getcmdts.php?rid=NDA1-31LA",msg="Web.Client: HTTP.BROWSER,",apprisk="medium"651

<189>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",devid="FG100D3G11111111",logid="0000000013",type="traffic",subtype="forward",level="notice",vd="root",eventtime=1558120121,srcip=10.111.110.106,srcport=60164,srcintf="LAN",srcintfrole="undefined",dstip=204.154.222.120,dstport=80,dstintf="Zscaler-PT",dstintfrole="undefined",poluuid="d156bb0a-9f0b-51e8-9fe9-5e4665f0a617",sessionid=136153631,proto=6,action="close",policyid=40,policytype="policy",service="HTTP",dstcountry="United States",srccountry="Reserved",trandisp="noop",duration=2,sentbyte=651,rcvdbyte=1304,sentpkt=5,rcvdpkt=4,vpn="Zscaler-PT",vpntype="ipsec-static",appcat="unscanned"684

I have been able to "jury-rig" this by performing a netcat and piping the data to a raw text file, then parsing the raw file and using the cleaned file in the input. I don't want to go about it this way because I feel it is messy, it is another process that I have to monitor, and it could cause missed events.

Has anyone had an issue like this? It seems like I need a function that is the "Opposite" of multiline.

Any help would be greatly appreciated.

Versions: Elasticsearch 6.7.0 | Logstash 6.5.4. I have also tested with Logstash 7.0.0.

Example of bad JSON output:

{
  "port": 26917,
  "srcport": [
    "6387",
    "60164"
  ],
  "dstintfrole": [
    "undefined",
    "undefined"
  ],
  "time": [
    "20:08:41",
    "20:08:41"
  ],
  "hostname": "gatekeeper.rapidfiretools.com",
  "@timestamp": "2019-05-20T20:49:43.299Z",
  "duration": "2",
  "sentbyte": 651,
  "direction": "outgoing",
  "sentpkt": "5",
  "srcintf": [
    "LAN",
    "LAN"
  ],
  "dstintf": [
    "wan1",
    "Zscaler-PT"
  ],
  "logid": [
    "1059028704",
    "0000000013"
  ],
  "poluuid": "d156bb0a-9f0b-51e8-9fe9-5e4665f0a617",
  "vd": [
    "root",
    "root"
  ],
  "srccountry": "Reserved",
  "policytype": "policy",
  "msg": "Web.Client: HTTP.BROWSER,",
  "ftg_type": [
    "utm",
    "traffic"
  ],
  "appcat": [
    "Web.Client",
    "\"unscanned\"684"
  ],
  "incidentserialno": "1398045202",
  "policyid": [
    "2",
    "40"
  ],
  "@version": "1",
  "dstcountry": "United States",
  "vpntype": "ipsec-static",
  "date": "2019-05-17",
  "dstip": [
    "199.38.221.38",
    "204.154.222.120"
  ],
  "srcintfrole": [
    "undefined",
    "undefined"
  ],
  "msspcust": "fnbsm",
  "eventtime": [
    "1558120121",
    "1558120121"
  ],
  "sessionid": [
    "136153731",
    "136153631"
  ],
  "url": "/rapidfire/getcmdts.php?rid=NDA1-31LA",
  "host": "localhost",
  "type": "network_fortinet_fw",
  "applist": "default",
  "trandisp": "noop",
  "temp_time": "2019-05-17 20:08:41,20:08:41",
  "rcvdpkt": "4",
  "proto": [
    "6",
    "6"
  ],
  "eventtype": "app-ctrl-all",
  "message": "date=2019-05-17,time=20:08:41,devname=\"7334-DHEYW_SM\",devid=\"FG100D3G11111111\",logid=\"1059028704\",type=\"utm\",subtype=\"app-ctrl\",eventtype=\"app-ctrl-all\",level=\"information\",vd=\"root\",eventtime=1558120121,appid=15893,srcip=10.2.2.214,dstip=199.38.221.38,srcport=6387,dstport=80,srcintf=\"LAN\",srcintfrole=\"undefined\",dstintf=\"wan1\",dstintfrole=\"undefined\",proto=6,service=\"HTTP\",direction=\"outgoing\",policyid=2,sessionid=136153731,applist=\"default\",appcat=\"Web.Client\",app=\"HTTP.BROWSER\",action=\"pass\",hostname=\"gatekeeper.rapidfiretools.com\",incidentserialno=1398045202,url=\"/rapidfire/getcmdts.php?rid=NDA1-31LA\",msg=\"Web.Client: HTTP.BROWSER,\",apprisk=\"medium\"651 date=2019-05-17,time=20:08:41,devname=\"7334-DHEYW_SM\",devid=\"FG100D3G11111111\",logid=\"0000000013\",type=\"traffic\",subtype=\"forward\",level=\"notice\",vd=\"root\",eventtime=1558120121,srcip=10.111.110.106,srcport=60164,srcintf=\"LAN\",srcintfrole=\"undefined\",dstip=204.154.222.120,dstport=80,dstintf=\"Zscaler-PT\",dstintfrole=\"undefined\",poluuid=\"d156bb0a-9f0b-51e8-9fe9-5e4665f0a617\",sessionid=136153631,proto=6,action=\"close\",policyid=40,policytype=\"policy\",service=\"HTTP\",dstcountry=\"United States\",srccountry=\"Reserved\",trandisp=\"noop\",duration=2,sentbyte=651,rcvdbyte=1304,sentpkt=5,rcvdpkt=4,vpn=\"Zscaler-PT\",vpntype=\"ipsec-static\",appcat=\"unscanned\"684",
  "level": [
    "information",
    "notice"
  ],
  "ftg_subtype": [
    "app-ctrl",
    "forward"
  ],
  "service": [
    "HTTP",
    "HTTP"
  ],
  "devid": [
    "FG100D3G11111111",
    "FG100D3G11111111"
  ],
  "devname": [
    "7334-DHEYW_SM",
    "7334-DHEYW_SM"
  ],
  "srcip": [
    "10.2.2.214",
    "10.111.110.106"
  ],
  "app": "HTTP.BROWSER",
  "apprisk": "\"medium\"651 date=2019-05-17",
  "rcvdbyte": 1304,
  "vpn": "Zscaler-PT",
  "dstport": [
    "80",
    "80"
  ],
  "action": [
    "pass",
    "close"
  ],
  "appid": "15893"
}

Example of when the log is correct:

{
  "port": 26989,
  "srcport": "6387",
  "dstintfrole": "undefined",
  "time": "20:08:41",
  "date": "2019-05-17",
  "dstip": "199.38.221.38",
  "hostname": "gatekeeper.rapidfiretools.com",
  "@timestamp": "2019-05-20T21:24:52.541Z",
  "srcintfrole": "undefined",
  "msspcust": "fnbsm",
  "eventtime": "1558120121",
  "direction": "outgoing",
  "sessionid": "136153731",
  "url": "/rapidfire/getcmdts.php?rid=NDA1-31LA",
  "host": "localhost",
  "type": "network_fortinet_fw",
  "applist": "default",
  "srcintf": "LAN",
  "dstintf": "wan1",
  "logid": "1059028704",
  "temp_time": "2019-05-17 20:08:41",
  "proto": "6",
  "eventtype": "app-ctrl-all",
  "message": "date=2019-05-17,time=20:08:41,devname=\"7334-DHEYW_SM\",devid=\"FG100D3G11111111\",logid=\"1059028704\",type=\"utm\",subtype=\"app-ctrl\",eventtype=\"app-ctrl-all\",level=\"information\",vd=\"root\",eventtime=1558120121,appid=15893,srcip=10.2.2.214,dstip=199.38.221.38,srcport=6387,dstport=80,srcintf=\"LAN\",srcintfrole=\"undefined\",dstintf=\"wan1\",dstintfrole=\"undefined\",proto=6,service=\"HTTP\",direction=\"outgoing\",policyid=2,sessionid=136153731,applist=\"default\",appcat=\"Web.Client\",app=\"HTTP.BROWSER\",action=\"pass\",hostname=\"gatekeeper.rapidfiretools.com\",incidentserialno=1398045202,url=\"/rapidfire/getcmdts.php?rid=NDA1-31LA\",msg=\"Web.Client: HTTP.BROWSER,\",apprisk=\"medium\"651",
  "level": "information",
  "vd": "root",
  "service": "HTTP",
  "msg": "Web.Client: HTTP.BROWSER,",
  "ftg_subtype": "app-ctrl",
  "devid": "FG100D3G11111111",
  "devname": "7334-DHEYW_SM",
  "srcip": "10.2.2.214",
  "app": "HTTP.BROWSER",
  "apprisk": "\"medium\"651",
  "ftg_type": "utm",
  "appcat": "Web.Client",
  "dstport": "80",
  "policyid": "2",
  "@version": "1",
  "appid": "15893",
  "action": "pass",
  "incidentserialno": "1398045202"
}
{
  "port": 26989,
  "srcport": "60164",
  "dstintfrole": "undefined",
  "time": "20:08:41",
  "@timestamp": "2019-05-20T21:24:52.542Z",
  "duration": "2",
  "sentbyte": 651,
  "sentpkt": "5",
  "srcintf": "LAN",
  "dstintf": "Zscaler-PT",
  "logid": "0000000013",
  "poluuid": "d156bb0a-9f0b-51e8-9fe9-5e4665f0a617",
  "vd": "root",
  "srccountry": "Reserved",
  "policytype": "policy",
  "ftg_type": "traffic",
  "appcat": "\"unscanned\"684",
  "policyid": "40",
  "@version": "1",
  "dstcountry": "United States",
  "vpntype": "ipsec-static",
  "date": "2019-05-17",
  "dstip": "204.154.222.120",
  "srcintfrole": "undefined",
  "msspcust": "fnbsm",
  "eventtime": "1558120121",
  "sessionid": "136153631",
  "host": "localhost",
  "type": "network_fortinet_fw",
  "trandisp": "noop",
  "temp_time": "2019-05-17 20:08:41",
  "rcvdpkt": "4",
  "proto": "6",
  "message": "date=2019-05-17,time=20:08:41,devname=\"7334-DHEYW_SM\",devid=\"FG100D3G11111111\",logid=\"0000000013\",type=\"traffic\",subtype=\"forward\",level=\"notice\",vd=\"root\",eventtime=1558120121,srcip=10.111.110.106,srcport=60164,srcintf=\"LAN\",srcintfrole=\"undefined\",dstip=204.154.222.120,dstport=80,dstintf=\"Zscaler-PT\",dstintfrole=\"undefined\",poluuid=\"d156bb0a-9f0b-51e8-9fe9-5e4665f0a617\",sessionid=136153631,proto=6,action=\"close\",policyid=40,policytype=\"policy\",service=\"HTTP\",dstcountry=\"United States\",srccountry=\"Reserved\",trandisp=\"noop\",duration=2,sentbyte=651,rcvdbyte=1304,sentpkt=5,rcvdpkt=4,vpn=\"Zscaler-PT\",vpntype=\"ipsec-static\",appcat=\"unscanned\"684",
  "level": "notice",
  "ftg_subtype": "forward",
  "service": "HTTP",
  "devid": "FG100D3G11111111",
  "devname": "7334-DHEYW_SM",
  "srcip": "10.111.110.106",
  "rcvdbyte": 1304,
  "vpn": "Zscaler-PT",
  "dstport": "80",
  "action": "close"
}
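Added example, not from the original post: in the posted capture the `651` sitting between the two records is exactly the byte length of the `<189>` record that follows it, which is what RFC 6587 octet-counting framing (`LEN SP MSG`, no newline) looks like once a line-oriented reader has concatenated the frames. The Ruby function below (an assumed stand-alone reader in front of Logstash, not a Logstash-provided filter) splits such a stream on the length prefixes, keeps an incomplete trailing frame for the next read, and falls back to cutting at the next `LEN <PRI>` boundary when a prefix is missing, as it is for the first record in the capture.

```ruby
# Added example (not from the original post): splits a TCP syslog byte stream
# framed with RFC 6587 octet counting ("LEN SP MSG", no newline between frames)
# into individual messages. Returns [messages, leftover]; leftover is an
# incomplete trailing frame to prepend to the next chunk read from the socket.
def split_octet_counted(chunk)
  buf = chunk.b                       # binary copy, so length == byte count
  messages = []
  pos = 0
  while pos < buf.length
    rest = buf[pos..-1]
    break if rest =~ /\A\d*\z/        # only a (partial) length prefix so far
    if (m = /\A(\d+) /.match(rest))
      len = m[1].to_i
      start = pos + m[0].length
      break if start + len > buf.length   # frame not fully received yet
      messages << buf[start, len]
      pos = start + len
    else
      # No length prefix (the capture in the post begins directly with "<190>"):
      # cut at the next "LEN <PRI>" boundary instead of dropping the data.
      cut = rest.index(/\d+ <\d{1,3}>/, 1)
      messages << (cut ? rest[0, cut] : rest)
      pos += cut || rest.length
    end
  end
  [messages, buf[pos..-1]]
end

# Constructed, shortened messages in the shape of the two FortiGate records in
# the post (field values taken from it, most fields omitted).
MSG_A = '<190>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",type="utm",apprisk="medium"'
MSG_B = '<189>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",type="traffic",appcat="unscanned"'

# Constructed stream shaped like the capture in the post: the first frame's
# length prefix was consumed before the capture started, and only the length
# prefix ("684") of a third, still in-flight frame has arrived.
SAMPLE = MSG_A + "#{MSG_B.bytesize} " + MSG_B + "684"

if __FILE__ == $0
  msgs, leftover = split_octet_counted(SAMPLE)
  msgs.each { |m| puts m }            # one line per message, trailing count gone
  puts "leftover: #{leftover.inspect}"
end
```

Because the octet count is the real delimiter, inserting a newline before every `<PRI>` and splitting on it is only a heuristic; parsing by count also removes the stray trailing digits that show up in the posted JSON as `"medium"651` and `"unscanned"684`.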
