I have a crazy issue that really stems from Fortinet log forwarding jumbling syslog. It seems that the log forwarding is not generating new lines for each log entry.
An example is:
<190>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",devid="FG100D3G11111111",logid="1059028704",type="utm",subtype="app-ctrl",eventtype="app-ctrl-all",level="information",vd="root",eventtime=1558120121,appid=15893,srcip=10.2.2.214,dstip=199.38.221.38,srcport=6387,dstport=80,srcintf="LAN",srcintfrole="undefined",dstintf="wan1",dstintfrole="undefined",proto=6,service="HTTP",direction="outgoing",policyid=2,sessionid=136153731,applist="default",appcat="Web.Client",app="HTTP.BROWSER",action="pass",hostname="gatekeeper.rapidfiretools.com",incidentserialno=1398045202,url="/rapidfire/getcmdts.php?rid=NDA1-31LA",msg="Web.Client: HTTP.BROWSER,",apprisk="medium"651 <189>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",devid="FG100D3G11111111",logid="0000000013",type="traffic",subtype="forward",level="notice",vd="root",eventtime=1558120121,srcip=10.111.110.106,srcport=60164,srcintf="LAN",srcintfrole="undefined",dstip=204.154.222.120,dstport=80,dstintf="Zscaler-PT",dstintfrole="undefined",poluuid="d156bb0a-9f0b-51e8-9fe9-5e4665f0a617",sessionid=136153631,proto=6,action="close",policyid=40,policytype="policy",service="HTTP",dstcountry="United States",srccountry="Reserved",trandisp="noop",duration=2,sentbyte=651,rcvdbyte=1304,sentpkt=5,rcvdpkt=4,vpn="Zscaler-PT",vpntype="ipsec-static",appcat="unscanned"684
Instead of:
<190>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",devid="FG100D3G11111111",logid="1059028704",type="utm",subtype="app-ctrl",eventtype="app-ctrl-all",level="information",vd="root",eventtime=1558120121,appid=15893,srcip=10.2.2.214,dstip=199.38.221.38,srcport=6387,dstport=80,srcintf="LAN",srcintfrole="undefined",dstintf="wan1",dstintfrole="undefined",proto=6,service="HTTP",direction="outgoing",policyid=2,sessionid=136153731,applist="default",appcat="Web.Client",app="HTTP.BROWSER",action="pass",hostname="gatekeeper.rapidfiretools.com",incidentserialno=1398045202,url="/rapidfire/getcmdts.php?rid=NDA1-31LA",msg="Web.Client: HTTP.BROWSER,",apprisk="medium"651
<189>date=2019-05-17,time=20:08:41,devname="7334-DHEYW_SM",devid="FG100D3G11111111",logid="0000000013",type="traffic",subtype="forward",level="notice",vd="root",eventtime=1558120121,srcip=10.111.110.106,srcport=60164,srcintf="LAN",srcintfrole="undefined",dstip=204.154.222.120,dstport=80,dstintf="Zscaler-PT",dstintfrole="undefined",poluuid="d156bb0a-9f0b-51e8-9fe9-5e4665f0a617",sessionid=136153631,proto=6,action="close",policyid=40,policytype="policy",service="HTTP",dstcountry="United States",srccountry="Reserved",trandisp="noop",duration=2,sentbyte=651,rcvdbyte=1304,sentpkt=5,rcvdpkt=4,vpn="Zscaler-PT",vpntype="ipsec-static",appcat="unscanned"684
I have been able to "Jerry Rig" this by performing a netcat and piping the data to a raw text file, then parsing the raw file and using the cleaned file in the input. I don't want to go about it this way because I feel it is messy, it is another process that I have to monitor, and it could cause missed events.
Has anyone had an issue like this? It seems like I need a function that is the "Opposite" of multiline.
Any help would be greatly appreciated.
Versions: Elasticsearch 6.7.0 | Logstash 6.5.4. I have also tested with Logstash 7.0.0
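An added example, not code from the poster, Elastic or Fortinet: the "651 " that appears between the two messages in the capture is exactly the byte length of the `<189>` message that follows it, which is RFC 6587 octet-counting framing ("MSG-LEN SP SYSLOG-MSG"); the trailing "684" is the count of a message that had not yet arrived, and there is no newline between frames, which is why a newline-based input sees one long line. The Python below assumes that framing and reassembles messages from a TCP byte stream (including a connection joined mid-frame and a read that ends inside a count), then splits each FortiGate message into fields. Class and function names, `MAX_BUFFER`, and the shortened sample messages are my own constructions.

```python
import re
from typing import Dict, List, Optional

# RFC 6587 octet-counting frame header: "MSG-LEN SP" at the head of the buffer
COUNT_PREFIX = re.compile(rb"^(\d{1,6}) ")
# Where the next frame begins inside data that arrived without a leading count
FRAME_START = re.compile(rb"\d{1,6} <\d{1,3}>")
PRI = re.compile(r"^<(\d{1,3})>")
# FortiGate key=value pairs: quoted values may contain commas, unquoted ones may not
KV = re.compile(r'(\w+)=("([^"]*)"|[^,]*)')
MAX_BUFFER = 64 * 1024  # constructed limit: fail rather than buffer an unframed stream forever


class OctetCountingFramer:
    """Reassembles octet-counted syslog frames from a TCP byte stream.

    Bytes that arrive before any count (a connection joined mid-stream, as in
    the capture above) are emitted as one message that ends where the first
    "<count> <PRI>" boundary appears.
    """

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> List[bytes]:
        self.buf += data
        out: List[bytes] = []
        while self.buf:
            m = COUNT_PREFIX.match(self.buf)
            if m:
                length, start = int(m.group(1)), m.end()
                if len(self.buf) < start + length:
                    break  # frame incomplete; wait for the next read
                out.append(self.buf[start:start + length])
                self.buf = self.buf[start + length:]
                continue
            cut = self._unframed_boundary()
            if cut is None:
                if len(self.buf) > MAX_BUFFER:
                    raise ValueError("no octet-count framing found in stream")
                break  # e.g. a partial count such as "684" with nothing after it yet
            out.append(self.buf[:cut])
            self.buf = self.buf[cut:]
        return out

    def _unframed_boundary(self) -> Optional[int]:
        # Search from offset 1: a match at 0 would already have been a count prefix
        m = FRAME_START.search(self.buf, 1)
        return m.start() if m else None


def parse_fortigate(msg: bytes) -> Dict[str, str]:
    """Split one FortiGate syslog message into a field dict, decoding PRI."""
    text = msg.decode("utf-8", errors="replace")
    fields: Dict[str, str] = {}
    m = PRI.match(text)
    if m:
        pri = int(m.group(1))
        fields["facility"], fields["severity"] = str(pri >> 3), str(pri & 7)
        text = text[m.end():]
    for key, raw, quoted in KV.findall(text):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


# Constructed, shortened messages in the FortiGate format shown in the post
MSG_UTM = (b'<190>date=2019-05-17,time=20:08:41,devname="fw-lab",devid="FGT-EXAMPLE",'
           b'logid="1059028704",type="utm",subtype="app-ctrl",srcip=10.2.2.214,'
           b'dstip=198.51.100.38,dstport=80,action="pass",'
           b'msg="Web.Client: HTTP.BROWSER,",apprisk="medium"')
MSG_TRAFFIC = (b'<189>date=2019-05-17,time=20:08:41,devname="fw-lab",devid="FGT-EXAMPLE",'
               b'logid="0000000013",type="traffic",subtype="forward",srcip=10.111.110.106,'
               b'dstip=203.0.113.120,action="close",sentbyte=651,rcvdpkt=4,appcat="unscanned"')
MSG_NEXT = (b'<189>date=2019-05-17,time=20:08:42,devname="fw-lab",type="traffic",'
            b'action="accept",dstport=443')


def frame(msg: bytes) -> bytes:
    """Wrap a message in RFC 6587 octet-counting framing."""
    return str(len(msg)).encode() + b" " + msg


# The stream joins mid-frame (no count before the first message) and the first
# TCP read ends two bytes into the third frame's count, like the trailing "684".
STREAM = MSG_UTM + frame(MSG_TRAFFIC) + frame(MSG_NEXT)
CUT = len(MSG_UTM) + len(frame(MSG_TRAFFIC)) + 2


def demo() -> List[Dict[str, str]]:
    framer = OctetCountingFramer()
    events: List[Dict[str, str]] = []
    for chunk in (STREAM[:CUT], STREAM[CUT:]):
        events.extend(parse_fortigate(m) for m in framer.feed(chunk))
    return events


if __name__ == "__main__":
    for ev in demo():
        print(ev["type"], ev["severity"], ev.get("action"))
```

The framer is stateful on purpose: TCP reads do not line up with frames, so a count or a message body can straddle two reads, and the leftover bytes must be carried into the next call rather than dropped as a half line. The same reassembly logic can sit in a small relay in front of the Logstash `tcp` input (which splits on newlines by default) or be reproduced in a filter, so the firewall's framing is honoured instead of approximated by netcat and a cleanup step.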