Above was an event_class_id (0000000020) that doesn't happen very often. I need those indexed properly, but one similar to the one below (0000000013) occurs probably more than 90% of the time.
{
"_index": "filebeat-7.5.1-2020.01.14-000001",
"_type": "_doc",
"_id": "CXhMrm8BNzoPuM1b3DyI",
"_version": 1,
"_score": null,
"_source": {
"@version": "1",
"ecs": {
"version": "1.1.0"
},
"fileset": {
"name": "log"
},
"source": {
"port": 58154,
"bytes": 5854,
"nat": {
"ip": "66.194.18.134",
"port": 58154
},
"ip": "10.201.0.22",
"domain": "Bowens-iPad"
},
"input": {
"type": "syslog"
},
"observer": {
"hostname": "FG100D_1",
"vendor": "Fortinet",
"version": "5.6.11,build1700 (GA)",
"product": "FortiGate-100D"
},
"log": {
"source": {
"address": "192.168.11.19:55682"
}
},
"process": {
"program": "CEF"
},
"service": {
"type": "cef"
},
"tags": [
"cef",
"beats_input_codec_plain_applied"
],
"destination": {
"port": 443,
"bytes": 1622,
"ip": "198.200.171.198"
},
"cef": {
"device": {
"event_class_id": "0000000013",
"vendor": "Fortinet",
"version": "5.6.11,build1700 (GA)",
"product": "FortiGate-100D"
},
"severity": "5",
"version": "0",
"name": "forward traffic client-rst",
"extensions": {
"transportProtocol": "6",
"deviceOutboundInterface": "wan1",
"destinationAddress": "198.200.171.198",
"deviceInboundInterface": "BTMPublic-5G",
"deviceHostName": "FG100D_1",
"deviceSeverity": "notice",
"bytesIn": "5854",
"bytesOut": "1622",
"externalID": "105910840",
"ad": {
"policyid": "28",
"trandisp": "snat",
"app": "HTTPS.BROWSER",
"appid": "40568",
"sentpkt": "13",
"srcserver": "0\n\u0000",
"mastersrcmac": "04:52:f3:0a:58:ea",
"apsn": "FP221C3X15037300",
"channel": "153",
"radioband": "802.11ac",
"devtype": "iPad",
"duration": "18",
"apprisk": "medium",
"ap": "Transactional",
"policytype": "policy",
"appcat": "Web.Client",
"dstcountry": "United States",
"osname": "iPad",
"osversion": "iOS 13.2.3",
"vd": "root",
"applist": "default",
"srcmac": "04:52:f3:0a:58:ea",
"logid": "0000000013",
"srccountry": "Reserved",
"countapp": "1",
"subtype": "forward",
"srcintfrole": "lan",
"dstintfrole": "wan",
"utmaction": "allow",
"eventtime": "1579177270",
"countweb": "1",
"srcssid": "BTMPublic-5G",
"poluuid": "3c5b4556-1b13-51e8-1a03-e2eabd4d4878"
},
"sourceTranslatedAddress": "66.194.18.134",
"applicationProtocol": "Opentable",
"deviceEventCategory": "traffic",
"deviceAction": "client-rst",
"sourceTranslatedPort": "58154",
"sourceHostName": "Bowens-iPad",
"logver": "56",
"destinationPort": "443",
"sourcePort": "58154",
"startTime": "Jan 16 2020 07:21:08",
"deviceExternalId": "FG100D3G15820636",
"sourceAddress": "10.201.0.22"
}
},
"syslog": {},
"message": "forward traffic client-rst",
"agent": {
"ephemeral_id": "ab596b42-d39a-491c-ad48-8d8a51ea7d5e",
"hostname": "btm-node1",
"version": "7.5.1",
"type": "filebeat",
"id": "eb878b3e-8816-434e-a4be-6406f67509a3"
},
"@timestamp": "2020-01-16T07:21:08.000Z",
"hostname": "FG100D",
"host": {
"containerized": false,
"hostname": "btm-node1",
"os": {
"platform": "ubuntu",
"kernel": "4.15.0-74-generic",
"family": "debian",
"version": "18.04.3 LTS (Bionic Beaver)",
"name": "Ubuntu",
"codename": "bionic"
},
"architecture": "x86_64",
"name": "btm-node1",
"id": "dfa0f552294645e6a57be2f18cb61e7f"
},
"network": {
"community_id": "1:AIve9tHTa7FGrB3o5GsKveiGAuY=",
"transport": "6",
"application": "Opentable"
},
"event": {
"dataset": "cef.log",
"original": "CEF:0|Fortinet|FortiGate-100D|5.6.11,build1700 (GA)|0000000013|forward traffic client-rst|5|start=Jan 16 2020 07:21:08 logver=56 deviceExternalId=FG100D3G15820636 dvchost=FG100D_1 ad.vd=root ad.logid=0000000013 cat=traffic ad.subtype=forward deviceSeverity=notice ad.eventtime=1579177270 src=10.201.0.22 shost=Bowens-iPad spt=58154 deviceInboundInterface=BTMPublic-5G ad.srcintfrole=lan ad.srcssid=BTMPublic-5G ad.apsn=FP221C3X15037300 ad.ap=Transactional ad.channel=153 ad.radioband=802.11ac dst=198.200.171.198 dpt=443 deviceOutboundInterface=wan1 ad.dstintfrole=wan ad.poluuid=3c5b4556-1b13-51e8-1a03-e2eabd4d4878 externalID=105910840 proto=6 act=client-rst ad.policyid=28 ad.policytype=policy app=Opentable ad.dstcountry=United States ad.srccountry=Reserved ad.trandisp=snat sourceTranslatedAddress=66.194.18.134 sourceTranslatedPort=58154 ad.appid=40568 ad.app=HTTPS.BROWSER ad.appcat=Web.Client ad.apprisk=medium ad.applist=default ad.duration=18 out=1622 in=5854 ad.sentpkt=13 ad.utmaction=allow ad.countweb=1 ad.countapp=1 ad.devtype=iPad ad.osname=iPad ad.osversion=iOS 13.2.3 ad.mastersrcmac=04:52:f3:0a:58:ea ad.srcmac=04:52:f3:0a:58:ea ad.srcserver=0\n\u0000",
"code": "0000000013",
"severity": 5,
"start": "2020-01-16T07:21:08.000Z",
"module": "cef",
"action": "client-rst"
}
},
"fields": {
"event.start": [
"2020-01-16T07:21:08.000Z"
],
"suricata.eve.flow.start": [
"2020-01-16T07:21:08.000Z"
],
"suricata.eve.timestamp": [
"2020-01-16T07:21:08.000Z"
],
"@timestamp": [
"2020-01-16T07:21:08.000Z"
]
},
"highlight": {
"event.module": [
"@kibana-highlighted-field@cef@/kibana-highlighted-field@"
]
},
"sort": [
1579159268000
]
}