So, I was parsing Fortigate events in a compliant way to ECS with some enrichment by adding categorization fields with logstash but instead of getting this :
I get this :
Even though I respected categorization field in the event mapping to the ECS documentation :
Here is a small part my logstash ECS mapping :
if "utm" in [type] and "1059028704" in [logid] {
if "pass" in [action] {
mutate {
add_tag => [ "utm" ]
add_field => { "event.module" => "UTM" }
add_field => { "observer.type" => "firewall" }
add_field => { "event.kind" => "event" }
add_field => { "event.category" => "network" }
add_field => { "event.code" => "Utm Allowed" }
add_field => { "event.id" => "1059028704" }
add_field => { "event.type" => "allowed" }
add_field => { "event.outcome" => "success" }
}
} else if "block" in [action] {
mutate {
add_tag => [ "utm" ]
add_field => { "event.module" => "UTM" }
add_field => { "observer.type" => "firewall" }
add_field => { "event.kind" => "event" }
add_field => { "event.category" => "network" }
add_field => { "event.code" => "Utm Denied" }
add_field => { "event.id" => "1059028704" }
add_field => { "event.type" => "denied" }
add_field => { "event.outcome" => "failure" }
}
}
mutate {
lowercase => [ "service" ]
lowercase => [ "app" ]
copy => { "srcip" => "source.ip" }
copy => { "dstip" => "destination.ip" }
#rename => { "xauthuser" => "user.name" }
#rename => { "vpntunnel" => "group.id" }
rename => { "logid" => "event.id" }
rename => { "devname" => "observer.hostname" }
rename => { "dir" => "netowrk.direction" }
rename => { "status" => "event.outcome" }
rename => { "srcport" => "source.port" }
rename => { "dstport" => "destination.port" }
rename => { "srcintf" => "observer.ingress.interface.name" }
rename => { "dstintf" => "observer.egress.interface.name" }
rename => { "sentbyte" => "source.bytes" }
rename => { "rcvdbyte" => "destination.bytes" }
rename => { "sentpkt" => "source.packets" }
rename => { "rcvdpkt" => "destination.packets" }
rename => { "proto" => "network.iana_number" }
#copy => { "service" => "service.type" }
copy => { "service" => "network.protocol" }
rename => { "action" => "event.action" }
rename => { "app" => "network.application" }
rename => { "url" => "url.path" }
rename => { "hostname" => "url.domain" }
}
Am I missing some fields ? can you provide extra info about this since there is no way to inspect what timelines request are like unlike the other visualizations.
Thank you
, I found a reddit answer for this :
