Created
May 11, 2021 12:12
-
-
Save gose/0c6d3d46228a2467bfbcba39d2d50ec5 to your computer and use it in GitHub Desktop.
Sample Logstash Pipeline for Fortinet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sample log line: | |
| May 10 22:50:02 XXX CEF: 0|Fortinet|Fortigate|v6.4.5|000XX|traffic:forward server-rst|X|deviceExternalId=FGVMXXXXXXXXX FortinetFortiGateeventtime=162068340XXXXXXXX FortinetFortiGatetz=+0100 FortinetFortiGatelogid=00000000XX cat=traffic:forward FortinetFortiGatesubtype=forward FortinetFortiGatelevel=notice FortinetFortiGatevd=root src=X.X.X.X spt=XXXXX deviceInboundInterface=portX FortinetFortiGatesrcintfrole=undefined dst=X.X.X.X dpt=443 deviceOutboundInterface=portX FortinetFortiGatedstintfrole=undefined FortinetFortiGatesrccountry=Reserved FortinetFortiGatedstcountry=Netherlands externalId=XXXXXXX proto=X FortinetFortiGateaction=server-rst FortinetFortiGatepolicyid=X FortinetFortiGatepolicytype=policy FortinetFortiGatepoluuid=XXXXXXXXXXXXXXXXXXX FortinetFortiGatepolicyname=To-Internet app=HTTPS FortinetFortiGatetrandisp=snat sourceTranslatedAddress=X.X.X.X sourceTranslatedPort=XXXXX FortinetFortiGateduration=14 out=558 in=3780 FortinetFortiGatesentpkt=7 FortinetFortiGatercvdpkt=6 FortinetFortiGateappcat=unscanned | |
| Sample Logstash pipeline: | |
| input { | |
| file { | |
| start_position => "beginning" | |
| path => "/Users/gose/elastic/logstash-toolkit/data/fortinet.log" | |
| sincedb_clean_after => 0 | |
| } | |
| } | |
| filter { | |
| dissect { | |
| mapping => { | |
| "message" => "%{ts} %{+ts} %{+ts} %{field_1} CEF: %{cef_message}" | |
| } | |
| } | |
| date { | |
| match => [ "ts", "MMM dd HH:mm:ss" ] | |
| } | |
| mutate { | |
| split => ["cef_message", "|"] | |
| add_field => { "cef_version" => "%{[cef_message][0]}" } | |
| add_field => { "cef_device_vendor" => "%{[cef_message][1]}" } | |
| add_field => { "cef_device_product" => "%{[cef_message][2]}" } | |
| add_field => { "cef_device_version" => "%{[cef_message][3]}" } | |
| add_field => { "cef_sig_id" => "%{[cef_message][4]}" } | |
| add_field => { "cef_sig_name" => "%{[cef_message][5]}" } | |
| add_field => { "cef_sig_severity" => "%{[cef_message][6]}" } | |
| add_field => { "cef_kv_message" => "%{[cef_message][7]}" } | |
| } | |
| kv { | |
| source => "cef_kv_message" | |
| trim_value => " " | |
| trim_key => " " | |
| value_split => "=" | |
| remove_field => ["cef_kv_message", "cef_message"] | |
| } | |
| mutate { | |
| remove_field => ["ts", "host", "path", "agent", "input", "@version", "cef_message"] | |
| } | |
| } | |
| output { | |
| stdout { } | |
| } | |
| Sample Logstash output: | |
| { | |
| "FortinetFortiGatevd" => "root", | |
| "deviceExternalId" => "FGVMXXXXXXXXX", | |
| "FortinetFortiGatesrccountry" => "Reserved", | |
| "FortinetFortiGateaction" => "server-rst", | |
| "FortinetFortiGatepolicyname" => "To-Internet", | |
| "FortinetFortiGatetz" => "+0100", | |
| "sourceTranslatedAddress" => "X.X.X.X", | |
| "dpt" => "443", | |
| "FortinetFortiGatedstcountry" => "Netherlands", | |
| "cef_sig_name" => "traffic:forward server-rst", | |
| "FortinetFortiGatelevel" => "notice", | |
| "deviceOutboundInterface" => "portX", | |
| "cef_device_product" => "Fortigate", | |
| "externalId" => "XXXXXXX", | |
| "field_1" => "XXX", | |
| "deviceInboundInterface" => "portX", | |
| "FortinetFortiGatesrcintfrole" => "undefined", | |
| "FortinetFortiGatepolicytype" => "policy", | |
| "app" => "HTTPS", | |
| "FortinetFortiGatesubtype" => "forward", | |
| "message" => "May 10 22:50:02 XXX CEF: 0|Fortinet|Fortigate|v6.4.5|000XX|traffic:forward server-rst|X|deviceExternalId=FGVMXXXXXXXXX FortinetFortiGateeventtime=162068340XXXXXXXX FortinetFortiGatetz=+0100 FortinetFortiGatelogid=00000000XX cat=traffic:forward FortinetFortiGatesubtype=forward FortinetFortiGatelevel=notice FortinetFortiGatevd=root src=X.X.X.X spt=XXXXX deviceInboundInterface=portX FortinetFortiGatesrcintfrole=undefined dst=X.X.X.X dpt=443 deviceOutboundInterface=portX FortinetFortiGatedstintfrole=undefined FortinetFortiGatesrccountry=Reserved FortinetFortiGatedstcountry=Netherlands externalId=XXXXXXX proto=X FortinetFortiGateaction=server-rst FortinetFortiGatepolicyid=X FortinetFortiGatepolicytype=policy FortinetFortiGatepoluuid=XXXXXXXXXXXXXXXXXXX FortinetFortiGatepolicyname=To-Internet app=HTTPS FortinetFortiGatetrandisp=snat sourceTranslatedAddress=X.X.X.X sourceTranslatedPort=XXXXX FortinetFortiGateduration=14 out=558 in=3780 FortinetFortiGatesentpkt=7 FortinetFortiGatercvdpkt=6 FortinetFortiGateappcat=unscanned", | |
| "out" => "558", | |
| "FortinetFortiGateduration" => "14", | |
| "@timestamp" => 2021-05-11T03:50:02.000Z, | |
| "FortinetFortiGatelogid" => "00000000XX", | |
| "cef_device_version" => "v6.4.5", | |
| "FortinetFortiGateappcat" => "unscanned", | |
| "FortinetFortiGatercvdpkt" => "6", | |
| "src" => "X.X.X.X", | |
| "cef_device_vendor" => "Fortinet", | |
| "FortinetFortiGatepoluuid" => "XXXXXXXXXXXXXXXXXXX", | |
| "FortinetFortiGatepolicyid" => "X", | |
| "FortinetFortiGatesentpkt" => "7", | |
| "spt" => "XXXXX", | |
| "in" => "3780", | |
| "sourceTranslatedPort" => "XXXXX", | |
| "cef_sig_severity" => "X", | |
| "FortinetFortiGatedstintfrole" => "undefined", | |
| "cef_version" => "0", | |
| "FortinetFortiGateeventtime" => "162068340XXXXXXXX", | |
| "cat" => "traffic:forward", | |
| "dst" => "X.X.X.X", | |
| "cef_sig_id" => "000XX", | |
| "proto" => "X", | |
| "FortinetFortiGatetrandisp" => "snat" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment