Skip to content

Instantly share code, notes, and snippets.

@timbutler
Created October 29, 2014 04:15
Show Gist options
  • Save timbutler/55f5ac78aa60b2936e48 to your computer and use it in GitHub Desktop.
Save timbutler/55f5ac78aa60b2936e48 to your computer and use it in GitHub Desktop.
Fortigate FortiOS 5.0 Logstash Patterns
FORTIDATE %{YEAR:year}\-%{MONTHNUM:month}\-%{MONTHDAY:day}
FORTIGATE_LITEBASE <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} eventtype=%{WORD:eventtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"
FORTIGATE_LITEBASE2 <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"
# 185 - IPS
FORTIGATE_185 severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} srcintf=\"%{HOST:srcintf}\" policyid=%{DATA:policyid} identidx=%{DATA:identidx} sessionid=%{NUMBER:sessionid} status=%{DATA:status} proto=%{NUMBER:proto} service=%{DATA:service} count=%{NUMBER:count} attackname=\"%{DATA:attackname}\" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} attackid=%{NUMBER:attackid} sensor=\"%{DATA:sensor}\" ref=\"%{DATA:ref}\";? msg=\"%{GREEDYDATA:msg}\" crscore=%{NUMBER:crscore} craction=%{NUMBER:craction}
# 185 - IPS Variant
FORTIGATE_185VAR2 severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} srcintf=\"%{HOST:srcintf}\" dstintf=\"%{HOST:dstintf}\" policyid=%{DATA:policyid} identidx=%{DATA:identidx} sessionid=%{NUMBER:sessionid} status=%{DATA:status} proto=%{NUMBER:proto} service=%{DATA:service} count=%{NUMBER:count} attackname=\"%{DATA:attackname}\" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} attackid=%{NUMBER:attackid} sensor=\"%{DATA:sensor}\" ref=\"%{DATA:ref}\";? incidentserialno=%{NUMBER:incidentserialno} msg=\"%{GREEDYDATA:msg}\"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment