timbutler/fortigate50.pattern

## fortigate50.pattern
FORTIDATE %{YEAR:year}\-%{MONTHNUM:month}\-%{MONTHDAY:day}

FORTIGATE_LITEBASE <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} eventtype=%{WORD:eventtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"

FORTIGATE_LITEBASE2 <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"

# 185 - IPS
FORTIGATE_185 severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} srcintf=\"%{HOST:srcintf}\" policyid=%{DATA:policyid} identidx=%{DATA:identidx} sessionid=%{NUMBER:sessionid} status=%{DATA:status} proto=%{NUMBER:proto} service=%{DATA:service} count=%{NUMBER:count} attackname=\"%{DATA:attackname}\" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} attackid=%{NUMBER:attackid} sensor=\"%{DATA:sensor}\" ref=\"%{DATA:ref}\";? msg=\"%{GREEDYDATA:msg}\" crscore=%{NUMBER:crscore} craction=%{NUMBER:craction}

# 185 - IPS Variant
FORTIGATE_185VAR2 severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} srcintf=\"%{HOST:srcintf}\" dstintf=\"%{HOST:dstintf}\" policyid=%{DATA:policyid} identidx=%{DATA:identidx} sessionid=%{NUMBER:sessionid} status=%{DATA:status} proto=%{NUMBER:proto} service=%{DATA:service} count=%{NUMBER:count} attackname=\"%{DATA:attackname}\" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} attackid=%{NUMBER:attackid} sensor=\"%{DATA:sensor}\" ref=\"%{DATA:ref}\";? incidentserialno=%{NUMBER:incidentserialno} msg=\"%{GREEDYDATA:msg}\"
	FORTIDATE %{YEAR:year}\-%{MONTHNUM:month}\-%{MONTHDAY:day}

	FORTIGATE_LITEBASE <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} eventtype=%{WORD:eventtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"

	FORTIGATE_LITEBASE2 <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"

	# 185 - IPS
	FORTIGATE_185 severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} srcintf=\"%{HOST:srcintf}\" policyid=%{DATA:policyid} identidx=%{DATA:identidx} sessionid=%{NUMBER:sessionid} status=%{DATA:status} proto=%{NUMBER:proto} service=%{DATA:service} count=%{NUMBER:count} attackname=\"%{DATA:attackname}\" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} attackid=%{NUMBER:attackid} sensor=\"%{DATA:sensor}\" ref=\"%{DATA:ref}\";? msg=\"%{GREEDYDATA:msg}\" crscore=%{NUMBER:crscore} craction=%{NUMBER:craction}

	# 185 - IPS Variant
	FORTIGATE_185VAR2 severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} srcintf=\"%{HOST:srcintf}\" dstintf=\"%{HOST:dstintf}\" policyid=%{DATA:policyid} identidx=%{DATA:identidx} sessionid=%{NUMBER:sessionid} status=%{DATA:status} proto=%{NUMBER:proto} service=%{DATA:service} count=%{NUMBER:count} attackname=\"%{DATA:attackname}\" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} attackid=%{NUMBER:attackid} sensor=\"%{DATA:sensor}\" ref=\"%{DATA:ref}\";? incidentserialno=%{NUMBER:incidentserialno} msg=\"%{GREEDYDATA:msg}\"