This is an experimental decoder for FortiOS 4.0 running on Fortigate devices (http://www.fortinet.com), using the syslog remote logging options (with CSV format turned off). It is not thoroughly tested, may have odd corner cases and can almost certainly be rewritten to be more CPU efficient.
This only decodes the firewall accept/drop logs, but in principle could be extended to the anti-virus, anti-spam etc. logs. Enjoy everyone!

<!--
  Fortigate (FortiOS 4.0) - Examples:
  - Feb 20 12:26:25 date=2011-02-20 time=12:26:24 devname=Device_Name device_id=FGXXXX0000000001 log_id=9999999999 type=traffic subtype=other pri=notice status=deny vd="root" src=10.10.10.10 srcname=10.10.10.10 src_port=1111 dst=10.20.30.40 dstname=10.20.30.40 dst_port=2222 service=65535/tcp proto=6 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="Interface Name" dst_int="internal" SN=123456 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
  - Feb 19 22:00:07 date=2011-02-19 time=22:00:07 devname=Device_Name device_id=FGXXXX1231231231 log_id=3213213213 type=traffic subtype=other pri=notice status=deny vd="root" src=10.10.10.1 srcname=10.10.10.1 src_port=1111 dst=10.9.8.7 dstname=10.9.8.7 dst_port=2222 service=65535/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="wan1" dst_int="root" SN=333333 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
  - Feb 20 12:31:11 date=2011-02-20 time=12:31:09 devname=Name_of_Device device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other pri=notice status=accept vd="root" dir_disp=org tran_disp=noop src=192.168.0.1 srcname=192.168.0.1 src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 tran_ip=N/A tran_port=0 service=11/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" sent_pkt=0 rcvd_pkt=0 vpn="N/A" src_int="wan1" dst_int="root" SN=0987654321 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
-->

<decoder name="fortigate">
  <prematch>date=\S+ time=\.+ </prematch>
  <prematch>devname=\S+ device_id=FG\w+ </prematch>
  <prematch>log_id=\d+ </prematch>
</decoder>

<decoder name="fortigate-firewall">
  <parent>fortigate</parent>
  <type>firewall</type>
  <prematch offset="after_parent">type=traffic subtype=other </prematch>
  <regex>status=(\w+) \.+ </regex>
  <regex>src=(\d+.\d+.\d+.\d+) \.+ src_port=(\d+) </regex>
  <regex>dst=(\d+.\d+.\d+.\d+) \.+ dst_port=(\d+) </regex>
  <regex>service=\d+/(\w+) </regex>
  <order>action,srcip,srcport,dstip,dstport,protocol</order>
</decoder>

Dean Takemori
Systems Support Supervisor
TD Food Group
[email protected]
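As an added example (not part of this post and not OSSEC code), the Python below tokenizes the same key=value layout and reproduces the fields the fortigate-firewall decoder pulls out, in the sequence given by its <order> line, applying the same gating as the two prematch stages (date/time/devname/device_id=FG…/log_id, then type=traffic subtype=other). The sample lines are constructed placeholders modelled on the examples in the decoder comment, trimmed to the relevant fields. One thing it does that the decoder's regexes do not is treat a double-quoted value as a single token, so a field such as src_int="Interface Name" survives intact; that is a useful sanity check on which lines should and should not decode before feeding real syslog output to ossec-logtest.

```python
import re

# Constructed sample lines in the FortiOS 4.0 traffic-log layout (placeholder
# values only, trimmed to the fields the decoder cares about plus a quoted
# interface name to exercise the tokenizer).
SAMPLE_LOGS = [
    'Feb 20 12:26:25 date=2011-02-20 time=12:26:24 devname=Device_Name '
    'device_id=FGXXXX0000000001 log_id=9999999999 type=traffic subtype=other '
    'pri=notice status=deny vd="root" src=10.10.10.10 src_port=1111 '
    'dst=10.20.30.40 dst_port=2222 service=65535/tcp proto=6 '
    'src_int="Interface Name" dst_int="internal" user="N/A"',
    'Feb 19 22:00:07 date=2011-02-19 time=22:00:07 devname=Device_Name '
    'device_id=FGXXXX1231231231 log_id=3213213213 type=traffic subtype=other '
    'pri=notice status=deny vd="root" src=10.10.10.1 src_port=1111 '
    'dst=10.9.8.7 dst_port=2222 service=65535/udp proto=17 src_int="wan1"',
    'Feb 20 12:31:11 date=2011-02-20 time=12:31:09 devname=Name_of_Device '
    'device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other '
    'pri=notice status=accept vd="root" src=192.168.0.1 src_port=0 '
    'dst=192.168.254.254 dst_port=0 service=11/icmp proto=1 src_int="wan1"',
    # Constructed non-traffic line: same header, different type, so the
    # child decoder's "type=traffic subtype=other" prematch would not fire.
    'Feb 20 12:40:00 date=2011-02-20 time=12:39:58 devname=Device_Name '
    'device_id=FGXXXX0000000001 log_id=1111111111 type=event subtype=admin '
    'pri=information user="admin" action=login status=success',
]

# key=value pairs; a value is either a double-quoted string (which may
# contain spaces and escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_kv(line):
    """Tokenize a FortiOS key=value line into a dict of string values.

    A plain split on whitespace would break src_int="Interface Name" into two
    tokens; matching a quoted value as one unit avoids that.
    """
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_fortigate_firewall(line):
    """Reproduce what the fortigate-firewall decoder extracts.

    Returns a dict keyed like the decoder's <order> line
    (action, srcip, srcport, dstip, dstport, protocol), or None when the line
    would not pass the decoder's prematch checks.
    """
    fields = parse_kv(line)
    # Parent decoder prematch: date, time, devname, device_id=FG..., log_id=<digits>
    for key in ('date', 'time', 'devname', 'device_id', 'log_id'):
        if key not in fields:
            return None
    if not fields['device_id'].startswith('FG') or not fields['log_id'].isdigit():
        return None
    # Child decoder prematch: only firewall traffic logs
    if fields.get('type') != 'traffic' or fields.get('subtype') != 'other':
        return None
    # service=65535/tcp -> the decoder keeps only the protocol name after '/'
    service = fields.get('service', '')
    protocol = service.split('/', 1)[1] if '/' in service else None
    return {
        'action': fields.get('status'),
        'srcip': fields.get('src'),
        'srcport': fields.get('src_port'),
        'dstip': fields.get('dst'),
        'dstport': fields.get('dst_port'),
        'protocol': protocol,
    }


def decode_all(lines):
    """Decode a batch of lines, keeping only those the decoder would match."""
    return [d for d in (decode_fortigate_firewall(l) for l in lines) if d is not None]


if __name__ == '__main__':
    for decoded in decode_all(SAMPLE_LOGS):
        print(decoded)
```

Run it directly to see the three traffic lines decoded and the event line dropped; the same dict layout is what you would expect to see as decoded fields in ossec-logtest for a matching line.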
