Hmm. Thought I sent this out already, but I don't see it in the mailing list archives.
This is a decoder I'm using for Fortinet devices using remote syslog to a linux server running OSSEC 2.6. It's still very new, so there may be problems, and the regexes are probably not very optimal.

<!--
  Fortigate

  NOTES:
  - This decoder does not grab the hostname of the device

  FortiOS 4.0 via syslog examples:
  - Feb 20 12:26:25 date=2011-02-20 time=12:26:24 devname=Device_Name device_id=FGXXXX0000000001 log_id=9999999999 type=traffic subtype=other pri=notice status=deny vd="root" src=10.10.10.10 srcname=10.10.10.10 src_port=1111 dst=10.20.30.40 dstname=10.20.30.40 dst_port=2222 service=65535/tcp proto=6 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="Interface Name" dst_int="internal" SN=123456 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
  - Feb 19 22:00:07 date=2011-02-19 time=22:00:07 devname=Device_Name device_id=FGXXXX1231231231 log_id=3213213213 type=traffic subtype=other pri=notice status=deny vd="root" src=10.10.10.1 srcname=10.10.10.1 src_port=1111 dst=10.9.8.7 dstname=10.9.8.7 dst_port=2222 service=65535/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="wan1" dst_int="root" SN=333333 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
  - Feb 20 12:31:11 date=2011-02-20 time=12:31:09 devname=Name_of_Device device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other pri=notice status=accept vd="root" src=192.168.0.1 srcname=192.168.0.1 src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 service=11/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="root" dst_int="N/A" SN=123412341234 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"

  FortiOS 3.0 via syslog examples:
  - Mar 24 12:19:43 date=2011-07-25 time=08:19:42 devname=Name_of_Device device_id=FGXXXX9999999999 log_id=0038016002 type=traffic subtype=other pri=notice vd=root SN=9999999999 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=1 service=3/icmp app_type=N/A status=accept src=10.1.1.1 srcname=10.1.1.1 dst=10.2.2.2 dstname=10.2.2.2 src_int=N/A dst_int="N/A" sent=0 rcvd=0 sent_pkt=0 rcvd_pkt=0 src_port=0 dst_port=0 vpn="N/A" tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
  - Dec 23 11:13:03 date=2011-07-24 time=10:13:03 devname=Device_Name device_id=FGTXXXX9999999999 log_id=0038016004 type=traffic subtype=other pri=notice vd=root SN=9999999999 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=6 service=tcp app_type=N/A status=deny src=10.3.3.3 srcname=10.3.3.3 dst=10.4.4.4 dstname=10.4.4.4 src_int=N/A dst_int="N/A" sent=0 rcvd=0

  Syntax reminders for the regexes below: OSSEC concatenates consecutive
  <prematch> and <regex> elements, so the splits are only for readability.
  In OSSEC regex syntax "\." matches any character and a plain "." is a
  literal dot, so "\d+.\d+.\d+.\d+" matches a dotted-quad address.

  Keep the FortiOS 4.0 decoder ahead of the FortiOS 3.0 one: the 3.0
  prematch is a prefix of the 4.0 prematch (it stops at "pri=\S+ " and
  does not require "status=" to follow), so if it came first it would
  claim the 4.0 logs as well and the 4.0 child regexes would never run.
-->

<!-- FortiOS 4.0: "pri=notice status=deny ..." -->
<decoder name="fortigate-firewall-1">
  <prematch>date=\S+ time=\.+ devname=\S+ device_id=FG\w+ </prematch>
  <prematch>log_id=\d+ type=traffic subtype=other pri=\S+ status=</prematch>
  <type>firewall</type>
</decoder>

<decoder name="fortigate-firewall-1">
  <parent>fortigate-firewall-1</parent>
  <!-- The parent prematch ends at "status=", so the first word captured
       here is the action; "\.+" then skips vd="..." up to src= -->
  <regex offset="after_parent">(\w+) \.+ </regex>
  <regex>src=(\d+.\d+.\d+.\d+) \.+ src_port=(\d+) </regex>
  <regex>dst=(\d+.\d+.\d+.\d+) \.+ dst_port=(\d+) </regex>
  <!-- service=65535/tcp, 65535/udp, 11/icmp: keep only the protocol name -->
  <regex>\.*service=\d+/(\w+) </regex>
  <order>action,srcip,srcport,dstip,dstport,protocol</order>
</decoder>

<!-- FortiOS 3.0: status= comes after proto=/service=, not after pri= -->
<decoder name="fortigate-firewall-2">
  <prematch>date=\S+ time=\.+ devname=\S+ device_id=FG\w+ </prematch>
  <prematch>log_id=\d+ type=traffic subtype=other pri=\S+ </prematch>
  <type>firewall</type>
</decoder>

<!-- 3.0 records with a numeric service ("service=3/icmp") and port fields -->
<decoder name="fortigate-firewall-2">
  <parent>fortigate-firewall-2</parent>
  <regex offset="after_parent">proto=\d+ service=\d+/(\w+) </regex>
  <regex>\.+ status=(\w+) </regex>
  <regex>src=(\d+.\d+.\d+.\d+) \.+ dst=(\d+.\d+.\d+.\d+) </regex>
  <regex>\.+ src_port=(\d+) dst_port=(\d+) </regex>
  <order>protocol,action,srcip,dstip,srcport,dstport</order>
</decoder>

<!-- 3.0 records with a bare service name ("service=tcp") and no port
     fields; tried only when the child above does not match -->
<decoder name="fortigate-firewall-2">
  <parent>fortigate-firewall-2</parent>
  <regex offset="after_parent">proto=\d+ service=(\w+) </regex>
  <regex>\.+ status=(\w+) </regex>
  <regex>src=(\d+.\d+.\d+.\d+) \.+ dst=(\d+.\d+.\d+.\d+) </regex>
  <order>protocol,action,srcip,dstip</order>
</decoder>

Dean Takemori
Systems Support Supervisor
TD Food Group
[email protected]
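A way to check what the decoder above would hand to OSSEC rules before loading it with ossec-logtest: the script below is an added example, not part of the original post or of OSSEC. It re-implements the decoder's field mapping (action, srcip, srcport, dstip, dstport, protocol) as a generic FortiOS key=value parser that handles quoted values with spaces, the 4.0 "service=65535/tcp" and the 3.0 "service=tcp" forms, 3.0 records with no port fields, and non-FortiGate lines, and it additionally keeps devname, which the XML decoder does not capture. The sample lines and the count_denies_by_source helper are constructed for the example and modelled on the post's anonymised logs.

```python
"""Emulate the OSSEC Fortigate decoder's field extraction on sample logs.

Added example, not code from the original post or from OSSEC. The sample
lines are constructed after the post's anonymised examples and are not
real device output.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces, e.g. src_int="Interface Name") or a bare run of non-space.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# RFC 3164 style syslog header the device prepends: "Feb 20 12:26:25 ".
_SYSLOG_HDR_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiOS log line into a dict of its key=value fields."""
    body = _SYSLOG_HDR_RE.sub("", line, count=1)
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_traffic(line: str) -> Optional[Dict[str, str]]:
    """Return the decoder's field set for one FortiGate traffic log, else None.

    The checks mirror the decoder's <prematch>: a FortiGate device_id (FG...),
    type=traffic, subtype=other and a status= field. Anything else is left
    alone so that unrelated logs never yield bogus src/dst fields.
    """
    f = parse_kv(line)
    if not f.get("device_id", "").startswith("FG"):
        return None
    if f.get("type") != "traffic" or f.get("subtype") != "other":
        return None
    if "status" not in f:
        return None

    # service is "65535/tcp" or "11/icmp" (4.0 and most 3.0 records) or a
    # bare "tcp" (3.0); the protocol name is what the decoder keeps.
    service = f.get("service", "")
    protocol = service.split("/", 1)[1] if "/" in service else service

    out = {
        "devname": f.get("devname", ""),
        "action": f["status"],
        "srcip": f.get("src", ""),
        "dstip": f.get("dst", ""),
        "protocol": protocol,
    }
    # Some 3.0 records carry no port fields; emit them only when present,
    # as the second 3.0 child decoder does.
    for log_key, out_key in (("src_port", "srcport"), ("dst_port", "dstport")):
        if log_key in f:
            out[out_key] = f[log_key]
    return out


def count_denies_by_source(lines: List[str]) -> Counter:
    """Count denied connections per source IP, the view a simple OSSEC
    frequency rule keyed on srcip would get from these decoded fields."""
    hits: Counter = Counter()
    for line in lines:
        rec = decode_traffic(line)
        if rec and rec["action"] == "deny":
            hits[rec["srcip"]] += 1
    return hits


# Constructed sample input modelled on the post's anonymised examples.
SAMPLE_LINES = [
    # FortiOS 4.0, TCP deny; note the quoted src_int value containing a space
    "Feb 20 12:26:25 date=2011-02-20 time=12:26:24 devname=Device_Name "
    "device_id=FGXXXX0000000001 log_id=9999999999 type=traffic subtype=other "
    'pri=notice status=deny vd="root" src=10.10.10.10 srcname=10.10.10.10 '
    "src_port=1111 dst=10.20.30.40 dstname=10.20.30.40 dst_port=2222 "
    'service=65535/tcp proto=6 src_int="Interface Name" dst_int="internal"',
    # FortiOS 4.0, ICMP accept
    "Feb 20 12:31:11 date=2011-02-20 time=12:31:09 devname=Name_of_Device "
    "device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other "
    'pri=notice status=accept vd="root" src=192.168.0.1 srcname=192.168.0.1 '
    "src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 "
    'service=11/icmp proto=1 src_int="root" dst_int="N/A"',
    # FortiOS 3.0, bare service name and no port fields
    "Dec 23 11:13:03 date=2011-07-24 time=10:13:03 devname=Device_Name "
    "device_id=FGTXXXX9999999999 log_id=0038016004 type=traffic subtype=other "
    "pri=notice vd=root SN=9999999999 duration=0 user=N/A group=N/A rule=0 "
    "policyid=0 proto=6 service=tcp app_type=N/A status=deny src=10.3.3.3 "
    'srcname=10.3.3.3 dst=10.4.4.4 dstname=10.4.4.4 src_int=N/A dst_int="N/A"',
    # Not a FortiGate traffic record: must be ignored, not mis-decoded
    "Feb 20 12:40:00 sshd[1234]: Failed password for root from 10.0.0.5 port 2222 ssh2",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(decode_traffic(sample))
    print(dict(count_denies_by_source(SAMPLE_LINES)))
```

The parser is deliberately stricter than the XML prematch in one respect: it refuses a record that lacks status= instead of capturing whatever word follows, so a truncated or foreign line cannot populate srcip/dstip with junk that a rule then alerts on.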
