Hi Dean, just found this and can't believe I'm the first to use them (or say thanks). Many thanks for your help and time, I'm putting them in now.
Kind Regards
Andy

On Saturday, July 30, 2011 1:11:41 AM UTC+1, [email protected] wrote:
>
> Hmm. Thought I sent this out already, but I don't see it in the mailing list archives.
>
> This is a decoder I'm using for Fortinet devices using remote syslog to a linux server running OSSEC 2.6. It's still very new, so there may be problems, and the regexes are probably not very optimal.
>
> <!-- Fortigate
>   - NOTES: This decoder does not grab the hostname of the device
>   - FortiOS 4.0 via syslog examples:
>   - Feb 20 12:26:25 date=2011-02-20 time=12:26:24 devname=Device_Name device_id=FGXXXX0000000001 log_id=9999999999 type=traffic subtype=other pri=notice status=deny vd="root" src=10.10.10.10 srcname=10.10.10.10 src_port=1111 dst=10.20.30.40 dstname=10.20.30.40 dst_port=2222 service=65535/tcp proto=6 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="Interface Name" dst_int="internal" SN=123456 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
>   - Feb 19 22:00:07 date=2011-02-19 time=22:00:07 devname=Device_Name device_id=FGXXXX1231231231 log_id=3213213213 type=traffic subtype=other pri=notice status=deny vd="root" src=10.10.10.1 srcname=10.10.10.1 src_port=1111 dst=10.9.8.7 dstname=10.9.8.7 dst_port=2222 service=65535/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="wan1" dst_int="root" SN=333333 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
>   - Feb 20 12:31:11 date=2011-02-20 time=12:31:09 devname=Name_of_Device device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other pri=notice status=accept vd="root" src=192.168.0.1 srcname=192.168.0.1 src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 service=11/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="root" dst_int="N/A" SN=123412341234 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
>   - FortiOS 3.0 via syslog examples:
>   - Mar 24 12:19:43 date=2011-07-25 time=08:19:42 devname=Name_of_Device device_id=FGXXXX9999999999 log_id=0038016002 type=traffic subtype=other pri=notice vd=root SN=9999999999 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=1 service=3/icmp app_type=N/A status=accept src=10.1.1.1 srcname=10.1.1.1 dst=10.2.2.2 dstname=10.2.2.2 src_int=N/A dst_int="N/A" sent=0 rcvd=0 sent_pkt=0 rcvd_pkt=0 src_port=0 dst_port=0 vpn="N/A" tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
>   - Dec 23 11:13:03 date=2011-07-24 time=10:13:03 devname=Device_Name device_id=FGTXXXX9999999999 log_id=0038016004 type=traffic subtype=other pri=notice vd=root SN=9999999999 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=6 service=tcp app_type=N/A status=deny src=10.3.3.3 srcname=10.3.3.3 dst=10.4.4.4 dstname=10.4.4.4 src_int=N/A dst_int="N/A" sent=0 rcvd=0
> -->
>
> <!-- FortiOS 4.0 -->
> <decoder name="fortigate-firewall-1">
>   <prematch>date=\S+ time=\.+ devname=\S+ device_id=FG\w+ </prematch>
>   <prematch>log_id=\d+ type=traffic subtype=other pri=\S+ status=</prematch>
>   <type>firewall</type>
> </decoder>
>
> <decoder name="fortigate-firewall-1">
>   <parent>fortigate-firewall-1</parent>
>   <regex offset="after_parent">(\w+) \.+ </regex>
>   <regex>src=(\d+.\d+.\d+.\d+) \.+ src_port=(\d+) </regex>
>   <regex>dst=(\d+.\d+.\d+.\d+) \.+ dst_port=(\d+) </regex>
>   <regex>\.*service=\d+/(\w+) </regex>
>   <order>action,srcip,srcport,dstip,dstport,protocol</order>
> </decoder>
>
> <!-- FortiOS 3.0 -->
> <decoder name="fortigate-firewall-2">
>   <prematch>date=\S+ time=\.+ devname=\S+ device_id=FG\w+ </prematch>
>   <prematch>log_id=\d+ type=traffic subtype=other pri=\S+ </prematch>
>   <type>firewall</type>
> </decoder>
>
> <decoder name="fortigate-firewall-2">
>   <parent>fortigate-firewall-2</parent>
>   <regex offset="after_parent">proto=\d+ service=\d+/(\w+) </regex>
>   <regex>\.+ status=(\w+) </regex>
>   <regex>src=(\d+.\d+.\d+.\d+) \.+ dst=(\d+.\d+.\d+.\d+) </regex>
>   <regex>\.+ src_port=(\d+) dst_port=(\d+) </regex>
>   <order>protocol,action,srcip,dstip,srcport,dstport</order>
> </decoder>
>
> <decoder name="fortigate-firewall-2">
>   <parent>fortigate-firewall-2</parent>
>   <regex offset="after_parent">proto=\d+ service=(\w+) </regex>
>   <regex>\.+ status=(\w+) </regex>
>   <regex>src=(\d+.\d+.\d+.\d+) \.+ dst=(\d+.\d+.\d+.\d+) </regex>
>   <order>protocol,action,srcip,dstip</order>
> </decoder>
>
> Dean Takemori
> Systems Support Supervisor
> TD Food Group
> [email protected]
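As an added example that is not part of Dean's decoder or of OSSEC itself, the following stand-alone Python script parses the FortiOS key=value syslog format and pulls out the same six fields the decoders above map through `<order>` (action, srcip, srcport, dstip, dstport, protocol). It is useful for checking what a decoder should extract from a given line before running `ossec-logtest`, and it handles the two cases the thread's decoders split into separate children: `service=65535/tcp` (protocol after the slash) versus the bare `service=tcp` form in some FortiOS 3.0 lines, which also lack `src_port`/`dst_port`. The function names `parse_fortigate` and `ossec_fields` are my own; the sample lines are taken from the examples quoted in the thread.

```python
import re

# A FortiOS line is a syslog timestamp followed by key=value tokens. Values
# may be double-quoted and then contain spaces (e.g. src_int="Interface Name"),
# which is why the OSSEC decoders above skip over them with \.+ wildcards.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Sample lines copied from the thread (FortiOS 4.0 and 3.0 formats).
SAMPLE_40_DENY_TCP = (
    "Feb 20 12:26:25 date=2011-02-20 time=12:26:24 devname=Device_Name "
    "device_id=FGXXXX0000000001 log_id=9999999999 type=traffic subtype=other "
    'pri=notice status=deny vd="root" src=10.10.10.10 srcname=10.10.10.10 '
    "src_port=1111 dst=10.20.30.40 dstname=10.20.30.40 dst_port=2222 "
    "service=65535/tcp proto=6 app_type=N/A duration=0 rule=0 policyid=0 "
    'shaper_sent_name="N/A" src_int="Interface Name" dst_int="internal" '
    'SN=123456 app="N/A" user="N/A" group="N/A" carrier_ep="N/A"'
)
SAMPLE_30_ACCEPT_ICMP = (
    "Mar 24 12:19:43 date=2011-07-25 time=08:19:42 devname=Name_of_Device "
    "device_id=FGXXXX9999999999 log_id=0038016002 type=traffic subtype=other "
    "pri=notice vd=root SN=9999999999 duration=0 user=N/A group=N/A rule=0 "
    "policyid=0 proto=1 service=3/icmp app_type=N/A status=accept src=10.1.1.1 "
    'srcname=10.1.1.1 dst=10.2.2.2 dstname=10.2.2.2 src_int=N/A dst_int="N/A" '
    "sent=0 rcvd=0 sent_pkt=0 rcvd_pkt=0 src_port=0 dst_port=0 "
    'vpn="N/A" tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop'
)
SAMPLE_30_DENY_TCP = (
    "Dec 23 11:13:03 date=2011-07-24 time=10:13:03 devname=Device_Name "
    "device_id=FGTXXXX9999999999 log_id=0038016004 type=traffic subtype=other "
    "pri=notice vd=root SN=9999999999 duration=0 user=N/A group=N/A rule=0 "
    "policyid=0 proto=6 service=tcp app_type=N/A status=deny src=10.3.3.3 "
    'srcname=10.3.3.3 dst=10.4.4.4 dstname=10.4.4.4 src_int=N/A dst_int="N/A" '
    "sent=0 rcvd=0"
)


def parse_fortigate(line):
    """Return every key=value field of a FortiOS syslog line as a dict.

    The leading syslog timestamp ("Feb 20 12:26:25") contains no '=' and is
    skipped by the tokenizer; surrounding double quotes are stripped from values.
    """
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def ossec_fields(line):
    """Mimic the field set the thread's decoders produce via <order>.

    Returns None when the line would not pass the decoders' prematch
    (not a FortiGate traffic log); otherwise a dict with action, srcip, dstip,
    protocol, and srcport/dstport when the line carries them.
    """
    f = parse_fortigate(line)
    if f.get("type") != "traffic" or not f.get("device_id", "").startswith("FG"):
        return None
    out = {"action": f.get("status"), "srcip": f.get("src"), "dstip": f.get("dst")}
    # "65535/tcp" and "3/icmp" carry the protocol after the slash (decoder child 1);
    # a bare "tcp" is the FortiOS 3.0 form handled by decoder child 2.
    service = f.get("service", "")
    out["protocol"] = service.rsplit("/", 1)[-1] if service else None
    for src_key, out_key in (("src_port", "srcport"), ("dst_port", "dstport")):
        if src_key in f:
            out[out_key] = f[src_key]
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_40_DENY_TCP, SAMPLE_30_ACCEPT_ICMP, SAMPLE_30_DENY_TCP):
        print(ossec_fields(sample))
```

One caveat when comparing this script with the decoder: OSSEC's regex dialect is not PCRE. In OSSEC, `\.` means "any character" and an unescaped `.` is a literal dot, so `\d+.\d+.\d+.\d+` in the decoders is the correct OSSEC spelling of an IPv4 address and `\.+` is the catch-all wildcard, whereas the Python above uses standard `re` syntax.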
