I have been working on a rule to parse my fortigate firewall
I have read this over and over couple you please review and see where I have
made my error
Sample Log file
#2021-01-25T17:11:25.000190-07:00 cspcfw01_nas date=2021-01-25 time=16:28:31
devname="CSPCFW01-M" devid="FG3H0E5818903304" logid="0000000013" type="traffic"
subtype="forward" level="notice" vd="root" eventtime=1611617311
srcip=10.82.12.16 srcintf="rootprivate0" srcintfrole="undefined"
dstip=13.226.194.172 dstintf="VLAN2596" dstintfrole="lan"
poluuid="edd53f90-c83a-51ea-7fb9-4d2448507263" sessionid=2818513665 proto=1
action="accept" policyid=236 policytype="policy" service="PING"
dstcountry="United States" srccountry="Reserved" trandisp="snat"
transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84
sentpkt=1 rcvdpkt=1 appcat="unscanned" dstdevtype="Router/NAT Device"
masterdstmac="00:11:bc:5f:1c:1a" dstmac="00:11:bc:5f:1c:1a" dstserver=0
# Comment
rule=:%date:date-rfc5424% %host:word% date=%date1:date-iso%
time=%fwtime:time-24hr% devname=%devname:word% devid=%devid:word%
logid="%logid:number%" type="%type:word%" subtype="%subtype:word%"
level="%level:word%" vd="%vd:word%" eventtime=%eventtime:number%
srcip=%srcip:ipv4% srcintf="%srcintf:word%" srcintfrole="%srcintfrole:word%"
dstip=%dstip:ipv4% dstport=%dstport:number% dstintf="%dstintf:word%"
dstintfrole="%dstintfrole:word%" poluuid="%poluuid:word%"
sessionid=%sessionid:number% proto=%proto:number% action="%action:word%"
policyid=%policyid:number% policytype="%policytype:word%"
service=%service:word% dstcountry=\"%dstcountry:char-to:\x22%"
srccountry=\"%srccountry:char-to:\x22%" trandisp=%trandisp:word%
transip=%transisp:ipv4% transport=%transport:number% duration=%duration:number%
sentbyte=%sentbyte:number% rcvdbyte=%rcvdbyte:number% sentpkt=%sentpkt:number%
rcvdpkt=%rcvdpkt:number% appcat="%appcat:word%" sentdelta=%sentdelta:number%
rcvddelta=%rcvddelta:number% dstdevtype="
%dstdevtype:word%" masterdstmac="%masterdstmac:word%" dstmac="%dstmac:word%"
dstserver=%dstserver:number%
output from lognormalizer
{ "originalmsg": "2021-01-25T18:00:25.901380-07:00 cspcfw01_nas date=2021-01-25
time=17:17:32 devname=\"CSPCFW01-M\" devid=\"FG3H0E5818903304\"
logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\"
vd=\"root\" eventtime=1611620252 srcip=10.82.12.14 srcintf=\"rootprivate0\"
srcintfrole=\"undefined\" dstip=99.84.203.154 dstintf=\"VLAN2596\"
dstintfrole=\"lan\" poluuid=\"edd53f90-c83a-51ea-7fb9-4d2448507263\"
sessionid=2819110384 proto=1 action=\"accept\" policyid=236
policytype=\"policy\" service=\"PING\" dstcountry=\"United States\"
srccountry=\"Reserved\" trandisp=\"snat\" transip=74.115.158.236 transport=0
duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\"
dstdevtype=\"Router\/NAT Device\" masterdstmac=\"00:11:bc:5f:1c:1a\"
dstmac=\"00:11:bc:5f:1c:1a\" dstserver=0", "unparsed-data": "
subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1611620252
srcip=10.82.12.14 srcintf=\"rootprivate0\" srcintfrole=\"undefined\"
dstip=99.84.203
.154 dstintf=\"VLAN2596\" dstintfrole=\"lan\"
poluuid=\"edd53f90-c83a-51ea-7fb9-4d2448507263\" sessionid=2819110384 proto=1
action=\"accept\" policyid=236 policytype=\"policy\" service=\"PING\"
dstcountry=\"United States\" srccountry=\"Reserved\" trandisp=\"snat\"
transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84
sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" dstdevtype=\"Router\/NAT Device\"
masterdstmac=\"00:11:bc:5f:1c:1a\" dstmac=\"00:11:bc:5f:1c:1a\" dstserver=0" }
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
