Not sure how to address this in a rule file the field for srcintf sometimes sent as srcintf=unknown-0 other times it is srcintf="rootprivate0" one has quotes the other does not.
Thank you Jason Prouty ________________________________ From: rsyslog <[email protected]> on behalf of Jason Prouty via rsyslog <[email protected]> Sent: Wednesday, January 27, 2021 6:20 PM To: [email protected] <[email protected]> Cc: Jason Prouty <[email protected]> Subject: [rsyslog] rule assistance I have been working on a rule to parse my fortigate firewall I have read this over and over couple you please review and see where I have made my error Sample Log file #2021-01-25T17:11:25.000190-07:00 cspcfw01_nas date=2021-01-25 time=16:28:31 devname="CSPCFW01-M" devid="FG3H0E5818903304" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1611617311 srcip=10.82.12.16 srcintf="rootprivate0" srcintfrole="undefined" dstip=13.226.194.172 dstintf="VLAN2596" dstintfrole="lan" poluuid="edd53f90-c83a-51ea-7fb9-4d2448507263" sessionid=2818513665 proto=1 action="accept" policyid=236 policytype="policy" service="PING" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat="unscanned" dstdevtype="Router/NAT Device" masterdstmac="00:11:bc:5f:1c:1a" dstmac="00:11:bc:5f:1c:1a" dstserver=0 # Comment rule=:%date:date-rfc5424% %host:word% date=%date1:date-iso% time=%fwtime:time-24hr% devname=%devname:word% devid=%devid:word% logid="%logid:number%" type="%type:word%" subtype="%subtype:word%" level="%level:word%" vd="%vd:word%" eventtime=%eventtime:number% srcip=%srcip:ipv4% srcintf="%srcintf:word%" srcintfrole="%srcintfrole:word%" dstip=%dstip:ipv4% dstport=%dstport:number% dstintf="%dstintf:word%" dstintfrole="%dstintfrole:word%" poluuid="%poluuid:word%" sessionid=%sessionid:number% proto=%proto:number% action="%action:word%" policyid=%policyid:number% policytype="%policytype:word%" service=%service:word% dstcountry=\"%dstcountry:char-to:\x22%" srccountry=\"%srccountry:char-to:\x22%" trandisp=%trandisp:word% transip=%transisp:ipv4% transport=%transport:number% duration=%duration:number% sentbyte=%sentbyte:number% rcvdbyte=%rcvdbyte:number% sentpkt=%sentpkt:number% rcvdpkt=%rcvdpkt:number% appcat="%appcat:word%" sentdelta=%sentdelta:number% rcvddelta=%rcvddelta:number% dstdevtype=" %dstdevtype:word%" masterdstmac="%masterdstmac:word%" dstmac="%dstmac:word%" dstserver=%dstserver:number% output from lognormalizer { "originalmsg": "2021-01-25T18:00:25.901380-07:00 cspcfw01_nas date=2021-01-25 time=17:17:32 devname=\"CSPCFW01-M\" devid=\"FG3H0E5818903304\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1611620252 srcip=10.82.12.14 srcintf=\"rootprivate0\" srcintfrole=\"undefined\" dstip=99.84.203.154 dstintf=\"VLAN2596\" dstintfrole=\"lan\" poluuid=\"edd53f90-c83a-51ea-7fb9-4d2448507263\" sessionid=2819110384 proto=1 action=\"accept\" policyid=236 policytype=\"policy\" service=\"PING\" dstcountry=\"United States\" srccountry=\"Reserved\" trandisp=\"snat\" transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" dstdevtype=\"Router\/NAT Device\" masterdstmac=\"00:11:bc:5f:1c:1a\" dstmac=\"00:11:bc:5f:1c:1a\" dstserver=0", "unparsed-data": " subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1611620252 srcip=10.82.12.14 srcintf=\"rootprivate0\" srcintfrole=\"undefined\" dstip=99.84.203 .154 dstintf=\"VLAN2596\" dstintfrole=\"lan\" poluuid=\"edd53f90-c83a-51ea-7fb9-4d2448507263\" sessionid=2819110384 proto=1 action=\"accept\" policyid=236 policytype=\"policy\" service=\"PING\" dstcountry=\"United States\" srccountry=\"Reserved\" trandisp=\"snat\" transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" dstdevtype=\"Router\/NAT Device\" masterdstmac=\"00:11:bc:5f:1c:1a\" dstmac=\"00:11:bc:5f:1c:1a\" dstserver=0" } _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
