Hello! I guess you may want to check the `iptables` format in liblognorm: https://github.com/rsyslog/liblognorm/blob/master/doc/configuration.rst#iptables
Naming is a bit confusing but (I guess) it should do the trick for your log as it's a set of key=value pairs as well. If you'd still prefer to define every pair manually then please check the `alternative` field type: https://github.com/rsyslog/liblognorm/blob/master/doc/configuration.rst#alternative

I hope this helps!

On Thu, 28 Jan 2021 at 07:20, Jason Prouty via rsyslog <[email protected]> wrote:
> I have been working on a rule to parse my FortiGate firewall.
> I have read this over and over; could you please review and see where I have made my error?
>
> Sample log file
> #2021-01-25T17:11:25.000190-07:00 cspcfw01_nas date=2021-01-25 time=16:28:31 devname="CSPCFW01-M" devid="FG3H0E5818903304" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1611617311 srcip=10.82.12.16 srcintf="rootprivate0" srcintfrole="undefined" dstip=13.226.194.172 dstintf="VLAN2596" dstintfrole="lan" poluuid="edd53f90-c83a-51ea-7fb9-4d2448507263" sessionid=2818513665 proto=1 action="accept" policyid=236 policytype="policy" service="PING" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat="unscanned" dstdevtype="Router/NAT Device" masterdstmac="00:11:bc:5f:1c:1a" dstmac="00:11:bc:5f:1c:1a" dstserver=0
>
> # Comment
> rule=:%date:date-rfc5424% %host:word% date=%date1:date-iso% time=%fwtime:time-24hr% devname=%devname:word% devid=%devid:word% logid="%logid:number%" type="%type:word%" subtype="%subtype:word%" level="%level:word%" vd="%vd:word%" eventtime=%eventtime:number% srcip=%srcip:ipv4% srcintf="%srcintf:word%" srcintfrole="%srcintfrole:word%" dstip=%dstip:ipv4% dstport=%dstport:number% dstintf="%dstintf:word%" dstintfrole="%dstintfrole:word%" poluuid="%poluuid:word%" sessionid=%sessionid:number% proto=%proto:number% action="%action:word%" policyid=%policyid:number% policytype="%policytype:word%" service=%service:word% dstcountry=\"%dstcountry:char-to:\x22%" srccountry=\"%srccountry:char-to:\x22%" trandisp=%trandisp:word% transip=%transisp:ipv4% transport=%transport:number% duration=%duration:number% sentbyte=%sentbyte:number% rcvdbyte=%rcvdbyte:number% sentpkt=%sentpkt:number% rcvdpkt=%rcvdpkt:number% appcat="%appcat:word%" sentdelta=%sentdelta:number% rcvddelta=%rcvddelta:number% dstdevtype="%dstdevtype:word%" masterdstmac="%masterdstmac:word%" dstmac="%dstmac:word%" dstserver=%dstserver:number%
>
> Output from lognormalizer
> { "originalmsg": "2021-01-25T18:00:25.901380-07:00 cspcfw01_nas date=2021-01-25 time=17:17:32 devname=\"CSPCFW01-M\" devid=\"FG3H0E5818903304\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1611620252 srcip=10.82.12.14 srcintf=\"rootprivate0\" srcintfrole=\"undefined\" dstip=99.84.203.154 dstintf=\"VLAN2596\" dstintfrole=\"lan\" poluuid=\"edd53f90-c83a-51ea-7fb9-4d2448507263\" sessionid=2819110384 proto=1 action=\"accept\" policyid=236 policytype=\"policy\" service=\"PING\" dstcountry=\"United States\" srccountry=\"Reserved\" trandisp=\"snat\" transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" dstdevtype=\"Router\/NAT Device\" masterdstmac=\"00:11:bc:5f:1c:1a\" dstmac=\"00:11:bc:5f:1c:1a\" dstserver=0", "unparsed-data": " subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1611620252 srcip=10.82.12.14 srcintf=\"rootprivate0\" srcintfrole=\"undefined\" dstip=99.84.203.154 dstintf=\"VLAN2596\" dstintfrole=\"lan\" poluuid=\"edd53f90-c83a-51ea-7fb9-4d2448507263\" sessionid=2819110384 proto=1 action=\"accept\" policyid=236 policytype=\"policy\" service=\"PING\" dstcountry=\"United States\" srccountry=\"Reserved\" trandisp=\"snat\" transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" dstdevtype=\"Router\/NAT Device\" masterdstmac=\"00:11:bc:5f:1c:1a\" dstmac=\"00:11:bc:5f:1c:1a\" dstserver=0" }
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

--
Yury Bushmelev
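Editor's note on the posted rule and output, with a corrected rule added as an example (this is not from the thread or from the liblognorm project). The posted unparsed-data begins with the space right after type="traffic", and the rule fragment for that field is type="%type:word%". The legacy word type consumes everything up to the next space, so it captures traffic" with the closing quote, and the literal " that follows in the rule is then compared against the space and fails. The fields before it survive for two different reasons: devname=%devname:word% has no literal quotes in the rule, so the quotes simply end up inside the value, and logid="%logid:number%" works because number stops before the quote. The rule below keeps the poster's field names and replaces every quoted field with the quoted-string type, which consumes both quotes itself, so the rule carries no literal quote characters at all; it also fixes the transisp typo and drops dstport, sentdelta and rcvddelta, which do not occur in the posted ICMP line (proto=1) and which a legacy rule would otherwise require literally. It is written against the documented legacy field types and has not been run against the poster's device, so check it with lognormalizer -r fortigate.rb -e json < sample.log and confirm that no unparsed-data key appears in the output.

```text
# Added example: legacy-format liblognorm rule for the posted FortiGate traffic line.
# Quoted values use quoted-string (consumes the surrounding quotes), bare values keep
# the poster's number/ipv4/date/time types. Only the field set of this ICMP sample is
# matched; sessions that add or omit fields (ports, deltas) need the key=value or
# alternative-based approach from the reply above rather than one flat rule.
rule=:%date:date-rfc5424% %host:word% date=%date1:date-iso% time=%fwtime:time-24hr% devname=%devname:quoted-string% devid=%devid:quoted-string% logid=%logid:quoted-string% type=%type:quoted-string% subtype=%subtype:quoted-string% level=%level:quoted-string% vd=%vd:quoted-string% eventtime=%eventtime:number% srcip=%srcip:ipv4% srcintf=%srcintf:quoted-string% srcintfrole=%srcintfrole:quoted-string% dstip=%dstip:ipv4% dstintf=%dstintf:quoted-string% dstintfrole=%dstintfrole:quoted-string% poluuid=%poluuid:quoted-string% sessionid=%sessionid:number% proto=%proto:number% action=%action:quoted-string% policyid=%policyid:number% policytype=%policytype:quoted-string% service=%service:quoted-string% dstcountry=%dstcountry:quoted-string% srccountry=%srccountry:quoted-string% trandisp=%trandisp:quoted-string% transip=%transip:ipv4% transport=%transport:number% duration=%duration:number% sentbyte=%sentbyte:number% rcvdbyte=%rcvdbyte:number% sentpkt=%sentpkt:number% rcvdpkt=%rcvdpkt:number% appcat=%appcat:quoted-string% dstdevtype=%dstdevtype:quoted-string% masterdstmac=%masterdstmac:quoted-string% dstmac=%dstmac:quoted-string% dstserver=%dstserver:number%
```

logid is kept as quoted-string rather than number so the leading zeros of "0000000013" survive, and the two MAC fields stay quoted-string because the device quotes them, which a bare mac48 parser would not accept.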

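The same failure reproduced outside liblognorm, as an added example that is not code from the thread or from the liblognorm project. word_parse() and quoted_string_parse() are my own plain-Python re-implementations of the documented behaviour of the legacy word type (one or more characters up to the next space) and quoted-string type (a value enclosed in double quotes, both quotes consumed); run_template() is a toy rule runner that, like lognormalizer, reports everything from the first failing position as unparsed-data; parse_fortigate() is an independent parser for the FortiGate key=value body, which is the general shape the reply above points at. SAMPLE is the poster's line trimmed to a few fields and is constructed test input.

```python
"""Added example: why type="%type:word%" stops the posted rule, plus a key=value parser."""
import re

# Constructed input: the line from the thread, trimmed to a handful of fields.
SAMPLE = (
    '2021-01-25T17:11:25.000190-07:00 cspcfw01_nas date=2021-01-25 time=16:28:31 '
    'devname="CSPCFW01-M" logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.82.12.16 dstip=13.226.194.172 proto=1 action="accept" policyid=236 '
    'dstcountry="United States" dstdevtype="Router/NAT Device" dstserver=0'
)


def word_parse(text, pos):
    """Mimics legacy 'word': everything up to the next space (or end of line)."""
    end = text.find(' ', pos)
    if end == -1:
        end = len(text)
    return (text[pos:end], end) if end > pos else (None, pos)


def quoted_string_parse(text, pos):
    """Mimics legacy 'quoted-string': value in double quotes; both quotes consumed."""
    if pos >= len(text) or text[pos] != '"':
        return None, pos
    end = text.find('"', pos + 1)
    if end == -1:
        return None, pos
    return text[pos + 1:end], end + 1


def run_template(text, steps):
    """Toy rule runner. steps: ('lit', literal) or ('field', name, parser_fn).
    Returns (fields, unparsed_data); unparsed_data is '' on a full match and
    otherwise starts at the first position where a step failed."""
    fields, pos = {}, 0
    for step in steps:
        if step[0] == 'lit':
            if not text.startswith(step[1], pos):
                return fields, text[pos:]
            pos += len(step[1])
        else:
            _, name, parser = step
            value, pos_after = parser(text, pos)
            if value is None:
                return fields, text[pos:]
            fields[name], pos = value, pos_after
    return fields, text[pos:]


# The poster's fragment  type="%type:word%"  plus the space before subtype=
POSTED = [('lit', 'type="'), ('field', 'type', word_parse), ('lit', '" ')]
# The same field written as  type=%type:quoted-string%  plus that space
FIXED = [('lit', 'type='), ('field', 'type', quoted_string_parse), ('lit', ' ')]

# key=value where value is "..." (backslash escapes allowed) or a run of non-space chars
KV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_fortigate(line):
    """Split off the syslog timestamp and host, then parse the key=value body.
    Quoted values may contain spaces; bare decimal values become ints; anything
    that is not a key=value pair raises instead of being silently skipped."""
    ts, host, body = line.split(' ', 2)
    fields = {'syslog_ts': ts, 'syslog_host': host}
    pos = 0
    while pos < len(body):
        if body[pos] == ' ':
            pos += 1
            continue
        m = KV_RE.match(body, pos)
        if m is None:
            raise ValueError(f'unparsed-data: {body[pos:]!r}')
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = re.sub(r'\\(.)', r'\1', quoted)  # unescape \" and \\
        elif re.fullmatch(r'-?\d+', bare):
            fields[key] = int(bare)
        else:
            fields[key] = bare
        pos = m.end()
    return fields


if __name__ == '__main__':
    fragment = SAMPLE[SAMPLE.index('type='):]
    # word swallows the closing quote, so the literal '"' meets a space and fails
    print('posted rule:', run_template(fragment, POSTED))
    print('fixed rule :', run_template(fragment, FIXED))
    print(parse_fortigate(SAMPLE))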
