Question
Different log fields order
Hello, I found that there might be some differences between log fields order for different fortiOS implementations. For example (using log from doc: https://docs.fortinet.com/document/fortigate/6.2.3/fortios-log-message-reference/357866/log-message-fields) if we have log:
date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586some fields may change their order. In the example above, you can see dstcountry before srccountry, but I've also seen implementations which sent logs with a srccountry field before dstcountry. Such reordering affects almost every field that may appear in the log, e.g. field "service" might be earlier or later in log. Does anyone know - what makes that the order of log fields changes? The question is about parsing, but different order of log fields makes this type of task much more difficult