This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.
</when>
<when test="$_evtId = '111009'">
<!-- <135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config -->
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[User '<user:gPatStrSQ>' executed cmd:\s+<command:gPatMesgBody>]]></regex>
</collectAndSetAttrByRegex>
</when>
<when test="$_evtId = '722011'">
<when test="$_evtId = '313005'">
<!-- <132>Feb 04 2019 02:44:46 ACFASA : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.20.1.1 dst outside:143.215.130.61 (type 11, code 0) on inside interface. Original IP payload: tcp src 143.215.130.61/80 dst 172.16.200.159/37616. -->
<collectFieldsByRegex src="$_body">
<regex><![CDATA[icmp src <srcIntfName:gPatStrEndColon>:<_srcStr:gPatStr> dst <destIntfName:gPatStrEndColon>:<_destStr:gPatStr>]]></regex>
</collectFieldsByRegex>
</when>
This is a bit tough when the vendor's log is putting two different types of data into the same field. What you have to determine first is whether or not there is always something in that field that could help you identify it as one or the other. For instance, in your example, John-computer.domain.com in regex would be "\w+-\w+.\w+.\w+". "John Last" would simply be "\w+ \w+" Since gPatWord is basically a \w+ (e.g. <pattern name="gPatWord"><![CDATA[\w+]]></pattern>), you could string these together to match the text or make your own pattern definition at the top of the parser. I would then just have two CollectFieldsbyRegex statements to catch each condition.
Now, you need to make sure it's always John[space]Last or John[dash]computer[dot]domain[dot]com, if there are other formats of data coming in, it obviously won't work.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.