Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

AlexDC
New Contributor III

FortiSIEM NginxParser Update

we have found an issue with parsing of nginx logs. The built in parser labeled NginxParser has a hard coded parameter for GMT time that only uses a + value, this will in reality not parse half of the world nginx logs that may use a negative(-) value. sample fix is below. For context we are on version 6.1.1.

Parser name : NginxParser
BEFORE
Section off focus
<collectFieldsByRegex src="$_body"> <regex><![CDATA[^<srcIpAddr:gPatIpAddr>\s+-\s+-\s+\[<:gPatDay>/<:gPatMon>/<:gPatYear>:<:gPatTime>\s+\+\d+\]\s+"<httpMethod:gPatStr>\s+<uriStem:gPatStr>\s+HTTP/<httpVersion:patStrQuoted>"\s+<httpStatusCode:gPatStr>\s+<httpLimitRate:gPatStr>\s+"<httpReferrer:patStrQuoted>"\s+"<httpUserAgent:patStrQuoted>"\s*]]></regex> </collectFieldsByRegex>

AFTER    – adding (?:\+|\-) to parse the time zone as either + or - from GMT time format , seems like only + was hard coded

<collectFieldsByRegex src="$_body"> <regex><![CDATA[^<srcIpAddr:gPatIpAddr>\s+-\s+-\s+\[<:gPatDay>/<:gPatMon>/<:gPatYear>:<:gPatTime>\s+(?:\+|\-)\d+\]\s+"<httpMethod:gPatStr>\s+<uriStem:gPatStr>\s+HTTP/<httpVersion:patStrQuoted>"\s+<httpStatusCode:gPatStr>\s+<httpLimitRate:gPatStr>\s+"<httpReferrer:patStrQuoted>"\s+"<httpUserAgent:patStrQuoted>"\s*]]></regex> </collectFieldsByRegex>
2 REPLIES 2
FSM_FTNT
Staff
Staff

Hi Alex,

Thanks very much for pointing this out.

Do you have a sample event, where this was an issue?

I can use that as a test and then look to improve the built-in parser.

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
AlexDC
New Contributor III

Hello Daniel,

Thank you for your reply. I have engaged support ticket to share the logs in question and discuss update to parser for next release. 

Regards;
Alex
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.