Cybersecurity Forum


AlexDC
New Contributor III

FortiSIEM NginxParser Update

We have found an issue with parsing of nginx logs. The built-in parser labeled NginxParser has a hard-coded parameter for GMT time that only uses a + value; this will in reality not parse half of the world's nginx logs, which may use a negative (-) value. A sample fix is below. For context, we are on version 6.1.1.

Parser name : NginxParser
BEFORE
Section of focus
<collectFieldsByRegex src="$_body"> <regex><![CDATA[^<srcIpAddr:gPatIpAddr>\s+-\s+-\s+\[<:gPatDay>/<:gPatMon>/<:gPatYear>:<:gPatTime>\s+\+\d+\]\s+"<httpMethod:gPatStr>\s+<uriStem:gPatStr>\s+HTTP/<httpVersion:patStrQuoted>"\s+<httpStatusCode:gPatStr>\s+<httpLimitRate:gPatStr>\s+"<httpReferrer:patStrQuoted>"\s+"<httpUserAgent:patStrQuoted>"\s*]]></regex> </collectFieldsByRegex>

AFTER – adding (?:\+|\-) to parse the time zone offset as either + or - in the GMT time format; it seems only + was hard-coded

<collectFieldsByRegex src="$_body"> <regex><![CDATA[^<srcIpAddr:gPatIpAddr>\s+-\s+-\s+\[<:gPatDay>/<:gPatMon>/<:gPatYear>:<:gPatTime>\s+(?:\+|\-)\d+\]\s+"<httpMethod:gPatStr>\s+<uriStem:gPatStr>\s+HTTP/<httpVersion:patStrQuoted>"\s+<httpStatusCode:gPatStr>\s+<httpLimitRate:gPatStr>\s+"<httpReferrer:patStrQuoted>"\s+"<httpUserAgent:patStrQuoted>"\s*]]></regex> </collectFieldsByRegex>
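To show what the one-character gap in the built-in pattern costs in practice, here is an added Python example; it is not FortiSIEM's parser or the poster's code. It rebuilds the BEFORE and AFTER patterns from the post with plain regular expressions (the FortiSIEM tokens such as gPatIpAddr, gPatDay and patStrQuoted are replaced by assumed equivalents), runs both over two constructed nginx "combined" lines, one with a +0200 offset and one with a -0500 offset, and turns the timestamp into a timezone-aware datetime so the offset sign is actually applied.

```python
import re
from datetime import datetime

# Two nginx "combined" access-log lines, constructed for this example.
# The first carries a positive UTC offset, the second a negative one.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Oct/2020:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2020:07:55:36 -0500] "POST /login HTTP/1.1" 302 154 "https://example.test/" "curl/7.68.0"',
]

# Assumed plain-regex equivalents of the FortiSIEM tokens used in the post.
IP = r'(?P<srcIpAddr>\d{1,3}(?:\.\d{1,3}){3})'
DATE = r'(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):(?P<time>\d{2}:\d{2}:\d{2})'
REQ = r'"(?P<httpMethod>\S+)\s+(?P<uriStem>\S+)\s+HTTP/(?P<httpVersion>[^"]+)"'
TAIL = (r'\s+(?P<httpStatusCode>\d{3})\s+(?P<httpLimitRate>\S+)'
        r'\s+"(?P<httpReferrer>[^"]*)"\s+"(?P<httpUserAgent>[^"]*)"\s*$')

# BEFORE: the offset sign is hard-coded as "+", as in the built-in parser.
BEFORE = re.compile(rf'^{IP}\s+-\s+-\s+\[{DATE}\s+(?P<tz>\+\d+)\]\s+{REQ}{TAIL}')
# AFTER: the offset sign may be "+" or "-", the fix proposed in the post.
AFTER = re.compile(rf'^{IP}\s+-\s+-\s+\[{DATE}\s+(?P<tz>(?:\+|\-)\d+)\]\s+{REQ}{TAIL}')


def parse(line, pattern):
    """Return the named fields as a dict, or None if the line does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Build an aware datetime so "+0200" and "-0500" shift the event time correctly.
    stamp = f"{fields['day']}/{fields['mon']}/{fields['year']}:{fields['time']} {fields['tz']}"
    fields['eventTime'] = datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')
    return fields


def coverage(lines, pattern):
    """Count how many of the given lines the pattern parses at all."""
    return sum(1 for line in lines if parse(line, pattern) is not None)


def unparsed(lines, pattern):
    """Return the lines the pattern silently drops (what a SIEM would never index)."""
    return [line for line in lines if parse(line, pattern) is None]


if __name__ == '__main__':
    for name, pat in (('BEFORE', BEFORE), ('AFTER', AFTER)):
        print(f"{name}: parsed {coverage(SAMPLE_LOGS, pat)}/{len(SAMPLE_LOGS)} lines")
        for line in unparsed(SAMPLE_LOGS, pat):
            print(f"  dropped: {line}")
```

The BEFORE pattern matches only the +0200 line; the -0500 line is rejected before any field is extracted, so a host west of Greenwich would produce no events at all rather than events with a wrong timestamp. With AFTER both lines parse, and the aware datetimes show the two events are one hour apart in UTC, which is what a correlation rule would need to see.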
FSM_FTNT
Staff

Hi Alex,

Thanks very much for pointing this out.

Do you have a sample event, where this was an issue?

I can use that as a test and then look to improve the built-in parser.

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
AlexDC
New Contributor III

Hello Daniel,

Thank you for your reply. I have opened a support ticket to share the logs in question and discuss an update to the parser for the next release.

Regards,
Alex