132>1 2024-09-30T19:28:50.597024Z adadsads61.irasp.etta asd.asdt.gads.asda.com NILVALUE NILVALUE - {"adf":true,"significant":0,"udf":false,"virtualservice":"virtualservice-333afa37-f201-4d1c-bc3f-3fe7a5e337fa","report_timestamp":"2024-09-30T19:28:50.597024Z","service_engine":"z9900001awaf401-se-jmonv","vcpu_id":0,"log_id":123935,"client_ip":"199.19.253.11","client_src_port":25458,"client_dest_port":443,"client_rtt":8,"ssl_version":"TLSv1.3","ssl_cipher":"TLS_AES_256_GCM_SHA384","sni_hostname":"asd.asdt.gads.asda.com","request_state":"AVI_HTTP_REQUEST_STATE_SSL_HANDSHAKING","significant_log":["ADF_CLIENT_CONNECTION_CLOSED_BEFORE_REQUEST"],"vs_ip":"1.1.111.10","ocsp_status_resp_sent":true,"max_ingress_latency_fe":0,"avg_ingress_latency_fe":0,"conn_est_time_fe":8,"source_ip":"199.19.253.11","vs_name":"asd.asdt.gads.asda.com"}
Based on the above log, what would be the best way to map these attributes? The following is a snippet of what I've done; it works to identify the logs, and I can define a type based on the significant_log using regex and use it to change, but I can't seem to parse the attribute pairs.
<patternDefinitions>
<pattern name="patnsxlb"><![CDATA[\"([a-zA-Z_]*?)\":]]></pattern>
<pattern name="patnsxbody"><![CDATA[{.*}]]></pattern>
<pattern name="patsiglog"><![CDATA[\[.*]]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[<:gPatYear>-<:gPatMonNum>-<:gPatDay>T<:gPatTime>\.\d+Z\s+<:gPatFqdn>\s+<:gPatFqdn>\s+NILVALUE\s+NILVALUE]]></eventFormatRecognizer>
<parsingInstructions>
<!-- Split the syslog-style header from the JSON body; the body lands in $_body -->
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatYear>-<:gPatMonNum>-<:gPatDay>T<:gPatTime>\.\d+Z\s+<:gPatFqdn>\s+<:gPatFqdn>\s+NILVALUE\s+NILVALUE\s+-\s<_body:patnsxbody>]]></regex>
</collectFieldsByRegex>
<!-- Key/value split of the JSON body: this is the part that does not produce the attribute pairs -->
<collectAndSetAttrByKeyValuePair kvsep=":" sep=" ," src="$_body">
<!-- JSON keys are lower-case: "significant", not "Significant" -->
<attrKeyMap attr="Significant" key="significant"/>
<attrKeyMap attr="virtualservice" key="virtualservice"/>
<attrKeyMap attr="devicetime" key="report_timestamp"/>
<attrKeyMap attr="targetUser" key="runAs"/>
<attrKeyMap attr="destIpAddr" key="server_ip"/>
<attrKeyMap attr="destIpPort" key="server_dest_port"/>
<attrKeyMap attr="srcIpAddr" key="client_ip"/>
<!-- the client's source port is client_src_port; client_dest_port is the VIP port (443 above) -->
<attrKeyMap attr="srcIpPort" key="client_src_port"/>
<attrKeyMap attr="httpMethod" key="method"/>
<attrKeyMap attr="serverrtt" key="server_rtt"/>
<attrKeyMap attr="httpStatusCode" key="server_response_code"/>
<attrKeyMap attr="httpContentLen" key="server_response_length"/>
<attrKeyMap attr="httpUserAgent" key="user_agent"/>
<attrKeyMap attr="tlsVersion" key="ssl_version"/>
<attrKeyMap attr="webContextPath" key="uri_path"/>
<attrKeyMap attr="uriQuery" key="uri_query"/>
<attrKeyMap attr="rewrittenuriQuery" key="rewritten_uri_query"/>
<attrKeyMap attr="destName" key="host"/>
<attrKeyMap attr="persistenceUsed" key="persistence_used"/>
<attrKeyMap attr="persistent_session_id" key="persistent_session_id"/>
</collectAndSetAttrByKeyValuePair>
</parsingInstructions>
Most of the log is JSON .. try using the collectAndSetAttrByJSON function ... and map your own attributes below ...
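To see why the key/value split in the question cannot match the keys and what the JSON-based mapping recommended above produces instead, here is an added prototype of the same three parser stages (format recognition, splitting off the JSON body, mapping JSON keys onto event attributes) written in plain Python. It is not FortiSIEM parser XML and not Fortinet or VMware code; the sample line is the one quoted in the thread, the ATTR_KEY_MAP pairs are the attrKeyMap entries from the question, the FortiSIEM <:gPatFqdn> placeholders are approximated by \S+, and the "NSX-ALB-" event-type prefix is an assumed name.

```python
import json
import re
from typing import Optional

# Constructed sample: the raw line quoted at the top of the thread.
SAMPLE_LOG = (
    "2024-09-30T19:28:50.597024Z adadsads61.irasp.etta asd.asdt.gads.asda.com "
    "NILVALUE NILVALUE - "
    '{"adf":true,"significant":0,"udf":false,'
    '"virtualservice":"virtualservice-333afa37-f201-4d1c-bc3f-3fe7a5e337fa",'
    '"report_timestamp":"2024-09-30T19:28:50.597024Z",'
    '"service_engine":"z9900001awaf401-se-jmonv","vcpu_id":0,"log_id":123935,'
    '"client_ip":"199.19.253.11","client_src_port":25458,"client_dest_port":443,'
    '"client_rtt":8,"ssl_version":"TLSv1.3","ssl_cipher":"TLS_AES_256_GCM_SHA384",'
    '"sni_hostname":"asd.asdt.gads.asda.com",'
    '"request_state":"AVI_HTTP_REQUEST_STATE_SSL_HANDSHAKING",'
    '"significant_log":["ADF_CLIENT_CONNECTION_CLOSED_BEFORE_REQUEST"],'
    '"vs_ip":"1.1.111.10","ocsp_status_resp_sent":true,"max_ingress_latency_fe":0,'
    '"avg_ingress_latency_fe":0,"conn_est_time_fe":8,"source_ip":"199.19.253.11",'
    '"vs_name":"asd.asdt.gads.asda.com"}'
)

# Equivalent of the eventFormatRecognizer / collectFieldsByRegex pair in the
# question. Assumption: the FortiSIEM <:gPatFqdn> placeholders are approximated by \S+.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z\s+"
    r"(?P<reporter>\S+)\s+(?P<host>\S+)\s+NILVALUE\s+NILVALUE\s+-\s"
    r"(?P<body>\{.*\})$"
)

# attr -> JSON key, taken from the attrKeyMap entries in the question
# (key case corrected to the lower-case JSON keys, srcIpPort taken from client_src_port).
ATTR_KEY_MAP = {
    "significant": "significant",
    "virtualservice": "virtualservice",
    "devicetime": "report_timestamp",
    "targetUser": "runAs",
    "destIpAddr": "server_ip",
    "destIpPort": "server_dest_port",
    "srcIpAddr": "client_ip",
    "srcIpPort": "client_src_port",
    "httpMethod": "method",
    "serverrtt": "server_rtt",
    "httpStatusCode": "server_response_code",
    "httpContentLen": "server_response_length",
    "httpUserAgent": "user_agent",
    "tlsVersion": "ssl_version",
    "webContextPath": "uri_path",
    "uriQuery": "uri_query",
    "rewrittenuriQuery": "rewritten_uri_query",
    "destName": "host",
    "persistenceUsed": "persistence_used",
    "persistent_session_id": "persistent_session_id",
}

# Assumed prefix for the derived event type; not a FortiSIEM-defined name.
EVENT_TYPE_PREFIX = "NSX-ALB-"


def recognize(line: str) -> bool:
    """Format recognition: does the line carry the expected syslog-style header?"""
    return HEADER_RE.match(line) is not None


def split_body(line: str) -> Optional[dict]:
    """Pull the header fields and the raw JSON body out of the line."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def naive_kv_parse(body: str) -> dict:
    """What a key/value split (kvsep ':' , sep ',') makes of a JSON body.

    Keys keep their quotes and the first one keeps the leading '{', so an
    attrKeyMap key="client_ip" never matches: the reason to parse it as JSON.
    """
    out = {}
    for pair in body.split(","):
        key, sep, value = pair.partition(":")
        if sep:
            out[key] = value
    return out


def map_attributes(body_json: dict) -> dict:
    """attrKeyMap equivalent over the parsed JSON: copy only keys present in this event."""
    return {attr: body_json[key] for attr, key in ATTR_KEY_MAP.items() if key in body_json}


def event_type(body_json: dict) -> str:
    """Derive the event type from the first significant_log entry (generic when absent)."""
    entries = body_json.get("significant_log") or []
    return EVENT_TYPE_PREFIX + (entries[0] if entries else "GENERIC")


def parse_event(line: str) -> Optional[dict]:
    """Full pipeline: recognize, split off the body, JSON-decode, map attributes."""
    parts = split_body(line)
    if parts is None:
        return None
    try:
        body_json = json.loads(parts["body"])
    except json.JSONDecodeError:
        return None  # body was not valid JSON; treat as unparsed
    event = map_attributes(body_json)
    event["eventType"] = event_type(body_json)
    event["reptDevName"] = parts["host"]
    return event


if __name__ == "__main__":
    print(json.dumps(parse_event(SAMPLE_LOG), indent=2))
```

Running the block prints the mapped event for the sample line; attributes whose JSON key is absent from this particular log (server_ip, method, host and so on) are simply not set, which is the behaviour you want when one parser covers several NSX ALB log shapes.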
Thank you very much for the help, this works perfectly!