FortiSIEM Discussions
Pascal
New Contributor II

Attribute pair when both key and value are within quotation marks.

132>1 2024-09-30T19:28:50.597024Z adadsads61.irasp.etta asd.asdt.gads.asda.com NILVALUE NILVALUE - {"adf":true,"significant":0,"udf":false,"virtualservice":"virtualservice-333afa37-f201-4d1c-bc3f-3fe7a5e337fa","report_timestamp":"2024-09-30T19:28:50.597024Z","service_engine":"z9900001awaf401-se-jmonv","vcpu_id":0,"log_id":123935,"client_ip":"199.19.253.11","client_src_port":25458,"client_dest_port":443,"client_rtt":8,"ssl_version":"TLSv1.3","ssl_cipher":"TLS_AES_256_GCM_SHA384","sni_hostname":"asd.asdt.gads.asda.com","request_state":"AVI_HTTP_REQUEST_STATE_SSL_HANDSHAKING","significant_log":["ADF_CLIENT_CONNECTION_CLOSED_BEFORE_REQUEST"],"vs_ip":"1.1.111.10","ocsp_status_resp_sent":true,"max_ingress_latency_fe":0,"avg_ingress_latency_fe":0,"conn_est_time_fe":8,"source_ip":"199.19.253.11","vs_name":"asd.asdt.gads.asda.com"}
Pascal
New Contributor II

Based on the above log, what would be the best way to map these attributes? The following is a snippet of what I've done. It works to identify the logs, and I can define a type based on the significant_log using regex and use it to change, but I can't seem to parse the attribute pairs.

<patternDefinitions>
<pattern name="patnsxlb"><![CDATA[\"([a-zA-Z_]*?)\":]]></pattern>
<pattern name="patnsxbody"><![CDATA[{.*}]]></pattern>
<pattern name="patsiglog"><![CDATA[\[.*]]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[<:gPatYear>-<:gPatMonNum>-<:gPatDay>T<:gPatTime>\.\d+Z\s+<:gPatFqdn>\s+<:gPatFqdn>\s+NILVALUE\s+NILVALUE]]></eventFormatRecognizer>
<parsingInstructions>
<!-- Capture everything from the opening "{" to the closing "}" as _body. -->
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatYear>-<:gPatMonNum>-<:gPatDay>T<:gPatTime>\.\d+Z\s+<:gPatFqdn>\s+<:gPatFqdn>\s+NILVALUE\s+NILVALUE\s+-\s<_body:patnsxbody>]]></regex>
</collectFieldsByRegex>
<!-- Key/value splitting leaves the quotation marks on the JSON keys and values, so the
     key="..." entries below do not match the body; the accepted reply switches this step
     to collectAndSetAttrByJSON. -->
<collectAndSetAttrByKeyValuePair kvsep=":" sep=" ," src="$_body">
<attrKeyMap attr="Significant" key="Significant"/>
<attrKeyMap attr="virtualservice" key="virtualservice"/>
<attrKeyMap attr="devicetime" key="report_timestamp"/>
<attrKeyMap attr="targetUser" key="runAs"/>
<attrKeyMap attr="destIpAddr" key="server_ip"/>
<attrKeyMap attr="destIpPort" key="server_dest_port"/>
<attrKeyMap attr="srcIpAddr" key="client_ip"/>
<attrKeyMap attr="srcIpPort" key="client_dest_port"/>
<attrKeyMap attr="httpMethod" key="method"/>
<attrKeyMap attr="serverrtt" key="server_rtt"/>
<attrKeyMap attr="httpStatusCode" key="server_response_code"/>
<attrKeyMap attr="httpContentLen" key="server_response_length"/>
<attrKeyMap attr="httpUserAgent" key="user_agent"/>
<attrKeyMap attr="tlsVersion" key="ssl_version"/>
<attrKeyMap attr="webContextPath" key="uri_path"/>
<attrKeyMap attr="uriQuery" key="uri_query"/>
<attrKeyMap attr="rewrittenuriQuery" key="rewritten_uri_query"/>
<attrKeyMap attr="destName" key="host"/>
<attrKeyMap attr="persistenceUsed" key="persistence_used"/>
<attrKeyMap attr="persistent_session_id" key="persistent_session_id"/>
</collectAndSetAttrByKeyValuePair>
</parsingInstructions>
cdurkin_FTNT
Staff

Most of the log is JSON. Try using the collectAndSetAttrByJSON function and map your own attributes below.

<collectAndSetAttrByJSON src="$_body">
<attrKeyMap attr="_adf" key="adf"/>
<attrKeyMap attr="_significant" key="significant"/>
<attrKeyMap attr="_virtualservice" key="virtualservice"/>
<attrKeyMap attr="_report_timestamp" key="report_timestamp"/>
<attrKeyMap attr="_service_engine" key="service_engine"/>
<attrKeyMap attr="_vcpu_id" key="vcpu_id"/>
<attrKeyMap attr="_log_id" key="log_id"/>
<attrKeyMap attr="_client_ip" key="client_ip"/>
<attrKeyMap attr="_client_src_port" key="client_src_port"/>
<attrKeyMap attr="_client_dest_port" key="client_dest_port"/>
<attrKeyMap attr="_client_rtt" key="client_rtt"/>
<attrKeyMap attr="_ssl_version" key="ssl_version"/>
<attrKeyMap attr="_ssl_cipher" key="ssl_cipher"/>
<attrKeyMap attr="_sni_hostname" key="sni_hostname"/>
<attrKeyMap attr="_request_state" key="request_state"/>
<attrKeyMap attr="_significant_log[0]" key="significant_log[0]"/>
<attrKeyMap attr="_vs_ip" key="vs_ip"/>
<attrKeyMap attr="_ocsp_status_resp_sent" key="ocsp_status_resp_sent"/>
<attrKeyMap attr="_max_ingress_latency_fe" key="max_ingress_latency_fe"/>
<attrKeyMap attr="_avg_ingress_latency_fe" key="avg_ingress_latency_fe"/>
<attrKeyMap attr="_conn_est_time_fe" key="conn_est_time_fe"/>
<attrKeyMap attr="_source_ip" key="source_ip"/>
<attrKeyMap attr="_vs_name" key="vs_name"/>
</collectAndSetAttrByJSON>
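To see why the key/value route fails on this body and what the JSON route does instead, here is an added Python sketch (not FortiSIEM code and not from this thread) that extracts the body with the same header shape as the question's recognizer, contrasts a naive ":" / "," split with real JSON parsing, and maps keys, including the significant_log[0] index form from the reply, onto hypothetical attribute names; the sample line is constructed from the log quoted in the question.

```python
import json
import re
# Constructed sample, trimmed from the log line quoted in the question.
SAMPLE = (
    '132>1 2024-09-30T19:28:50.597024Z adadsads61.irasp.etta asd.asdt.gads.asda.com NILVALUE NILVALUE - '
    '{"significant":0,"client_ip":"199.19.253.11","client_dest_port":443,"ssl_version":"TLSv1.3",'
    '"significant_log":["ADF_CLIENT_CONNECTION_CLOSED_BEFORE_REQUEST"],"vs_ip":"1.1.111.10"}'
)
# Same shape as the question's eventFormatRecognizer: RFC 5424 header, two
# FQDNs, NILVALUE NILVALUE, "-", then the JSON body (the parser's $_body).
HEADER_RE = re.compile(
    r"^(?:<?\d+>1\s+)?\d{4}-\d{2}-\d{2}T[\d:]+\.\d+Z\s+\S+\s+\S+\s+"
    r"NILVALUE\s+NILVALUE\s+-\s(?P<body>\{.*\})$"
)
# Hypothetical FortiSIEM attribute names; name[0] is the accepted reply's index syntax.
ATTR_MAP = {
    "srcIpAddr": "client_ip",
    "destIpAddr": "vs_ip",
    "destIpPort": "client_dest_port",
    "tlsVersion": "ssl_version",
    "significantLog": "significant_log[0]",
}
def extract_body(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not match the Avi/NSX ALB header")
    return m.group("body")

def naive_kv(body):
    # Plain key/value split (kvsep ":" and sep ","): the JSON quotes stay on
    # each key, so a lookup for client_ip fails, and arrays split on commas.
    pairs = {}
    for chunk in body.strip("{}").split(","):
        key, _, value = chunk.partition(":")
        pairs[key.strip()] = value.strip()
    return pairs

def lookup(obj, key):
    # Resolve either a plain key or name[index] against the parsed JSON.
    m = re.fullmatch(r"(\w+)\[(\d+)\]", key)
    if not m:
        return obj.get(key)
    arr = obj.get(m.group(1)) or []
    return arr[int(m.group(2))] if int(m.group(2)) < len(arr) else None

def parse_event(line):
    # Mirror collectAndSetAttrByJSON: parse $_body as JSON, then map keys.
    obj = json.loads(extract_body(line))
    return {a: v for a, k in ATTR_MAP.items() if (v := lookup(obj, k)) is not None}
```

Keys that are absent from a given event (for example significant_log on a log with no significant entries) are simply skipped rather than set to an empty string.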
Pascal
New Contributor II

Thank you very much for the help, this works perfectly!
