Hi all,
We convert a log I get with an API to syslog with Logstash and take it to the SIEM. The log comes in JSON format. I need a parser for this. Has anyone written a parser for JSON before?
Thanks in advance
Hi Adem,
We can build parsers for any custom logs in FortiSIEM; you just need a distinct header format for the log to make it distinguishable from other logs.
If the data first hits Logstash, then you have full control over how the data appears. The easiest format would be: <timestamp> <hostname> vendor=MyVendor product=MyCustomAppABC json={ ... your JSON log body received from the API ... }
e.g. 2025-06-22T10:10:00Z mystash.example.com vendor=SomeVendor product=SomeVendorsApp json={...}
Then we can easily build a parser to parse this data, and the <eventFormatRecognizer> of the parser can match on the vendor=xxx product=xxx keywords.
If you update Logstash to output in that preferred format, attach some sanitized log samples here.
Thanks,
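As an added example (not code from the reply above and not a FortiSIEM parser), the following Python sketch shows both halves of the flow the reply describes: emitting a JSON event from the API as one syslog line in the suggested `<timestamp> <hostname> vendor=... product=... json={...}` header format, and a recognizer/parser that keys on the `vendor=`/`product=` keywords before decoding the JSON body. The hostname, vendor and product values and the sample event are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Header format suggested in the reply; the recognizer keys on vendor=/product=.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vendor=(?P<vendor>\S+) product=(?P<product>\S+) "
    r"json=(?P<body>\{.*\})$"
)

def to_syslog_line(event, hostname, vendor, product, ts=None):
    """Emit one syslog line in the suggested format (what Logstash would output).
    The JSON body is serialised compactly with no raw newlines, so one event = one line."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = json.dumps(event, separators=(",", ":"), ensure_ascii=True)
    return f"{ts} {hostname} vendor={vendor} product={product} json={body}"

def recognize(line, vendor, product):
    """Stand-in for the parser's eventFormatRecognizer: accept only lines that
    carry the expected vendor=/product= keywords, so other logs are not claimed."""
    m = HEADER_RE.match(line)
    return bool(m) and m["vendor"] == vendor and m["product"] == product

def parse_line(line):
    """Parse one line into header fields plus the decoded JSON body.
    Returns None when the header does not match or the body is not valid JSON,
    so malformed lines are dropped rather than half-parsed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    try:
        body = json.loads(m["body"])
    except json.JSONDecodeError:
        return None
    return {"ts": m["ts"], "host": m["host"], "vendor": m["vendor"],
            "product": m["product"], "event": body}

# Constructed sample event, standing in for the JSON body received from the API.
SAMPLE_EVENT = {"user": "alice", "action": "login", "result": "failure",
                "src_ip": "203.0.113.7"}
SAMPLE_LINE = to_syslog_line(SAMPLE_EVENT, "mystash.example.com",
                             "MyVendor", "MyCustomAppABC", ts="2025-06-22T10:10:00Z")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(parse_line(SAMPLE_LINE))
```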