Mailing List Archive

rule assistance
I have been working on a rule to parse my Fortigate firewall logs.
I have read this over and over; could you please review it and see where I have made my error?

Sample Log file
#2021-01-25T17:11:25.000190-07:00 cspcfw01_nas date=2021-01-25 time=16:28:31 devname="CSPCFW01-M" devid="FG3H0E5818903304" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1611617311 srcip=10.82.12.16 srcintf="rootprivate0" srcintfrole="undefined" dstip=13.226.194.172 dstintf="VLAN2596" dstintfrole="lan" poluuid="edd53f90-c83a-51ea-7fb9-4d2448507263" sessionid=2818513665 proto=1 action="accept" policyid=236 policytype="policy" service="PING" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat="unscanned" dstdevtype="Router/NAT Device" masterdstmac="00:11:bc:5f:1c:1a" dstmac="00:11:bc:5f:1c:1a" dstserver=0


# Comment
rule=:%date:date-rfc5424% %host:word% date=%date1:date-iso% time=%fwtime:time-24hr% devname=%devname:word% devid=%devid:word% logid="%logid:number%" type="%type:word%" subtype="%subtype:word%" level="%level:word%" vd="%vd:word%" eventtime=%eventtime:number% srcip=%srcip:ipv4% srcintf="%srcintf:word%" srcintfrole="%srcintfrole:word%" dstip=%dstip:ipv4% dstport=%dstport:number% dstintf="%dstintf:word%" dstintfrole="%dstintfrole:word%" poluuid="%poluuid:word%" sessionid=%sessionid:number% proto=%proto:number% action="%action:word%" policyid=%policyid:number% policytype="%policytype:word%" service=%service:word% dstcountry=\"%dstcountry:char-to:\x22%" srccountry=\"%srccountry:char-to:\x22%" trandisp=%trandisp:word% transip=%transisp:ipv4% transport=%transport:number% duration=%duration:number% sentbyte=%sentbyte:number% rcvdbyte=%rcvdbyte:number% sentpkt=%sentpkt:number% rcvdpkt=%rcvdpkt:number% appcat="%appcat:word%" sentdelta=%sentdelta:number% rcvddelta=%rcvddelta:number% dstdevtype="%dstdevtype:word%" masterdstmac="%masterdstmac:word%" dstmac="%dstmac:word%" dstserver=%dstserver:number%


output from lognormalizer
{ "originalmsg": "2021-01-25T18:00:25.901380-07:00 cspcfw01_nas date=2021-01-25 time=17:17:32 devname=\"CSPCFW01-M\" devid=\"FG3H0E5818903304\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1611620252 srcip=10.82.12.14 srcintf=\"rootprivate0\" srcintfrole=\"undefined\" dstip=99.84.203.154 dstintf=\"VLAN2596\" dstintfrole=\"lan\" poluuid=\"edd53f90-c83a-51ea-7fb9-4d2448507263\" sessionid=2819110384 proto=1 action=\"accept\" policyid=236 policytype=\"policy\" service=\"PING\" dstcountry=\"United States\" srccountry=\"Reserved\" trandisp=\"snat\" transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" dstdevtype=\"Router\/NAT Device\" masterdstmac=\"00:11:bc:5f:1c:1a\" dstmac=\"00:11:bc:5f:1c:1a\" dstserver=0", "unparsed-data": " subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1611620252 srcip=10.82.12.14 srcintf=\"rootprivate0\" srcintfrole=\"undefined\" dstip=99.84.203.154 dstintf=\"VLAN2596\" dstintfrole=\"lan\" poluuid=\"edd53f90-c83a-51ea-7fb9-4d2448507263\" sessionid=2819110384 proto=1 action=\"accept\" policyid=236 policytype=\"policy\" service=\"PING\" dstcountry=\"United States\" srccountry=\"Reserved\" trandisp=\"snat\" transip=74.115.158.236 transport=0 duration=60 sentbyte=84 rcvdbyte=84 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" dstdevtype=\"Router\/NAT Device\" masterdstmac=\"00:11:bc:5f:1c:1a\" dstmac=\"00:11:bc:5f:1c:1a\" dstserver=0" }




_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
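Why the lognormalizer output above stops exactly at ` subtype=`, shown with an added example that is not from the thread and is not liblognorm code: a small Python emulation of two liblognorm field parsers, assuming the behaviour the liblognorm documentation gives them (`word` reads up to the next space, `char-to:X` reads up to character X). Inside `type="%type:word%"` the `word` parser also swallows the closing quote of `"traffic"`, so the literal `"` that follows in the rule can never match.

```python
# Added illustration, not liblognorm's own code. Assumption: `word` consumes
# up to the next space and `char-to:X` up to X, as the liblognorm docs state.

def parse_word(text, pos):
    """Emulates liblognorm `word`: one or more characters up to the next space."""
    end = text.find(" ", pos)
    if end == -1:
        end = len(text)
    if end == pos:
        return None
    return text[pos:end], end

def parse_char_to(text, pos, stop):
    """Emulates liblognorm `char-to:<stop>`: characters up to, not including, stop."""
    end = text.find(stop, pos)
    if end <= pos:
        return None
    return text[pos:end], end

def match_quoted_field(text, pos, key, parser):
    """Match the rule fragment key="%value%" at pos.
    Returns (value, pos_after) on success or (None, pos_reached) on failure;
    pos_reached is the deepest offset reached, i.e. where unparsed-data begins."""
    literal = key + '="'
    if not text.startswith(literal, pos):
        return None, pos
    pos += len(literal)
    parsed = parser(text, pos)
    if parsed is None:
        return None, pos
    value, pos = parsed
    if not text.startswith('"', pos):
        return None, pos  # the closing-quote literal in the rule cannot match
    return value, pos + 1

# Fragment constructed from the sample line in the post.
FRAGMENT = 'type="traffic" subtype="forward" level="notice"'

def with_word():
    # The posted rule: type="%type:word%" -- word swallows the closing quote.
    return match_quoted_field(FRAGMENT, 0, "type", parse_word)

def with_char_to():
    # The working form: type="%type:char-to:\x22%" -- stops before the quote.
    return match_quoted_field(FRAGMENT, 0, "type",
                              lambda t, p: parse_char_to(t, p, '"'))

if __name__ == "__main__":
    for name, fn in (("word", with_word), ("char-to", with_char_to)):
        value, pos = fn()
        print(f"{name:8} value={value!r} unparsed={FRAGMENT[pos:]!r}")
```

The poster's own `dstcountry=\"%dstcountry:char-to:\x22%"` already uses the working pattern; the rule also expects `dstport=`, `sentdelta=` and `rcvddelta=`, which the sample line does not carry.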
Re: rule assistance
Not sure how to address this in a rule file:
the srcintf field is sometimes sent as srcintf=unknown-0 and other times as srcintf="rootprivate0"; one has quotes, the other does not.

Thank you
Jason Prouty

________________________________
From: rsyslog <rsyslog-bounces@lists.adiscon.com> on behalf of Jason Prouty via rsyslog <rsyslog@lists.adiscon.com>
Sent: Wednesday, January 27, 2021 6:20 PM
To: rsyslog@lists.adiscon.com <rsyslog@lists.adiscon.com>
Cc: Jason Prouty <jprouty@cctus.com>
Subject: [rsyslog] rule assistance

Re: rule assistance
Hello!

I guess you may want to check `iptables` format in liblognorm:
https://github.com/rsyslog/liblognorm/blob/master/doc/configuration.rst#iptables

Naming is a bit confusing but (I guess) it should do the trick for your log
as it's a set of key=value pairs as well.

If you'd still prefer to define every pair manually then please check the
`alternative` field type:
https://github.com/rsyslog/liblognorm/blob/master/doc/configuration.rst#alternative

I hope this helps!


On Thu, 28 Jan 2021 at 07:20, Jason Prouty via rsyslog <rsyslog@lists.adiscon.com> wrote:



--
Yury Bushmelev
Re: rule assistance
On Thu, 28 Jan 2021, Jason Prouty via rsyslog wrote:

> Not sure how to address this in a rule file
> the srcintf field is sometimes sent as srcintf=unknown-0 and other times as srcintf="rootprivate0"; one has quotes, the other does not.

three options

1. make two rules, one for each variation
2. I think there is a type for an optionally quoted string
3. you can create your own type with alternatives

David Lang
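A parser for the two `srcintf` forms the thread raises (bare `srcintf=unknown-0` and quoted `srcintf="rootprivate0"`), as an added Python example that is not from the thread and is not liblognorm: it accepts a value either bare or double-quoted (the behaviour an optionally quoted string type gives a rule), keeps spaces inside quoted values such as `dstcountry="United States"`, and rejects leftover text rather than silently dropping fields. It assumes the syslog header (timestamp and host) has already been stripped; its input lines are constructed abbreviations of the sample in the thread.

```python
# Added example, not from the thread and not liblognorm. Assumes the syslog
# header has been removed so the line is only FortiGate key=value pairs.
import ipaddress
import re

# One pair: a quoted value may contain spaces and ends at the closing quote;
# a bare value runs to the next whitespace.
PAIR_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]+))')

def parse_fortigate_kv(line: str) -> dict:
    """Return the key=value pairs of one FortiGate log line as a dict.
    Raises ValueError if any text between pairs is not plain whitespace."""
    fields = {}
    pos = 0
    for m in PAIR_RE.finditer(line):
        gap = line[pos:m.start()]
        if gap.strip():
            raise ValueError(f"unparsed text at offset {pos}: {gap!r}")
        quoted = m.group("quoted")
        fields[m.group("key")] = quoted if quoted is not None else m.group("bare")
        pos = m.end()
    if line[pos:].strip():
        raise ValueError(f"unparsed trailing text: {line[pos:]!r}")
    return fields

def typed_fields(fields: dict) -> dict:
    """Coerce the address and counter fields a detection rule would compare on."""
    out = dict(fields)
    for k in ("srcip", "dstip", "transip"):
        if k in out:
            out[k] = ipaddress.ip_address(out[k])  # ValueError on a malformed address
    for k in ("policyid", "proto", "sentbyte", "rcvdbyte", "duration", "sessionid"):
        if k in out:
            out[k] = int(out[k])
    return out

# Two constructed lines, abbreviated from the sample in the thread: the first
# carries the quoted form of srcintf, the second the bare form.
QUOTED = ('date=2021-01-25 time=16:28:31 devname="CSPCFW01-M" srcip=10.82.12.16 '
          'srcintf="rootprivate0" dstip=13.226.194.172 proto=1 action="accept" '
          'policyid=236 dstcountry="United States" dstdevtype="Router/NAT Device" dstserver=0')
BARE = QUOTED.replace('srcintf="rootprivate0"', 'srcintf=unknown-0')

if __name__ == "__main__":
    for line in (QUOTED, BARE):
        f = typed_fields(parse_fortigate_kv(line))
        print(f["srcintf"], f["srcip"], f["dstcountry"], f["dstdevtype"])
```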