fix the issue #137
We've adjusted the fortigate decoders so you can generate alerts when you receive events in a new format.
SitoRBJ committed Jun 22, 2018
1 parent 3c51f03 commit 9401842
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions decoders/0100-fortigate_decoders.xml
Expand Up @@ -54,7 +54,7 @@ Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=

<!-- FortiOS 5.0 via syslog -->
<decoder name="fortigate-firewall-v5">
<prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ </prematch>
<prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ |date=\S+ time=\.+ devname="\S+" devid="FG\w+" logid="\d+" </prematch>
<type>syslog</type>
</decoder>

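Review bot: the quoted-value variant of the event is not documented next to the decoder. The file's convention (see the context line of this hunk, `Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device ...`, and the `date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall ...` sample in the next hunk) is to keep one sample line per supported format in the comment block above the decoder, so please add a sample of the new format with quoted `devname="..." devid="FG..." logid="..."` values (the `date=2018-05-19 ...` line from the commit comment would do) and a sentence saying that the second `|` alternative of the prematch exists for it.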
Expand Down Expand Up @@ -108,8 +108,8 @@ date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 l
-->
<decoder name="fortigate-firewall-v5-event-system-information">
<parent>fortigate-firewall-v5</parent>
<prematch offset="after_parent">type=event subtype=system level=information</prematch>
<regex offset="after_parent">user="(\S+)" ui=\p*\w+\((\S+)\)\p* action=(\S+) </regex>
<prematch offset="after_parent">type=event subtype=system level=information|type="event" subtype="system" level="information"</prematch>
<regex offset="after_parent">user="(\S+)" ui=\p*\w+\((\S+)\)\p* action=(\S+) |user="(\S+)" ui=\p*\w+\((\S+)\)\p* \.*action="(\S+)" </regex>
<order>srcuser,srcip,action</order>
</decoder>

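Review bot: the second regex alternative (`user="(\S+)" ui=\p*\w+\((\S+)\)\p* \.*action="(\S+)" `) keeps taking `srcip` from inside `ui="method(addr)"`, while the new format also carries explicit top-level `srcip=` and `dstip=` keys (see `ui="ssh(xxx.xxx.xxx.xxx)" method="ssh" srcip=xxx.xxx.xxx.xxx dstip=xxx.xxx.xxx.xxx` in the comment). That is consistent with the old-format alternative, but it should be stated in a comment that the top-level `srcip=` is deliberately ignored; otherwise the next reader will assume the `\.*` skip-over between `ui=` and `action=` is a bug. Also note that `\.*action="(\S+)" ` skips an unbounded run of fields, so the order `srcuser,srcip,action` only holds as long as `action=` follows `ui=` somewhere on the line; that matches both samples shown.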
Expand All @@ -121,7 +121,7 @@ date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 l

<decoder name="fortigate-firewall-v5-event-system-information">
<parent>fortigate-firewall-v5</parent>
<regex offset="after_regex">status=(\S+) \.*msg=(\.*)</regex>
<regex offset="after_regex">status=(\S+) \.*msg=(\.*)|status="(\S+)" \.*msg=(\.*)</regex>
<order>status,extra_data</order>
</decoder>

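Review bot: the order of the alternatives defeats the new quoted form. The first alternative `status=(\S+) \.*msg=(\.*)` is tried first and `\S+` also matches the quote characters, so on a new-format event it captures `"success"` with the quotes and the second alternative `status="(\S+)"` is never reached. The commit comment's own test output shows this: `status: '"success"'` for the new format versus `status: 'success'` for the old one, so any rule that compares the `status` field exactly will fire for one format and not the other. Put the quoted alternative first, or make the capture exclude quotes. The same applies to `msg=(\.*)`, which already leaves the surrounding quotes in `extra_data` for both formats; that is pre-existing, but this change is a good place to fix it.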

1 comment on commit 9401842

@SitoRBJ
Contributor Author


File: decoders\0100-fortigate_decoders.xml

<decoder name="fortigate-firewall-v5">
    <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ |date=\S+ time=\.+ devname="\S+" devid="FG\w+" logid="\d+" </prematch>
    <type>syslog</type>
</decoder>

. . .

<decoder name="fortigate-firewall-v5-event-system-information">
    <parent>fortigate-firewall-v5</parent>
    <prematch offset="after_parent">type=event subtype=system level=information|type="event" subtype="system" level="information"</prematch>
    <regex offset="after_parent">user="(\S+)" ui=\p*\w+\((\S+)\)\p* action=(\S+) |user="(\S+)" ui=\p*\w+\((\S+)\)\p* \.*action="(\S+)" </regex>
    <order>srcuser,srcip,action</order>
</decoder>

. . .

<decoder name="fortigate-firewall-v5-event-system-information">
    <parent>fortigate-firewall-v5</parent>
    <regex offset="after_regex">status=(\S+) \.*msg=(\.*)|status="(\S+)" \.*msg=(\.*)</regex>
    <order>status,extra_data</order>
</decoder>

If we receive an event with the old format or an event with the new format, we will get the following results:

Old format:

date=2016-06-16 time=08:48:28 devname=Device_Name devid=FGTXXXX9999999999 logid=0100032003 type=event subtype=system level=information vd="root" logdesc="Admin logout successful" sn=1466062693 user="[email protected]" ui=https(4.3.5.253) action=logout status=success duration=615 state="Config-Changed" reason=exit msg="Administrator [email protected] logged out from https(2.3.8.1)"


**Phase 1: Completed pre-decoding.
       full event: 'date=2016-06-16 time=08:48:28 devname=Device_Name devid=FGTXXXX9999999999 logid=0100032003 type=event subtype=system level=information vd="root" logdesc="Admin logout successful" sn=1466062693 user="[email protected]" ui=https(4.3.5.253) action=logout status=success duration=615 state="Config-Changed" reason=exit msg="Administrator [email protected] logged out from https(2.3.8.1)"'
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: 'date=2016-06-16 time=08:48:28 devname=Device_Name devid=FGTXXXX9999999999 logid=0100032003 type=event subtype=system level=information vd="root" logdesc="Admin logout successful" sn=1466062693 user="[email protected]" ui=https(4.3.5.253) action=logout status=success duration=615 state="Config-Changed" reason=exit msg="Administrator [email protected] logged out from https(2.3.8.1)"'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       srcuser: '[email protected]'
       srcip: '4.3.5.253'
       action: 'logout'
       status: 'success'
       extra_data: '"Administrator [email protected] logged out from https(2.3.8.1)"'

**Phase 3: Completed filtering (rules).
       Rule id: '81616'
       Level: '4'
       Description: 'Fortigate: User logout successful'
**Alert to be generated.

New format:

date=2018-05-19 time=11:58:25 devname="xxxxxxxxx-A" devid="FGxxxxxxxxxxxxxx" logid="0100032003" type="event" subtype="system" level="information" vd="root" eventtime=1526723905 logdesc="Admin logout successful" sn="xxxxxxxxxx" user="admin" ui="ssh(xxx.xxx.xxx.xxx)" method="ssh" srcip=xxx.xxx.xxx.xxx dstip=xxx.xxx.xxx.xxx action="logout" status="success" duration=1 reason="exit" msg="Administrator admin logged out from ssh(xxx.xxx.xxx.xxx)"


**Phase 1: Completed pre-decoding.
       full event: 'date=2018-05-19 time=11:58:25 devname="xxxxxxxxx-A" devid="FGxxxxxxxxxxxxxx" logid="0100032003" type="event" subtype="system" level="information" vd="root" eventtime=1526723905 logdesc="Admin logout successful" sn="xxxxxxxxxx" user="admin" ui="ssh(xxx.xxx.xxx.xxx)" method="ssh" srcip=xxx.xxx.xxx.xxx dstip=xxx.xxx.xxx.xxx action="logout" status="success" duration=1 reason="exit" msg="Administrator admin logged out from ssh(xxx.xxx.xxx.xxx)"'
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: 'date=2018-05-19 time=11:58:25 devname="xxxxxxxxx-A" devid="FGxxxxxxxxxxxxxx" logid="0100032003" type="event" subtype="system" level="information" vd="root" eventtime=1526723905 logdesc="Admin logout successful" sn="xxxxxxxxxx" user="admin" ui="ssh(xxx.xxx.xxx.xxx)" method="ssh" srcip=xxx.xxx.xxx.xxx dstip=xxx.xxx.xxx.xxx action="logout" status="success" duration=1 reason="exit" msg="Administrator admin logged out from ssh(xxx.xxx.xxx.xxx)"'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       srcuser: 'admin'
       srcip: 'xxx.xxx.xxx.xxx'
       action: 'logout'
       status: '"success"'
       extra_data: '"Administrator admin logged out from ssh(xxx.xxx.xxx.xxx)"'

**Phase 3: Completed filtering (rules).
       Rule id: '81616'
       Level: '4'
       Description: 'Fortigate: User logout successful'
**Alert to be generated.

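The decoder regexes above are written in the OSSEC/Wazuh regex dialect (`\S`, `\.`, `\p`) with one alternative per FortiOS value style. As an added illustration, not part of this commit or of the decoder file, the Python below reaches the same field names (`srcuser`, `srcip`, `action`, `status`, `extra_data`) by tokenising the line as generic `key=value` pairs and stripping quotes up front, so both samples from the comment decode to identical values. It uses Python's `re` module and the standard library only; the two sample events are copied from the comment, and the field names mirror the decoder's `<order>` entries rather than any real Wazuh API. Unlike the regex output shown above, `status` comes out as `success` (no quotes) for both formats, which is what a rule that compares the field exactly would need.

```python
import re
from typing import Dict, Optional

# Sample events copied from the commit comment ("Old format" and "New format" lines).
OLD_FORMAT = (
    'date=2016-06-16 time=08:48:28 devname=Device_Name devid=FGTXXXX9999999999 '
    'logid=0100032003 type=event subtype=system level=information vd="root" '
    'logdesc="Admin logout successful" sn=1466062693 user="[email protected]" '
    'ui=https(4.3.5.253) action=logout status=success duration=615 '
    'state="Config-Changed" reason=exit '
    'msg="Administrator [email protected] logged out from https(2.3.8.1)"'
)
NEW_FORMAT = (
    'date=2018-05-19 time=11:58:25 devname="xxxxxxxxx-A" devid="FGxxxxxxxxxxxxxx" '
    'logid="0100032003" type="event" subtype="system" level="information" vd="root" '
    'eventtime=1526723905 logdesc="Admin logout successful" sn="xxxxxxxxxx" '
    'user="admin" ui="ssh(xxx.xxx.xxx.xxx)" method="ssh" srcip=xxx.xxx.xxx.xxx '
    'dstip=xxx.xxx.xxx.xxx action="logout" status="success" duration=1 '
    'reason="exit" msg="Administrator admin logged out from ssh(xxx.xxx.xxx.xxx)"'
)

# One key=value token: the value is either a double-quoted string (may contain
# spaces and backslash escapes) or a bare run of non-whitespace characters.
KV_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# The "ui" value looks like method(address), e.g. https(4.3.5.253) or ssh(host).
UI_VALUE = re.compile(r'^(\w+)\((.+)\)$')


def parse_fortigate(event: str) -> Dict[str, str]:
    """Tokenise a FortiOS key=value line; quotes are stripped, so a field has the
    same value whether or not the device quoted it."""
    fields: Dict[str, str] = {}
    for key, raw in KV_TOKEN.findall(event):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            fields[key] = raw[1:-1]
        else:
            fields[key] = raw
    return fields


def is_fortigate_v5(fields: Dict[str, str]) -> bool:
    """Equivalent of the parent decoder's prematch: date, time, devname, devid
    (starting with FG) and logid must all be present."""
    required = ("date", "time", "devname", "devid", "logid")
    return all(k in fields for k in required) and fields["devid"].startswith("FG")


def decode_system_information(event: str) -> Optional[Dict[str, str]]:
    """Mirror of the fortigate-firewall-v5-event-system-information child decoders:
    returns the same field names (srcuser, srcip, action, status, extra_data), or
    None when the line is not a type=event subtype=system level=information event."""
    fields = parse_fortigate(event)
    if not is_fortigate_v5(fields):
        return None
    if (fields.get("type"), fields.get("subtype"), fields.get("level")) != (
            "event", "system", "information"):
        return None
    ui = UI_VALUE.match(fields.get("ui", ""))
    return {
        "decoder": "fortigate-firewall-v5",
        "srcuser": fields.get("user", ""),
        # Like the decoder, take the address from inside ui=method(addr); fall back
        # to the explicit srcip= key that only the new format carries.
        "srcip": ui.group(2) if ui else fields.get("srcip", ""),
        "action": fields.get("action", ""),
        "status": fields.get("status", ""),
        "extra_data": fields.get("msg", ""),
    }


if __name__ == "__main__":
    # Print the decoded fields in the same layout as ossec-logtest's Phase 2 output.
    for label, sample in (("Old format", OLD_FORMAT), ("New format", NEW_FORMAT)):
        print(label)
        for k, v in (decode_system_information(sample) or {}).items():
            print(f"       {k}: '{v}'")
```

Because quoting is resolved by the tokenizer, adding a third FortiOS value style later means touching one regex instead of appending another `|` alternative to every `<prematch>` and `<regex>` in the file.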