From 9401842eee40bef1f75289d0b605739d1f79b4ad Mon Sep 17 00:00:00 2001
From: AlfonsoRBJ
Date: Fri, 22 Jun 2018 17:08:14 +0200
Subject: [PATCH] fix the issue #137

We've adjusted the fortigate decoders so you can generate alerts when you receive events in a new format.
---
 decoders/0100-fortigate_decoders.xml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/decoders/0100-fortigate_decoders.xml b/decoders/0100-fortigate_decoders.xml
index 8d532e71f..627d42a43 100644
--- a/decoders/0100-fortigate_decoders.xml
+++ b/decoders/0100-fortigate_decoders.xml
@@ -54,7 +54,7 @@ Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=
- date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+
+ date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ |date=\S+ time=\.+ devname="\S+" devid="FG\w+" logid="\d+"
 syslog
@@ -108,8 +108,8 @@ date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 l
 -->
 fortigate-firewall-v5
- type=event subtype=system level=information
- user="(\S+)" ui=\p*\w+\((\S+)\)\p* action=(\S+)
+ type=event subtype=system level=information|type="event" subtype="system" level="information"
+ user="(\S+)" ui=\p*\w+\((\S+)\)\p* action=(\S+) |user="(\S+)" ui=\p*\w+\((\S+)\)\p* \.*action="(\S+)"
 srcuser,srcip,action
@@ -121,7 +121,7 @@ date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 l
 fortigate-firewall-v5
- status=(\S+) \.*msg=(\.*)
+ status=(\S+) \.*msg=(\.*)|status="(\S+)" \.*msg=(\.*)
 status,extra_data
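Review bot: The added alternative in the prematch at `@@ -54` leaves a literal space before the `|`, so the unquoted branch now reads `logid=\d+ ` and only matches when some character follows the logid value, which the original `logid=\d+` did not require. The same trailing space appears in the `action=(\S+) |` branch of the regex in the `@@ -108` hunk, where an event whose line ends in the action field would stop decoding. Dropping the space, `logid=\d+|date=\S+ time=\.+ devname="\S+" devid="FG\w+" logid="\d+"`, keeps the unquoted form as permissive as it was; since a decoder that quietly stops matching produces missed alerts rather than an error, both sample formats are worth running through ossec-logtest before merging. The enclosing decoder element starts and ends outside the hunk.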
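Review bot: In the regex at `@@ -121` the quoted branch is listed second, but the first branch `status=(\S+)` also matches a quoted line, because `\S+` accepts the `"` characters; if the alternatives are tried left to right (as they appear to be in this regex dialect), a `status="success"` event is captured as `"success"`, quotes included, and rules comparing the `status` field against bare values would not fire. The same applies to the `action=(\S+) |` branch in the `@@ -108` hunk whenever the action field directly follows `ui=`. Listing the quoted form first avoids it: `status="(\S+)" \.*msg=(\.*)|status=(\S+) \.*msg=(\.*)`, since the quoted branch fails cleanly on unquoted input and falls through. The enclosing decoder element begins outside the hunk.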