Fortigate Pack

This is a Fortigate pack that processes logs by parsing, categorizing, and transforming them for better monitoring and analysis

Edge Delta Pipeline Pack for Fortigate

Overview

The Edge Delta Fortigate pack processes logs by parsing, categorizing, and transforming them for better monitoring and analysis. It also ensures unnecessary logs are dropped from the pipeline.

Pack Description

1. Data Ingestion

The data flow starts at the Pack Source node, the entry point through which all logs enter the pack.

2. Parse Key-Value Pairs

Logs are processed by the parse_key_values node, an ottl_transform node. It uses OTTL (OpenTelemetry Transformation Language) statements to parse Fortigate logs that are formatted as key-value pairs.

- name: parse_key_values
  type: ottl_transform
  statements: |-
    // Parse key-value pairs
    set(attributes["fortigate"], EDXParseKeyValue(Decode(body, "utf-8"), "=", " ", true))
    // Change "proto" field to string (for lookup)
    set(attributes["fortigate"]["proto"], String(attributes["fortigate"]["proto"])) where attributes["fortigate"]["proto"] != nil
    // Timestamp generation
    set(timestamp, UnixMilli(Time(Concat([attributes["fortigate"]["date"], attributes["fortigate"]["time"]], " "), "%Y-%m-%d %H:%M:%S", "UTC"))) where attributes["fortigate"]["date"] != nil and attributes["fortigate"]["time"] != nil
    // Log level assignment
    set(severity_text, attributes["fortigate"]["level"]) where attributes["fortigate"]["level"] != nil    

The node decodes the message body as UTF-8 and parses it into key-value pairs stored under attributes["fortigate"]. It then converts the proto field to a string so it can be used as a lookup key in the lookup nodes, builds the timestamp from the date and time fields (interpreted as UTC), and assigns the log level from the level field. Logs that can't be parsed are routed to the Other Logs pack output.

3. Type Routing

The logs are then routed using the type_router node, a Route node. It directs log entries to different paths, DNS, UTM, traffic, and event, depending on the type attribute (and, for DNS, the subtype attribute) in the logs.

- name: type_router
  type: route
  paths:
  - path: dns
    condition: item["attributes"]["fortigate"]["type"] == "utm" && item["attributes"]["fortigate"]["subtype"] == "dns"
    exit_if_matched: true
  - path: utm
    condition: item["attributes"]["fortigate"]["type"] == "utm"
    exit_if_matched: true
  - path: traffic
    condition: item["attributes"]["fortigate"]["type"] == "traffic"
    exit_if_matched: true
  - path: event
    condition: item["attributes"]["fortigate"]["type"] == "event"
    exit_if_matched: true

The routing conditions use the Common Expression Language (CEL) to evaluate log types and route them accordingly. This modular approach allows for specialized processing further down the line. Logs that match none of the conditions are sent to the Other Logs pack output.

4.1. Drop DNS

On the dns path, logs go to the dns_drop node, a Route node.

  - name: dns_drop
    type: route
    paths:
      - path: dns_query
        condition: item["attributes"]["vendor_event_type"].indexOf("dns-query") != -1
        exit_if_matched: true

It inspects the vendor_event_type attribute of Fortigate DNS logs and checks whether it contains dns-query. If it does, the log is routed to the dns_query path, which is not connected downstream, so the log is dropped. Logs that don't match are routed on the default unmatched path to the DNS Logs pack output.

4.2. DNS Logs

The DNS Logs output node routes the DNS logs that were not dropped by dns_drop (for example dns-response events) out of the pack for further processing.

5.1. UTM Lookup

On the utm path, logs go to utm_protocol_lookup, a lookup node. It uses a lookup table (fortigate_protocol_info.csv), keyed on the proto value that was converted to a string in parse_key_values, to add the protocol name as an attribute.

5.2. UTM Transformation

From there, logs go to utm_ottl_changes, an ottl_transform node. It uses OTTL statements to transform and enrich UTM logs.

  - name: utm_ottl_changes
    type: ottl_transform
    statements: |-
      // Remap attributes
      set(attributes["bytes_in"], attributes["fortigate"]["rcvdbyte"])
      set(attributes["bytes_out"], attributes["fortigate"]["sentbyte"])
      set(attributes["dest"], attributes["fortigate"]["dstip"])
      set(attributes["dest_interface"], attributes["fortigate"]["dstintf"])
      set(attributes["dest_port"], attributes["fortigate"]["dstport"])
      set(attributes["dest_mac"], attributes["fortigate"]["dstmac"])
      set(attributes["src"], attributes["fortigate"]["srcip"])
      set(attributes["src_interface"], attributes["fortigate"]["srcintf"])
      set(attributes["src_port"], attributes["fortigate"]["srcport"])
      set(attributes["src_mac"], attributes["fortigate"]["srcmac"])
      set(attributes["device"], attributes["fortigate"]["devname"])
      set(attributes["session_id"], attributes["fortigate"]["sessionid"])
      set(attributes["http_method"], attributes["fortigate"]["reqtype"])
      set(attributes["vendor_event_type"], attributes["fortigate"]["eventtype"])
      set(attributes["vendor_url"], attributes["fortigate"]["url"])
      set(attributes["vendor_action"], attributes["fortigate"]["action"])
      set(attributes["vendor_status"], attributes["fortigate"]["status"])
      // New attributes
      set(attributes["ids_type"], "network")
      set(attributes["product"], "Firewall")
      set(attributes["vendor"], "Fortinet")
      // Delete attributes
      delete_key(attributes["fortigate"], "proto")

  • Bytes Transfer: Maps incoming and outgoing byte counts from rcvdbyte and sentbyte, providing crucial metrics for analyzing data flow within UTM processes.
  • Destination and Source Detailing: Converts destination (dstip, dstport) and source (srcip, srcport) fields to standardized attributes, ensuring precise tracking of data routes.
  • Device and Session Tracking: Associates identifiers such as device and session_id with their source data, facilitating precise tracking and logging of sessions or devices.
  • Action and Status Mapping: Remaps critical event data, like vendor_event_type and vendor_action, contributing to a comprehensive view of firewall interactions and event management.
  • Product and Vendor Information: Introduces fields for product and vendor indicating Firewall and Fortinet, which are essential for security auditing and dashboard displays.

5.3. UTM CEL Changes

Logs on the UTM path flow from utm_ottl_changes to the utm_cel_changes node, a generic_transform node.

  - name: utm_cel_changes
    type: generic_transform
    transformations:
      - field_path: item["attributes"]["bytes"]
        operation: upsert
        value: item["attributes"]["bytes_in"] + item["attributes"]["bytes_out"]
      - field_path: item["attributes"]["category"]
        operation: upsert
        value: 'has(item.attributes.fortigate.attack) && item.attributes.fortigate.attack != "" ? item["attributes"]["fortigate"]["attack"]: (has(item.attributes.fortigate.attackname) && item.attributes.fortigate.attackname != "" ? item["attributes"]["fortigate"]["attackname"]: (has(item.attributes.fortigate.virus) && item.attributes.fortigate.virus != "" ? item["attributes"]["fortigate"]["virus"]: (has(item.attributes.fortigate.catdesc) && item.attributes.fortigate.catdesc != "" ? item["attributes"]["fortigate"]["catdesc"]: item["attributes"]["fortigate"]["dtype"])))'
      - field_path: item["attributes"]["device_name"]
        operation: upsert
        value: 'has(item.attributes.fortigate.devname) && item.attributes.fortigate.devname != "" ? item["attributes"]["fortigate"]["devname"]: (has(item.attributes.fortigate.devid) && item.attributes.fortigate.devid != "" ? item["attributes"]["fortigate"]["devid"]: "unknown")'
      - field_path: item["attributes"]["fortinet_action"]
        operation: upsert
        value: 'has(item.attributes.vendor_action) && item.attributes.vendor_action != "" ? item["attributes"]["vendor_action"]: item["attributes"]["vendor_status"]'
      - field_path: item["attributes"]["product_version"]
        operation: upsert
        value: 'has(item.attributes.fortigate.logver) && item.attributes.fortigate.logver != "" ? item["attributes"]["fortigate"]["logver"]: "50"'
      - field_path: item["attributes"]["severity"]
        operation: upsert
        value: 'has(item.attributes.fortigate.severity) && item.attributes.fortigate.severity != "" ? item["attributes"]["fortigate"]["severity"]: (has(item.attributes.fortigate.crlevel) && item.attributes.fortigate.crlevel != "" ? item["attributes"]["fortigate"]["crlevel"]: (has(item.attributes.fortigate.apprisk) && item.attributes.fortigate.apprisk != "" ? item["attributes"]["fortigate"]["apprisk"]: "informational"))'
      - field_path: item["attributes"]["signature"]
        operation: upsert
        value: 'has(item.attributes.fortigate.attack) && item.attributes.fortigate.attack != "" ? item["attributes"]["fortigate"]["attack"]: (has(item.attributes.fortigate.attackname) && item.attributes.fortigate.attackname != "" ? item["attributes"]["fortigate"]["attackname"]: item["attributes"]["fortigate"]["virus"])'
      - field_path: item["attributes"]["url"]
        operation: upsert
        value: 'has(item.attributes.fortigate.hostname) && item.attributes.fortigate.hostname != "" ? string(item["attributes"]["fortigate"]["hostname"]) + string(item["attributes"]["vendor_url"]): item["attributes"]["vendor_url"]'
      - field_path: item["attributes"]["user"]
        operation: upsert
        value: 'has(item.attributes.fortigate.user) && item.attributes.fortigate.user != "" ? item["attributes"]["fortigate"]["user"]: "unknown"'

The utm_cel_changes node updates and enriches the log data with CEL expressions, each choosing the first available source field:

  • Bytes Calculation: Sets bytes to the sum of bytes_in and bytes_out, giving the total data transferred in the session.
  • Category Assignment: Uses a cascading has() check to set category from the first non-empty of attack, attackname, virus, and catdesc, falling back to dtype.
  • Device Name Extraction: Sets device_name from devname or devid, defaulting to unknown if neither is present.
  • Action and Status: Sets fortinet_action from vendor_action when it is present and non-empty, otherwise from vendor_status.
  • Product Version and Severity: Sets product_version from logver (defaulting to 50) and severity from the first non-empty of severity, crlevel, and apprisk (defaulting to informational).
  • Signature and URL Compilation: Sets signature from attack, attackname, or virus, and builds url by prefixing vendor_url with hostname when a hostname is present.
  • User Identification: Sets user from the user field, defaulting to unknown; note that the utm_drop node that follows drops logs whose user is unknown.

These transformations normalize the UTM log data so it can be used directly for security monitoring, anomaly detection, and compliance auditing.

5.4. Drop UTM

Next on the UTM path, certain logs are dropped by the utm_drop Route node.

  - name: utm_drop
    type: route
    paths:
      - path: empty_user
        condition: item["attributes"]["user"] == "unknown"
        exit_if_matched: true
      - path: ips_event
        condition: item["attributes"]["fortigate"]["subtype"].indexOf("ips") != -1
        exit_if_matched: true
      - path: private_ip_block
        # utm_ottl_changes stores the destination IP under attributes["dest"]; no dest_ip attribute is set anywhere in the pack
        condition: regex_match(item["attributes"]["dest"], "^10\\.") || regex_match(item["attributes"]["dest"], "^192\\.168\\.")
        exit_if_matched: true
      - path: empty_url
        condition: '!has(item.attributes.url) || item["attributes"]["url"] == ""'
        exit_if_matched: true

This node routes certain logs to paths that are not connected downstream, which drops them:

  • Empty User: Logs whose user is unknown are routed to empty_user and dropped, removing noise from events that cannot be attributed to a user.
  • IPS Events: Logs whose subtype contains ips are routed to ips_event and dropped from this pack. IPS detections are among the most security-relevant UTM logs, so confirm that this drop is intended before deploying the pack.
  • Private IP Block: Logs whose destination IP starts with 10. or 192.168. are routed to private_ip_block and dropped, removing internal-to-internal interactions. Note that the 172.16.0.0/12 private range is not covered by these two patterns, so destinations in that range pass through.
  • Empty URL: Logs without a url attribute are routed to empty_url and dropped, so only entries with URL data are processed further.

Logs that match none of the conditions are routed on the default unmatched path to the pack output named UTM Logs.

6.1. Traffic Lookup

On the traffic path, logs go to traffic_protocol_lookup, a lookup node. It uses a lookup table (fortigate_protocol_info.csv), keyed on the proto value that was converted to a string in parse_key_values, to add the protocol name as an attribute.

6.2. Traffic Transformation

On the traffic path, logs undergo a detailed transformation through the traffic_ottl_changes node, which is an ottl_transform node. This node takes Fortigate traffic logs and remaps attributes for better consistency and analysis.

  - name: traffic_ottl_changes
    type: ottl_transform
    statements: |-
      // Remap attributes
      set(attributes["bytes_in"], attributes["fortigate"]["rcvdbyte"])
      set(attributes["bytes_out"], attributes["fortigate"]["sentbyte"])
      set(attributes["packets_in"], attributes["fortigate"]["rcvdpkt"])
      set(attributes["packets_out"], attributes["fortigate"]["sentpkt"])
      set(attributes["dest"], attributes["fortigate"]["dstip"])
      set(attributes["dest_interface"], attributes["fortigate"]["dstintf"])
      set(attributes["dest_port"], attributes["fortigate"]["dstport"])
      set(attributes["dest_mac"], attributes["fortigate"]["dstmac"])
      set(attributes["dest_translated_ip"], attributes["fortigate"]["tranip"])
      set(attributes["dest_translated_port"], attributes["fortigate"]["tranport"])
      set(attributes["src"], attributes["fortigate"]["srcip"])
      set(attributes["src_interface"], attributes["fortigate"]["srcintf"])
      set(attributes["src_port"], attributes["fortigate"]["srcport"])
      set(attributes["src_translated_ip"], attributes["fortigate"]["transip"])
      // transport is the SNAT-translated source port (tranport above is the DNAT-translated destination port); mapping srcport here would duplicate src_port
      set(attributes["src_translated_port"], attributes["fortigate"]["transport"])
      set(attributes["src_mac"], attributes["fortigate"]["srcmac"])
      set(attributes["device"], attributes["fortigate"]["devname"])
      set(attributes["session_id"], attributes["fortigate"]["sessionid"])
      set(attributes["rule"], attributes["fortigate"]["poluuid"])
      set(attributes["rule_id"], attributes["fortigate"]["policyid"])
      set(attributes["http_method"], attributes["fortigate"]["reqtype"])
      set(attributes["vendor_event_type"], attributes["fortigate"]["eventtype"])
      set(attributes["vendor_transport"], attributes["fortigate"]["transport"])
      set(attributes["vendor_action"], attributes["fortigate"]["action"])
      set(attributes["vendor_status"], attributes["fortigate"]["status"])
      // New attributes
      set(attributes["product"], "Firewall")
      set(attributes["vendor"], "Fortinet")
      // Delete attributes
      delete_key(attributes["fortigate"], "proto")

  • Bytes and Packets: Extracts incoming and outgoing byte and packet counts, which are critical for network performance analysis and troubleshooting.
  • Destination and Source Details: Standardizes fields for destination and source IPs, ports, MAC addresses, and translated IPs, enhancing the clarity and continuity in traffic traces.
  • Device and Session Information: Keeps device and session identifiers, such as device, session_id, rule, and rule_id, for precise tracking of network policies and activities.
  • Event Attributes: Furnishes event-specific details, such as http_method, vendor_event_type, and vendor_transport, adding context to network interactions for comprehensive analysis.
  • Vendor and Product Identification: Introduces attributes for identifying the vendor and product, reinforcing the log’s association with the Fortigate Firewall, an essential aspect for security tracking and operational oversight.

6.3. Traffic CEL Changes

Next on the traffic path, logs flow to the traffic_cel_changes node, a generic_transform node.

  - name: traffic_cel_changes
    type: generic_transform
    transformations:
      - field_path: item["attributes"]["bytes"]
        operation: upsert
        value: item["attributes"]["bytes_in"] + item["attributes"]["bytes_out"]
      - field_path: item["attributes"]["packets"]
        operation: upsert
        value: item["attributes"]["packets_in"] + item["attributes"]["packets_out"]
      - field_path: item["attributes"]["app"]
        operation: upsert
        value: 'has(item.attributes.fortigate.app) && item.attributes.fortigate.app != "" ? item["attributes"]["fortigate"]["app"]: (has(item.attributes.fortigate.service) && item.attributes.fortigate.service != "" ? item["attributes"]["fortigate"]["service"]: (has(item.attributes.fortigate.transport) && item.attributes.fortigate.transport != "" ? item["attributes"]["fortigate"]["transport"]: "unknown"))'
      - field_path: item["attributes"]["device_name"]
        operation: upsert
        value: 'has(item.attributes.fortigate.devname) && item.attributes.fortigate.devname != "" ? item["attributes"]["fortigate"]["devname"]: (has(item.attributes.fortigate.devid) && item.attributes.fortigate.devid != "" ? item["attributes"]["fortigate"]["devid"]: "unknown")'
      - field_path: item["attributes"]["fortinet_action"]
        operation: upsert
        value: 'has(item.attributes.vendor_action) && item.attributes.vendor_action != "" ? item["attributes"]["vendor_action"]: item["attributes"]["vendor_status"]'
      - field_path: item["attributes"]["product_version"]
        operation: upsert
        value: 'has(item.attributes.fortigate.logver) && item.attributes.fortigate.logver != "" ? item["attributes"]["fortigate"]["logver"]: "50"'
      - field_path: item["attributes"]["user"]
        operation: upsert
        value: 'has(item.attributes.fortigate.user) && item.attributes.fortigate.user != "" ? item["attributes"]["fortigate"]["user"]: (has(item.attributes.fortigate.unauthuser) && item.attributes.fortigate.unauthuser != "" ? item["attributes"]["fortigate"]["unauthuser"]: "unknown")'

The traffic_cel_changes node executes the following enhancements:

  • Bytes and Packets Calculation: Aggregates total bytes and packet counts by adding bytes_in and bytes_out, and packets_in and packets_out respectively, providing a holistic snapshot of network throughput in the logs.
  • Application Identification: Employs cascading has() logic to extract the most relevant app descriptor available, either from app, service, or transport, ensuring accurate application tracking.
  • Device Name Assignment: Uses conditional evaluations to determine device_name, defaulting to unknown when neither devname nor devid are populated, ensuring consistent device tracking.
  • Action Extraction: Sets fortinet_action by evaluating both vendor_action and vendor_status, capturing decisive operational actions pertinent to network activities.
  • Product Version Assurance: Ensures that product_version is logged, defaulting when necessary, which is crucial for compatibility assessments and detailed logging.
  • User Resolution: Sets user from the user field or, for unauthenticated sessions, from unauthuser, defaulting to "unknown" when neither is present.

6.4. Drop Traffic

Next on the traffic path, logs flow to traffic_drop, a Route node.

  - name: traffic_drop
    type: route
    paths:
      - path: empty_user
        condition: item["attributes"]["fortigate"]["dstcountry"].indexOf("Reserved") != -1 && item["attributes"]["fortigate"]["srccountry"].indexOf("Reserved") != -1
        exit_if_matched: true
      - path: private_ip_block
        # traffic_ottl_changes stores the destination IP under attributes["dest"]; no dest_ip attribute is set anywhere in the pack
        condition: regex_match(item["attributes"]["dest"], "^fe80:") || regex_match(item["attributes"]["dest"], "^fc00:")
        exit_if_matched: true

This node filters out specific logs by routing them to paths that are not connected downstream, which drops them:

  • Empty User: Despite its name, this path matches logs where both dstcountry and srccountry contain Reserved, that is, traffic between non-public addresses; these are routed to empty_user and dropped.
  • Private IP Block: Logs whose destination IP starts with fe80: (IPv6 link-local) or fc00: (IPv6 unique local) are routed to private_ip_block and dropped, reducing noise from internal traffic. Note that the pattern ^fc00: covers only half of the fc00::/7 unique-local range; locally assigned addresses in fd00::/8 are not matched.

Logs that match none of the conditions are routed on the default unmatched path to the pack output named Traffic Logs.

7.1. Event Transformation

On the event path, logs are routed to the event_ottl_changes ottl_transform node.

  - name: event_ottl_changes
    type: ottl_transform
    statements: |-
      // Remap attributes
      set(attributes["src_user"], attributes["fortigate"]["user"])
      set(attributes["src_interface"], attributes["fortigate"]["vap"])
      set(attributes["src_mac"], attributes["fortigate"]["stamac"])
      set(attributes["device"], attributes["fortigate"]["devname"])
      set(attributes["app"], attributes["fortigate"]["authproto"])
      set(attributes["user_category"], attributes["fortigate"]["group"])
      set(attributes["command"], attributes["fortigate"]["msg"])
      set(attributes["object"], attributes["fortigate"]["cfgobj"])
      set(attributes["object_attrs"], attributes["fortigate"]["cfgattr"])
      set(attributes["object_id"], attributes["fortigate"]["cfgtid"])
      set(attributes["object_path"], attributes["fortigate"]["cfgpath"])
      set(attributes["cpu_load_percent"], attributes["fortigate"]["cpu"])
      set(attributes["wifi"], attributes["fortigate"]["radioband"])
      set(attributes["vendor_event_type"], attributes["fortigate"]["eventtype"])
      set(attributes["vendor_url"], attributes["fortigate"]["url"])
      set(attributes["vendor_action"], attributes["fortigate"]["action"])
      // New attributes
      set(attributes["product"], "Firewall")
      set(attributes["vendor"], "Fortinet")
      set(attributes["object_category"], "object")

  • Source Identification: Remaps attributes related to the source user, interface, and MAC address. This ensures detailed tracking of user activities and device interactions within event logs.
  • Device and Application Details: Maps attributes to capture device and application details, enriching logs with context about the system environment.
  • Command and Object Information: Standardizes fields for commands executed and objects affected, which are essential for change audits and activity tracking.
  • Network Attributes: Enriches logs with Wi-Fi band information and CPU load percentage, adding system performance context critical for diagnostics.
  • Action Mapping: Assigns attributes for vendor_action and vendor_event_type, providing clarity on event specifics and facilitating deeper analysis.
  • Vendor and Product Information: Appends attributes for product and vendor, signifying the Fortigate Firewall, essential for maintaining logging consistency and security auditing.

7.2. Event CEL Changes

Next on the event path, logs flow to event_cel_changes, a generic_transform node.

  - name: event_cel_changes
    type: generic_transform
    transformations:
      - field_path: item["attributes"]["dest"]
        operation: upsert
        value: 'has(item.attributes.fortigate.dstip) && item.attributes.fortigate.dstip != "" ? item["attributes"]["fortigate"]["dstip"]: (has(item.attributes.fortigate.locip) && item.attributes.fortigate.locip != "" ? item["attributes"]["fortigate"]["locip"]: (has(item.attributes.fortigate.ssid) && item.attributes.fortigate.ssid != "" ? item["attributes"]["fortigate"]["ssid"]: "unknown"))'
      - field_path: item["attributes"]["device_name"]
        operation: upsert
        value: 'has(item.attributes.fortigate.devname) && item.attributes.fortigate.devname != "" ? item["attributes"]["fortigate"]["devname"]: (has(item.attributes.fortigate.devid) && item.attributes.fortigate.devid != "" ? item["attributes"]["fortigate"]["devid"]: "unknown")'
      - field_path: item["attributes"]["product_version"]
        operation: upsert
        value: 'has(item.attributes.fortigate.logver) && item.attributes.fortigate.logver != "" ? item["attributes"]["fortigate"]["logver"]: "50"'
      - field_path: item["attributes"]["src"]
        operation: upsert
        value: 'has(item.attributes.fortigate.srcip) && item.attributes.fortigate.srcip != "" ? item["attributes"]["fortigate"]["srcip"]: (has(item.attributes.fortigate.remip) && item.attributes.fortigate.remip != "" ? item["attributes"]["fortigate"]["remip"]: (has(item.attributes.fortigate.ui) && item.attributes.fortigate.ui != "" ? item["attributes"]["fortigate"]["ui"]: "unknown"))'
      - field_path: item["attributes"]["tunnel_name"]
        operation: upsert
        value: 'has(item.attributes.fortigate.vpntunnel) && item.attributes.fortigate.vpntunnel != "" ? item["attributes"]["fortigate"]["vpntunnel"]: item["attributes"]["fortigate"]["tunnelid"]'
      - field_path: item["attributes"]["user"]
        operation: upsert
        value: 'has(item.attributes.fortigate.user) && item.attributes.fortigate.user != "" ? item["attributes"]["fortigate"]["user"]: (has(item.attributes.fortigate.xauthuser) && item.attributes.fortigate.xauthuser != "" ? item["attributes"]["fortigate"]["xauthuser"]: "unknown")'
      - field_path: item["attributes"]["vendor_status"]
        operation: upsert
        # vendor_status is derived from the status field (the user field is handled by the user transformation above)
        value: 'has(item.attributes.fortigate.status) && item["attributes"]["fortigate"]["status"] != "" ? item["attributes"]["fortigate"]["status"]: "unknown"'

  • Destination Address: Configures the dest field by prioritizing dstip, locip, and ssid, ensuring that the most relevant address is available for network tracing.
  • Device Name Resolution: Determines the device_name using devname or devid, defaulting to unknown to maintain consistent device identification across logs.
  • Product Version Defaulting: Ensures the presence of a product_version, falling back to a default value if none is specified, which is crucial for accurate environment tracking.
  • Source Address Compilation: Constructs the src using srcip, remip, or ui, providing a fallback structure to guarantee source tracking.
  • Tunnel Name Assignment: Evaluates available data to populate the tunnel_name, offering a layer name from vpntunnel or utilizing tunnelid as an alternative.
  • User Identification: Utilizes user or xauthuser attributes for the user field, defaulting to unknown to maintain comprehensive auditability in user tracking.
  • Vendor Status: Sets vendor_status from the status field, defaulting to unknown when it is absent or empty.

Logs on the event path then flow to the Event Logs pack output.
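The parse, route and drop stages described in sections 2 through 6.4, modelled in Python as an added example (this is not the pack's own code): it reimplements the conditions of parse_key_values, type_router, dns_drop, utm_drop and traffic_drop over constructed, shortened FortiOS lines and reports where each line ends up. The quoted-value handling in parse_kv is an assumption about what EDXParseKeyValue does, and the dns_drop check is applied to the parsed eventtype field.

```python
"""Python model of the pack's parse -> route -> drop stages (added example, not the
pack's own code); the sample lines at the bottom are constructed for this example."""
import re
from datetime import datetime, timezone

# key=value tokens; quoted values may contain spaces, e.g. msg="File is infected."
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')


def parse_kv(line: str) -> dict:
    """Parse a FortiOS key=value line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    return fields


def parse_stage(body: str):
    """parse_key_values node: attributes["fortigate"], UTC timestamp in ms, severity."""
    fg = parse_kv(body)
    if not fg:
        return None  # nothing parsable -> Other Logs output
    rec = {"attributes": {"fortigate": fg}, "severity_text": fg.get("level")}
    if "date" in fg and "time" in fg:
        ts = datetime.strptime(f"{fg['date']} {fg['time']}", "%Y-%m-%d %H:%M:%S")
        rec["timestamp"] = int(ts.replace(tzinfo=timezone.utc).timestamp() * 1000)
    return rec


def route_type(fg: dict) -> str:
    """type_router node: first matching path wins, so dns is tested before utm."""
    kind, sub = fg.get("type"), fg.get("subtype")
    if kind == "utm" and sub == "dns":
        return "dns"
    return kind if kind in ("utm", "traffic", "event") else "other"


def utm_path(fg: dict) -> str:
    """utm_cel_changes remaps (user, url) followed by the utm_drop rules."""
    user = fg.get("user") or "unknown"
    vendor_url = fg.get("url")
    url = fg["hostname"] + (vendor_url or "") if fg.get("hostname") else vendor_url
    if user == "unknown":
        return "dropped:empty_user"
    if "ips" in fg.get("subtype", ""):
        return "dropped:ips_event"
    if re.match(r"10\.|192\.168\.", fg.get("dstip", "")):
        return "dropped:private_ip_block"  # note: 172.16.0.0/12 is not covered
    return "UTM Logs" if url else "dropped:empty_url"


def traffic_path(fg: dict) -> str:
    """traffic_drop rules: both countries Reserved, or fe80:/fc00: destination."""
    if "Reserved" in fg.get("dstcountry", "") and "Reserved" in fg.get("srccountry", ""):
        return "dropped:empty_user"
    if re.match(r"fe80:|fc00:", fg.get("dstip", "")):
        return "dropped:private_ip_block"
    return "Traffic Logs"


def process(body: str) -> str:
    """Return the pack output a raw line reaches, or 'dropped:<path>' if it is dropped."""
    rec = parse_stage(body)
    if rec is None:
        return "Other Logs"
    fg = rec["attributes"]["fortigate"]
    path = route_type(fg)
    if path == "dns":  # dns_drop: dns-query events are dropped, the rest go on
        return "dropped:dns_query" if "dns-query" in fg.get("eventtype", "") else "DNS Logs"
    if path == "utm":
        return utm_path(fg)
    if path == "traffic":
        return traffic_path(fg)
    return "Event Logs" if path == "event" else "Other Logs"


# Constructed sample lines in FortiOS key=value format (shortened, not from a live device).
SAMPLES = {
    "traffic_ok": 'date=2019-05-10 time=11:37:47 type="traffic" subtype="forward" level="notice" '
                  'srcip=10.1.100.11 dstip=203.0.113.35 dstcountry="Canada" srccountry="Reserved"',
    "traffic_reserved": 'date=2019-05-10 time=11:50:48 type="traffic" subtype="local" level="notice" '
                        'srcip=172.16.200.254 dstip=172.16.200.2 dstcountry="Reserved" srccountry="Reserved"',
    "utm_with_user": 'date=2019-05-13 time=16:29:45 type="utm" subtype="webfilter" level="warning" '
                     'user="alice" dstip=203.0.113.10 hostname="example.test" url="/"',
    "utm_no_user": 'date=2019-05-13 time=11:45:03 type="utm" subtype="virus" level="warning" '
                   'dstip=172.16.200.55 url="http://172.16.200.55/virus/eicar.com" msg="File is infected."',
    "dns_query": 'date=2019-05-15 time=15:05:49 type="utm" subtype="dns" eventtype="dns-query" level="information"',
    "dns_response": 'date=2019-05-15 time=15:05:49 type="utm" subtype="dns" eventtype="dns-response" level="notice"',
    "event_login": 'date=2019-05-13 time=11:20:54 type="event" subtype="system" level="information" '
                   'user="admin" ui="ssh(172.16.200.254)" action="login" status="success"',
    "garbage": "not a fortigate log line",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:17} -> {process(line)}")
```

Run it with python3 to print each sample's destination. As configured, the pack's own UTM sample lines in the next section carry no user field, so they would all end at the empty_user path of utm_drop rather than at the UTM Logs output.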

Sample Input

date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1557513467369913239 srcip=10.1.100.11 srcport=58012 srcintf="port12" srcintfrole="undefined" dstip=23.59.154.35 dstport=80 dstintf="port11" dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=105048 proto=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Canada" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=58012 appid=34050 app="HTTP.BROWSER_Firefox" appcat="Web.Client" apprisk="elevated" applist="g-default" duration=116 sentbyte=1188 rcvdbyte=1224 sentpkt=17 rcvdpkt=16 utmaction="allow" countapp=1 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=65500-742
date=2019-05-10 time=11:50:48 logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1" eventtime=1557514248379911176 srcip=172.16.200.254 srcport=62024 srcintf="port11" srcintfrole="undefined" dstip=172.16.200.2 dstport=443 dstintf="vdom1" dstintfrole="undefined" sessionid=107478 proto=6 action="server-rst" policyid=0 policytype="local-in-policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="Web Management(HTTPS)" duration=5 sentbyte=1247 rcvdbyte=1719 sentpkt=5 rcvdpkt=6 appcat="unscanned"
date=2019-03-31 time=06:42:54 logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="vdom1" eventtime=1554039772 srcip=172.16.200.55 srcport=60660 srcintf="port25" srcintfrole="undefined" dstip=230.1.1.2 dstport=7878 dstintf="port3" dstintfrole="undefined" sessionid=1162 proto=17 action="accept" policyid=1 policytype="multicast-policy" service="udp/7878" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=22 sentbyte=5940 rcvdbyte=0 sentpkt=11 rcvdpkt=0 appcat="unscanned"
date=2019-05-13 time=11:45:03 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1557773103767393505 msg="File is infected." action="blocked" service="HTTP" sessionid=359260 srcip=10.1.100.11 dstip=172.16.200.55 srcport=60446 dstport=80 srcintf="port12" srcintfrole="undefined" dstintf="port11" dstintfrole="undefined" policyid=4 proto=6 direction="incoming" filename="eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.55/virus/eicar.com" profile="g-default" agent="curl/7.47.0" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
date=2019-05-13 time=16:29:45 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1557790184975119738 policyid=1 sessionid=381780 srcip=10.1.100.11 srcport=44258 srcintf="port12" srcintfrole="undefined" dstip=185.244.31.158 dstport=80 dstintf="port11" dstintfrole="undefined" proto=6 service="HTTP" hostname="morrishittu.ddns.net" profile="test-webfilter" action="blocked" reqtype="direct" url="/" sentbyte=84 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=26 catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"
date=2019-05-15 time=15:05:49 logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1557957949740931155 policyid=1 sessionid=6887 srcip=10.1.100.22 srcport=50002 srcintf="port12" srcintfrole="undefined" dstip=172.16.100.100 dstport=53 dstintf="port11" dstintfrole="undefined" proto=17 profile="dnsfilter_fgd" srcmac="a2:e9:00:ec:40:41" xid=57945 qname="changelogs.ubuntu.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="2001:67c:1560:8008::11" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"
date=2019-05-15 time=15:05:49 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1557957949653103543 policyid=1 sessionid=6887 srcip=10.1.100.22 srcport=50002 srcintf="port12" srcintfrole="undefined" dstip=172.16.100.100 dstport=53 dstintf="port11" dstintfrole="undefined" proto=17 profile="dnsfilter_fgd" srcmac="a2:e9:00:ec:40:41" xid=57945 qname="changelogs.ubuntu.com" qtype="AAAA" qtypeval=28 qclass="IN"
date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA"
date=2019-05-15 time=18:03:35 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" vd="root" eventtime=1557968615 appid=16072 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="incoming" policyid=1 sessionid=4414 applist="block-social.media" appcat="Video/Audio" app="Dailymotion" action="block" hostname="www.dailymotion.com" incidentserialno=1962906682 url="/" msg="Video/Audio: Dailymotion," apprisk="elevated"
date=2019-05-13 time=11:20:54 logid="0100032001" type="event" subtype="system" level="information" vd="vdom1" eventtime=1557771654587081441 logdesc="Admin login successful" sn="1557771654" user="admin" ui="ssh(172.16.200.254)" method="ssh" srcip=172.16.200.254 dstip=172.16.200.2 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from ssh(172.16.200.254)"
date=2019-05-13 time=14:21:42 logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1557782502722231889 logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=50.1.1.101 locip=50.1.1.100 remport=500 locport=500 outintf="port14" cookies="9091f4d4837ea71c/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="test" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK"