forked from elastic/integrations
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add pipeline test for Fortinet Firewall (elastic#437)
* Add pipeline test for Fortinet Firewall
These are the original failures after enabling the test.
FAILURE DETAILS:
fortinet/firewall test-fortinet.log:
[0] field "_temp.time" is undefined
[1] field "fortinet.firewall.devid" is undefined
[2] field "fortinet.firewall.devname" is undefined
[3] field "fortinet.firewall.dir" is undefined
[4] field "fortinet.firewall.group" is undefined
[5] field "fortinet.firewall.level" is undefined
[6] field "fortinet.firewall.locip" is undefined
[7] field "fortinet.firewall.locport" is undefined
[8] field "fortinet.firewall.logdesc" is undefined
[9] field "fortinet.firewall.logid" is undefined
[10] field "fortinet.firewall.msg" is undefined
[11] field "fortinet.firewall.remip" is undefined
[12] field "fortinet.firewall.remport" is undefined
[13] field "fortinet.firewall.user" is undefined
[14] field "syslog5424_pri" is undefined
[15] field "syslog5424_sd" is undefined
[16] parsing field value failed: field "fortinet.firewall.disklograte"''s Go type, string, does not match the expected field type: long
[17] parsing field value failed: field "fortinet.firewall.fazlograte"''s Go type, string, does not match the expected field type: long
[18] parsing field value failed: field "fortinet.firewall.lanin"''s Go type, string, does not match the expected field type: long
[19] parsing field value failed: field "fortinet.firewall.lanout"''s Go type, string, does not match the expected field type: long
[20] parsing field value failed: field "fortinet.firewall.setuprate"''s Go type, string, does not match the expected field type: long
[21] parsing field value failed: field "fortinet.firewall.wanin"''s Go type, string, does not match the expected field type: long
[22] parsing field value failed: field "fortinet.firewall.wanout"''s Go type, string, does not match the expected field type: long
--- Test results for package: fortinet - END ---
* fix errors in pipeline
Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>- Loading branch information
1 parent
7eea499
commit 1a59046
Showing
6 changed files
with
2,983 additions
and
17 deletions.
There are no files selected for viewing
32 changes: 32 additions & 0 deletions
32
packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| <188>date=2020-04-23 time=12:17:48 devname="testswitch1" devid="somerouterid" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1587230269052907555 tz="-0500" policyid=100602 sessionid=1234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=61930 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="blocked" reqtype="direct" url="/config/" sentbyte=1152 rcvdbyte=1130 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=76 catdesc="Internet Telephony" | ||
| <189>date=2020-04-23 time=01:16:08 devname="testswitch1" devid="somerouterid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="OPERATIONAL" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf="srcintfname" srcintfrole="lan" dstip=8.8.8.8 dstport=161 dstintf="dstintfname" dstintfrole="lan" sessionid=155313 proto=17 action="deny" policyid=0 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" | ||
| <189>date=2020-04-23 time=12:17:45 devname="testswitch1" devid="somerouterid" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1587230266314799756 tz="-0500" policyid=38 sessionid=543234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=65236 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="passthrough" reqtype="direct" url="/" sentbyte=3545 rcvdbyte=6812 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" | ||
| <190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230255061492894 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co" | ||
| <190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1591788391 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co" | ||
| <189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email" | ||
| <189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8, 8.8.4.4" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email" | ||
| <190>date=2020-04-23 time=12:17:11 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230232148674303 tz="-0500" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=63012 dstport=443 srcintf="port1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100602 sessionid=543234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.no" incidentserialno=54323 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" | ||
| <189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access" | ||
| <190>date=2020-04-23 time=12:17:12 devname="testswitch1" devid="somerouterid" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" eventtime=1587230232658642672 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=235 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" | ||
| <189>date=2020-04-23 time=13:15:18 devname="testswitch2" devid="someotherid" logid="1700062001" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="notice" vd="root" eventtime=1587230118838592454 tz="-0400" policyid=12 sessionid=42346234 service="HTTPS" user="elasticuser2" group="elasticgroup2" profile="somecerts" srcip=192.168.2.1 srcport=59726 dstip=8.8.4.4 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 action="passthrough" msg="Server certificate passed" reason="untrusted-cert" | ||
| <189>date=2020-04-23 time=12:32:48 devname="testswitch3" devid="someotherrouteridagain" logid="0102043014" type="event" subtype="user" level="notice" vd="root" eventtime=1587231168439640874 tz="-0500" logdesc="FSSO logon authentication status" srcip=10.10.10.10 user="elasticouser" server="elasticserver" action="FSSO-logon" msg="FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10" | ||
| <187>date=2020-04-23 time=12:32:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" eventtime=1587231168339114138 tz="-0500" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=8.8.4.4 locip=8.8.8.8 remport=500 locport=500 outintf="wan2" cookies="345hkjhdrs87/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" | ||
| <189>date=2020-04-23 time=12:32:31 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231151628960857 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.4.5.4 locip=9.9.9.9 remport=500 locport=500 outintf="wan1" cookies="df868dsg876d/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="elasticvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" | ||
| <189>date=2020-04-23 time=14:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0100040704" type="event" subtype="system" level="notice" vd="root" eventtime=1587231129938795255 tz="-0300" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=10 totalsession=23 disk=0 bandwidth="23/4" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=331 sysuptime=25170 msg="Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0" | ||
| <189>date=2020-04-23 time=12:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0102043039" type="event" subtype="user" level="notice" vd="root" eventtime=1587231130109462858 tz="-0500" logdesc="Authentication logon" srcip=10.10.10.10 user="elastiiiuser" authserver="FSSO_elastiauth" action="auth-logon" status="logon" msg="User elastiiiuser added to auth logon" | ||
| <189>date=2020-04-23 time=12:32:00 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231120608961118 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.8.5.4 locip=7.6.3.4 remport=500 locport=500 outintf="wan1" cookies="345khj34566/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="testvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" | ||
| <189>date=2020-04-23 time=14:24:13 devname="testswitch3" devid="someotherrouteridagain" logid="0100041006" type="event" subtype="system" level="notice" vd="root" eventtime=1587230655301863513 tz="-0300" logdesc="FortiSandbox AV database updated" version="1.522479" msg="FortiSandbox AV database updated" | ||
| <190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0107045057" type="event" subtype="endpoint" level="information" vd="root" eventtime=1587230627558979735 tz="-0500" logdesc="FortiClient connection added" action="add" status="success" license_limit="unlimited" used_for_type=3 connection_type="sslvpn" count=2 user="elastico" ip=172.16.0.2 name="somerouter" fctuid="645234fdd01F885824F764" msg="Add a FortiClient Connection." | ||
| <190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039943" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627334405765 tz="-0500" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=2 remip=8.8.8.6 user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection" | ||
| <190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627698970007 tz="-0500" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=2345 remip=8.8.5.4 tunnelip=10.10.10.10 user="someuser" group="somegroup" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established" | ||
| <189>date=2020-04-23 time=14:16:42 devname="testswitch3" devid="someotherrouteridagain" logid="0102043015" type="event" subtype="user" level="notice" vd="root" eventtime=1587230204674924332 tz="-0300" logdesc="FSSO log off authentication status" srcip=192.168.1.1 user="elasticadmin" server="FSSO_somefssoserver" action="FSSO-logoff" msg="FSSO-logoff event from FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1" | ||
| <189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022915" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163121116383 tz="-0500" logdesc="FortiCloud server connected" server="9.9.9.9" action="connect" msg="FortiCloud 9.9.9.9 server is connected" | ||
| <189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022913" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163375149856 tz="-0500" logdesc="FortiCloud server disconnected" server="4.4.4.4" action="disconnect" reason="connection reset" msg="FortiCloud 4.4.4.4 server is disconnected" | ||
| <188>date=2020-04-23 time=12:14:09 devname="newfirewall" devid="newrouterid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230049761513222 tz="-0500" srcip=192.168.1.6 srcport=53438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" sessionid=435234 proto=17 action="dns" policyid=26 policytype="policy" poluuid="2345de-b143-52134d8-6654f-4654sdfg16f431" policyname="elasticnewruleset" service="DNS" dstcountry="Netherlands" srccountry="Reserved" appcat="unscanned" crscore=5 craction=54144 crlevel="low" | ||
| <189>date=2020-04-23 time=12:11:51 devname="newfirewall" devid="newrouterid" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587229911390385486 tz="-0500" srcip=192.168.10.10 srcport=6000 srcintf="port1" srcintfrole="lan" dstip=8.6.4.7 dstport=6000 dstintf="wan1" dstintfrole="wan" sessionid=4352 proto=17 action="accept" policyid=3426 policytype="policy" poluuid="1765de8-5a13-765da73fdsfa1c" policyname="newruleelastic" service="portname" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=123.123.123.123 transport=60964 appcat="unknown" applist="policylist" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728 | ||
| <189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2001:4860:4860::8888 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2001:4860:4860::8888 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned" | ||
| <189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=9.7.7.7 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=8.8.8.8 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned" | ||
| <188>date=2020-04-23 time=12:14:39 devname="firewall3" devid="oldfwid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230079841464445 tz="-0500" srcip=192.168.1.1 srcport=62493 srcintf="port1" srcintfrole="lan" dstip=192.168.100.100 dstport=1235 dstintf="newinterface" dstintfrole="undefined" sessionid=54234 proto=17 action="ip-conn" policyid=49 policytype="policy" poluuid="654cc-b6542-53467u8-e45234-1566casd35f7836" policyname="oldpolicyname" user="elasticsuper" authserver="FSSO_newfsso" service="udp/12302" dstcountry="Reserved" srccountry="Reserved" appcat="unscanned" crscore=5 craction=63332144 crlevel="low" | ||
| <189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" | ||
| <190>date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA" | ||
| <190>date=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type="event" subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=8.8.8.8 locip=10.10.10.10 remport=500 locport=500 outintf="port1" cookies="125cbf9ee8349965/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="P1_Test" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK |
5 changes: 5 additions & 0 deletions
5
packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-config.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| { | ||
| "dynamic_fields": { | ||
| "event.ingested": ".*" | ||
| } | ||
| } |
Oops, something went wrong.