Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fortinet Filebeat Module #17890

Merged
merged 20 commits into from
May 5, 2020
Merged

Fortinet Filebeat Module #17890

merged 20 commits into from
May 5, 2020

Conversation

P1llus
Copy link
Member

@P1llus P1llus commented Apr 22, 2020
edited
Loading

What does this PR do?

This PR Introduces the Fortinet filebeat module. Focusing currently on Fortigate Firewall, but should include other Fortinet products as separate PR's later on.

Many thanks to the continuous support from @enotspe and the project https://github.com/enotspe/fortinet-2-elasticsearch helping out with feedback, comments, documentation and much more!

Why is it important?

Adding more supported products to the filebeat portfolio.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Nosetest passes with:
INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false TESTING_FILEBEAT_MODULES=fortinet nosetests -v -s tests/system/test_xpack_modules.py

Related issues

@P1llus P1llus added enhancement in progress Pull request is currently in progress. Team:SIEM labels Apr 22, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@P1llus P1llus changed the title MVP initial commit for fortigate module Fortinet Filebeat Module Apr 22, 2020
@P1llus P1llus added review and removed in progress Pull request is currently in progress. labels Apr 26, 2020
@P1llus P1llus requested a review from adriansr April 26, 2020 12:58
andrewkroh
andrewkroh reviewed Apr 27, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for another module!

The structure looks good. The field mappings to ECS could use some more eyes.

x-pack/filebeat/module/fortinet/_meta/docs.asciidoc Outdated Show resolved Hide resolved
x-pack/filebeat/module/fortinet/_meta/docs.asciidoc Show resolved Hide resolved
x-pack/filebeat/module/fortinet/firewall/test/fortinet.log Outdated Show resolved Hide resolved
x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml Show resolved Hide resolved
@P1llus
added support for packet and byte calculation, fixed duration from se…
505231a 
…conds to nano, added geo for nat IP's, updated utm pipeline condition to be backwards compatible, updated session_id description. Updated documentation with references
@P1llus
updated nosetests
d146626
@P1llus
Merge branch 'fortigate-module' of github.com:P1llus/beats into forti…
abf6f9a 
…gate-module
@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 29, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 2769
Skipped 404
Total 3173

leehinman
leehinman requested changes Apr 29, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, this is great.

a few suggestions on mappings, and overall it would be good to add all the users to "related.user", also I see in the docs some hashes and those should probably be copied to "related.hash" as well.

And one completely optional questions. Would it be easier to do the some of the mappings if we had a large switch statement based on the logid? This would look a lot like the Winlogbeat security fileset.

x-pack/filebeat/module/fortinet/firewall/ingest/traffic.json Outdated Show resolved Hide resolved
x-pack/filebeat/module/fortinet/firewall/ingest/traffic.json Outdated Show resolved Hide resolved
x-pack/filebeat/module/fortinet/firewall/ingest/traffic.json Outdated Show resolved Hide resolved
x-pack/filebeat/module/fortinet/firewall/ingest/event.json Outdated Show resolved Hide resolved
x-pack/filebeat/module/fortinet/firewall/ingest/event.json Outdated Show resolved Hide resolved
x-pack/filebeat/module/fortinet/firewall/ingest/event.json Outdated Show resolved Hide resolved
x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json Outdated Show resolved Hide resolved
@P1llus
updated some typos, moved certain conditions from each pipeline into …
d63f989 
…the starting pipeline, added some new ECS mapping, added requested changes from PR comments
@P1llus
Copy link
Member Author

P1llus commented Apr 29, 2020
edited
Loading

Okay phew, going to try to summarise the latest changes.

Could someone help me add a custom ECS field for "file.hash.crc32" ? I have tried changing the fields.yml to several different versions but it always breaks my nosetests no matter what.

Added the documentation changes from @andrewkroh
Added lots of small tweaks to ECS to get even better mapping, should cover almost all types of events now, including outcome, kind, category and type.
Added changes from @leehinman , comments where appropriate.
Converted pipelines to yaml.
Reran nosetests and generated new expected output.
Tested the filebeat against a private dataset working just fine.

@P1llus
Copy link
Member Author

P1llus commented Apr 30, 2020

jenkins, test this please

adriansr
adriansr suggested changes May 4, 2020
View reviewed changes
CHANGELOG.next.asciidoc Outdated
@@ -281,6 +281,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Enhance `elasticsearch/slowlog` fileset to handle ECS-compatible logs emitted by Elasticsearch. {issue}17715[17715] {pull}17729[17729]
- Improve ECS categorization field mappings in misp module. {issue}16026[16026] {pull}17344[17344]
- Added Unix stream socket support as an input source and a syslog input source. {pull}17492[17492]
- Added new Fortigate Syslog filebeat module. {pull}17890[17890]
- Improve ECS categorization field mappings for nginx module. {issue}16174[16174] {pull}17844[17844]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this non-related entry on purpose?

x-pack/filebeat/module/fortinet/firewall/manifest.yml Outdated
- name: tags
default: [fortinet-firewall]
- name: syslog_port
default: 9001
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This default already collides with other 4 filesets. Can you change it to 9004 which is unused?

x-pack/filebeat/module/fortinet/firewall/manifest.yml Outdated
default: 9001
- name: input
default: syslog
- name: log_level
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to me that this variable is not used, just carried over from using Cisco's module as a base.

x-pack/filebeat/modules.d/fortinet.yml.disabled Outdated
# Set the log level from 1 (alerts only) to 7 (include all messages).
# Messages with a log level higher than the specified will be dropped.
# See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
#var.log_level: 7
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also this is unused and references Cisco ASA docs.

@P1llus
Copy link
Member Author

P1llus commented May 4, 2020
edited
Loading

@adriansr I have added your changes, if you could take a look if they match? For some reason nosetests does not work anymore after pulling in the new master, I did test them also without any modifications and they still fail for some reason. Did work on all earlier commits as I always run it before a commit.

There is alao the thing withthe changelog, this seems to have been included after a merge, i removed the entry but that might ve the wrong approach here?

@P1llus P1llus requested a review from adriansr May 4, 2020 16:38
@adriansr
Copy link
Contributor

adriansr commented May 4, 2020

The tests are working for me 👍

@elasticmachine
Copy link
Collaborator

elasticmachine commented May 4, 2020
edited
Loading

💔 Build Failed

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 2465
Skipped 402
Total 2867

Steps errors

Expand to view the steps failures

  • Name: Make -C filebeat testsuite

    • Description: make -C filebeat testsuite

    • Result: FAILURE

    • Duration: 1 min 46 sec<

    • Start Time: 2020-05-05T14:49:27.347+0000

Log output

Expand to view the last 100 lines of log output 

[2020-05-05T15:21:45.981Z] [success] 0.28% test_crawler.Test.test_include_exclude_lines: 0.4891s
[2020-05-05T15:21:45.981Z] [success] 0.28% test_input.Test.test_exclude_files: 0.4890s
[2020-05-05T15:21:45.981Z] [success] 0.28% test_harvester.Test.test_decode_error: 0.4864s
[2020-05-05T15:21:45.981Z] [success] 0.28% test_crawler.Test.test_default_include_exclude_lines: 0.4863s
[2020-05-05T15:21:45.981Z] [success] 0.28% test_container.Test.test_container_input_cri: 0.4859s
[2020-05-05T15:21:45.981Z] [success] 0.28% test_harvester.Test.test_close_eof: 0.4856s
[2020-05-05T15:21:45.981Z] [success] 0.28% test_container.Test.test_container_input: 0.4840s
[2020-05-05T15:21:45.981Z] [success] 0.28% test_harvester.Test.test_boms_2_utf_16le_bom: 0.4823s
[2020-05-05T15:21:45.981Z] [success] 0.27% test_harvester.Test.test_close_removed: 0.4803s
[2020-05-05T15:21:45.981Z] [success] 0.27% test_harvester.Test.test_exceed_buffer: 0.4769s
[2020-05-05T15:21:45.981Z] [success] 0.27% test_cmd.TestCommands.test_modules_enable: 0.4711s
[2020-05-05T15:21:45.981Z] [success] 0.26% test_stdin.Test.test_stdin_eof: 0.4631s
[2020-05-05T15:21:45.981Z] [success] 0.26% test_cmd.TestCommands.test_modules_list: 0.4560s
[2020-05-05T15:21:45.981Z] [success] 0.26% test_cmd.TestCommands.test_modules_disable: 0.4556s
[2020-05-05T15:21:45.981Z] [success] 0.24% test_index_pattern.Test.test_export_index_pattern_migration: 0.4119s
[2020-05-05T15:21:45.981Z] [success] 0.23% test_generate.Test.test_generate_fileset: 0.4038s
[2020-05-05T15:21:45.981Z] [success] 0.23% test_index_pattern.Test.test_export_index_pattern: 0.4009s
[2020-05-05T15:21:45.981Z] [success] 0.23% test_harvester.Test.test_boms_0_utf_8: 0.4007s
[2020-05-05T15:21:45.982Z] [success] 0.22% test_crawler.Test.test_fetched_lines: 0.3924s
[2020-05-05T15:21:45.982Z] [success] 0.22% test_harvester.Test.test_boms_1_utf_16be_bom: 0.3923s
[2020-05-05T15:21:45.982Z] [success] 0.22% test_crawler.Test.test_include_lines: 0.3897s
[2020-05-05T15:21:45.982Z] [success] 0.22% test_tcp_tls.Test.test_tcp_tls_with_a_plain_text_socket: 0.3875s
[2020-05-05T15:21:45.982Z] [success] 0.22% test_crawler.Test.test_exclude_lines: 0.3861s
[2020-05-05T15:21:45.982Z] [success] 0.22% test_harvester.Test.test_symlink_and_file: 0.3855s
[2020-05-05T15:21:45.982Z] [success] 0.22% test_harvester.Test.test_symlinks_enabled: 0.3845s
[2020-05-05T15:21:45.982Z] [success] 0.22% test_input.Test.test_disable_recursive_glob: 0.3831s
[2020-05-05T15:21:45.982Z] [success] 0.20% test_shutdown.Test.test_once: 0.3516s
[2020-05-05T15:21:45.982Z] [success] 0.17% test_harvester.Test.test_debug_reader: 0.2898s
[2020-05-05T15:21:45.982Z] [success] 0.16% test_harvester.Test.test_ignore_symlink: 0.2853s
[2020-05-05T15:21:45.982Z] [success] 0.15% test_registrar.Test.test_symlink_failure: 0.2622s
[2020-05-05T15:21:45.982Z] [success] 0.15% test_input.Test.test_no_paths_defined: 0.2620s
[2020-05-05T15:21:45.982Z] [success] 0.15% test_tcp_tls.Test.test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth: 0.2582s
[2020-05-05T15:21:45.982Z] [success] 0.15% test_registrar.Test.test_invalid_state: 0.2569s
[2020-05-05T15:21:45.982Z] [success] 0.15% test_input.Test.test_shutdown_no_inputs: 0.2547s
[2020-05-05T15:21:45.982Z] [success] 0.14% test_tcp_tls.Test.test_tcp_over_tls_mutual_auth_fails: 0.2532s
[2020-05-05T15:21:45.982Z] [success] 0.14% test_multiline.Test.test_invalid_config: 0.2515s
[2020-05-05T15:21:45.982Z] [success] 0.12% test_generate.Test.test_generate_module: 0.2029s
[2020-05-05T15:21:45.982Z] [success] 0.10% test_json.Test.test_config_no_msg_key_multiline: 0.1746s
[2020-05-05T15:21:45.982Z] [success] 0.10% test_json.Test.test_config_no_msg_key_filtering: 0.1712s
[2020-05-05T15:21:45.982Z] [success] 0.09% test_reload_modules.Test.test_wrong_module_no_reload: 0.1655s
[2020-05-05T15:21:45.982Z] [success] 0.09% test_keystore.TestKeystore.test_keystore_with_key_not_present: 0.1596s
[2020-05-05T15:21:45.982Z] [success] 0.09% test_deprecated.Test.test_invalid_config_with_removed_settings: 0.1516s
[2020-05-05T15:21:45.982Z] [success] 0.08% test_stdin.Test.test_stdin_is_exclusive: 0.1429s
[2020-05-05T15:21:45.982Z] [success] 0.01% test_modules.load_fileset_test_cases: 0.0128s
[2020-05-05T15:21:45.982Z] ----------------------------------------------------------------------
[2020-05-05T15:21:45.982Z] Ran 309 tests in 175.259s
[2020-05-05T15:21:45.982Z] 
[2020-05-05T15:21:45.982Z] OK (SKIP=148)
[2020-05-05T15:21:46.245Z] >> python test: Unit Testing Complete
[2020-05-05T15:21:46.343Z] Recording test results
[2020-05-05T15:21:53.176Z] Stashed 2 file(s)
[2020-05-05T15:21:53.192Z] Archiving artifacts
[2020-05-05T15:21:55.720Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17890/src/github.com/elastic/beats
[2020-05-05T15:21:56.033Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-05-05T15:21:56.045Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17890/src/github.com/elastic/beats/Lint
[2020-05-05T15:21:56.127Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17890/src/github.com/elastic/beats/Filebeat-oss
[2020-05-05T15:21:56.224Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17890/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-05-05T15:21:56.302Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17890/src/github.com/elastic/beats/Filebeat-x-pack
[2020-05-05T15:21:56.373Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17890/src/github.com/elastic/beats/Filebeat-Windows
[2020-05-05T15:21:56.723Z] + cat
[2020-05-05T15:21:56.724Z] + /usr/local/bin/runbld ./runbld-script
[2020-05-05T15:21:56.724Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-05-05T15:22:03.321Z] runbld>>> runbld started
[2020-05-05T15:22:03.321Z] runbld>>> 1.6.11/a66728ff8f4356963772e6e6d2069392fa06acbe
[2020-05-05T15:22:04.707Z] runbld>>> The following profiles matched the job 'Beats/beats-beats-mbp/PR-17890' in order of occurrence in the config (last value wins).
[2020-05-05T15:22:06.096Z] runbld>>> Debug logging enabled.
[2020-05-05T15:22:06.096Z] runbld>>> Storing result
[2020-05-05T15:22:06.096Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-05-05T15:22:06.096Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200505152205-1A1EC960
[2020-05-05T15:22:06.096Z] runbld>>> Adding system facts.
[2020-05-05T15:22:07.041Z] runbld>>> Adding vcs info for the latest commit:  29ed9eb928d3fe2cb7226e50657b453098240e71
[2020-05-05T15:22:07.041Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-05-05T15:22:07.041Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-05-05T15:22:07.301Z] Processing JUnit reports with runbld...
[2020-05-05T15:22:07.302Z] + echo 'Processing JUnit reports with runbld...'
[2020-05-05T15:22:07.563Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-05-05T15:22:07.563Z] runbld>>> DURATION: 12ms
[2020-05-05T15:22:07.563Z] runbld>>> STDOUT: 40 bytes
[2020-05-05T15:22:07.563Z] runbld>>> STDERR: 49 bytes
[2020-05-05T15:22:07.563Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-05-05T15:22:07.563Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17890/src/github.com/elastic/beats
[2020-05-05T15:22:08.949Z] runbld>>> Storing build metadata: 
[2020-05-05T15:22:08.949Z] runbld>>> Adding test report.
[2020-05-05T15:22:08.949Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17890/src/github.com/elastic/beats
[2020-05-05T15:22:09.891Z] runbld>>> Found 8 test output files
[2020-05-05T15:22:10.839Z] runbld>>> Test output logs contained: Errors: 0 Failures: 0 Tests: 2867 Skipped: 392
[2020-05-05T15:22:10.839Z] runbld>>> Storing result
[2020-05-05T15:22:10.839Z] runbld>>> FAILURES: 0
[2020-05-05T15:22:11.099Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-05-05T15:22:11.099Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200505152205-1A1EC960
[2020-05-05T15:22:11.099Z] runbld>>> Email notification disabled by environment variable.
[2020-05-05T15:22:11.099Z] runbld>>> Slack notification disabled by environment variable.
[2020-05-05T15:22:17.269Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17890
[2020-05-05T15:22:17.662Z] [INFO] getVaultSecret: Getting secrets
[2020-05-05T15:22:17.766Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-05-05T15:22:18.686Z] + chmod 755 generate-build-data.sh
[2020-05-05T15:22:18.686Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17890/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17890/runs/16 FAILURE 4026499
[2020-05-05T15:22:19.236Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17890/runs/16/steps/?limit=10000 -o steps-info.json
[2020-05-05T15:22:20.147Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17890/runs/16/tests/?status=FAILED -o tests-errors.json
[2020-05-05T15:22:20.698Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17890/runs/16/log/ -o pipeline-log.txt

@P1llus
Copy link
Member Author

P1llus commented May 4, 2020

The tests are working for me

Got them to run now, forgot to add MODULE_PATH env. Everything else looks okay @adriansr ?

If you look at the changes to CHANGELOG.next.asciidoc, I do believe that it is the wrong approach correct?

leehinman
leehinman requested changes May 5, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

questions on url mappings

x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json Outdated
"fortinet-firewall"
],
"url.domain": "elastic.co",
"url.path": "https://example.com/"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is currently in url.path I would expect to be in url.full or url.original since it looks like a full url. For url.path I would expect "/" with a url.full of "https://example.com/". Also it still looks like the url.domain and what is the full url don't match. For a url.full of "https://example.com/" I would expect url.domain to be "example.com"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a typo in my dataset and not the mapping, fixing it now

leehinman
leehinman approved these changes May 5, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@adriansr adriansr merged commit bc39eb8 into elastic:master May 5, 2020
@P1llus P1llus deleted the fortigate-module branch May 5, 2020 15:49
@adriansr adriansr mentioned this pull request May 5, 2020
Merged
6 tasks
@adriansr adriansr added the v7.8.0 label May 5, 2020
adriansr pushed a commit to adriansr/beats that referenced this pull request May 5, 2020
@P1llus @adriansr
Fortinet Filebeat Module (elastic#17890)
6360429 
This PR Introduces the Fortinet filebeat module. Focusing currently on Fortigate Firewall, but should include other Fortinet products as separate PR's later on.

Many thanks to the continuous support from @enotspe and the project https://github.com/enotspe/fortinet-2-elasticsearch helping out with feedback, comments, documentation and much more!

(cherry picked from commit bc39eb8)
adriansr added a commit that referenced this pull request May 5, 2020
@adriansr
Cherry-pick #17890 to 7.x: Fortinet Filebeat Module (#18254)
e5a511c 
This PR Introduces the Fortinet filebeat module. Focusing currently on Fortigate Firewall, but should include other Fortinet products as separate PR's later on.

Many thanks to the continuous support from @enotspe and the project https://github.com/enotspe/fortinet-2-elasticsearch helping out with feedback, comments, documentation and much more!

(cherry picked from commit bc39eb8)
@enotspe enotspe mentioned this pull request May 6, 2020
Closed
@nicpenning
Copy link
Contributor

I will piggy back on @enotspe comment above.

Please add the logic to get url.full when the log type is utm and sub type is virus, instead of using url.path.

Let us know if we need to clarify.

@whataboutpereira
Copy link
Contributor

Hello! DNS requests can include multiple IP addresses in the form of

ipaddr="192.168.200.11, 192.168.200.12"

Fabricated log line for testing:

<189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8, 8.8.4.4" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access"

@sidahmed-malaoui
Copy link

@P1llus You said other products from fortinet will be available later on. Any idea when they will be available please ? I would really appreciate to get this information, even if it's an approximate date.

Thank you in advance for your response Sir.

@P1llus
Copy link
Member Author

P1llus commented Jun 25, 2020

@sidahmed-malaoui Unfortunately there is no current way to say this. Though I have created issues for some of them, and you are always free to follow those issues to get any information on updates. If there is a specific product missing, you can create your own issue and request it and we can see if there is any possibilities to add it in.

As always there is no real promise or timeline on this, it was rather an explanation that if we are to support multiple fortinet products then it would be in a separate fileset.

Examples:
#19314
#19315

There is also quite some documentation around fortisandbox and fortiweb, but i'm still researching if those will be possible

@enotspe
Copy link

enotspe commented Jun 26, 2020

@P1llus You said other products from fortinet will be available later on. Any idea when they will be available please ? I would really appreciate to get this information, even if it's an approximate date.

Thank you in advance for your response Sir.

There are some logstash pipelines for fortimail and fortiweb if that helps

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webmat webmat webmat left review comments

@leehinman leehinman leehinman approved these changes

@andrewkroh andrewkroh andrewkroh approved these changes

@adriansr adriansr Awaiting requested review from adriansr

Assignees
No one assigned
Labels
enhancement review v7.8.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Filebeat Fortinet Fortigate Module Translating FortiOS log fields to ECS
10 participants
@P1llus @elasticmachine @adriansr @nicpenning @whataboutpereira @sidahmed-malaoui @enotspe @webmat @andrewkroh @leehinman