From 3a8589d9c8634cfc275ec28b1b79873a02f70e89 Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Wed, 9 Dec 2020 09:54:52 -0500 Subject: [PATCH] Add pipeline test for Fortinet Firewall (#437) * Add pipeline test for Fortinet Firewall These are the original failures after enabling the test. FAILURE DETAILS: fortinet/firewall test-fortinet.log: [0] field "_temp.time" is undefined [1] field "fortinet.firewall.devid" is undefined [2] field "fortinet.firewall.devname" is undefined [3] field "fortinet.firewall.dir" is undefined [4] field "fortinet.firewall.group" is undefined [5] field "fortinet.firewall.level" is undefined [6] field "fortinet.firewall.locip" is undefined [7] field "fortinet.firewall.locport" is undefined [8] field "fortinet.firewall.logdesc" is undefined [9] field "fortinet.firewall.logid" is undefined [10] field "fortinet.firewall.msg" is undefined [11] field "fortinet.firewall.remip" is undefined [12] field "fortinet.firewall.remport" is undefined [13] field "fortinet.firewall.user" is undefined [14] field "syslog5424_pri" is undefined [15] field "syslog5424_sd" is undefined [16] parsing field value failed: field "fortinet.firewall.disklograte"''s Go type, string, does not match the expected field type: long [17] parsing field value failed: field "fortinet.firewall.fazlograte"''s Go type, string, does not match the expected field type: long [18] parsing field value failed: field "fortinet.firewall.lanin"''s Go type, string, does not match the expected field type: long [19] parsing field value failed: field "fortinet.firewall.lanout"''s Go type, string, does not match the expected field type: long [20] parsing field value failed: field "fortinet.firewall.setuprate"''s Go type, string, does not match the expected field type: long [21] parsing field value failed: field "fortinet.firewall.wanin"''s Go type, string, does not match the expected field type: long [22] parsing field value failed: field "fortinet.firewall.wanout"''s Go type, string, does not match the expected field type: long --- Test results for package: fortinet 
- END --- * fix errors in pipeline Co-authored-by: Lee E. Hinman
---
.../_dev/test/pipeline/test-fortinet.log | 32 +
.../pipeline/test-fortinet.log-config.json | 5 +
.../pipeline/test-fortinet.log-expected.json | 2871 +++++++++++++++++
.../elasticsearch/ingest_pipeline/default.yml | 44 +-
.../elasticsearch/ingest_pipeline/event.yml | 30 +-
.../elasticsearch/ingest_pipeline/traffic.yml | 18 +-
6 files changed, 2983 insertions(+), 17 deletions(-)
create mode 100644 packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log
create mode 100644 packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-config.json
create mode 100644 packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json
diff --git a/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log
new file mode 100644
index 00000000000..e3c4ddd0d9f
--- /dev/null
+++ b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log
@@ -0,0 +1,32 @@
+<188>date=2020-04-23 time=12:17:48 devname="testswitch1" devid="somerouterid" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1587230269052907555 tz="-0500" policyid=100602 sessionid=1234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=61930 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="blocked" reqtype="direct" url="/config/" sentbyte=1152 rcvdbyte=1130 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=76 catdesc="Internet Telephony"
+<189>date=2020-04-23 time=01:16:08 devname="testswitch1" devid="somerouterid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="OPERATIONAL" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf="srcintfname" srcintfrole="lan" dstip=8.8.8.8 dstport=161 dstintf="dstintfname" dstintfrole="lan" sessionid=155313 proto=17 action="deny" policyid=0 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
+<189>date=2020-04-23 time=12:17:45 devname="testswitch1" devid="somerouterid" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1587230266314799756 tz="-0500" policyid=38 sessionid=543234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=65236 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="passthrough" reqtype="direct" url="/" sentbyte=3545 rcvdbyte=6812 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email"
+<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230255061492894 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
+<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1591788391 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
+<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
+<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8, 8.8.4.4" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
+<190>date=2020-04-23 time=12:17:11 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230232148674303 tz="-0500" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=63012 dstport=443 srcintf="port1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100602 sessionid=543234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.no" incidentserialno=54323 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium"
+<189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access"
+<190>date=2020-04-23 time=12:17:12 devname="testswitch1" devid="somerouterid" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" eventtime=1587230232658642672 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=235 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN"
+<189>date=2020-04-23 time=13:15:18 devname="testswitch2" devid="someotherid" logid="1700062001" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="notice" vd="root" eventtime=1587230118838592454 tz="-0400" policyid=12 sessionid=42346234 service="HTTPS" user="elasticuser2" group="elasticgroup2" profile="somecerts" srcip=192.168.2.1 srcport=59726 dstip=8.8.4.4 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 action="passthrough" msg="Server certificate passed" reason="untrusted-cert"
+<189>date=2020-04-23 time=12:32:48 devname="testswitch3" devid="someotherrouteridagain" logid="0102043014" type="event" subtype="user" level="notice" vd="root" eventtime=1587231168439640874 tz="-0500" logdesc="FSSO logon authentication status" srcip=10.10.10.10 user="elasticouser" server="elasticserver" action="FSSO-logon" msg="FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10"
+<187>date=2020-04-23 time=12:32:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" eventtime=1587231168339114138 tz="-0500" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=8.8.4.4 locip=8.8.8.8 remport=500 locport=500 outintf="wan2" cookies="345hkjhdrs87/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"
+<189>date=2020-04-23 time=12:32:31 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231151628960857 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.4.5.4 locip=9.9.9.9 remport=500 locport=500 outintf="wan1" cookies="df868dsg876d/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="elasticvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK"
+<189>date=2020-04-23 time=14:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0100040704" type="event" subtype="system" level="notice" vd="root" eventtime=1587231129938795255 tz="-0300" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=10 totalsession=23 disk=0 bandwidth="23/4" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=331 sysuptime=25170 msg="Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0"
+<189>date=2020-04-23 time=12:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0102043039" type="event" subtype="user" level="notice" vd="root" eventtime=1587231130109462858 tz="-0500" logdesc="Authentication logon" srcip=10.10.10.10 user="elastiiiuser" authserver="FSSO_elastiauth" action="auth-logon" status="logon" msg="User elastiiiuser added to auth logon"
+<189>date=2020-04-23 time=12:32:00 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231120608961118 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.8.5.4 locip=7.6.3.4 remport=500 locport=500 outintf="wan1" cookies="345khj34566/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="testvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK"
+<189>date=2020-04-23 time=14:24:13 devname="testswitch3" devid="someotherrouteridagain" logid="0100041006" type="event" subtype="system" level="notice" vd="root" eventtime=1587230655301863513 tz="-0300" logdesc="FortiSandbox AV database updated" version="1.522479" msg="FortiSandbox AV database updated"
+<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0107045057" type="event" subtype="endpoint" level="information" vd="root" eventtime=1587230627558979735 tz="-0500" logdesc="FortiClient connection added" action="add" status="success" license_limit="unlimited" used_for_type=3 connection_type="sslvpn" count=2 user="elastico" ip=172.16.0.2 name="somerouter" fctuid="645234fdd01F885824F764" msg="Add a FortiClient Connection."
+<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039943" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627334405765 tz="-0500" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=2 remip=8.8.8.6 user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection"
+<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627698970007 tz="-0500" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=2345 remip=8.8.5.4 tunnelip=10.10.10.10 user="someuser" group="somegroup" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"
+<189>date=2020-04-23 time=14:16:42 devname="testswitch3" devid="someotherrouteridagain" logid="0102043015" type="event" subtype="user" level="notice" vd="root" eventtime=1587230204674924332 tz="-0300" logdesc="FSSO log off authentication status" srcip=192.168.1.1 user="elasticadmin" server="FSSO_somefssoserver" action="FSSO-logoff" msg="FSSO-logoff event from FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1"
+<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022915" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163121116383 tz="-0500" logdesc="FortiCloud server connected" server="9.9.9.9" action="connect" msg="FortiCloud 9.9.9.9 server is connected"
+<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022913" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163375149856 tz="-0500" logdesc="FortiCloud server disconnected" server="4.4.4.4" action="disconnect" reason="connection reset" msg="FortiCloud 4.4.4.4 server is disconnected"
+<188>date=2020-04-23 time=12:14:09 devname="newfirewall" devid="newrouterid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230049761513222 tz="-0500" srcip=192.168.1.6 srcport=53438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" sessionid=435234 proto=17 action="dns" policyid=26 policytype="policy" poluuid="2345de-b143-52134d8-6654f-4654sdfg16f431" policyname="elasticnewruleset" service="DNS" dstcountry="Netherlands" srccountry="Reserved" appcat="unscanned" crscore=5 craction=54144 crlevel="low"
+<189>date=2020-04-23 time=12:11:51 devname="newfirewall" devid="newrouterid" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587229911390385486 tz="-0500" srcip=192.168.10.10 srcport=6000 srcintf="port1" srcintfrole="lan" dstip=8.6.4.7 dstport=6000 dstintf="wan1" dstintfrole="wan" sessionid=4352 proto=17 action="accept" policyid=3426 policytype="policy" poluuid="1765de8-5a13-765da73fdsfa1c" policyname="newruleelastic" service="portname" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=123.123.123.123 transport=60964 appcat="unknown" applist="policylist" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728
+<189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2001:4860:4860::8888 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2001:4860:4860::8888 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned"
+<189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=9.7.7.7 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=8.8.8.8 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned"
+<188>date=2020-04-23 time=12:14:39 devname="firewall3" devid="oldfwid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230079841464445 tz="-0500" srcip=192.168.1.1 srcport=62493 srcintf="port1" srcintfrole="lan" dstip=192.168.100.100 dstport=1235 dstintf="newinterface" dstintfrole="undefined" sessionid=54234 proto=17 action="ip-conn" policyid=49 policytype="policy" poluuid="654cc-b6542-53467u8-e45234-1566casd35f7836" policyname="oldpolicyname" user="elasticsuper" authserver="FSSO_newfsso" service="udp/12302" dstcountry="Reserved" srccountry="Reserved" appcat="unscanned" crscore=5 craction=63332144 crlevel="low"
+<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low"
+<190>date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA"
+<190>date=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type="event" subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=8.8.8.8 locip=10.10.10.10 remport=500 locport=500 outintf="port1" cookies="125cbf9ee8349965/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="P1_Test" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK
diff --git a/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-config.json b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-config.json
new file mode 100644
index 00000000000..f71947c2f04
--- /dev/null
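Review bot: The 2019-05-15 app-ctrl line near the end of the fixture carries real third-party values — `dstip=195.8.215.136`, `hostname="www.dailymotion.com"`, `scertcname="*.dailymotion.com"` and a real CA issuer name — while every other line uses placeholders such as `elastic.co` and `test.elastic.co`. Unless the GeoIP/ASN enrichment asserted in the expected file depends on that exact address, a documentation-range address (RFC 5737, e.g. `203.0.113.10`) and an `example.com` host would keep the committed sample free of identifiable third-party entities without changing what the parser is exercised on. Separately, the FSSO-logoff line has `logged off 1192.168.1.1` inside its msg while its `srcip=192.168.1.1`; this looks like a typo rather than a deliberate malformed-address case, and because the expected output is generated from this input the typo will be pinned silently, so either correct it to `192.168.1.1` or state in the PR description that it is intentional.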
+++ b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-config.json
@@ -0,0 +1,5 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ }
+}
\ No newline at end of file
diff --git a/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json
new file mode 100644
index 00000000000..b1069c3cfd1
--- /dev/null
+++ b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json
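Review bot: The new config file ends without a trailing newline, as the `\ No newline at end of file` marker after the closing `}` shows; adding the final newline keeps the file POSIX-conformant and avoids a spurious whole-line change the next time it is edited. The `dynamic_fields` entry excluding `event.ingested` with `".*"` is the right way to keep the run-dependent ingest timestamp out of the comparison, and nothing else in this hunk needs the same treatment.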
@@ -0,0 +1,2871 @@ +{ + "expected": [ + { + "log": { + "level": "warning" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 1130, + "ip": "8.8.8.8" + }, + "rule": { + "ruleset": "elasticruleset", + "category": "Internet Telephony", + "id": "100602" + }, + "source": { + "port": 61930, + "user": { + "name": "elasticuser", + "group": { + "name": "elasticgroup" + } + }, + "bytes": 1152, + "ip": "192.168.2.1" + }, + "message": "URL belongs to a denied category in policy", + "url": { + "path": "/config/", + "domain": "elastic.co" + }, + "network": { + "protocol": "https", + "bytes": 2282, + "iana_number": "6", + "direction": "outgoing" + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:17:48.000-05:00", + "related": { + "user": [ + "elasticuser" + ], + "ip": [ + "192.168.2.1", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "method": "domain", + "subtype": "webfilter", + "authserver": "elasticauth", + "reqtype": "direct", + "cat": "76", + "action": "blocked", + "sessionid": "1234", + "type": "utm", + "vd": "root" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391149Z", + "code": "0316013056", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:17:49.052-05:00", + "action": "ftgd_blk", + "type": [ + "denied" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + 
"geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 161, + "bytes": 0, + "ip": "8.8.8.8" + }, + "rule": { + "ruleset": "policy", + "category": "unscanned", + "id": "0" + }, + "source": { + "port": 60899, + "bytes": 0, + "packets": 0, + "ip": "10.10.10.10" + }, + "network": { + "protocol": "snmp", + "bytes": 0, + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "srcintfname" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "dstintfname" + } + } + }, + "@timestamp": "2020-04-23T01:16:08.000Z", + "related": { + "ip": [ + "10.10.10.10", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "srcintfrole": "lan", + "crlevel": "high", + "sessionid": "155313", + "type": "traffic", + "vd": "OPERATIONAL", + "craction": "131072", + "srccountry": "Reserved", + "dstintfrole": "lan", + "subtype": "forward", + "crscore": "30", + "action": "deny", + "trandisp": "noop", + "dstcountry": "Reserved" + } + }, + "event": { + "duration": 0, + "ingested": "2020-12-03T04:21:52.391189500Z", + "code": "0000000013", + "kind": "event", + "module": "fortinet", + "start": "2020-06-24T01:16:08.000Z", + "action": "deny", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "bytes": 6812, + "ip": "8.8.8.8" + }, + "rule": { + 
"ruleset": "elasticruleset", + "category": "Web-based Email", + "id": "38" + }, + "source": { + "port": 65236, + "user": { + "name": "elasticuser", + "group": { + "name": "elasticgroup" + } + }, + "bytes": 3545, + "ip": "192.168.2.1" + }, + "message": "URL belongs to an allowed category in policy", + "url": { + "path": "/", + "domain": "elastic.co" + }, + "network": { + "protocol": "https", + "bytes": 10357, + "iana_number": "6", + "direction": "outgoing" + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:17:45.000-05:00", + "related": { + "user": [ + "elasticuser" + ], + "ip": [ + "192.168.2.1", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "method": "domain", + "subtype": "webfilter", + "authserver": "elasticauth", + "reqtype": "direct", + "cat": "23", + "action": "passthrough", + "sessionid": "543234", + "type": "utm", + "vd": "root" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391220100Z", + "code": "0317013312", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:17:46.314-05:00", + "action": "ftgd_allow", + "type": [ + "allowed" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.8.8" + }, + "rule": { + "ruleset": "elasticruleset", + "category": "Web-Client", + "id": "12" + }, + "source": { + "port": 59790, + "user": 
{ + "name": "elasticuser", + "group": { + "name": "elasticgroup" + } + }, + "ip": "192.168.2.1" + }, + "message": "Web.Client: HTTPS.BROWSER,", + "url": { + "path": "/", + "domain": "elastic.co" + }, + "network": { + "protocol": "ssl", + "application": "HTTPS.BROWSER", + "iana_number": "6", + "direction": "outgoing" + }, + "observer": { + "ingress": { + "interface": { + "name": "LAN" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T13:17:35.000-04:00", + "related": { + "user": [ + "elasticuser" + ], + "ip": [ + "192.168.2.1", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "app-ctrl", + "authserver": "elasticauth", + "appid": "40568", + "action": "pass", + "apprisk": "medium", + "sessionid": "453234", + "type": "utm", + "vd": "root", + "incidentserialno": "23465" + } + }, + "tls": { + "server": { + "x509": { + "subject": { + "common_name": "test.elastic.co" + } + } + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391279200Z", + "code": "1059028704", + "timezone": "-0400", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T13:17:35.061-04:00", + "action": "signature", + "type": [ + "allowed" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.8.8" + }, + "rule": { + "ruleset": "elasticruleset", + "category": "Web-Client", + "id": "12" + }, + "source": { + "port": 59790, + "user": { + "name": "elasticuser", + 
"group": { + "name": "elasticgroup" + } + }, + "ip": "192.168.2.1" + }, + "message": "Web.Client: HTTPS.BROWSER,", + "url": { + "path": "/", + "domain": "elastic.co" + }, + "network": { + "protocol": "ssl", + "application": "HTTPS.BROWSER", + "iana_number": "6", + "direction": "outgoing" + }, + "observer": { + "ingress": { + "interface": { + "name": "LAN" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T13:17:35.000-04:00", + "related": { + "user": [ + "elasticuser" + ], + "ip": [ + "192.168.2.1", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "app-ctrl", + "authserver": "elasticauth", + "appid": "40568", + "action": "pass", + "apprisk": "medium", + "sessionid": "453234", + "type": "utm", + "vd": "root", + "incidentserialno": "23465" + } + }, + "tls": { + "server": { + "x509": { + "subject": { + "common_name": "test.elastic.co" + } + } + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391293100Z", + "code": "1059028704", + "timezone": "-0400", + "kind": "event", + "module": "fortinet", + "start": "2020-06-10T07:26:31.000-04:00", + "action": "signature", + "type": [ + "allowed" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "ip": "8.8.8.8" + }, + "dns": { + "question": { + "name": "elastic.example.com", + "type": "A", + "class": "IN" + }, + "resolved_ip": [ + "8.8.8.8" + ], + "id": "2234" + }, + "rule": { + "ruleset": "test", + "category": 
"Web-based Email", + "id": "26" + }, + "source": { + "port": 53430, + "ip": "192.168.2.1" + }, + "message": "Domain is monitored", + "network": { + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:17:29.000-05:00", + "related": { + "ip": [ + "192.168.2.1", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "dns", + "cat": "23", + "action": "pass", + "qtypeval": "1", + "sessionid": "543234", + "type": "utm", + "vd": "root" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391303500Z", + "code": "1501054802", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:17:29.360-05:00", + "action": "dns-response", + "type": [ + "info", + "allowed" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "ip": "8.8.8.8" + }, + "dns": { + "question": { + "name": "elastic.example.com", + "type": "A", + "class": "IN" + }, + "resolved_ip": [ + "8.8.8.8", + "8.8.4.4" + ], + "id": "2234" + }, + "rule": { + "ruleset": "test", + "category": "Web-based Email", + "id": "26" + }, + "source": { + "port": 53430, + "ip": "192.168.2.1" + }, + "message": "Domain is monitored", + "network": { + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + 
"name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:17:29.000-05:00", + "related": { + "ip": [ + "192.168.2.1", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "dns", + "cat": "23", + "action": "pass", + "qtypeval": "1", + "sessionid": "543234", + "type": "utm", + "vd": "root" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391317500Z", + "code": "1501054802", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:17:29.360-05:00", + "action": "dns-response", + "type": [ + "info", + "allowed" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.8.8" + }, + "rule": { + "ruleset": "elasticruleset", + "category": "Web-Client", + "id": "100602" + }, + "source": { + "port": 63012, + "user": { + "name": "elasticuser", + "group": { + "name": "elasticgroup" + } + }, + "ip": "192.168.2.1" + }, + "message": "Web.Client: HTTPS.BROWSER,", + "url": { + "path": "/", + "domain": "elastic.no" + }, + "network": { + "protocol": "ssl", + "application": "HTTPS.BROWSER", + "iana_number": "6", + "direction": "outgoing" + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:17:11.000-05:00", + "related": { + "user": [ + 
"elasticuser" + ], + "ip": [ + "192.168.2.1", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "app-ctrl", + "authserver": "elasticauth", + "appid": "40568", + "action": "pass", + "apprisk": "medium", + "sessionid": "543234", + "type": "utm", + "vd": "root", + "incidentserialno": "54323" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391326Z", + "code": "1059028704", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:17:12.148-05:00", + "action": "signature", + "type": [ + "allowed" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "ip": "8.8.8.8" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "A", + "class": "IN" + }, + "resolved_ip": [ + "8.8.8.8" + ], + "id": "2352" + }, + "rule": { + "ruleset": "elastictest", + "category": "Remote Access", + "id": "26" + }, + "source": { + "port": 54438, + "ip": "192.168.2.1" + }, + "message": "Domain is monitored", + "network": { + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:17:04.000-05:00", + "related": { + "ip": [ + "192.168.2.1", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "dns", + "cat": "93", + "action": "pass", + "qtypeval": "1", + "sessionid": "5432", + "type": "utm", + 
"vd": "root" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391332600Z", + "code": "1501054802", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:17:04.712-05:00", + "action": "dns-response", + "type": [ + "info", + "allowed" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "ip": "8.8.8.8" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "A", + "class": "IN" + }, + "id": "235" + }, + "rule": { + "ruleset": "elastictest", + "id": "26" + }, + "source": { + "port": 54788, + "ip": "192.168.2.1" + }, + "network": { + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch1", + "serial_number": "somerouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:17:12.000-05:00", + "related": { + "ip": [ + "192.168.2.1", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "dns", + "qtypeval": "1", + "sessionid": "543234", + "type": "utm", + "vd": "root" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391368900Z", + "code": "1500054000", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:17:12.658-05:00", + "action": "dns-query", + "type": [ + "info" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + 
"country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.4.4" + }, + "rule": { + "ruleset": "somecerts", + "id": "12" + }, + "source": { + "port": 59726, + "user": { + "name": "elasticuser2", + "group": { + "name": "elasticgroup2" + } + }, + "ip": "192.168.2.1" + }, + "message": "Server certificate passed", + "network": { + "protocol": "https", + "iana_number": "6" + }, + "observer": { + "ingress": { + "interface": { + "name": "LAN" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "testswitch2", + "serial_number": "someotherid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T13:15:18.000-04:00", + "related": { + "user": [ + "elasticuser2" + ], + "ip": [ + "192.168.2.1", + "8.8.4.4" + ] + }, + "fortinet": { + "firewall": { + "reason": "untrusted-cert", + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "ssl", + "action": "passthrough", + "sessionid": "42346234", + "type": "utm", + "vd": "root" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391385300Z", + "code": "1700062001", + "timezone": "-0400", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T13:15:18.838-04:00", + "action": "ssl-anomalies", + "type": [ + "allowed" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:32:48.000-05:00", + "related": { + "user": [ + "elasticouser" + ], + "ip": [ + "10.10.10.10" + ] + }, + "log": { + "level": "notice" + }, + "fortinet": { + "firewall": { + "server": "elasticserver", + "action": "FSSO-logon", + "type": "event", + "subtype": "user", + 
"vd": "root" + } + }, + "rule": { + "description": "FSSO logon authentication status" + }, + "source": { + "user": { + "name": "elasticouser" + }, + "ip": "10.10.10.10" + }, + "event": { + "ingested": "2020-12-03T04:21:52.391396100Z", + "code": "0102043014", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:32:48.439-05:00", + "type": [ + "user", + "start" + ], + "category": [ + "authentication" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + }, + "message": "FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10" + }, + { + "log": { + "level": "error" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 500, + "ip": "8.8.4.4" + }, + "rule": { + "description": "IPsec phase 1 error" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 500, + "ip": "8.8.8.8" + }, + "message": "IPsec phase 1 error", + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:32:47.000-05:00", + "related": { + "ip": [ + "8.8.8.8", + "8.8.4.4" + ] + }, + "fortinet": { + "firewall": { + "reason": "peer SA proposal not match local policy", + "subtype": "vpn", + "action": "negotiate", + "xauthuser": "N/A", + "outintf": "wan2", + "type": "event", + "cookies": "345hkjhdrs87/0000000000000000", + "vpntunnel": "N/A", + "peer_notif": "NOT-APPLICABLE", + "vd": "root", + "xauthgroup": "N/A", + "status": "negotiate_error" + } + }, + 
"event": { + "ingested": "2020-12-03T04:21:52.391405700Z", + "code": "0101037124", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:32:48.339-05:00", + "type": [ + "connection" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "failure" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 3356, + "organization": { + "name": "Level 3 Parent, LLC" + } + }, + "port": 500, + "ip": "8.4.5.4" + }, + "rule": { + "description": "Progress IPsec phase 1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "France", + "location": { + "lon": 2.3387, + "lat": 48.8582 + }, + "country_iso_code": "FR" + }, + "as": { + "number": 19281, + "organization": { + "name": "Quad9" + } + }, + "port": 500, + "ip": "9.9.9.9" + }, + "message": "progress IPsec phase 1", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:32:31.000-05:00", + "related": { + "ip": [ + "9.9.9.9", + "8.4.5.4" + ] + }, + "fortinet": { + "firewall": { + "init": "local", + "role": "initiator", + "xauthuser": "N/A", + "outintf": "wan1", + "type": "event", + "cookies": "df868dsg876d/0000000000000000", + "vpntunnel": "elasticvpn", + "vd": "root", + "xauthgroup": "N/A", + "mode": "main", + "result": "OK", + "stage": "1", + "subtype": "vpn", + "action": "negotiate", + "status": "success" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391415500Z", + "code": "0101037127", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:32:31.628-05:00", + "type": [ + "connection" + ], + "category": [ 
+ "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T14:32:09.000-03:00", + "log": { + "level": "notice" + }, + "fortinet": { + "firewall": { + "bandwidth": "23/4", + "cpu": "0", + "fazlograte": 0, + "freediskstorage": "331", + "type": "event", + "vd": "root", + "disk": "0", + "setuprate": 0, + "mem": 10, + "subtype": "system", + "sysuptime": "25170", + "action": "perf-stats", + "disklograte": 0, + "totalsession": "23" + } + }, + "rule": { + "description": "System performance statistics" + }, + "event": { + "ingested": "2020-12-03T04:21:52.391426800Z", + "code": "0100040704", + "timezone": "-0300", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T14:32:09.938-03:00", + "type": [ + "info" + ], + "category": [ + "host" + ], + "dataset": "fortinet.firewall" + }, + "message": "Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0" + }, + { + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:32:09.000-05:00", + "related": { + "user": [ + "elastiiiuser" + ], + "ip": [ + "10.10.10.10" + ] + }, + "log": { + "level": "notice" + }, + "fortinet": { + "firewall": { + "action": "auth-logon", + "type": "event", + "subtype": "user", + "authserver": "FSSO_elastiauth", + "vd": "root", + "status": "logon" + } + }, + "rule": { + "description": "Authentication logon" + }, + "source": { + "user": { + "name": "elastiiiuser" + }, + "ip": "10.10.10.10" + }, + "event": { + "ingested": "2020-12-03T04:21:52.391454900Z", + "code": "0102043039", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:32:10.109-05:00", + "type": [ + "user", + 
"start" + ], + "category": [ + "authentication" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + }, + "message": "User elastiiiuser added to auth logon" + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 3356, + "organization": { + "name": "Level 3 Parent, LLC" + } + }, + "port": 500, + "ip": "8.8.5.4" + }, + "rule": { + "description": "Progress IPsec phase 1" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "port": 500, + "ip": "7.6.3.4" + }, + "message": "progress IPsec phase 1", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:32:00.000-05:00", + "related": { + "ip": [ + "7.6.3.4", + "8.8.5.4" + ] + }, + "fortinet": { + "firewall": { + "init": "local", + "role": "initiator", + "xauthuser": "N/A", + "outintf": "wan1", + "type": "event", + "cookies": "345khj34566/0000000000000000", + "vpntunnel": "testvpn", + "vd": "root", + "xauthgroup": "N/A", + "mode": "main", + "result": "OK", + "stage": "1", + "subtype": "vpn", + "action": "negotiate", + "status": "success" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391465Z", + "code": "0101037127", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:32:00.608-05:00", + "type": [ + "connection" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", 
+ "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T14:24:13.000-03:00", + "log": { + "level": "notice" + }, + "fortinet": { + "firewall": { + "type": "event", + "version": "1.522479", + "subtype": "system", + "vd": "root" + } + }, + "rule": { + "description": "FortiSandbox AV database updated" + }, + "event": { + "ingested": "2020-12-03T04:21:52.391474800Z", + "code": "0100041006", + "timezone": "-0300", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T14:24:15.301-03:00", + "dataset": "fortinet.firewall" + }, + "message": "FortiSandbox AV database updated" + }, + { + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:23:47.000-05:00", + "related": { + "user": [ + "elastico" + ] + }, + "log": { + "level": "information" + }, + "fortinet": { + "firewall": { + "connection_type": "sslvpn", + "subtype": "endpoint", + "used_for_type": "3", + "ip": "172.16.0.2", + "count": "2", + "name": "somerouter", + "action": "add", + "type": "event", + "vd": "root", + "fctuid": "645234fdd01F885824F764", + "license_limit": "unlimited", + "status": "success" + } + }, + "rule": { + "description": "FortiClient connection added" + }, + "source": { + "user": { + "name": "elastico" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391485600Z", + "code": "0107045057", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:23:47.558-05:00", + "dataset": "fortinet.firewall" + }, + "message": "Add a FortiClient Connection." 
+ }, + { + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:23:47.000-05:00", + "related": { + "ip": [ + "8.8.8.6" + ] + }, + "log": { + "level": "information" + }, + "fortinet": { + "firewall": { + "reason": "N/A", + "subtype": "vpn", + "tunnelid": "2", + "action": "ssl-new-con", + "type": "event", + "tunneltype": "ssl", + "vd": "root" + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "address": "N/A", + "ip": "8.8.8.6" + }, + "rule": { + "description": "SSL VPN new connection" + }, + "event": { + "ingested": "2020-12-03T04:21:52.391514800Z", + "code": "0101039943", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:23:47.334-05:00", + "type": [ + "connection" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall" + }, + "message": "SSL new connection" + }, + { + "log": { + "level": "information" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 3356, + "organization": { + "name": "Level 3 Parent, LLC" + } + }, + "address": "N/A", + "ip": "8.8.5.4" + }, + "rule": { + "description": "SSL VPN tunnel up" + }, + "source": { + "user": { + "name": "someuser", + "group": { + "name": "somegroup" + } + } + }, + "message": "SSL tunnel established", + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:23:47.000-05:00", + "related": { + "user": [ + 
"someuser" + ], + "ip": [ + "8.8.5.4" + ] + }, + "fortinet": { + "firewall": { + "reason": "tunnel established", + "subtype": "vpn", + "tunnelid": "2345", + "action": "tunnel-up", + "tunnelip": "10.10.10.10", + "type": "event", + "tunneltype": "ssl-tunnel", + "vd": "root" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391529100Z", + "code": "0101039947", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:23:47.698-05:00", + "type": [ + "connection" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall" + } + }, + { + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T14:16:42.000-03:00", + "related": { + "user": [ + "elasticadmin" + ], + "ip": [ + "192.168.1.1" + ] + }, + "log": { + "level": "notice" + }, + "fortinet": { + "firewall": { + "server": "FSSO_somefssoserver", + "action": "FSSO-logoff", + "type": "event", + "subtype": "user", + "vd": "root" + } + }, + "rule": { + "description": "FSSO log off authentication status" + }, + "source": { + "user": { + "name": "elasticadmin" + }, + "ip": "192.168.1.1" + }, + "event": { + "ingested": "2020-12-03T04:21:52.391560500Z", + "code": "0102043015", + "timezone": "-0300", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T14:16:44.674-03:00", + "type": [ + "user", + "end" + ], + "category": [ + "authentication" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + }, + "message": "FSSO-logoff event from FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1" + }, + { + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:16:02.000-05:00", + "log": { + "level": "notice" + }, + "fortinet": { + "firewall": { + "server": "9.9.9.9", + "action": "connect", + 
"type": "event", + "subtype": "system", + "vd": "root" + } + }, + "rule": { + "description": "FortiCloud server connected" + }, + "event": { + "ingested": "2020-12-03T04:21:52.391571600Z", + "code": "0100022915", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:16:03.121-05:00", + "dataset": "fortinet.firewall" + }, + "message": "FortiCloud 9.9.9.9 server is connected" + }, + { + "observer": { + "name": "testswitch3", + "product": "Fortigate", + "serial_number": "someotherrouteridagain", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-04-23T12:16:02.000-05:00", + "log": { + "level": "notice" + }, + "fortinet": { + "firewall": { + "server": "4.4.4.4", + "reason": "connection reset", + "action": "disconnect", + "type": "event", + "subtype": "system", + "vd": "root" + } + }, + "rule": { + "description": "FortiCloud server disconnected" + }, + "event": { + "ingested": "2020-12-03T04:21:52.391633400Z", + "code": "0100022913", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:16:03.375-05:00", + "dataset": "fortinet.firewall" + }, + "message": "FortiCloud 4.4.4.4 server is disconnected" + }, + { + "log": { + "level": "warning" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "ip": "8.8.8.8" + }, + "rule": { + "ruleset": "policy", + "name": "elasticnewruleset", + "id": "26", + "category": "unscanned", + "uuid": "2345de-b143-52134d8-6654f-4654sdfg16f431" + }, + "source": { + "port": 53438, + "ip": "192.168.1.6" + }, + "network": { + "protocol": "dns", + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "newfirewall", + 
"serial_number": "newrouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:14:09.000-05:00", + "related": { + "ip": [ + "192.168.1.6", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "srccountry": "Reserved", + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "forward", + "crlevel": "low", + "crscore": "5", + "action": "dns", + "sessionid": "435234", + "type": "traffic", + "dstcountry": "Netherlands", + "vd": "root", + "craction": "54144" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391644600Z", + "code": "0000000011", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:14:09.761-05:00", + "action": "dns", + "category": [ + "network" + ], + "type": [ + "connection", + "end", + "allowed" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 40386, + "organization": { + "name": "Bloomip Inc." 
+ } + }, + "port": 6000, + "bytes": 65446, + "packets": 1045601, + "ip": "8.6.4.7" + }, + "rule": { + "ruleset": "policy", + "name": "newruleelastic", + "id": "3426", + "category": "unknown", + "uuid": "1765de8-5a13-765da73fdsfa1c" + }, + "source": { + "nat": { + "port": 60964, + "ip": "123.123.123.123" + }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-BJ", + "city_name": "Beijing", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Beijing", + "location": { + "lon": 116.3889, + "lat": 39.9288 + } + }, + "as": { + "number": 4808, + "organization": { + "name": "China Unicom Beijing Province Network" + } + }, + "port": 6000, + "bytes": 438650, + "ip": "192.168.10.10", + "packets": 723417 + }, + "network": { + "protocol": "portname", + "bytes": 504096, + "iana_number": "17", + "packets": 1769018 + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "newfirewall", + "serial_number": "newrouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:11:51.000-05:00", + "related": { + "ip": [ + "192.168.10.10", + "8.6.4.7" + ] + }, + "fortinet": { + "firewall": { + "srcintfrole": "lan", + "sentdelta": "576", + "applist": "policylist", + "sessionid": "4352", + "type": "traffic", + "vd": "root", + "srccountry": "Reserved", + "vwlid": "0", + "dstintfrole": "wan", + "subtype": "forward", + "action": "accept", + "rcvddelta": "728", + "trandisp": "snat", + "dstcountry": "Netherlands" + } + }, + "event": { + "duration": 5462000000000, + "ingested": "2020-12-03T04:21:52.391654600Z", + "code": "0000000020", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:11:51.390-05:00", + "action": "accept", + "category": [ + "network" + ], + "type": [ + "connection", + "end", + "allowed" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + 
"log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "bytes": 20, + "packets": 0, + "ip": "2001:4860:4860::8888" + }, + "rule": { + "ruleset": "someotherpolicy", + "category": "unscanned", + "id": "0" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "bytes": 3014, + "packets": 4, + "ip": "2001:4860:4860::8888" + }, + "network": { + "protocol": "icmp6/1/0", + "application": "icmp6/25/0", + "bytes": 3034, + "iana_number": "58", + "packets": 4 + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "newfirewall", + "serial_number": "newrouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "unknown0" + } + } + }, + "@timestamp": "2020-04-23T12:11:48.000-05:00", + "related": { + "ip": [ + "2001:4860:4860::8888", + "2001:4860:4860::8888" + ] + }, + "fortinet": { + "firewall": { + "identifier": "0", + "dstintfrole": "undefined", + "srcintfrole": "lan", + "subtype": "local", + "action": "accept", + "sessionid": "6542345", + "type": "traffic", + "trandisp": "noop", + "vd": "root" + } + }, + "event": { + "duration": 42000000000, + "ingested": "2020-12-03T04:21:52.391665500Z", + "code": "0001000014", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:11:48.751-05:00", + "action": "accept", + "category": [ + "network" + ], + "type": [ + "connection", + "end", + "protocol", + "allowed" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": 
{ + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "bytes": 10, + "packets": 40, + "ip": "8.8.8.8" + }, + "rule": { + "ruleset": "rulepolicy", + "category": "unscanned", + "id": "0" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "bytes": 0, + "packets": 0, + "ip": "9.7.7.7" + }, + "network": { + "protocol": "ping", + "application": "PING", + "bytes": 10, + "iana_number": "1", + "packets": 40 + }, + "observer": { + "ingress": { + "interface": { + "name": "wan1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "newfirewall", + "serial_number": "newrouterid", + "type": "firewall", + "egress": { + "interface": { + "name": "unknown0" + } + } + }, + "@timestamp": "2020-04-23T13:10:57.000-04:00", + "related": { + "ip": [ + "9.7.7.7", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "srccountry": "Netherlands", + "identifier": "61", + "dstintfrole": "undefined", + "srcintfrole": "wan", + "subtype": "local", + "action": "accept", + "sessionid": "123", + "type": "traffic", + "trandisp": "noop", + "dstcountry": "Norway", + "vd": "root" + } + }, + "event": { + "duration": 20000000000, + "ingested": "2020-12-03T04:21:52.391695800Z", + "code": "0001000014", + "timezone": "-0400", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T13:10:57.509-04:00", + "action": "accept", + "category": [ + "network" + ], + "type": [ + "connection", + "end", + "protocol", + "allowed" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "port": 1235, + "ip": "192.168.100.100" + }, + "rule": { + 
"ruleset": "policy", + "name": "oldpolicyname", + "id": "49", + "category": "unscanned", + "uuid": "654cc-b6542-53467u8-e45234-1566casd35f7836" + }, + "source": { + "port": 62493, + "user": { + "name": "elasticsuper" + }, + "ip": "192.168.1.1" + }, + "network": { + "protocol": "udp/12302", + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "firewall3", + "serial_number": "oldfwid", + "type": "firewall", + "egress": { + "interface": { + "name": "newinterface" + } + } + }, + "@timestamp": "2020-04-23T12:14:39.000-05:00", + "related": { + "user": [ + "elasticsuper" + ], + "ip": [ + "192.168.1.1", + "192.168.100.100" + ] + }, + "fortinet": { + "firewall": { + "srcintfrole": "lan", + "authserver": "FSSO_newfsso", + "crlevel": "low", + "sessionid": "54234", + "type": "traffic", + "vd": "root", + "craction": "63332144", + "srccountry": "Reserved", + "dstintfrole": "undefined", + "subtype": "forward", + "crscore": "5", + "action": "ip-conn", + "dstcountry": "Reserved" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391699100Z", + "code": "0000000011", + "timezone": "-0500", + "kind": "event", + "module": "fortinet", + "start": "2020-04-18T12:14:39.841-05:00", + "action": "ip-conn", + "category": [ + "network" + ], + "type": [ + "connection", + "end", + "allowed" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 442, + "bytes": 77654, + "packets": 70, + "ip": "8.8.8.8" + }, + "rule": { + "ruleset": "policy", + "name": "someoldpolicyname", + "id": "2365", + "category": "Collaboration", + "uuid": 
"654644c-b064-fdgdf3425-f003-1234ghdf682e05f" + }, + "source": { + "nat": { + "port": 603, + "ip": "23.23.23.23" + }, + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "city_name": "Ashburn", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.4728, + "lat": 39.0481 + } + }, + "as": { + "number": 14618, + "organization": { + "name": "Amazon.com, Inc." + } + }, + "port": 56603, + "bytes": 923, + "ip": "192.168.50.50", + "user": { + "name": "elasticuser", + "group": { + "name": "testgroup" + } + }, + "packets": 113 + }, + "network": { + "protocol": "https", + "application": "Skype.Portals", + "bytes": 78577, + "iana_number": "6", + "packets": 183 + }, + "observer": { + "ingress": { + "interface": { + "name": "port1" + } + }, + "product": "Fortigate", + "vendor": "Fortinet", + "name": "firewall3", + "serial_number": "oldfwid", + "type": "firewall", + "egress": { + "interface": { + "name": "wan1" + } + } + }, + "@timestamp": "2020-04-23T12:14:28.000-05:00", + "related": { + "user": [ + "elasticuser" + ], + "ip": [ + "192.168.50.50", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "lanout": 146506, + "srcintfrole": "lan", + "authserver": "FSSO_something", + "applist": "someapplist", + "crlevel": "low", + "apprisk": "elevated", + "sessionid": "2345", + "type": "traffic", + "srccountry": "Reserved", + "vwlid": "4", + "subtype": "forward", + "crscore": "5", + "action": "close", + "trandisp": "snat", + "lanin": 1406, + "utmaction": "block", + "countapp": "1", + "vwlquality": "Seq_num(3), alive, selected", + "vd": "root", + "craction": "6144", + "dstintfrole": "wan", + "wanout": 6671, + "wanin": 1130, + "appact": "detected", + "countweb": "1", + "appid": "43540", + "dstcountry": "Netherlands" + } + }, + "event": { + "duration": 126000000000, + "ingested": "2020-12-03T04:21:52.391705600Z", + "code": "0000000013", + "timezone": "-0500", + "kind": "event", + "module": 
"fortinet", + "start": "2020-04-18T12:14:29.291-05:00", + "action": "close", + "category": [ + "network" + ], + "type": [ + "connection", + "end", + "protocol", + "denied" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "information" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "country_name": "France", + "location": { + "lon": 2.3387, + "lat": 48.8582 + }, + "country_iso_code": "FR" + }, + "as": { + "number": 41690, + "organization": { + "name": "Dailymotion S.A." + } + }, + "port": 443, + "ip": "195.8.215.136" + }, + "rule": { + "ruleset": "block-social.media", + "category": "Web-Client", + "id": "1" + }, + "source": { + "port": 50798, + "ip": "10.1.100.22" + }, + "message": "Web.Client: HTTPS.BROWSER,", + "url": { + "path": "/", + "domain": "www.dailymotion.com" + }, + "network": { + "protocol": "https", + "application": "HTTPS.BROWSER", + "iana_number": "6", + "direction": "outgoing" + }, + "observer": { + "ingress": { + "interface": { + "name": "port10" + } + }, + "product": "Fortigate", + "type": "firewall", + "vendor": "Fortinet", + "egress": { + "interface": { + "name": "port9" + } + } + }, + "@timestamp": "2019-05-15T18:03:36.000Z", + "related": { + "ip": [ + "10.1.100.22", + "195.8.215.136" + ] + }, + "fortinet": { + "firewall": { + "dstintfrole": "wan", + "srcintfrole": "lan", + "subtype": "app-ctrl", + "appid": "40568", + "action": "pass", + "apprisk": "medium", + "sessionid": "4414", + "type": "utm", + "vd": "root", + "incidentserialno": "1962906680" + } + }, + "tls": { + "server": { + "x509": { + "subject": { + "common_name": "*.dailymotion.com" + }, + "issuer": { + "common_name": "DigiCert SHA2 High Assurance Server CA" + } + }, + "issuer": "DigiCert SHA2 High Assurance Server CA" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391716900Z", + "code": "1059028704", + "kind": "event", + "module": "fortinet", + "start": "2019-05-16T01:03:35.000Z", + "action": "app-ctrl-all", 
+ "type": [ + "allowed" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + }, + { + "log": { + "level": "notice" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 500, + "ip": "8.8.8.8" + }, + "rule": { + "description": "Progress IPsec phase 1" + }, + "source": { + "port": 500, + "ip": "10.10.10.10" + }, + "message": "progress IPsec phase 1", + "network": { + "direction": "outbound" + }, + "observer": { + "name": "testfirewall", + "product": "Fortigate", + "serial_number": "newrouterid", + "type": "firewall", + "vendor": "Fortinet" + }, + "@timestamp": "2020-11-02T08:11:38.000Z", + "related": { + "ip": [ + "10.10.10.10", + "8.8.8.8" + ] + }, + "fortinet": { + "firewall": { + "init": "local", + "role": "initiator", + "xauthuser": "N/A", + "outintf": "port1", + "type": "event", + "cookies": "125cbf9ee8349965/0000000000000000", + "vpntunnel": "P1_Test", + "vd": "root", + "xauthgroup": "N/A", + "mode": "aggressive", + "result": "OK", + "stage": "1", + "subtype": "vpn", + "action": "negotiate", + "status": "success" + } + }, + "event": { + "ingested": "2020-12-03T04:21:52.391726300Z", + "code": "0101037127", + "kind": "event", + "module": "fortinet", + "type": [ + "connection" + ], + "category": [ + "network" + ], + "dataset": "fortinet.firewall", + "outcome": "success" + } + } + ] +} \ No newline at end of file diff --git a/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index aa468506f6d..b6d0e101568 100644 --- a/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml @@ -66,33 +66,33 @@ processors: field: fortinet.firewall.eventtime pattern: "\\d{6}$" replacement: "" - if: "(ctx.fortinet?.firewall?.eventtime).length() > 18" + if: "ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 18" - date: field: fortinet.firewall.eventtime target_field: event.start formats: - UNIX_MS timezone: "{{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11" + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11" - date: field: fortinet.firewall.eventtime target_field: event.start formats: - UNIX timezone: "{{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - date: field: fortinet.firewall.eventtime target_field: event.start formats: - UNIX_MS - if: "ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11" + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11" - date: field: fortinet.firewall.eventtime target_field: event.start formats: - UNIX - if: "ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - rename: field: fortinet.firewall.devname target_field: observer.name 
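Review bot: The four rewritten `if` conditions null-guard the same field in two styles inside one expression (`ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && ...`), while the gsub condition just above uses `ctx.fortinet?.firewall?.eventtime != null`. `ctx` itself is never null in an ingest script, so the `?.` after it adds nothing; normalizing all five conditions to `ctx.fortinet?.firewall?.eventtime != null && ...` keeps them consistent and easier to grep. The `.length()` call still assumes eventtime is a string; if it ever arrives as a number (from a non-grok input, not visible here) the script throws and the document falls to the pipeline-level on_failure, so a comment on the gsub processor such as `# eventtime is the grok-captured string; values longer than 18 digits are trimmed by 6 before parsing as UNIX_MS` would document the expectation.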
@@ -159,16 +159,18 @@ processors: if: "ctx.fortinet?.firewall?.tunnelip == 'N/A'" - remove: field: - - _temp - - message - - syslog5424_sd - - syslog5424_pri - - fortinet.firewall.tz - - fortinet.firewall.date - - fortinet.firewall.eventtime - - fortinet.firewall.time - - fortinet.firewall.duration - - host + - _temp.time + - _temp + - message + - syslog5424_sd + - syslog5424_pri + - fortinet.firewall.tz + - fortinet.firewall.date + - fortinet.firewall.devid + - fortinet.firewall.eventtime + - fortinet.firewall.time + - fortinet.firewall.duration + - host ignore_missing: true - pipeline: name: '{{ IngestPipeline "event" }}' @@ -179,6 +181,18 @@ processors: - pipeline: name: '{{ IngestPipeline "utm" }}' if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'" +- convert: + field: fortinet.firewall.quotamax + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.quotaused + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.size + type: long + ignore_missing: true on_failure: - set: field: error.message diff --git a/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml b/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml index aeebb2dcd82..424052b9300 100644 --- a/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml +++ b/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml 
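Review bot: `_temp.time` is listed immediately before `_temp` in the remove list; if `_temp.time` is a nested key under `_temp`, removing `_temp` already drops it and the extra entry is redundant, whereas if it is a literal dotted key written by a script elsewhere in the pipeline (not visible here) the list needs a comment saying so, e.g. `# _temp.time is a flat dotted key, not nested under _temp, so it is removed separately`. Note also that `message` is removed together with the temporaries, so the raw syslog line is not retained unless an `event.original` copy is made earlier in the pipeline — worth confirming for audit and forensic use cases.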
@@ -311,6 +311,34 @@ processors: field: related.user value: "{{source.user.name}}" if: "ctx.source?.user?.name != null" +- convert: + field: fortinet.firewall.disklograte + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.fazlograte + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.setuprate + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.auditid + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.audittime + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.scantime + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.setuprate + type: long + ignore_missing: true - remove: field: - fortinet.firewall.dstport @@ -325,4 +353,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml b/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml index 590e662ff3e..8b728a31057 100644 --- a/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml +++ b/packages/fortinet/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml @@ -297,6 +297,22 @@ processors: field: related.user value: "{{destination.user.name}}" if: "ctx.destination?.user?.name != null" +- convert: + field: fortinet.firewall.wanin + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.wanout + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.lanin + type: long + ignore_missing: true +- convert: + field: fortinet.firewall.lanout + type: long + ignore_missing: true - remove: field: - fortinet.firewall.dstport 
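Review bot: `fortinet.firewall.setuprate` is converted twice in this hunk, once as the third new processor and again as the last one; the second `convert` is a no-op on an already-long value but it is dead configuration and the trailing `- convert: field: fortinet.firewall.setuprate` block should be dropped. None of the new converts carries a per-processor `on_failure`, so a non-numeric value aborts to the pipeline-level handler and skips the `remove` of `fortinet.firewall.dstport` that follows the hunk; if that is intentional a short comment above the converts would make it explicit.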
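Review bot: The four new `convert` processors for `wanin`/`wanout`/`lanin`/`lanout` rely on the pipeline-level `on_failure` for non-numeric input, and the default pipeline already treats a literal `N/A` as a sentinel for `tunnelip`. If the same sentinel can appear on these byte counters, the convert throws, the document is tagged with `error.message`, and the `remove` that follows in traffic.yml is skipped. Either add `ignore_failure: true` to each convert or guard them, e.g. `if: "ctx.fortinet?.firewall?.wanin != 'N/A'"`, so a single bad counter does not abort normalization of the whole event.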
@@ -311,4 +327,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}'