diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 511551bffdb..95560bfc652 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -357,6 +357,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings in misp module. {issue}16026[16026] {pull}17344[17344]
 - Enhance `elasticsearch/deprecation` fileset to handle ECS-compatible logs emitted by Elasticsearch. {issue}17715[17715] {pull}17728[17728]
 - Make `decode_cef` processor GA. {pull}17944[17944]
+- Added new Fortigate Syslog filebeat module. {pull}17890[17890]
 - Improve ECS categorization field mappings in redis module. {issue}16179[16179] {pull}17918[17918]
 - Improve ECS categorization field mappings in rabbitmq module. {issue}16178[16178] {pull}17916[17916]
 - Improve ECS categorization field mappings in postgresql module. {issue}16177[16177] {pull}17914[17914]
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 34d6b83ab7b..e5d006e2614 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -29,6 +29,7 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -18227,6 +18228,4327 @@ type: keyword -- +[[exported-fields-fortinet]] +== Fortinet fields + +fortinet Module + + + +[float] +=== fortinet + +Fields from fortinet FortiOS + + + +*`fortinet.file.hash.crc32`*:: ++ +-- +CRC32 Hash of file + + +type: keyword + +-- + +[float] +=== firewall + +Module for parsing Fortinet syslog. + + + +*`fortinet.firewall.acct_stat`*:: ++ +-- +Accounting state (RADIUS) + + +type: keyword + +-- + +*`fortinet.firewall.acktime`*:: ++ +-- +Alarm Acknowledge Time + + +type: keyword + +-- + +*`fortinet.firewall.act`*:: ++ +-- +Action + + +type: keyword + +-- + +*`fortinet.firewall.action`*:: ++ +-- +Status of the session + + +type: keyword + +-- + +*`fortinet.firewall.activity`*:: ++ +-- +HA activity message + + +type: keyword + +-- + +*`fortinet.firewall.addr`*:: ++ +-- +IP Address + + +type: ip + +-- + +*`fortinet.firewall.addr_type`*:: ++ +-- +Address Type + + +type: keyword + +-- + +*`fortinet.firewall.addrgrp`*:: ++ +-- +Address Group + + +type: keyword + +-- + +*`fortinet.firewall.adgroup`*:: ++ +-- +AD Group Name + + +type: keyword + +-- + +*`fortinet.firewall.admin`*:: ++ +-- +Admin User + + +type: keyword + +-- + +*`fortinet.firewall.age`*:: ++ +-- +Time in seconds - time passed since last seen + + +type: integer + +-- + +*`fortinet.firewall.agent`*:: ++ +-- +User agent - eg. 
agent="Mozilla/5.0" + + +type: keyword + +-- + +*`fortinet.firewall.alarmid`*:: ++ +-- +Alarm ID + + +type: integer + +-- + +*`fortinet.firewall.alert`*:: ++ +-- +Alert + + +type: keyword + +-- + +*`fortinet.firewall.analyticscksum`*:: ++ +-- +The checksum of the file submitted for analytics + + +type: keyword + +-- + +*`fortinet.firewall.analyticssubmit`*:: ++ +-- +The flag for analytics submission + + +type: keyword + +-- + +*`fortinet.firewall.ap`*:: ++ +-- +Access Point + + +type: keyword + +-- + +*`fortinet.firewall.app-type`*:: ++ +-- +Address Type + + +type: keyword + +-- + +*`fortinet.firewall.appact`*:: ++ +-- +The security action from app control + + +type: keyword + +-- + +*`fortinet.firewall.appid`*:: ++ +-- +Application ID + + +type: integer + +-- + +*`fortinet.firewall.applist`*:: ++ +-- +Application Control profile + + +type: keyword + +-- + +*`fortinet.firewall.apprisk`*:: ++ +-- +Application Risk Level + + +type: keyword + +-- + +*`fortinet.firewall.apscan`*:: ++ +-- +The name of the AP, which scanned and detected the rogue AP + + +type: keyword + +-- + +*`fortinet.firewall.apsn`*:: ++ +-- +Access Point + + +type: keyword + +-- + +*`fortinet.firewall.apstatus`*:: ++ +-- +Access Point status + + +type: keyword + +-- + +*`fortinet.firewall.aptype`*:: ++ +-- +Access Point type + + +type: keyword + +-- + +*`fortinet.firewall.assigned`*:: ++ +-- +Assigned IP Address + + +type: ip + +-- + +*`fortinet.firewall.assignip`*:: ++ +-- +Assigned IP Address + + +type: ip + +-- + +*`fortinet.firewall.attachment`*:: ++ +-- +The flag for email attachement + + +type: keyword + +-- + +*`fortinet.firewall.attack`*:: ++ +-- +Attack Name + + +type: keyword + +-- + +*`fortinet.firewall.attackcontext`*:: ++ +-- +The trigger patterns and the packetdata with base64 encoding + + +type: keyword + +-- + +*`fortinet.firewall.attackcontextid`*:: ++ +-- +Attack context id / total + + +type: keyword + +-- + +*`fortinet.firewall.attackid`*:: ++ +-- +Attack ID + + +type: integer + 
+-- + +*`fortinet.firewall.auditid`*:: ++ +-- +Audit ID + + +type: long + +-- + +*`fortinet.firewall.auditscore`*:: ++ +-- +The Audit Score + + +type: keyword + +-- + +*`fortinet.firewall.audittime`*:: ++ +-- +The time of the audit + + +type: long + +-- + +*`fortinet.firewall.authgrp`*:: ++ +-- +Authorization Group + + +type: keyword + +-- + +*`fortinet.firewall.authid`*:: ++ +-- +Authentication ID + + +type: keyword + +-- + +*`fortinet.firewall.authproto`*:: ++ +-- +The protocol that initiated the authentication + + +type: keyword + +-- + +*`fortinet.firewall.authserver`*:: ++ +-- +Authentication server + + +type: keyword + +-- + +*`fortinet.firewall.bandwidth`*:: ++ +-- +Bandwidth + + +type: keyword + +-- + +*`fortinet.firewall.banned_rule`*:: ++ +-- +NAC quarantine Banned Rule Name + + +type: keyword + +-- + +*`fortinet.firewall.banned_src`*:: ++ +-- +NAC quarantine Banned Source IP + + +type: keyword + +-- + +*`fortinet.firewall.banword`*:: ++ +-- +Banned word + + +type: keyword + +-- + +*`fortinet.firewall.botnetdomain`*:: ++ +-- +Botnet Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.botnetip`*:: ++ +-- +Botnet IP Address + + +type: ip + +-- + +*`fortinet.firewall.bssid`*:: ++ +-- +Service Set ID + + +type: keyword + +-- + +*`fortinet.firewall.call_id`*:: ++ +-- +Caller ID + + +type: keyword + +-- + +*`fortinet.firewall.carrier_ep`*:: ++ +-- +The FortiOS Carrier end-point identification + + +type: keyword + +-- + +*`fortinet.firewall.cat`*:: ++ +-- +DNS category ID + + +type: integer + +-- + +*`fortinet.firewall.category`*:: ++ +-- +Authentication category + + +type: keyword + +-- + +*`fortinet.firewall.cc`*:: ++ +-- +CC Email Address + + +type: keyword + +-- + +*`fortinet.firewall.cdrcontent`*:: ++ +-- +Cdrcontent + + +type: keyword + +-- + +*`fortinet.firewall.centralnatid`*:: ++ +-- +Central NAT ID + + +type: integer + +-- + +*`fortinet.firewall.cert`*:: ++ +-- +Certificate + + +type: keyword + +-- + +*`fortinet.firewall.cert-type`*:: ++ +-- 
+Certificate type + + +type: keyword + +-- + +*`fortinet.firewall.certhash`*:: ++ +-- +Certificate hash + + +type: keyword + +-- + +*`fortinet.firewall.cfgattr`*:: ++ +-- +Configuration attribute + + +type: keyword + +-- + +*`fortinet.firewall.cfgobj`*:: ++ +-- +Configuration object + + +type: keyword + +-- + +*`fortinet.firewall.cfgpath`*:: ++ +-- +Configuration path + + +type: keyword + +-- + +*`fortinet.firewall.cfgtid`*:: ++ +-- +Configuration transaction ID + + +type: keyword + +-- + +*`fortinet.firewall.cfgtxpower`*:: ++ +-- +Configuration TX power + + +type: integer + +-- + +*`fortinet.firewall.channel`*:: ++ +-- +Wireless Channel + + +type: integer + +-- + +*`fortinet.firewall.channeltype`*:: ++ +-- +SSH channel type + + +type: keyword + +-- + +*`fortinet.firewall.chassisid`*:: ++ +-- +Chassis ID + + +type: integer + +-- + +*`fortinet.firewall.checksum`*:: ++ +-- +The checksum of the scanned file + + +type: keyword + +-- + +*`fortinet.firewall.chgheaders`*:: ++ +-- +HTTP Headers + + +type: keyword + +-- + +*`fortinet.firewall.cldobjid`*:: ++ +-- +Connector object ID + + +type: keyword + +-- + +*`fortinet.firewall.client_addr`*:: ++ +-- +Wifi client address + + +type: keyword + +-- + +*`fortinet.firewall.cloudaction`*:: ++ +-- +Cloud Action + + +type: keyword + +-- + +*`fortinet.firewall.clouduser`*:: ++ +-- +Cloud User + + +type: keyword + +-- + +*`fortinet.firewall.column`*:: ++ +-- +VOIP Column + + +type: integer + +-- + +*`fortinet.firewall.command`*:: ++ +-- +CLI Command + + +type: keyword + +-- + +*`fortinet.firewall.community`*:: ++ +-- +SNMP Community + + +type: keyword + +-- + +*`fortinet.firewall.configcountry`*:: ++ +-- +Configuration country + + +type: keyword + +-- + +*`fortinet.firewall.connection_type`*:: ++ +-- +FortiClient Connection Type + + +type: keyword + +-- + +*`fortinet.firewall.conserve`*:: ++ +-- +Flag for conserve mode + + +type: keyword + +-- + +*`fortinet.firewall.constraint`*:: ++ +-- +WAF http protocol restrictions + + +type: 
keyword + +-- + +*`fortinet.firewall.contentdisarmed`*:: ++ +-- +Email scanned content + + +type: keyword + +-- + +*`fortinet.firewall.contenttype`*:: ++ +-- +Content Type from HTTP header + + +type: keyword + +-- + +*`fortinet.firewall.cookies`*:: ++ +-- +VPN Cookie + + +type: keyword + +-- + +*`fortinet.firewall.count`*:: ++ +-- +Counts of action type + + +type: integer + +-- + +*`fortinet.firewall.countapp`*:: ++ +-- +Number of App Ctrl logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countav`*:: ++ +-- +Number of AV logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countcifs`*:: ++ +-- +Number of CIFS logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countdlp`*:: ++ +-- +Number of DLP logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countdns`*:: ++ +-- +Number of DNS logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countemail`*:: ++ +-- +Number of email logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countff`*:: ++ +-- +Number of ff logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countips`*:: ++ +-- +Number of IPS logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countssh`*:: ++ +-- +Number of SSH logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countssl`*:: ++ +-- +Number of SSL logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countwaf`*:: ++ +-- +Number of WAF logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countweb`*:: ++ +-- +Number of Web filter logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.cpu`*:: ++ +-- +CPU Usage + + +type: integer + +-- + +*`fortinet.firewall.craction`*:: ++ +-- +Client Reputation Action + + +type: integer + +-- + +*`fortinet.firewall.criticalcount`*:: ++ 
+-- +Number of critical ratings + + +type: integer + +-- + +*`fortinet.firewall.crl`*:: ++ +-- +Client Reputation Level + + +type: keyword + +-- + +*`fortinet.firewall.crlevel`*:: ++ +-- +Client Reputation Level + + +type: keyword + +-- + +*`fortinet.firewall.crscore`*:: ++ +-- +Some description + + +type: integer + +-- + +*`fortinet.firewall.cveid`*:: ++ +-- +CVE ID + + +type: keyword + +-- + +*`fortinet.firewall.daemon`*:: ++ +-- +Daemon name + + +type: keyword + +-- + +*`fortinet.firewall.datarange`*:: ++ +-- +Data range for reports + + +type: keyword + +-- + +*`fortinet.firewall.date`*:: ++ +-- +Date + + +type: keyword + +-- + +*`fortinet.firewall.ddnsserver`*:: ++ +-- +DDNS server + + +type: ip + +-- + +*`fortinet.firewall.desc`*:: ++ +-- +Description + + +type: keyword + +-- + +*`fortinet.firewall.detectionmethod`*:: ++ +-- +Detection method + + +type: keyword + +-- + +*`fortinet.firewall.devcategory`*:: ++ +-- +Device category + + +type: keyword + +-- + +*`fortinet.firewall.devintfname`*:: ++ +-- +HA device Interface Name + + +type: keyword + +-- + +*`fortinet.firewall.devtype`*:: ++ +-- +Device type + + +type: keyword + +-- + +*`fortinet.firewall.dhcp_msg`*:: ++ +-- +DHCP Message + + +type: keyword + +-- + +*`fortinet.firewall.dintf`*:: ++ +-- +Destination interface + + +type: keyword + +-- + +*`fortinet.firewall.disk`*:: ++ +-- +Assosciated disk + + +type: keyword + +-- + +*`fortinet.firewall.disklograte`*:: ++ +-- +Disk logging rate + + +type: long + +-- + +*`fortinet.firewall.dlpextra`*:: ++ +-- +DLP extra information + + +type: keyword + +-- + +*`fortinet.firewall.docsource`*:: ++ +-- +DLP fingerprint document source + + +type: keyword + +-- + +*`fortinet.firewall.domainctrlauthstate`*:: ++ +-- +CIFS domain auth state + + +type: integer + +-- + +*`fortinet.firewall.domainctrlauthtype`*:: ++ +-- +CIFS domain auth type + + +type: integer + +-- + +*`fortinet.firewall.domainctrldomain`*:: ++ +-- +CIFS domain auth domain + + +type: keyword + +-- + 
+*`fortinet.firewall.domainctrlip`*:: ++ +-- +CIFS Domain IP + + +type: ip + +-- + +*`fortinet.firewall.domainctrlname`*:: ++ +-- +CIFS Domain name + + +type: keyword + +-- + +*`fortinet.firewall.domainctrlprotocoltype`*:: ++ +-- +CIFS Domain connection protocol + + +type: integer + +-- + +*`fortinet.firewall.domainctrlusername`*:: ++ +-- +CIFS Domain username + + +type: keyword + +-- + +*`fortinet.firewall.domainfilteridx`*:: ++ +-- +Domain filter ID + + +type: integer + +-- + +*`fortinet.firewall.domainfilterlist`*:: ++ +-- +Domain filter name + + +type: keyword + +-- + +*`fortinet.firewall.ds`*:: ++ +-- +Direction with distribution system + + +type: keyword + +-- + +*`fortinet.firewall.dst_int`*:: ++ +-- +Destination interface + + +type: keyword + +-- + +*`fortinet.firewall.dstintfrole`*:: ++ +-- +Destination interface role + + +type: keyword + +-- + +*`fortinet.firewall.dstcountry`*:: ++ +-- +Destination country + + +type: keyword + +-- + +*`fortinet.firewall.dstdevcategory`*:: ++ +-- +Destination device category + + +type: keyword + +-- + +*`fortinet.firewall.dstdevtype`*:: ++ +-- +Destination device type + + +type: keyword + +-- + +*`fortinet.firewall.dstfamily`*:: ++ +-- +Destination OS family + + +type: keyword + +-- + +*`fortinet.firewall.dsthwvendor`*:: ++ +-- +Destination HW vendor + + +type: keyword + +-- + +*`fortinet.firewall.dsthwversion`*:: ++ +-- +Destination HW version + + +type: keyword + +-- + +*`fortinet.firewall.dstinetsvc`*:: ++ +-- +Destination interface service + + +type: keyword + +-- + +*`fortinet.firewall.dstosname`*:: ++ +-- +Destination OS name + + +type: keyword + +-- + +*`fortinet.firewall.dstosversion`*:: ++ +-- +Destination OS version + + +type: keyword + +-- + +*`fortinet.firewall.dstserver`*:: ++ +-- +Destination server + + +type: integer + +-- + +*`fortinet.firewall.dstssid`*:: ++ +-- +Destination SSID + + +type: keyword + +-- + +*`fortinet.firewall.dstswversion`*:: ++ +-- +Destination software version + + +type: keyword + +-- + 
+*`fortinet.firewall.dstunauthusersource`*:: ++ +-- +Destination unauthenticated source + + +type: keyword + +-- + +*`fortinet.firewall.dstuuid`*:: ++ +-- +UUID of the Destination IP address + + +type: keyword + +-- + +*`fortinet.firewall.duid`*:: ++ +-- +DHCP UID + + +type: keyword + +-- + +*`fortinet.firewall.eapolcnt`*:: ++ +-- +EAPOL packet count + + +type: integer + +-- + +*`fortinet.firewall.eapoltype`*:: ++ +-- +EAPOL packet type + + +type: keyword + +-- + +*`fortinet.firewall.encrypt`*:: ++ +-- +Whether the packet is encrypted or not + + +type: integer + +-- + +*`fortinet.firewall.encryption`*:: ++ +-- +Encryption method + + +type: keyword + +-- + +*`fortinet.firewall.epoch`*:: ++ +-- +Epoch used for locating file + + +type: integer + +-- + +*`fortinet.firewall.espauth`*:: ++ +-- +ESP Authentication + + +type: keyword + +-- + +*`fortinet.firewall.esptransform`*:: ++ +-- +ESP Transform + + +type: keyword + +-- + +*`fortinet.firewall.exch`*:: ++ +-- +Mail Exchanges from DNS response answer section + + +type: keyword + +-- + +*`fortinet.firewall.exchange`*:: ++ +-- +Mail Exchanges from DNS response answer section + + +type: keyword + +-- + +*`fortinet.firewall.expectedsignature`*:: ++ +-- +Expected SSL signature + + +type: keyword + +-- + +*`fortinet.firewall.expiry`*:: ++ +-- +FortiGuard override expiry timestamp + + +type: keyword + +-- + +*`fortinet.firewall.fams_pause`*:: ++ +-- +Fortinet Analysis and Management Service Pause + + +type: integer + +-- + +*`fortinet.firewall.fazlograte`*:: ++ +-- +FortiAnalyzer Logging Rate + + +type: long + +-- + +*`fortinet.firewall.fctemssn`*:: ++ +-- +FortiClient Endpoint SSN + + +type: keyword + +-- + +*`fortinet.firewall.fctuid`*:: ++ +-- +FortiClient UID + + +type: keyword + +-- + +*`fortinet.firewall.field`*:: ++ +-- +NTP status field + + +type: keyword + +-- + +*`fortinet.firewall.filefilter`*:: ++ +-- +The filter used to identify the affected file + + +type: keyword + +-- + +*`fortinet.firewall.filehashsrc`*:: ++ 
+-- +Filehash source + + +type: keyword + +-- + +*`fortinet.firewall.filtercat`*:: ++ +-- +DLP filter category + + +type: keyword + +-- + +*`fortinet.firewall.filteridx`*:: ++ +-- +DLP filter ID + + +type: integer + +-- + +*`fortinet.firewall.filtername`*:: ++ +-- +DLP rule name + + +type: keyword + +-- + +*`fortinet.firewall.filtertype`*:: ++ +-- +DLP filter type + + +type: keyword + +-- + +*`fortinet.firewall.fortiguardresp`*:: ++ +-- +Antispam ESP value + + +type: keyword + +-- + +*`fortinet.firewall.forwardedfor`*:: ++ +-- +Email address forwarded + + +type: keyword + +-- + +*`fortinet.firewall.fqdn`*:: ++ +-- +FQDN + + +type: keyword + +-- + +*`fortinet.firewall.frametype`*:: ++ +-- +Wireless frametype + + +type: keyword + +-- + +*`fortinet.firewall.freediskstorage`*:: ++ +-- +Free disk integer + + +type: integer + +-- + +*`fortinet.firewall.from`*:: ++ +-- +From email address + + +type: keyword + +-- + +*`fortinet.firewall.from_vcluster`*:: ++ +-- +Source virtual cluster number + + +type: integer + +-- + +*`fortinet.firewall.fsaverdict`*:: ++ +-- +FSA verdict + + +type: keyword + +-- + +*`fortinet.firewall.fwserver_name`*:: ++ +-- +Web proxy server name + + +type: keyword + +-- + +*`fortinet.firewall.gateway`*:: ++ +-- +Gateway ip address for PPPoE status report + + +type: ip + +-- + +*`fortinet.firewall.green`*:: ++ +-- +Memory status + + +type: keyword + +-- + +*`fortinet.firewall.groupid`*:: ++ +-- +User Group ID + + +type: integer + +-- + +*`fortinet.firewall.ha-prio`*:: ++ +-- +HA Priority + + +type: integer + +-- + +*`fortinet.firewall.ha_group`*:: ++ +-- +HA Group + + +type: keyword + +-- + +*`fortinet.firewall.ha_role`*:: ++ +-- +HA Role + + +type: keyword + +-- + +*`fortinet.firewall.handshake`*:: ++ +-- +SSL Handshake + + +type: keyword + +-- + +*`fortinet.firewall.hash`*:: ++ +-- +Hash value of downloaded file + + +type: keyword + +-- + +*`fortinet.firewall.hbdn_reason`*:: ++ +-- +Heartbeat down reason + + +type: keyword + +-- + 
+*`fortinet.firewall.highcount`*:: ++ +-- +Highcount fabric summary + + +type: integer + +-- + +*`fortinet.firewall.host`*:: ++ +-- +Hostname + + +type: keyword + +-- + +*`fortinet.firewall.iaid`*:: ++ +-- +DHCPv6 id + + +type: keyword + +-- + +*`fortinet.firewall.icmpcode`*:: ++ +-- +Destination Port of the ICMP message + + +type: keyword + +-- + +*`fortinet.firewall.icmpid`*:: ++ +-- +Source port of the ICMP message + + +type: keyword + +-- + +*`fortinet.firewall.icmptype`*:: ++ +-- +The type of ICMP message + + +type: keyword + +-- + +*`fortinet.firewall.identifier`*:: ++ +-- +Network traffic identifier + + +type: integer + +-- + +*`fortinet.firewall.in_spi`*:: ++ +-- +IPSEC inbound SPI + + +type: keyword + +-- + +*`fortinet.firewall.incidentserialno`*:: ++ +-- +Incident serial number + + +type: integer + +-- + +*`fortinet.firewall.infected`*:: ++ +-- +Infected MMS + + +type: integer + +-- + +*`fortinet.firewall.infectedfilelevel`*:: ++ +-- +DLP infected file level + + +type: integer + +-- + +*`fortinet.firewall.informationsource`*:: ++ +-- +Information source + + +type: keyword + +-- + +*`fortinet.firewall.init`*:: ++ +-- +IPSEC init stage + + +type: keyword + +-- + +*`fortinet.firewall.initiator`*:: ++ +-- +Original login user name for Fortiguard override + + +type: keyword + +-- + +*`fortinet.firewall.interface`*:: ++ +-- +Related interface + + +type: keyword + +-- + +*`fortinet.firewall.intf`*:: ++ +-- +Related interface + + +type: keyword + +-- + +*`fortinet.firewall.invalidmac`*:: ++ +-- +The MAC address with invalid OUI + + +type: keyword + +-- + +*`fortinet.firewall.ip`*:: ++ +-- +Related IP + + +type: ip + +-- + +*`fortinet.firewall.iptype`*:: ++ +-- +Related IP type + + +type: keyword + +-- + +*`fortinet.firewall.keyword`*:: ++ +-- +Keyword used for search + + +type: keyword + +-- + +*`fortinet.firewall.kind`*:: ++ +-- +VOIP kind + + +type: keyword + +-- + +*`fortinet.firewall.lanin`*:: ++ +-- +LAN incoming traffic in bytes + + +type: long + +-- + 
+*`fortinet.firewall.lanout`*:: ++ +-- +LAN outbound traffic in bytes + + +type: long + +-- + +*`fortinet.firewall.lease`*:: ++ +-- +DHCP lease + + +type: integer + +-- + +*`fortinet.firewall.license_limit`*:: ++ +-- +Maximum Number of FortiClients for the License + + +type: keyword + +-- + +*`fortinet.firewall.limit`*:: ++ +-- +Virtual Domain Resource Limit + + +type: integer + +-- + +*`fortinet.firewall.line`*:: ++ +-- +VOIP line + + +type: keyword + +-- + +*`fortinet.firewall.live`*:: ++ +-- +Time in seconds + + +type: integer + +-- + +*`fortinet.firewall.local`*:: ++ +-- +Local IP for a PPPD Connection + + +type: ip + +-- + +*`fortinet.firewall.log`*:: ++ +-- +Log message + + +type: keyword + +-- + +*`fortinet.firewall.login`*:: ++ +-- +SSH login + + +type: keyword + +-- + +*`fortinet.firewall.lowcount`*:: ++ +-- +Fabric lowcount + + +type: integer + +-- + +*`fortinet.firewall.mac`*:: ++ +-- +DHCP mac address + + +type: keyword + +-- + +*`fortinet.firewall.malform_data`*:: ++ +-- +VOIP malformed data + + +type: integer + +-- + +*`fortinet.firewall.malform_desc`*:: ++ +-- +VOIP malformed data description + + +type: keyword + +-- + +*`fortinet.firewall.manuf`*:: ++ +-- +Manufacturer name + + +type: keyword + +-- + +*`fortinet.firewall.masterdstmac`*:: ++ +-- +Master mac address for a host with multiple network interfaces + + +type: keyword + +-- + +*`fortinet.firewall.mastersrcmac`*:: ++ +-- +The master MAC address for a host that has multiple network interfaces + + +type: keyword + +-- + +*`fortinet.firewall.mediumcount`*:: ++ +-- +Fabric medium count + + +type: integer + +-- + +*`fortinet.firewall.mem`*:: ++ +-- +Memory usage system statistics + + +type: keyword + +-- + +*`fortinet.firewall.meshmode`*:: ++ +-- +Wireless mesh mode + + +type: keyword + +-- + +*`fortinet.firewall.message_type`*:: ++ +-- +VOIP message type + + +type: keyword + +-- + +*`fortinet.firewall.method`*:: ++ +-- +HTTP method + + +type: keyword + +-- + +*`fortinet.firewall.mgmtcnt`*:: ++ 
+-- +The number of unauthorized client flooding managemet frames + + +type: integer + +-- + +*`fortinet.firewall.mode`*:: ++ +-- +IPSEC mode + + +type: keyword + +-- + +*`fortinet.firewall.module`*:: ++ +-- +PCI-DSS module + + +type: keyword + +-- + +*`fortinet.firewall.monitor-name`*:: ++ +-- +Health Monitor Name + + +type: keyword + +-- + +*`fortinet.firewall.monitor-type`*:: ++ +-- +Health Monitor Type + + +type: keyword + +-- + +*`fortinet.firewall.mpsk`*:: ++ +-- +Wireless MPSK + + +type: keyword + +-- + +*`fortinet.firewall.msgproto`*:: ++ +-- +Message Protocol Number + + +type: keyword + +-- + +*`fortinet.firewall.mtu`*:: ++ +-- +Max Transmission Unit Value + + +type: integer + +-- + +*`fortinet.firewall.name`*:: ++ +-- +Name + + +type: keyword + +-- + +*`fortinet.firewall.nat`*:: ++ +-- +NAT IP Address + + +type: keyword + +-- + +*`fortinet.firewall.netid`*:: ++ +-- +Connector NetID + + +type: keyword + +-- + +*`fortinet.firewall.new_status`*:: ++ +-- +New status on user change + + +type: keyword + +-- + +*`fortinet.firewall.new_value`*:: ++ +-- +New Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.newchannel`*:: ++ +-- +New Channel Number + + +type: integer + +-- + +*`fortinet.firewall.newchassisid`*:: ++ +-- +New Chassis ID + + +type: integer + +-- + +*`fortinet.firewall.newslot`*:: ++ +-- +New Slot Number + + +type: integer + +-- + +*`fortinet.firewall.nextstat`*:: ++ +-- +Time interval in seconds for the next statistics. 
+ + +type: integer + +-- + +*`fortinet.firewall.nf_type`*:: ++ +-- +Notification Type + + +type: keyword + +-- + +*`fortinet.firewall.noise`*:: ++ +-- +Wifi Noise + + +type: integer + +-- + +*`fortinet.firewall.old_status`*:: ++ +-- +Original Status + + +type: keyword + +-- + +*`fortinet.firewall.old_value`*:: ++ +-- +Original Virtual Domain name + + +type: keyword + +-- + +*`fortinet.firewall.oldchannel`*:: ++ +-- +Original channel + + +type: integer + +-- + +*`fortinet.firewall.oldchassisid`*:: ++ +-- +Original Chassis Number + + +type: integer + +-- + +*`fortinet.firewall.oldslot`*:: ++ +-- +Original Slot Number + + +type: integer + +-- + +*`fortinet.firewall.oldsn`*:: ++ +-- +Old Serial number + + +type: keyword + +-- + +*`fortinet.firewall.oldwprof`*:: ++ +-- +Old Web Filter Profile + + +type: keyword + +-- + +*`fortinet.firewall.onwire`*:: ++ +-- +A flag to indicate if the AP is onwire or not + + +type: keyword + +-- + +*`fortinet.firewall.opercountry`*:: ++ +-- +Operating Country + + +type: keyword + +-- + +*`fortinet.firewall.opertxpower`*:: ++ +-- +Operating TX power + + +type: integer + +-- + +*`fortinet.firewall.osname`*:: ++ +-- +Operating System name + + +type: keyword + +-- + +*`fortinet.firewall.osversion`*:: ++ +-- +Operating System version + + +type: keyword + +-- + +*`fortinet.firewall.out_spi`*:: ++ +-- +Out SPI + + +type: keyword + +-- + +*`fortinet.firewall.outintf`*:: ++ +-- +Out interface + + +type: keyword + +-- + +*`fortinet.firewall.passedcount`*:: ++ +-- +Fabric passed count + + +type: integer + +-- + +*`fortinet.firewall.passwd`*:: ++ +-- +Changed user password information + + +type: keyword + +-- + +*`fortinet.firewall.path`*:: ++ +-- +Path of looped configuration for security fabric + + +type: keyword + +-- + +*`fortinet.firewall.peer`*:: ++ +-- +WAN optimization peer + + +type: keyword + +-- + +*`fortinet.firewall.peer_notif`*:: ++ +-- +VPN peer notification + + +type: keyword + +-- + +*`fortinet.firewall.phase2_name`*:: ++ +-- +VPN 
phase2 name + + +type: keyword + +-- + +*`fortinet.firewall.phone`*:: ++ +-- +VOIP Phone + + +type: keyword + +-- + +*`fortinet.firewall.pid`*:: ++ +-- +Process ID + + +type: integer + +-- + +*`fortinet.firewall.policytype`*:: ++ +-- +Policy Type + + +type: keyword + +-- + +*`fortinet.firewall.poolname`*:: ++ +-- +IP Pool name + + +type: keyword + +-- + +*`fortinet.firewall.port`*:: ++ +-- +Log upload error port + + +type: integer + +-- + +*`fortinet.firewall.portbegin`*:: ++ +-- +IP Pool port number to begin + + +type: integer + +-- + +*`fortinet.firewall.portend`*:: ++ +-- +IP Pool port number to end + + +type: integer + +-- + +*`fortinet.firewall.probeproto`*:: ++ +-- +Link Monitor Probe Protocol + + +type: keyword + +-- + +*`fortinet.firewall.process`*:: ++ +-- +URL Filter process + + +type: keyword + +-- + +*`fortinet.firewall.processtime`*:: ++ +-- +Process time for reports + + +type: integer + +-- + +*`fortinet.firewall.profile`*:: ++ +-- +Profile Name + + +type: keyword + +-- + +*`fortinet.firewall.profile_vd`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.profilegroup`*:: ++ +-- +Profile Group Name + + +type: keyword + +-- + +*`fortinet.firewall.profiletype`*:: ++ +-- +Profile Type + + +type: keyword + +-- + +*`fortinet.firewall.qtypeval`*:: ++ +-- +DNS question type value + + +type: integer + +-- + +*`fortinet.firewall.quarskip`*:: ++ +-- +Quarantine skip explanation + + +type: keyword + +-- + +*`fortinet.firewall.quotaexceeded`*:: ++ +-- +If quota has been exceeded + + +type: keyword + +-- + +*`fortinet.firewall.quotamax`*:: ++ +-- +Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + + +type: long + +-- + +*`fortinet.firewall.quotatype`*:: ++ +-- +Quota type + + +type: keyword + +-- + +*`fortinet.firewall.quotaused`*:: ++ +-- +Quota used - in seconds if time-based - in bytes if trafficbased) + + +type: long + +-- + +*`fortinet.firewall.radioband`*:: ++ +-- +Radio band + + +type: keyword + +-- + 
+*`fortinet.firewall.radioid`*:: ++ +-- +Radio ID + + +type: integer + +-- + +*`fortinet.firewall.radioidclosest`*:: ++ +-- +Radio ID on the AP closest the rogue AP + + +type: integer + +-- + +*`fortinet.firewall.radioiddetected`*:: ++ +-- +Radio ID on the AP which detected the rogue AP + + +type: integer + +-- + +*`fortinet.firewall.rate`*:: ++ +-- +Wireless rogue rate value + + +type: keyword + +-- + +*`fortinet.firewall.rawdata`*:: ++ +-- +Raw data value + + +type: keyword + +-- + +*`fortinet.firewall.rawdataid`*:: ++ +-- +Raw data ID + + +type: keyword + +-- + +*`fortinet.firewall.rcvddelta`*:: ++ +-- +Received bytes delta + + +type: keyword + +-- + +*`fortinet.firewall.reason`*:: ++ +-- +Alert reason + + +type: keyword + +-- + +*`fortinet.firewall.received`*:: ++ +-- +Server key exchange received + + +type: integer + +-- + +*`fortinet.firewall.receivedsignature`*:: ++ +-- +Server key exchange received signature + + +type: keyword + +-- + +*`fortinet.firewall.red`*:: ++ +-- +Memory information in red + + +type: keyword + +-- + +*`fortinet.firewall.referralurl`*:: ++ +-- +Web filter referralurl + + +type: keyword + +-- + +*`fortinet.firewall.remote`*:: ++ +-- +Remote PPP IP address + + +type: ip + +-- + +*`fortinet.firewall.remotewtptime`*:: ++ +-- +Remote Wifi Radius authentication time + + +type: keyword + +-- + +*`fortinet.firewall.reporttype`*:: ++ +-- +Report type + + +type: keyword + +-- + +*`fortinet.firewall.reqtype`*:: ++ +-- +Request type + + +type: keyword + +-- + +*`fortinet.firewall.request_name`*:: ++ +-- +VOIP request name + + +type: keyword + +-- + +*`fortinet.firewall.result`*:: ++ +-- +VPN phase result + + +type: keyword + +-- + +*`fortinet.firewall.role`*:: ++ +-- +VPN Phase 2 role + + +type: keyword + +-- + +*`fortinet.firewall.rssi`*:: ++ +-- +Received signal strength indicator + + +type: integer + +-- + +*`fortinet.firewall.rsso_key`*:: ++ +-- +RADIUS SSO attribute value + + +type: keyword + +-- + +*`fortinet.firewall.ruledata`*:: ++ +-- 
+Rule data + + +type: keyword + +-- + +*`fortinet.firewall.ruletype`*:: ++ +-- +Rule type + + +type: keyword + +-- + +*`fortinet.firewall.scanned`*:: ++ +-- +Number of Scanned MMSs + + +type: integer + +-- + +*`fortinet.firewall.scantime`*:: ++ +-- +Scanned time + + +type: long + +-- + +*`fortinet.firewall.scope`*:: ++ +-- +FortiGuard Override Scope + + +type: keyword + +-- + +*`fortinet.firewall.security`*:: ++ +-- +Wireless rogue security + + +type: keyword + +-- + +*`fortinet.firewall.sensitivity`*:: ++ +-- +Sensitivity for document fingerprint + + +type: keyword + +-- + +*`fortinet.firewall.sensor`*:: ++ +-- +NAC Sensor Name + + +type: keyword + +-- + +*`fortinet.firewall.sentdelta`*:: ++ +-- +Sent bytes delta + + +type: keyword + +-- + +*`fortinet.firewall.seq`*:: ++ +-- +Sequence number + + +type: keyword + +-- + +*`fortinet.firewall.serial`*:: ++ +-- +WAN optimisation serial + + +type: keyword + +-- + +*`fortinet.firewall.serialno`*:: ++ +-- +Serial number + + +type: keyword + +-- + +*`fortinet.firewall.server`*:: ++ +-- +AD server FQDN or IP + + +type: keyword + +-- + +*`fortinet.firewall.session_id`*:: ++ +-- +Session ID + + +type: keyword + +-- + +*`fortinet.firewall.sessionid`*:: ++ +-- +WAD Session ID + + +type: integer + +-- + +*`fortinet.firewall.setuprate`*:: ++ +-- +Session Setup Rate + + +type: long + +-- + +*`fortinet.firewall.severity`*:: ++ +-- +Severity + + +type: keyword + +-- + +*`fortinet.firewall.shaperdroprcvdbyte`*:: ++ +-- +Received bytes dropped by shaper + + +type: integer + +-- + +*`fortinet.firewall.shaperdropsentbyte`*:: ++ +-- +Sent bytes dropped by shaper + + +type: integer + +-- + +*`fortinet.firewall.shaperperipdropbyte`*:: ++ +-- +Dropped bytes per IP by shaper + + +type: integer + +-- + +*`fortinet.firewall.shaperperipname`*:: ++ +-- +Traffic shaper name (per IP) + + +type: keyword + +-- + +*`fortinet.firewall.shaperrcvdname`*:: ++ +-- +Traffic shaper name for received traffic + + +type: keyword + +-- + 
+*`fortinet.firewall.shapersentname`*:: ++ +-- +Traffic shaper name for sent traffic + + +type: keyword + +-- + +*`fortinet.firewall.shapingpolicyid`*:: ++ +-- +Traffic shaper policy ID + + +type: integer + +-- + +*`fortinet.firewall.signal`*:: ++ +-- +Wireless rogue API signal + + +type: integer + +-- + +*`fortinet.firewall.size`*:: ++ +-- +Email size in bytes + + +type: long + +-- + +*`fortinet.firewall.slot`*:: ++ +-- +Slot number + + +type: integer + +-- + +*`fortinet.firewall.sn`*:: ++ +-- +Security fabric serial number + + +type: keyword + +-- + +*`fortinet.firewall.snclosest`*:: ++ +-- +SN of the AP closest to the rogue AP + + +type: keyword + +-- + +*`fortinet.firewall.sndetected`*:: ++ +-- +SN of the AP which detected the rogue AP + + +type: keyword + +-- + +*`fortinet.firewall.snmeshparent`*:: ++ +-- +SN of the mesh parent + + +type: keyword + +-- + +*`fortinet.firewall.spi`*:: ++ +-- +IPSEC SPI + + +type: keyword + +-- + +*`fortinet.firewall.src_int`*:: ++ +-- +Source interface + + +type: keyword + +-- + +*`fortinet.firewall.srcintfrole`*:: ++ +-- +Source interface role + + +type: keyword + +-- + +*`fortinet.firewall.srccountry`*:: ++ +-- +Source country + + +type: keyword + +-- + +*`fortinet.firewall.srcfamily`*:: ++ +-- +Source family + + +type: keyword + +-- + +*`fortinet.firewall.srchwvendor`*:: ++ +-- +Source hardware vendor + + +type: keyword + +-- + +*`fortinet.firewall.srchwversion`*:: ++ +-- +Source hardware version + + +type: keyword + +-- + +*`fortinet.firewall.srcinetsvc`*:: ++ +-- +Source interface service + + +type: keyword + +-- + +*`fortinet.firewall.srcname`*:: ++ +-- +Source name + + +type: keyword + +-- + +*`fortinet.firewall.srcserver`*:: ++ +-- +Source server + + +type: integer + +-- + +*`fortinet.firewall.srcssid`*:: ++ +-- +Source SSID + + +type: keyword + +-- + +*`fortinet.firewall.srcswversion`*:: ++ +-- +Source software version + + +type: keyword + +-- + +*`fortinet.firewall.srcuuid`*:: ++ +-- +Source UUID + + +type: keyword + 
+-- + +*`fortinet.firewall.sscname`*:: ++ +-- +SSC name + + +type: keyword + +-- + +*`fortinet.firewall.ssid`*:: ++ +-- +Base Service Set ID + + +type: keyword + +-- + +*`fortinet.firewall.sslaction`*:: ++ +-- +SSL Action + + +type: keyword + +-- + +*`fortinet.firewall.ssllocal`*:: ++ +-- +WAD SSL local + + +type: keyword + +-- + +*`fortinet.firewall.sslremote`*:: ++ +-- +WAD SSL remote + + +type: keyword + +-- + +*`fortinet.firewall.stacount`*:: ++ +-- +Number of stations/clients + + +type: integer + +-- + +*`fortinet.firewall.stage`*:: ++ +-- +IPSEC stage + + +type: keyword + +-- + +*`fortinet.firewall.stamac`*:: ++ +-- +802.1x station mac + + +type: keyword + +-- + +*`fortinet.firewall.state`*:: ++ +-- +Admin login state + + +type: keyword + +-- + +*`fortinet.firewall.status`*:: ++ +-- +Status + + +type: keyword + +-- + +*`fortinet.firewall.stitch`*:: ++ +-- +Automation stitch triggered + + +type: keyword + +-- + +*`fortinet.firewall.subject`*:: ++ +-- +Email subject + + +type: keyword + +-- + +*`fortinet.firewall.submodule`*:: ++ +-- +Configuration Sub-Module Name + + +type: keyword + +-- + +*`fortinet.firewall.subservice`*:: ++ +-- +AV subservice + + +type: keyword + +-- + +*`fortinet.firewall.subtype`*:: ++ +-- +Log subtype + + +type: keyword + +-- + +*`fortinet.firewall.suspicious`*:: ++ +-- +Number of Suspicious MMSs + + +type: integer + +-- + +*`fortinet.firewall.switchproto`*:: ++ +-- +Protocol change information + + +type: keyword + +-- + +*`fortinet.firewall.sync_status`*:: ++ +-- +The sync status with the master + + +type: keyword + +-- + +*`fortinet.firewall.sync_type`*:: ++ +-- +The sync type with the master + + +type: keyword + +-- + +*`fortinet.firewall.sysuptime`*:: ++ +-- +System uptime + + +type: keyword + +-- + +*`fortinet.firewall.tamac`*:: ++ +-- +the MAC address of Transmitter, if none, then Receiver + + +type: keyword + +-- + +*`fortinet.firewall.threattype`*:: ++ +-- +WIDS threat type + + +type: keyword + +-- + 
+*`fortinet.firewall.time`*:: ++ +-- +Time of the event + + +type: keyword + +-- + +*`fortinet.firewall.to`*:: ++ +-- +Email to field + + +type: keyword + +-- + +*`fortinet.firewall.to_vcluster`*:: ++ +-- +destination virtual cluster number + + +type: integer + +-- + +*`fortinet.firewall.total`*:: ++ +-- +Total memory + + +type: integer + +-- + +*`fortinet.firewall.totalsession`*:: ++ +-- +Total Number of Sessions + + +type: integer + +-- + +*`fortinet.firewall.trace_id`*:: ++ +-- +Session clash trace ID + + +type: keyword + +-- + +*`fortinet.firewall.trandisp`*:: ++ +-- +NAT translation type + + +type: keyword + +-- + +*`fortinet.firewall.transid`*:: ++ +-- +HTTP transaction ID + + +type: integer + +-- + +*`fortinet.firewall.translationid`*:: ++ +-- +DNS filter transaltion ID + + +type: keyword + +-- + +*`fortinet.firewall.trigger`*:: ++ +-- +Automation stitch trigger + + +type: keyword + +-- + +*`fortinet.firewall.trueclntip`*:: ++ +-- +File filter true client IP + + +type: ip + +-- + +*`fortinet.firewall.tunnelid`*:: ++ +-- +IPSEC tunnel ID + + +type: integer + +-- + +*`fortinet.firewall.tunnelip`*:: ++ +-- +IPSEC tunnel IP + + +type: ip + +-- + +*`fortinet.firewall.tunneltype`*:: ++ +-- +IPSEC tunnel type + + +type: keyword + +-- + +*`fortinet.firewall.type`*:: ++ +-- +Module type + + +type: keyword + +-- + +*`fortinet.firewall.ui`*:: ++ +-- +Admin authentication UI type + + +type: keyword + +-- + +*`fortinet.firewall.unauthusersource`*:: ++ +-- +Unauthenticated user source + + +type: keyword + +-- + +*`fortinet.firewall.unit`*:: ++ +-- +Power supply unit + + +type: integer + +-- + +*`fortinet.firewall.urlfilteridx`*:: ++ +-- +URL filter ID + + +type: integer + +-- + +*`fortinet.firewall.urlfilterlist`*:: ++ +-- +URL filter list + + +type: keyword + +-- + +*`fortinet.firewall.urlsource`*:: ++ +-- +URL filter source + + +type: keyword + +-- + +*`fortinet.firewall.urltype`*:: ++ +-- +URL filter type + + +type: keyword + +-- + +*`fortinet.firewall.used`*:: ++ +-- 
+Number of Used IPs + + +type: integer + +-- + +*`fortinet.firewall.used_for_type`*:: ++ +-- +Connection for the type + + +type: integer + +-- + +*`fortinet.firewall.utmaction`*:: ++ +-- +Security action performed by UTM + + +type: keyword + +-- + +*`fortinet.firewall.vap`*:: ++ +-- +Virtual AP + + +type: keyword + +-- + +*`fortinet.firewall.vapmode`*:: ++ +-- +Virtual AP mode + + +type: keyword + +-- + +*`fortinet.firewall.vcluster`*:: ++ +-- +virtual cluster id + + +type: integer + +-- + +*`fortinet.firewall.vcluster_member`*:: ++ +-- +Virtual cluster member + + +type: integer + +-- + +*`fortinet.firewall.vcluster_state`*:: ++ +-- +Virtual cluster state + + +type: keyword + +-- + +*`fortinet.firewall.vd`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.vdname`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.vendorurl`*:: ++ +-- +Vulnerability scan vendor name + + +type: keyword + +-- + +*`fortinet.firewall.version`*:: ++ +-- +Version + + +type: keyword + +-- + +*`fortinet.firewall.vip`*:: ++ +-- +Virtual IP + + +type: keyword + +-- + +*`fortinet.firewall.virus`*:: ++ +-- +Virus name + + +type: keyword + +-- + +*`fortinet.firewall.virusid`*:: ++ +-- +Virus ID (unique virus identifier) + + +type: integer + +-- + +*`fortinet.firewall.voip_proto`*:: ++ +-- +VOIP protocol + + +type: keyword + +-- + +*`fortinet.firewall.vpn`*:: ++ +-- +VPN description + + +type: keyword + +-- + +*`fortinet.firewall.vpntunnel`*:: ++ +-- +IPsec Vpn Tunnel Name + + +type: keyword + +-- + +*`fortinet.firewall.vpntype`*:: ++ +-- +The type of the VPN tunnel + + +type: keyword + +-- + +*`fortinet.firewall.vrf`*:: ++ +-- +VRF number + + +type: integer + +-- + +*`fortinet.firewall.vulncat`*:: ++ +-- +Vulnerability Category + + +type: keyword + +-- + +*`fortinet.firewall.vulnid`*:: ++ +-- +Vulnerability ID + + +type: integer + +-- + +*`fortinet.firewall.vulnname`*:: ++ +-- +Vulnerability name + + +type: keyword + +-- + 
+*`fortinet.firewall.vwlid`*:: ++ +-- +VWL ID + + +type: integer + +-- + +*`fortinet.firewall.vwlquality`*:: ++ +-- +VWL quality + + +type: keyword + +-- + +*`fortinet.firewall.vwlservice`*:: ++ +-- +VWL service + + +type: keyword + +-- + +*`fortinet.firewall.vwpvlanid`*:: ++ +-- +VWP VLAN ID + + +type: integer + +-- + +*`fortinet.firewall.wanin`*:: ++ +-- +WAN incoming traffic in bytes + + +type: long + +-- + +*`fortinet.firewall.wanoptapptype`*:: ++ +-- +WAN Optimization Application type + + +type: keyword + +-- + +*`fortinet.firewall.wanout`*:: ++ +-- +WAN outgoing traffic in bytes + + +type: long + +-- + +*`fortinet.firewall.weakwepiv`*:: ++ +-- +Weak Wep Initiation Vector + + +type: keyword + +-- + +*`fortinet.firewall.xauthgroup`*:: ++ +-- +XAuth Group Name + + +type: keyword + +-- + +*`fortinet.firewall.xauthuser`*:: ++ +-- +XAuth User Name + + +type: keyword + +-- + +*`fortinet.firewall.xid`*:: ++ +-- +Wireless X ID + + +type: integer + +-- + [[exported-fields-googlecloud]] == Google Cloud fields diff --git a/filebeat/docs/modules/fortinet.asciidoc b/filebeat/docs/modules/fortinet.asciidoc new file mode 100644 index 00000000000..13ce2650e5a --- /dev/null +++ b/filebeat/docs/modules/fortinet.asciidoc 
@@ -0,0 +1,163 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-fortinet]] +[role="xpack"] + +:modulename: fortinet +:has-dashboards: false + +== Fortinet module + +This is a module for Fortinet FortiOS logs sent in the syslog format. + +To configure a remote syslog destination, please reference the https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/260508/log-syslogd-syslogd2-syslogd3-syslogd4-setting[Fortigate/FortiOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against FortiOS version 6.0.x and 6.2.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +[source,yaml] +---- +- module: fortinet + firewall: + var.syslog_host: 0.0.0.0 + var.syslog_port: 9004 +---- + +include::../include/var-paths.asciidoc[] + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to 9004. + +[float] +==== Fortinet ECS fields + +This is a list of FortiOS fields that are mapped to ECS. 
+ +[options="header"] +|============================================================== +| Fortinet Fields | ECS Fields | +| action | event.action | +| agent | user_agent.original | +| app | network.application | +| appcat | rule.category | +| applist | rule.ruleset | +| catdesc | rule.category | +| ccertissuer | tls.client_issuer | +| collectedemail | source.user.email | +| comment | rule.description | +| daddr | destination.address | +| devid | observer.serial_number | +| dir | network.direction | +| direction | network.direction | +| dst_host | destination.address | +| dstcollectedemail | destination.user.email | +| dst_int | observer.egress.interface.name | +| dstintf | observer.egress.interface.name | +| dstip | destination.ip | +| dstmac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dstport | destination.port | +| dstunauthuser | destination.user.name | +| dtype | vulnerability.category | +| duration | event.duration | +| errorcode | error.code | +| event_id | event.id | +| eventid | event.id | +| eventtime | event.start | +| eventtype | event.action | +| file | file.name | +| filename | file.name | +| filesize | file.size | +| filetype | file.extension | +| filehash | file.hash.crc32 | +| from | source.user.email | +| group | source.user.group | +| hostname | url.domain | +| infectedfilename | file.name | +| infectedfilesize | file.size | +| infectedfiletype | file.extension | +| ipaddr | dns.resolved_ip | +| level | log.level | +| locip | source.ip | +| locport | source.port | +| logdesc | rule.description | +| logid | event.code | +| matchfilename | file.name | +| matchfiletype | file.extension | +| msg | message | +| error_num | error.code | +| policyid | rule.id | +| policy_id | rule.id | +| policyname | rule.name | +| policytype | rule.ruleset | +| poluuid | rule.uuid | +| profile | rule.ruleset | +| proto | network.iana_number | +| qclass | dns.question.class | +| qname | dns.question.name | +| qtype | 
dns.question.type | +| rcvdbyte | source.bytes | +| rcvdpkt | source.packets | +| recipient | destination.user.email | +| ref | event.reference | +| remip | destination.ip | +| remport | destination.port | +| saddr | source.address | +| scertcname | tls.client.server_name | +| scertissuer | tls.server.issuer | +| sender | source.user.email | +| sentbyte | source.bytes | +| sentpkt | source.packets | +| service | network.protocol | +| sess_duration | event.duration | +| srcdomain | source.domain | +| srcintf | observer.ingress.interface.name| +| srcip | source.ip | +| source_mac | source.mac | +| srcmac | source.mac | +| srcport | source.port | +| tranip | destination.nat.ip | +| tranport | destination.nat.port | +| transip | source.nat.ip | +| transport | source.nat.port | +| tz | event.timezone | +| unauthuser | source.user.name | +| url | url.path | +| user | source.user.name | +| xid | dns.id | +|============================================================== + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 09db49b33da..dbf82900062 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -15,6 +15,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -60,6 +61,7 @@ include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/envoyproxy.asciidoc[] +include::modules/fortinet.asciidoc[] include::modules/googlecloud.asciidoc[] include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 056b574abe5..d5930b3cbb7 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -480,6 +480,21 @@ filebeat.modules:
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
+#------------------------------- Fortinet Module -------------------------------
+- module: fortinet
+ firewall:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input: syslog
+
+ # The interface to listen to UDP based syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The UDP port to listen for syslog traffic. Defaults to 9004.
+ #var.syslog_port: 9004
+
 #----------------------------- Google Cloud Module -----------------------------
 - module: googlecloud
 vpcflow:
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
index 25a600616c9..1633307c950 100644
--- a/x-pack/filebeat/include/list.go
+++ b/x-pack/filebeat/include/list.go
@@ -24,6 +24,7 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy"
+ _ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/googlecloud"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/iptables"
diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml
new file mode 100644
index 00000000000..525156e7590
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/_meta/config.yml
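Review bot: The `var.input` comment says a `file` input is available, but the block exposes no `var.paths` for it, even though the preceding module's `#var.paths:` is still visible in the context lines and the module docs in this commit include var-paths.asciidoc, so the setting presumably exists. Add, after `#var.input: syslog`, the lines `# Set custom paths for the log files when var.input is file. If left empty,` / `# Filebeat will choose the paths depending on your OS.` / `#var.paths:`. The identical block in x-pack/filebeat/module/fortinet/_meta/config.yml has the same gap. It would also help to note beside `var.syslog_host` that UDP syslog carries no sender authentication, so when the listener is bound to `0.0.0.0`, as the fileset docs example in this commit does, reachability of the port should be restricted at the network level; a line such as `# Syslog over UDP is unauthenticated: when binding to 0.0.0.0, restrict access to this port.` covers it.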
@@ -0,0 +1,13 @@
+- module: fortinet
+ firewall:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input: syslog
+
+ # The interface to listen to UDP based syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The UDP port to listen for syslog traffic. Defaults to 9004.
+ #var.syslog_port: 9004
diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
new file mode 100644
index 00000000000..0c38c94aa47
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
@@ -0,0 +1,150 @@
+[role="xpack"]
+
+:modulename: fortinet
+:has-dashboards: false
+
+== Fortinet module
+
+This is a module for Fortinet FortiOS logs sent in the syslog format.
+
+To configure a remote syslog destination, please reference the https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/260508/log-syslogd-syslogd2-syslogd3-syslogd4-setting[Fortigate/FortiOS Documentation].
+
+The syslog format choosen should be `Default`.
+
+include::../include/gs-link.asciidoc[]
+
+[float]
+=== Compatibility
+
+This module has been tested against FortiOS version 6.0.x and 6.2.x.
+Versions above this are expected to work but have not been tested.
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: firewall
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `firewall` fileset settings
+
+[source,yaml]
+----
+- module: fortinet
+ firewall:
+ var.syslog_host: 0.0.0.0
+ var.syslog_port: 9004
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.syslog_host`*::
+
+The interface to listen to UDP based syslog traffic. Defaults to localhost.
+Set to 0.0.0.0 to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The UDP port to listen for syslog traffic. Defaults to 9004.
+
+[float]
+==== Fortinet ECS fields
+
+This is a list of FortiOS fields that are mapped to ECS.
+
+[options="header"]
+|==============================================================
+| Fortinet Fields | ECS Fields |
+| action | event.action |
+| agent | user_agent.original |
+| app | network.application |
+| appcat | rule.category |
+| applist | rule.ruleset |
+| catdesc | rule.category |
+| ccertissuer | tls.client_issuer |
+| collectedemail | source.user.email |
+| comment | rule.description |
+| daddr | destination.address |
+| devid | observer.serial_number |
+| dir | network.direction |
+| direction | network.direction |
+| dst_host | destination.address |
+| dstcollectedemail | destination.user.email |
+| dst_int | observer.egress.interface.name |
+| dstintf | observer.egress.interface.name |
+| dstip | destination.ip |
+| dstmac | destination.mac |
+| dstname | destination.address |
+| dst_port | destination.port |
+| dstport | destination.port |
+| dstunauthuser | destination.user.name |
+| dtype | vulnerability.category |
+| duration | event.duration |
+| errorcode | error.code |
+| event_id | event.id |
+| eventid | event.id |
+| eventtime | event.start |
+| eventtype | event.action |
+| file | file.name |
+| filename | file.name |
+| filesize | file.size |
+| filetype | file.extension |
+| filehash | file.hash.crc32 |
+| from | source.user.email |
+| group | source.user.group |
+| hostname | url.domain |
+| infectedfilename | file.name |
+| infectedfilesize | file.size |
+| infectedfiletype | file.extension |
+| ipaddr | dns.resolved_ip |
+| level | log.level |
+| locip | source.ip |
+| locport | source.port |
+| logdesc | rule.description |
+| logid | event.code |
+| matchfilename | file.name |
+| matchfiletype | file.extension |
+| msg | message |
+| error_num | error.code |
+| policyid | rule.id |
+| policy_id | rule.id |
+| policyname | rule.name |
+| policytype | rule.ruleset |
+| poluuid | rule.uuid |
+| profile | rule.ruleset |
+| proto | network.iana_number |
+| qclass | dns.question.class |
+| qname | dns.question.name |
+| qtype | dns.question.type |
+| rcvdbyte | source.bytes |
+| rcvdpkt | source.packets |
+| recipient | destination.user.email |
+| ref | event.reference |
+| remip | destination.ip |
+| remport | destination.port |
+| saddr | source.address |
+| scertcname | tls.client.server_name |
+| scertissuer | tls.server.issuer |
+| sender | source.user.email |
+| sentbyte | source.bytes |
+| sentpkt | source.packets |
+| service | network.protocol |
+| sess_duration | event.duration |
+| srcdomain | source.domain |
+| srcintf | observer.ingress.interface.name|
+| srcip | source.ip |
+| source_mac | source.mac |
+| srcmac | source.mac |
+| srcport | source.port |
+| tranip | destination.nat.ip |
+| tranport | destination.nat.port |
+| transip | source.nat.ip |
+| transport | source.nat.port |
+| tz | event.timezone |
+| unauthuser | source.user.name |
+| url | url.path |
+| user | source.user.name |
+| xid | dns.id |
+|==============================================================
+
+:modulename!:
diff --git a/x-pack/filebeat/module/fortinet/_meta/fields.yml b/x-pack/filebeat/module/fortinet/_meta/fields.yml
new file mode 100644
index 00000000000..21a001384ef
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/_meta/fields.yml
@@ -0,0 +1,14 @@
+- key: fortinet
+ title: Fortinet
+ description: >
+ fortinet Module
+ fields:
+ - name: fortinet
+ type: group
+ description: >
+ Fields from fortinet FortiOS
+ fields:
+ - name: file.hash.crc32
+ type: keyword
+ description: >
+ CRC32 Hash of file
\ No newline at end of file
diff --git a/x-pack/filebeat/module/fortinet/fields.go b/x-pack/filebeat/module/fortinet/fields.go
new file mode 100644
index 00000000000..1c8ac2e4fc3
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/fields.go
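Review bot: The only concrete field declared here is `file.hash.crc32`, nested under the `fortinet` group and therefore indexed as `fortinet.file.hash.crc32`, while the ECS table in _meta/docs.asciidoc in this same commit maps `filehash` to `file.hash.crc32`; that top-level path is not an ECS field and gets no mapping from this commit, so whichever path the pipeline actually writes (not in this chunk), either the table or this definition is wrong. Align the two, most simply by changing the table row to `| filehash | fortinet.file.hash.crc32 |`, and confirm the pipeline target against this file. The same table also sends `rcvdbyte`/`rcvdpkt` to `source.bytes`/`source.packets` alongside `sentbyte`/`sentpkt`, and names `tls.client_issuer`, which does not exist in ECS (`tls.client.issuer` does); if the pipeline mirrors the table, received-direction counters overwrite the sent ones and the client issuer lands in an unmapped field, so those rows are worth rechecking. Minor: the file has no trailing newline, as the `\ No newline at end of file` marker shows, and `description: fortinet Module` would read better as `Fortinet module`.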
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package fortinet + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "fortinet", asset.ModuleFieldsPri, AssetFortinet); err != nil { + panic(err) + } +} + +// AssetFortinet returns asset data. +// This is the base64 encoded gzipped contents of module/fortinet. +func AssetFortinet() string { + return "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" +} diff --git a/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml b/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml new file mode 100644 index 00000000000..2ac3946889f --- /dev/null +++ b/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml 
@@ -0,0 +1,2154 @@
+- name: firewall
+ type: group
+ release: beta
+ default_field: false
+ description: >
+ Module for parsing Fortinet syslog.
+ fields:
+ - name: acct_stat
+ type: keyword
+ description: >
+ Accounting state (RADIUS)
+
+ - name: acktime
+ type: keyword
+ description: >
+ Alarm Acknowledge Time
+
+ - name: act
+ type: keyword
+ description: >
+ Action
+
+ - name: action
+ type: keyword
+ description: >
+ Status of the session
+
+ - name: activity
+ type: keyword
+ description: >
+ HA activity message
+
+ - name: addr
+ type: ip
+ description: >
+ IP Address
+
+ - name: addr_type
+ type: keyword
+ description: >
+ Address Type
+
+ - name: addrgrp
+ type: keyword
+ description: >
+ Address Group
+
+ - name: adgroup
+ type: keyword
+ description: >
+ AD Group Name
+
+ - name: admin
+ type: keyword
+ description: >
+ Admin User
+
+ - name: age
+ type: integer
+ description: >
+ Time in seconds - time passed since last seen
+
+ - name: agent
+ type: keyword
+ description: >
+ User agent - eg. agent="Mozilla/5.0"
+
+ - name: alarmid
+ type: integer
+ description: >
+ Alarm ID
+
+ - name: alert
+ type: keyword
+ description: >
+ Alert
+
+ - name: analyticscksum
+ type: keyword
+ description: >
+ The checksum of the file submitted for analytics
+
+ - name: analyticssubmit
+ type: keyword
+ description: >
+ The flag for analytics submission
+
+ - name: ap
+ type: keyword
+ description: >
+ Access Point
+
+ - name: app-type
+ type: keyword
+ description: >
+ Address Type
+
+ - name: appact
+ type: keyword
+ description: >
+ The security action from app control
+
+ - name: appid
+ type: integer
+ description: >
+ Application ID
+
+ - name: applist
+ type: keyword
+ description: >
+ Application Control profile
+
+ - name: apprisk
+ type: keyword
+ description: >
+ Application Risk Level
+
+ - name: apscan
+ type: keyword
+ description: >
+ The name of the AP, which scanned and detected the rogue AP
+
+ - name: apsn
+ type: keyword
+ description: >
+ Access Point
+
+ - name: apstatus
+ type: keyword
+ description: >
+ Access Point status
+
+ - name: aptype
+ type: keyword
+ description: >
+ Access Point type
+
+ - name: assigned
+ type: ip
+ description: >
+ Assigned IP Address
+
+ - name: assignip
+ type: ip
+ description: >
+ Assigned IP Address
+
+ - name: attachment
+ type: keyword
+ description: >
+ The flag for email attachement
+
+ - name: attack
+ type: keyword
+ description: >
+ Attack Name
+
+ - name: attackcontext
+ type: keyword
+ description: >
+ The trigger patterns and the packetdata with base64 encoding
+
+ - name: attackcontextid
+ type: keyword
+ description: >
+ Attack context id / total
+
+ - name: attackid
+ type: integer
+ description: >
+ Attack ID
+
+ - name: auditid
+ type: long
+ description: >
+ Audit ID
+
+ - name: auditscore
+ type: keyword
+ description: >
+ The Audit Score
+
+ - name: audittime
+ type: long
+ description: >
+ The time of the audit
+
+ - name: authgrp
+ type: keyword
+ description: >
+ Authorization Group
+
+ - name: authid
+ type: keyword
+ description: >
+ Authentication ID
+
+ - name: authproto
+ type: keyword
+ description: >
+ The protocol that initiated the authentication
+
+ - name: authserver
+ type: keyword
+ description: >
+ Authentication server
+
+ - name: bandwidth
+ type: keyword
+ description: >
+ Bandwidth
+
+ - name: banned_rule
+ type: keyword
+ description: >
+ NAC quarantine Banned Rule Name
+
+ - name: banned_src
+ type: keyword
+ description: >
+ NAC quarantine Banned Source IP
+
+ - name: banword
+ type: keyword
+ description: >
+ Banned word
+
+ - name: botnetdomain
+ type: keyword
+ description: >
+ Botnet Domain Name
+
+ - name: botnetip
+ type: ip
+ description: >
+ Botnet IP Address
+
+ - name: bssid
+ type: keyword
+ description: >
+ Service Set ID
+
+ - name: call_id
+ type: keyword
+ description: >
+ Caller ID
+
+ - name: carrier_ep
+ type: keyword
+ description: >
+ The FortiOS Carrier end-point identification
+
+ - name: cat
+ type: integer
+ description: >
+ DNS category ID
+
+ - name: category
+ type: keyword
+ description: >
+ Authentication category
+
+ - name: cc
+ type: keyword
+ description: >
+ CC Email Address
+
+ - name: cdrcontent
+ type: keyword
+ description: >
+ Cdrcontent
+
+ - name: centralnatid
+ type: integer
+ description: >
+ Central NAT ID
+
+ - name: cert
+ type: keyword
+ description: >
+ Certificate
+
+ - name: cert-type
+ type: keyword
+ description: >
+ Certificate type
+
+ - name: certhash
+ type: keyword
+ description: >
+ Certificate hash
+
+ - name: cfgattr
+ type: keyword
+ description: >
+ Configuration attribute
+
+ - name: cfgobj
+ type: keyword
+ description: >
+ Configuration object
+
+ - name: cfgpath
+ type: keyword
+ description: >
+ Configuration path
+
+ - name: cfgtid
+ type: keyword
+ description: >
+ Configuration transaction ID
+
+ - name: cfgtxpower
+ type: integer
+ description: >
+ Configuration TX power
+
+ - name: channel
+ type: integer
+ description: >
+ Wireless Channel
+
+ - name: channeltype
+ type: keyword
+ description: >
+ SSH channel type
+
+ - name: chassisid
+ type: integer
+ description: >
+ Chassis ID
+
+ - name: checksum
+ type: keyword
+ description: >
+ The checksum of the scanned file
+
+ - name: chgheaders
+ type: keyword
+ description: >
+ HTTP Headers
+
+ - name: cldobjid
+ type: keyword
+ description: >
+ Connector object ID
+
+ - name: client_addr
+ type: keyword
+ description: >
+ Wifi client address
+
+ - name: cloudaction
+ type: keyword
+ description: >
+ Cloud Action
+
+ - name: clouduser
+ type: keyword
+ description: >
+ Cloud User
+
+ - name: column
+ type: integer
+ description: >
+ VOIP Column
+
+ - name: command
+ type: keyword
+ description: >
+ CLI Command
+
+ - name: community
+ type: keyword
+ description: >
+ SNMP Community
+
+ - name: configcountry
+ type: keyword
+ description: >
+ Configuration country
+
+ - name: connection_type
+ type: keyword
+ description: >
+ FortiClient Connection Type
+
+ - name: conserve
+ type: keyword
+ description: >
+ Flag for conserve mode
+
+ - name: constraint
+ type: keyword
+ description: >
+ WAF http protocol restrictions
+
+ - name: contentdisarmed
+ type: keyword
+ description: >
+ Email scanned content
+
+ - name: contenttype
+ type: keyword
+ description: >
+ Content Type from HTTP header
+
+ - name: cookies
+ type: keyword
+ description: >
+ VPN Cookie
+
+ - name: count
+ type: integer
+ description: >
+ Counts of action type
+
+ - name: countapp
+ type: integer
+ description: >
+ Number of App Ctrl logs associated with the session
+
+ - name: countav
+ type: integer
+ description: >
+ Number of AV logs associated with the session
+
+ - name: countcifs
+ type: integer
+ description: >
+ Number of CIFS logs associated with the session
+
+ - name: countdlp
+ type: integer
+ description: >
+ Number of DLP logs associated with the session
+
+ - name: countdns
+ type: integer
+ description: >
+ Number of DNS logs associated with the session
+
+ - name: countemail
+ type: integer
+ description: >
+ Number of email logs associated with the session
+
+ - name: countff
+ type: integer
+ description: >
+ Number of ff logs associated with the session
+
+ - name: countips
+ type: integer
+ description: >
+ Number of IPS logs associated with the session
+
+ - name: countssh
+ type: integer
+ description: >
+ Number of SSH logs associated with the session
+
+ - name: countssl
+ type: integer
+ description: >
+ Number of SSL logs associated with the session
+
+ - name: countwaf
+ type: integer
+ description: >
+ Number of WAF logs associated with the session
+
+ - name: countweb
+ type: integer
+ description: >
+ Number of Web filter logs associated with the session
+
+ - name: cpu
+ type: integer
+ description: >
+ CPU Usage
+
+ - name: craction
+ type: integer
+ description: >
+ Client Reputation Action
+
+ - name: criticalcount
+ type: integer
+ description: >
+ Number of critical ratings
+
+ - name: crl
+ type: keyword
+ description: >
+ Client Reputation Level
+
+ - name: crlevel
+ type: keyword
+ description: >
+ Client Reputation Level
+
+ - name: crscore
+ type: integer
+ description: >
+ Some description
+
+ - name: cveid
+ type: keyword
+ description: >
+ CVE ID
+
+ - name: daemon
+ type: keyword
+ description: >
+ Daemon name
+
+ - name: datarange
+ type: keyword
+ description: >
+ Data range for reports
+
+ - name: date
+ type: keyword
+ description: >
+ Date
+
+ - name: ddnsserver
+ type: ip
+ description: >
+ DDNS server
+
+ - name: desc
+ type: keyword
+ description: >
+ Description
+
+ - name: detectionmethod
+ type: keyword
+ description: >
+ Detection method
+
+ - name: devcategory
+ type: keyword
+ description: >
+ Device category
+
+ - name: devintfname
+ type: keyword
+ description: >
+ HA device Interface Name
+
+ - name: devtype
+ type: keyword
+ description: >
+ Device type
+
+ - name: dhcp_msg
+ type: keyword
+ description: >
+ DHCP Message
+
+ - name: dintf
+ type: keyword
+ description: >
+ Destination interface
+
+ - name: disk
+ type: keyword
+ description: >
+ Assosciated disk
+
+ - name: disklograte
+ type: long
+ description: >
+ Disk logging rate
+
+ - name: dlpextra
+ type: keyword
+ description: >
+ DLP extra information
+
+ - name: docsource
+ type: keyword
+ description: >
+ DLP fingerprint document source
+
+ - name: domainctrlauthstate
+ type: integer
+ description: >
+ CIFS domain auth state
+
+ - name: domainctrlauthtype
+ type: integer
+ description: >
+ CIFS domain auth type
+
+ - name: domainctrldomain
+ type: keyword
+ description: >
+ CIFS domain auth domain
+
+ - name: domainctrlip
+ type: ip
+ description: >
+ CIFS Domain IP
+
+ - name: domainctrlname
+ type: keyword
+ description: >
+ CIFS Domain name
+
+ - name: domainctrlprotocoltype
+ type: integer
+ description: >
+ CIFS Domain connection protocol
+
+ - name: domainctrlusername
+ type: keyword
+ description: >
+ CIFS Domain username
+
+ - name: domainfilteridx
+ type: integer
+ description: >
+ Domain filter ID
+
+ - name: domainfilterlist
+ type: keyword
+ description: >
+ Domain filter name
+
+ - name: ds
+ type: keyword
+ description: >
+ Direction with distribution system
+
+ - name: dst_int
+ type: keyword
+ description: >
+ Destination interface
+
+ - name: dstintfrole
+ type: keyword
+ description: >
+ Destination interface role
+
+ - name: dstcountry
+ type: keyword
+ description: >
+ Destination country
+
+ - name: dstdevcategory
+ type: keyword
+ description: >
+ Destination device category
+
+ - name: dstdevtype
+ type: keyword
+ description: >
+ Destination device type
+
+ - name: dstfamily
+ type: keyword
+ description: >
+ Destination OS family
+
+ - name: dsthwvendor
+ type: keyword
+ description: >
+ Destination HW vendor
+
+ - name: dsthwversion
+ type: keyword
+ description: >
+ Destination HW version
+
+ - name: dstinetsvc
+ type: keyword
+ description: >
+ Destination interface service
+
+ - name: dstosname
+ type: keyword
+ description: >
+ Destination OS name
+
+ - name: dstosversion
+ type: keyword
+ description: >
+ Destination OS version
+
+ - name: dstserver
+ type: integer
+ description: >
+ Destination server
+
+ - name: dstssid
+ type: keyword
+ description: >
+ Destination SSID
+
+ - name: dstswversion
+ type: keyword
+ description: >
+ Destination software version
+
+ - name: dstunauthusersource
+ type: keyword
+ description: >
+ Destination unauthenticated source
+
+ - name: dstuuid
+ type: keyword
+ description: >
+ UUID of the Destination IP address
+
+ - name: duid
+ type: keyword
+ description: >
+ DHCP UID
+
+ - name: eapolcnt
+ type: integer
+ description: >
+ EAPOL packet count
+
+ - name: eapoltype
+ type: keyword
+ description: >
+ EAPOL packet type
+
+ - name: encrypt
+ type: integer
+ description: >
+ Whether the packet is encrypted or not
+
+ - name: encryption
+ type: keyword
+ description: >
+ Encryption method
+
+ - name: epoch
+ type: integer
+ description: >
+ Epoch used for locating file
+
+ - name: espauth
+ type: keyword
+ description: >
+ ESP Authentication
+
+ - name: esptransform
+ type: keyword
+ description: >
+ ESP Transform
+
+ - name: exch
+ type: keyword
+ description: >
+ Mail Exchanges from DNS response answer section
+
+ - name: exchange
+ type: keyword
+ description: >
+ Mail Exchanges from DNS response answer section
+
+ - name: expectedsignature
+ type: keyword
+ description: >
+ Expected SSL signature
+
+ - name: expiry
+ type: keyword
+ description: >
+ FortiGuard override expiry timestamp
+
+ - name: fams_pause
+ type: integer
+ description: >
+ Fortinet Analysis and Management Service Pause
+
+ - name: fazlograte
+ type: long
+ description: >
+ FortiAnalyzer Logging Rate
+
+ - name: fctemssn
+ type: keyword
+ description: >
+ FortiClient Endpoint SSN
+
+ - name: fctuid
+ type: keyword
+ description: >
+ FortiClient UID
+
+ - name: field
+ type: keyword
+ description: >
+ NTP status field
+
+ - name: filefilter
+ type: keyword
+ description: >
+ The filter used to identify the affected file
+
+ - name: filehashsrc
+ type: keyword
+ description: >
+ Filehash source
+
+ - name: filtercat
+ type: keyword
+ description: >
+ DLP filter category
+
+ - name: filteridx
+ type: integer
+ description: >
+ DLP filter ID
+
+ - name: filtername
+ type: keyword
+ description: >
+ DLP rule name
+
+ - name: filtertype
+ type: keyword
+ description: >
+ DLP filter type
+
+ - name: fortiguardresp
+ type: keyword
+ description: >
+ Antispam ESP value
+
+ - name: forwardedfor
+ type: keyword
+ description: >
+ Email address forwarded
+
+ - name: fqdn
+ type: keyword
+ description: >
+ FQDN
+
+ - name: frametype
+ type: keyword
+ description: >
+ Wireless frametype
+
+ - name: freediskstorage
+ type: integer
+ description: >
+ Free disk integer
+
+ - name: from
+ type: keyword
+ description: >
+ From email address
+
+ - name: from_vcluster
+ type: integer
+ description: >
+ Source virtual cluster number
+
+ - name: fsaverdict
+ type: keyword
+ description: >
+ FSA verdict
+
+ - name: fwserver_name
+ type: keyword
+ description: >
+ Web proxy server name
+
+ - name: gateway
+ type: ip
+ description: >
+ Gateway ip address for PPPoE status report
+
+ - name: green
+ type: keyword
+ description: >
+ Memory status
+
+ - name: groupid
+ type: integer
+ description: >
+ User Group ID
+
+ - name: ha-prio
+ type: integer
+ description: >
+ HA Priority
+
+ - name: ha_group
+ type: keyword
+ description: >
+ HA Group
+
+ - name: ha_role
+ type: keyword
+ description: >
+ HA Role
+
+ - name: handshake
+ type: keyword
+ description: >
+ SSL Handshake
+
+ - name: hash
+ type: keyword
+ description: >
+ Hash value of downloaded file
+
+ - name: hbdn_reason
+ type: keyword
+ description: >
+ Heartbeat down reason
+
+ - name: highcount
+ type: integer
+ description: >
+ Highcount fabric summary
+
+ - name: host
+ type: keyword
+ description: >
+ Hostname
+
+ - name: iaid
+ type: keyword
+ description: >
+ DHCPv6 id
+
+ - name: icmpcode
+ type: keyword
+ description: >
+ Destination Port of the ICMP message
+
+ - name: icmpid
+ type: keyword
+ description: >
+ Source port of the ICMP message
+
+ - name: icmptype
+ type: keyword
+ description: >
+ The type of ICMP message
+
+ - name: identifier
+ type: integer
+ description: >
+ Network traffic identifier
+
+ - name: in_spi
+ type: keyword
+ description: >
+ IPSEC inbound SPI
+
+ - name: incidentserialno
+ type: integer
+ description: >
+ Incident serial number
+
+ - name: infected
+ type: integer
+ description: >
+ Infected MMS
+
+ - name: infectedfilelevel
+ type: integer
+ description: >
+ DLP infected file level
+
+ - name: informationsource
+ type: keyword
+ description: >
+ Information source
+
+ - name: init
+ type: keyword
+ description: >
+ IPSEC init stage
+
+ - name: initiator
+ type: keyword
+ description: >
+ Original login user name for Fortiguard override
+
+ - name: interface
+ type: keyword
+ description: >
+ Related interface
+
+ - name: intf
+ type: keyword
+ description: >
+ Related interface
+
+ - name: invalidmac
+ type: keyword
+ description: >
+ The MAC address with invalid OUI
+
+ - name: ip
+ type: ip
+ description: >
+ Related IP
+
+ - name: iptype
+ type: keyword
+ description: >
+ Related IP type
+
+ - name: keyword
+ type: keyword
+ description: >
+ Keyword used for search
+
+ - name: kind
+ type: keyword
+ description: >
+ VOIP kind
+
+ - name: lanin
+ type: long
+ description: >
+ LAN incoming traffic in bytes
+
+ - name: lanout
+ type: long
+ description: >
+ LAN outbound traffic in bytes
+
+ - name: lease
+ type: integer
+ description: >
+ DHCP lease
+
+ - name: license_limit
+ type: keyword
+ description: >
+ Maximum Number of FortiClients for the License
+
+ - name: limit
+ type: integer
+ description: >
+ Virtual Domain Resource Limit
+
+ - name: line
+ type: keyword
+ description: >
+ VOIP line
+
+ - name: live
+ type: integer
+ description: >
+ Time in seconds
+
+ - name: local
+ type: ip
+ description: >
+ Local IP for a PPPD Connection
+
+ -
name: log + type: keyword + description: > + Log message + + - name: login + type: keyword + description: > + SSH login + + - name: lowcount + type: integer + description: > + Fabric lowcount + + - name: mac + type: keyword + description: > + DHCP mac address + + - name: malform_data + type: integer + description: > + VOIP malformed data + + - name: malform_desc + type: keyword + description: > + VOIP malformed data description + + - name: manuf + type: keyword + description: > + Manufacturer name + + - name: masterdstmac + type: keyword + description: > + Master mac address for a host with multiple network interfaces + + - name: mastersrcmac + type: keyword + description: > + The master MAC address for a host that has multiple network interfaces + + - name: mediumcount + type: integer + description: > + Fabric medium count + + - name: mem + type: keyword + description: > + Memory usage system statistics + + - name: meshmode + type: keyword + description: > + Wireless mesh mode + + - name: message_type + type: keyword + description: > + VOIP message type + + - name: method + type: keyword + description: > + HTTP method + + - name: mgmtcnt + type: integer + description: > + The number of unauthorized client flooding managemet frames + + - name: mode + type: keyword + description: > + IPSEC mode + + - name: module + type: keyword + description: > + PCI-DSS module + + - name: monitor-name + type: keyword + description: > + Health Monitor Name + + - name: monitor-type + type: keyword + description: > + Health Monitor Type + + - name: mpsk + type: keyword + description: > + Wireless MPSK + + - name: msgproto + type: keyword + description: > + Message Protocol Number + + - name: mtu + type: integer + description: > + Max Transmission Unit Value + + - name: name + type: keyword + description: > + Name + + - name: nat + type: keyword + description: > + NAT IP Address + + - name: netid + type: keyword + description: > + Connector NetID + + - name: new_status + type: keyword 
+ description: > + New status on user change + + - name: new_value + type: keyword + description: > + New Virtual Domain Name + + - name: newchannel + type: integer + description: > + New Channel Number + + - name: newchassisid + type: integer + description: > + New Chassis ID + + - name: newslot + type: integer + description: > + New Slot Number + + - name: nextstat + type: integer + description: > + Time interval in seconds for the next statistics. + + - name: nf_type + type: keyword + description: > + Notification Type + + - name: noise + type: integer + description: > + Wifi Noise + + - name: old_status + type: keyword + description: > + Original Status + + - name: old_value + type: keyword + description: > + Original Virtual Domain name + + - name: oldchannel + type: integer + description: > + Original channel + + - name: oldchassisid + type: integer + description: > + Original Chassis Number + + - name: oldslot + type: integer + description: > + Original Slot Number + + - name: oldsn + type: keyword + description: > + Old Serial number + + - name: oldwprof + type: keyword + description: > + Old Web Filter Profile + + - name: onwire + type: keyword + description: > + A flag to indicate if the AP is onwire or not + + - name: opercountry + type: keyword + description: > + Operating Country + + - name: opertxpower + type: integer + description: > + Operating TX power + + - name: osname + type: keyword + description: > + Operating System name + + - name: osversion + type: keyword + description: > + Operating System version + + - name: out_spi + type: keyword + description: > + Out SPI + + - name: outintf + type: keyword + description: > + Out interface + + - name: passedcount + type: integer + description: > + Fabric passed count + + - name: passwd + type: keyword + description: > + Changed user password information + + - name: path + type: keyword + description: > + Path of looped configuration for security fabric + + - name: peer + type: keyword + description: > 
+ WAN optimization peer + + - name: peer_notif + type: keyword + description: > + VPN peer notification + + - name: phase2_name + type: keyword + description: > + VPN phase2 name + + - name: phone + type: keyword + description: > + VOIP Phone + + - name: pid + type: integer + description: > + Process ID + + - name: policytype + type: keyword + description: > + Policy Type + + - name: poolname + type: keyword + description: > + IP Pool name + + - name: port + type: integer + description: > + Log upload error port + + - name: portbegin + type: integer + description: > + IP Pool port number to begin + + - name: portend + type: integer + description: > + IP Pool port number to end + + - name: probeproto + type: keyword + description: > + Link Monitor Probe Protocol + + - name: process + type: keyword + description: > + URL Filter process + + - name: processtime + type: integer + description: > + Process time for reports + + - name: profile + type: keyword + description: > + Profile Name + + - name: profile_vd + type: keyword + description: > + Virtual Domain Name + + - name: profilegroup + type: keyword + description: > + Profile Group Name + + - name: profiletype + type: keyword + description: > + Profile Type + + - name: qtypeval + type: integer + description: > + DNS question type value + + - name: quarskip + type: keyword + description: > + Quarantine skip explanation + + - name: quotaexceeded + type: keyword + description: > + If quota has been exceeded + + - name: quotamax + type: long + description: > + Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + + - name: quotatype + type: keyword + description: > + Quota type + + - name: quotaused + type: long + description: > + Quota used - in seconds if time-based - in bytes if trafficbased) + + - name: radioband + type: keyword + description: > + Radio band + + - name: radioid + type: integer + description: > + Radio ID + + - name: radioidclosest + type: integer + description: > + Radio ID 
on the AP closest the rogue AP + + - name: radioiddetected + type: integer + description: > + Radio ID on the AP which detected the rogue AP + + - name: rate + type: keyword + description: > + Wireless rogue rate value + + - name: rawdata + type: keyword + description: > + Raw data value + + - name: rawdataid + type: keyword + description: > + Raw data ID + + - name: rcvddelta + type: keyword + description: > + Received bytes delta + + - name: reason + type: keyword + description: > + Alert reason + + - name: received + type: integer + description: > + Server key exchange received + + - name: receivedsignature + type: keyword + description: > + Server key exchange received signature + + - name: red + type: keyword + description: > + Memory information in red + + - name: referralurl + type: keyword + description: > + Web filter referralurl + + - name: remote + type: ip + description: > + Remote PPP IP address + + - name: remotewtptime + type: keyword + description: > + Remote Wifi Radius authentication time + + - name: reporttype + type: keyword + description: > + Report type + + - name: reqtype + type: keyword + description: > + Request type + + - name: request_name + type: keyword + description: > + VOIP request name + + - name: result + type: keyword + description: > + VPN phase result + + - name: role + type: keyword + description: > + VPN Phase 2 role + + - name: rssi + type: integer + description: > + Received signal strength indicator + + - name: rsso_key + type: keyword + description: > + RADIUS SSO attribute value + + - name: ruledata + type: keyword + description: > + Rule data + + - name: ruletype + type: keyword + description: > + Rule type + + - name: scanned + type: integer + description: > + Number of Scanned MMSs + + - name: scantime + type: long + description: > + Scanned time + + - name: scope + type: keyword + description: > + FortiGuard Override Scope + + - name: security + type: keyword + description: > + Wireless rogue security + + - name: 
sensitivity + type: keyword + description: > + Sensitivity for document fingerprint + + - name: sensor + type: keyword + description: > + NAC Sensor Name + + - name: sentdelta + type: keyword + description: > + Sent bytes delta + + - name: seq + type: keyword + description: > + Sequence number + + - name: serial + type: keyword + description: > + WAN optimisation serial + + - name: serialno + type: keyword + description: > + Serial number + + - name: server + type: keyword + description: > + AD server FQDN or IP + + - name: session_id + type: keyword + description: > + Session ID + + - name: sessionid + type: integer + description: > + WAD Session ID + + - name: setuprate + type: long + description: > + Session Setup Rate + + - name: severity + type: keyword + description: > + Severity + + - name: shaperdroprcvdbyte + type: integer + description: > + Received bytes dropped by shaper + + - name: shaperdropsentbyte + type: integer + description: > + Sent bytes dropped by shaper + + - name: shaperperipdropbyte + type: integer + description: > + Dropped bytes per IP by shaper + + - name: shaperperipname + type: keyword + description: > + Traffic shaper name (per IP) + + - name: shaperrcvdname + type: keyword + description: > + Traffic shaper name for received traffic + + - name: shapersentname + type: keyword + description: > + Traffic shaper name for sent traffic + + - name: shapingpolicyid + type: integer + description: > + Traffic shaper policy ID + + - name: signal + type: integer + description: > + Wireless rogue API signal + + - name: size + type: long + description: > + Email size in bytes + + - name: slot + type: integer + description: > + Slot number + + - name: sn + type: keyword + description: > + Security fabric serial number + + - name: snclosest + type: keyword + description: > + SN of the AP closest to the rogue AP + + - name: sndetected + type: keyword + description: > + SN of the AP which detected the rogue AP + + - name: snmeshparent + type: keyword + 
description: > + SN of the mesh parent + + - name: spi + type: keyword + description: > + IPSEC SPI + + - name: src_int + type: keyword + description: > + Source interface + + - name: srcintfrole + type: keyword + description: > + Source interface role + + - name: srccountry + type: keyword + description: > + Source country + + - name: srcfamily + type: keyword + description: > + Source family + + - name: srchwvendor + type: keyword + description: > + Source hardware vendor + + - name: srchwversion + type: keyword + description: > + Source hardware version + + - name: srcinetsvc + type: keyword + description: > + Source interface service + + - name: srcname + type: keyword + description: > + Source name + + - name: srcserver + type: integer + description: > + Source server + + - name: srcssid + type: keyword + description: > + Source SSID + + - name: srcswversion + type: keyword + description: > + Source software version + + - name: srcuuid + type: keyword + description: > + Source UUID + + - name: sscname + type: keyword + description: > + SSC name + + - name: ssid + type: keyword + description: > + Base Service Set ID + + - name: sslaction + type: keyword + description: > + SSL Action + + - name: ssllocal + type: keyword + description: > + WAD SSL local + + - name: sslremote + type: keyword + description: > + WAD SSL remote + + - name: stacount + type: integer + description: > + Number of stations/clients + + - name: stage + type: keyword + description: > + IPSEC stage + + - name: stamac + type: keyword + description: > + 802.1x station mac + + - name: state + type: keyword + description: > + Admin login state + + - name: status + type: keyword + description: > + Status + + - name: stitch + type: keyword + description: > + Automation stitch triggered + + - name: subject + type: keyword + description: > + Email subject + + - name: submodule + type: keyword + description: > + Configuration Sub-Module Name + + - name: subservice + type: keyword + description: > + AV 
subservice + + - name: subtype + type: keyword + description: > + Log subtype + + - name: suspicious + type: integer + description: > + Number of Suspicious MMSs + + - name: switchproto + type: keyword + description: > + Protocol change information + + - name: sync_status + type: keyword + description: > + The sync status with the master + + - name: sync_type + type: keyword + description: > + The sync type with the master + + - name: sysuptime + type: keyword + description: > + System uptime + + - name: tamac + type: keyword + description: > + the MAC address of Transmitter, if none, then Receiver + + - name: threattype + type: keyword + description: > + WIDS threat type + + - name: time + type: keyword + description: > + Time of the event + + - name: to + type: keyword + description: > + Email to field + + - name: to_vcluster + type: integer + description: > + destination virtual cluster number + + - name: total + type: integer + description: > + Total memory + + - name: totalsession + type: integer + description: > + Total Number of Sessions + + - name: trace_id + type: keyword + description: > + Session clash trace ID + + - name: trandisp + type: keyword + description: > + NAT translation type + + - name: transid + type: integer + description: > + HTTP transaction ID + + - name: translationid + type: keyword + description: > + DNS filter transaltion ID + + - name: trigger + type: keyword + description: > + Automation stitch trigger + + - name: trueclntip + type: ip + description: > + File filter true client IP + + - name: tunnelid + type: integer + description: > + IPSEC tunnel ID + + - name: tunnelip + type: ip + description: > + IPSEC tunnel IP + + - name: tunneltype + type: keyword + description: > + IPSEC tunnel type + + - name: type + type: keyword + description: > + Module type + + - name: ui + type: keyword + description: > + Admin authentication UI type + + - name: unauthusersource + type: keyword + description: > + Unauthenticated user source + + - 
name: unit + type: integer + description: > + Power supply unit + + - name: urlfilteridx + type: integer + description: > + URL filter ID + + - name: urlfilterlist + type: keyword + description: > + URL filter list + + - name: urlsource + type: keyword + description: > + URL filter source + + - name: urltype + type: keyword + description: > + URL filter type + + - name: used + type: integer + description: > + Number of Used IPs + + - name: used_for_type + type: integer + description: > + Connection for the type + + - name: utmaction + type: keyword + description: > + Security action performed by UTM + + - name: vap + type: keyword + description: > + Virtual AP + + - name: vapmode + type: keyword + description: > + Virtual AP mode + + - name: vcluster + type: integer + description: > + virtual cluster id + + - name: vcluster_member + type: integer + description: > + Virtual cluster member + + - name: vcluster_state + type: keyword + description: > + Virtual cluster state + + - name: vd + type: keyword + description: > + Virtual Domain Name + + - name: vdname + type: keyword + description: > + Virtual Domain Name + + - name: vendorurl + type: keyword + description: > + Vulnerability scan vendor name + + - name: version + type: keyword + description: > + Version + + - name: vip + type: keyword + description: > + Virtual IP + + - name: virus + type: keyword + description: > + Virus name + + - name: virusid + type: integer + description: > + Virus ID (unique virus identifier) + + - name: voip_proto + type: keyword + description: > + VOIP protocol + + - name: vpn + type: keyword + description: > + VPN description + + - name: vpntunnel + type: keyword + description: > + IPsec Vpn Tunnel Name + + - name: vpntype + type: keyword + description: > + The type of the VPN tunnel + + - name: vrf + type: integer + description: > + VRF number + + - name: vulncat + type: keyword + description: > + Vulnerability Category + + - name: vulnid + type: integer + description: > + 
Vulnerability ID
+
+ - name: vulnname
+ type: keyword
+ description: >
+ Vulnerability name
+
+ - name: vwlid
+ type: integer
+ description: >
+ VWL ID
+
+ - name: vwlquality
+ type: keyword
+ description: >
+ VWL quality
+
+ - name: vwlservice
+ type: keyword
+ description: >
+ VWL service
+
+ - name: vwpvlanid
+ type: integer
+ description: >
+ VWP VLAN ID
+
+ - name: wanin
+ type: long
+ description: >
+ WAN incoming traffic in bytes
+
+ - name: wanoptapptype
+ type: keyword
+ description: >
+ WAN Optimization Application type
+
+ - name: wanout
+ type: long
+ description: >
+ WAN outgoing traffic in bytes
+
+ - name: weakwepiv
+ type: keyword
+ description: >
+ Weak Wep Initiation Vector
+
+ - name: xauthgroup
+ type: keyword
+ description: >
+ XAuth Group Name
+
+ - name: xauthuser
+ type: keyword
+ description: >
+ XAuth User Name
+
+ - name: xid
+ type: integer
+ description: >
+ Wireless X ID
+
+
+
diff --git a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml
new file mode 100644
index 00000000000..32e87abc838
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml
@@ -0,0 +1,21 @@
+{{ if eq .input "syslog" }}
+
+type: syslog
+protocol.udp:
+ host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags}}
+
+processors:
+ - add_locale: ~
diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml
new file mode 100644
index 00000000000..7365c802a83
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml
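Review bot: The syslog branch of firewall.yml only offers `protocol.udp`, which gives no sender authentication and no transport integrity, and the template does not say so; operators reading the generated config will not know that anything able to reach `syslog_host:syslog_port` can inject records into the `fortinet.firewall` dataset. A comment next to the listener would carry that, e.g. `# UDP syslog carries no sender authentication; bind syslog_host to a management interface reachable only by the FortiGate.` Adding a TCP or TLS variant is outside this change, so this is a documentation request only.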
@@ -0,0 +1,295 @@
+description: Pipeline for parsing fortinet firewall logs (event pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: failure
+ if: "ctx.fortinet?.firewall?.result == 'ERROR' || ctx.fortinet?.firewall?.status == 'negotiate_error'"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.fortinet?.firewall?.result == 'OK' || ['FSSO-logon', 'auth-logon', 'FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)"
+- append:
+ field: event.type
+ value:
+ - user
+ - start
+ if: "['FSSO-logon', 'auth-logon'].contains(ctx.fortinet?.firewall?.action)"
+- append:
+ field: event.type
+ value:
+ - user
+ - end
+ if: "['FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)"
+- append:
+ field: event.type
+ value: connection
+ if: "ctx.fortinet?.firewall?.subtype == 'vpn'"
+- append:
+ field: event.category
+ value: network
+ if: "ctx.fortinet?.firewall?.subtype == 'vpn'"
+- append:
+ field: event.type
+ value: info
+ if: "ctx.fortinet?.firewall?.action == 'perf-stats'"
+- append:
+ field: event.category
+ value: host
+ if: "ctx.fortinet?.firewall?.action == 'perf-stats'"
+- append:
+ field: event.type
+ value: info
+ if: "ctx.fortinet?.firewall?.subtype == 'update'"
+- append:
+ field: event.category
+ value:
+ - host
+ - malware
+ if: "ctx.fortinet?.firewall?.subtype == 'update'"
+- append:
+ field: event.category
+ value: authentication
+ if: "ctx.fortinet?.firewall?.subtype == 'user'"
+- rename:
+ field: fortinet.firewall.dstip
+ target_field: destination.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.remip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.destination?.ip == null"
+- rename:
+ field: fortinet.firewall.dstport
+ target_field: destination.port
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.remport
+ target_field: destination.port
+ ignore_missing: true
+ if: "ctx.destination?.port == null"
+- rename:
+ field: fortinet.firewall.rcvdbyte
+ target_field: destination.bytes
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.daddr
+ target_field: destination.address
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dst_host
+ target_field: destination.address
+ ignore_missing: true
+ if: "ctx.destination?.address == null"
+- rename:
+ field: fortinet.firewall.dst_host
+ target_field: destination.domain
+ ignore_missing: true
+ if: "ctx.destination?.address == null"
+- rename:
+ field: fortinet.firewall.group
+ target_field: source.user.group.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.sentbyte
+ target_field: source.bytes
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcip
+ target_field: source.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.locip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.source?.ip == null"
+- rename:
+ field: fortinet.firewall.srcmac
+ target_field: source.mac
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.source_mac
+ target_field: source.mac
+ ignore_missing: true
+ if: "ctx.source?.mac == null"
+- rename:
+ field: fortinet.firewall.srcport
+ target_field: source.port
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.locport
+ target_field: source.port
+ ignore_missing: true
+ if: "ctx.source?.port == null"
+- rename:
+ field: fortinet.firewall.user
+ target_field: source.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.saddr
+ target_field: source.address
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.agent
+ target_field: user_agent.original
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.file
+ target_field: file.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filesize
+ target_field: file.size
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.level
+ target_field: log.level
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.logid
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: fortinet.firewall.msg
+ target_field: message
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policyid
+ target_field: rule.id
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.proto
+ target_field: network.iana_number
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dir
+ target_field: network.direction
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.direction
+ target_field: network.direction
+ ignore_missing: true
+ if: "ctx.network?.direction == null"
+- rename:
+ field: fortinet.firewall.service
+ target_field: network.protocol
+ ignore_missing: true
+- lowercase:
+ field: network.protocol
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.error_num
+ target_field: error.code
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.hostname
+ target_field: url.domain
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.logdesc
+ target_field: rule.description
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.url
+ target_field: url.path
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.sess_duration
+ target_field: event.duration
+ ignore_missing: true
+ if: "ctx.event?.duration == null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx.destination?.ip != null"
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
new file mode 100644
index 00000000000..c08c794af6c
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
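Review bot: The `script` processor near the end of the hunk computes `ctx.source.bytes + ctx.destination.bytes`, but both operands are strings at that point: they are renamed from `fortinet.firewall.sentbyte`/`rcvdbyte`, which the kv processor in pipeline.yml extracts as text, and no visible processor converts them, so Painless concatenates ("100" + "200" gives "100200") and `network.bytes` is indexed with a wrong numeric-looking value while `ignore_failure: true` masks any error. Converting both fields to `long` before the script fixes it, and the traffic pipeline renames the same two fields and presumably needs the same treatment. Separately, the second `dst_host` rename (to `destination.domain`) is guarded by `ctx.destination?.address == null`, which is always false once the preceding rename has moved `dst_host` into `destination.address`, so `destination.domain` is never populated from this hunk; the intended guard is probably `if: "ctx.destination?.domain == null"` applied before the address rename, or a copy rather than a second rename.
```yaml
# … unchanged: geoip and AS renames above …
- convert:
    field: source.bytes
    type: long
    ignore_missing: true
- convert:
    field: destination.bytes
    type: long
    ignore_missing: true
- script:
    lang: painless
    source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes
    if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
    ignore_failure: true
# … unchanged: related.* appends and on_failure …
```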
@@ -0,0 +1,155 @@
+description: Pipeline for parsing fortinet firewall logs
+processors:
+- grok:
+ field: message
+ patterns:
+ - '%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$'
+- kv:
+ field: syslog5424_sd
+ field_split: " (?=[a-z\\_\\-]+=)"
+ value_split: "="
+ prefix: "fortinet.firewall."
+ ignore_missing: true
+ ignore_failure: false
+ trim_value: "\""
+- set:
+ field: observer.vendor
+ value: Fortinet
+- set:
+ field: observer.product
+ value: Fortigate
+- set:
+ field: observer.type
+ value: firewall
+- set:
+ field: event.module
+ value: fortinet
+- set:
+ field: event.dataset
+ value: fortinet.firewall
+- set:
+ field: event.timezone
+ value: "{{fortinet.firewall.tz}}"
+ if: "ctx.fortinet?.firewall?.tz != null"
+- set:
+ field: _temp.time
+ value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}} {{fortinet.firewall.tz}}"
+ if: "ctx.fortinet?.firewall?.tz != null"
+- set:
+ field: _temp.time
+ value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}}Z"
+ if: "ctx.fortinet?.firewall?.tz == null"
+- date:
+ field: _temp.time
+ target_field: "@timestamp"
+ formats:
+ - yyyy-MM-dd HH:mm:ss
+ - yyyy-MM-dd HH:mm:ss Z
+ - ISO8601
+ timezone: "{{fortinet.firewall.tz}}"
+ if: "ctx.fortinet?.firewall?.tz != null"
+- date:
+ field: _temp.time
+ target_field: "@timestamp"
+ formats:
+ - yyyy-MM-dd HH:mm:ss
+ - yyyy-MM-dd HH:mm:ss Z
+ - ISO8601
+ if: "ctx.fortinet?.firewall?.tz == null"
+- gsub:
+ field: fortinet.firewall.eventtime
+ pattern: "\\d{6}$"
+ replacement: ""
+- date:
+ field: fortinet.firewall.eventtime
+ target_field: event.start
+ formats:
+ - UNIX_MS
+ timezone: "{{fortinet.firewall.tz}}"
+- rename:
+ field: fortinet.firewall.devname
+ target_field: observer.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000"
+ if: "ctx.fortinet?.firewall?.duration != null"
+- rename:
+ field: fortinet.firewall.devid
+ target_field: observer.serial_number
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstintf
+ target_field: observer.egress.interface.name
+ ignore_missing: true
+ if: "ctx.observer?.egress?.interface?.name == null"
+- rename:
+ field: fortinet.firewall.srcintf
+ target_field: observer.ingress.interface.name
+ ignore_missing: true
+ if: "ctx.observer?.ingress?.interface?.name == null"
+- rename:
+ field: fortinet.firewall.dst_int
+ target_field: observer.egress.interface.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.src_int
+ target_field: observer.ingress.interface.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.level
+ target_field: log.level
+ ignore_missing: true
+- remove:
+ field: fortinet.firewall.assignip
+ if: "ctx.fortinet?.firewall?.assignip == 'N/A'"
+- remove:
+ field: fortinet.firewall.dstip
+ if: "ctx.fortinet?.firewall?.dstip == 'N/A'"
+- remove:
+ field: fortinet.firewall.srcip
+ if: "ctx.fortinet?.firewall?.srcip == 'N/A'"
+- remove:
+ field: fortinet.firewall.remip
+ if: "ctx.fortinet?.firewall?.remip == 'N/A'"
+- remove:
+ field: fortinet.firewall.locip
+ if: "ctx.fortinet?.firewall?.locip == 'N/A'"
+- remove:
+ field: fortinet.firewall.group
+ if: "ctx.fortinet?.firewall?.group == 'N/A'"
+- remove:
+ field: fortinet.firewall.user
+ if: "ctx.fortinet?.firewall?.user == 'N/A'"
+- remove:
+ field: fortinet.firewall.tranip
+ if: "ctx.fortinet?.firewall?.tranip == 'N/A'"
+- remove:
+ field: fortinet.firewall.transip
+ if: "ctx.fortinet?.firewall?.transip == 'N/A'"
+- remove:
+ field:
+ - _temp
+ - message
+ - syslog5424_sd
+ - syslog5424_pri
+ - fortinet.firewall.tz
+ - fortinet.firewall.date
+ - fortinet.firewall.eventtime
+ - fortinet.firewall.time
+ - fortinet.firewall.duration
+ - host
+ ignore_missing: true
+- pipeline:
+ name: '{< IngestPipeline "event" >}'
+ if: "ctx.fortinet?.firewall?.type == 'event'"
+- pipeline:
+ name: '{< IngestPipeline "traffic" >}'
+ if: "ctx.fortinet?.firewall?.type == 'traffic'"
+- pipeline:
+ name: '{< IngestPipeline "utm" >}'
+ if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml
new file mode 100644
index 00000000000..35aa4f68153
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml
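Review bot: The kv `field_split` lookahead `(?=[a-z\\_\\-]+=)` at the top of the hunk has no digits in its character class, so a key containing a digit is not recognised as a separator and its whole `key=value` text is appended to the previous field's value; `phase2_name`, which this PR declares in fields.yml, is one such key. Widening the class, `field_split: " (?=[a-z0-9\\_\\-]+=)"`, fixes it. The `gsub` on `fortinet.firewall.eventtime` has no `ignore_missing`, so any record that lacks `eventtime` aborts the whole pipeline into `on_failure` before the type-specific pipelines run; `ignore_missing: true` there, and an `if` on the following `date`, would keep such records parseable. Finally, every key the sender places in the message becomes a field under `fortinet.firewall.` because kv has no `include_keys`/`exclude_keys`, which is worth a comment given the input is unauthenticated UDP syslog: unexpected keys grow the dynamic mapping, and `fortinet.firewall.type` drives routing to the sub-pipelines.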
@@ -0,0 +1,286 @@
+description: Pipeline for parsing fortinet firewall logs (traffic pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: "{{fortinet.firewall.action}}"
+ if: "ctx.fortinet?.firewall?.action != null"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.fortinet?.firewall?.action != null"
+- append:
+ field: event.category
+ value: network
+- append:
+ field: event.type
+ value: connection
+- append:
+ field: event.type
+ value: start
+ if: "ctx.fortinet?.firewall?.action == 'start'"
+- append:
+ field: event.type
+ value: end
+ if: "ctx.fortinet?.firewall?.action != null && ctx.fortinet?.firewall?.action !='start'"
+- append:
+ field: event.type
+ value: protocol
+ if: "ctx.fortinet?.firewall?.app != null && ctx.fortinet?.firewall?.action != 'deny'"
+- append:
+ field: event.type
+ value: allowed
+ if: "ctx.fortinet?.firewall?.utmaction == null && ctx.fortinet?.firewall?.action != 'deny'"
+- append:
+ field: event.type
+ value: denied
+ if: "ctx.fortinet?.firewall?.utmaction == 'block'"
+- rename:
+ field: fortinet.firewall.dstip
+ target_field: destination.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.tranip
+ target_field: destination.nat.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstport
+ target_field: destination.port
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.tranport
+ target_field: destination.nat.port
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.rcvdbyte
+ target_field: destination.bytes
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.rcvdpkt
+ target_field: destination.packets
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstcollectedemail
+ target_field: destination.user.email
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstname
+ target_field: destination.address
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstunauthuser
+ target_field: destination.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.group
+ target_field: source.user.group.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.sentbyte
+ target_field: source.bytes
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcdomain
+ target_field: source.domain
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcip
+ target_field: source.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcmac
+ target_field: source.mac
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcport
+ target_field: source.port
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.unauthuser
+ target_field: source.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.user
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.source?.user?.name == null"
+- rename:
+ field: fortinet.firewall.collectedemail
+ target_field: source.user.email
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.sentpkt
+ target_field: source.packets
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.transip
+ target_field: source.nat.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.transport
+ target_field: source.nat.port
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.app
+ target_field: network.application
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filename
+ target_field: file.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.logid
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: fortinet.firewall.msg
+ target_field: message
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.comment
+ target_field: rule.description
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policyid
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.rule?.id == null"
+- rename:
+ field: fortinet.firewall.poluuid
+ target_field: rule.uuid
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policytype
+ target_field: rule.ruleset
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policyname
+ target_field: rule.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.appcat
+ target_field: rule.category
+ ignore_missing: true
+- gsub:
+ field: rule.category
+ pattern: "\\."
+ replacement: "-"
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.proto
+ target_field: network.iana_number
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.service
+ target_field: network.protocol
+ ignore_missing: true
+- lowercase:
+ field: network.protocol
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.url
+ target_field: url.path
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+- script:
+ lang: painless
+ source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets"
+ if: "ctx?.source?.packets != null && ctx?.destination?.packets != null"
+ ignore_failure: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx.destination?.ip != null"
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+- append:
+ field: related.user
+ value: "{{destination.user.name}}"
+ if: "ctx.destination?.user?.name != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml
new file mode 100644
index 00000000000..3fe35bbacf8
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml
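Review bot: The Painless script `ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes` (and the `network.packets` one right after it) concatenates strings instead of summing numbers, because `sentbyte`/`rcvdbyte`/`sentpkt`/`rcvdpkt` come out of the key-value parse as strings and nothing converts them first; the expected output added further down in this commit records `"network.bytes": "11521130"` for `source.bytes` `"1152"` and `destination.bytes` `"1130"`. Inflated byte and packet totals are exactly the values volumetric alerting and exfiltration baselines read, so this is worth fixing before the module ships. Add `convert` processors with `type: long` on the four fields ahead of the scripts, as below; the utm.yml hunk that follows carries the same script with the same defect. The `ignore_failure: true` on both scripts also appears to hide the case where `ctx.network` does not exist yet (no `app`, `proto` or `service` key was renamed into it), in which case the total is silently dropped rather than written.
```yaml
# … unchanged: event.* set/append processors, rename and geoip processors …
- convert:
    field: source.bytes
    type: long
    ignore_missing: true
- convert:
    field: destination.bytes
    type: long
    ignore_missing: true
- convert:
    field: source.packets
    type: long
    ignore_missing: true
- convert:
    field: destination.packets
    type: long
    ignore_missing: true
- script:
    lang: painless
    source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
    if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
    ignore_failure: true
# … unchanged: network.packets script, related.* appends, on_failure …
```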
@@ -0,0 +1,396 @@
+description: Pipeline for parsing fortinet firewall logs (utm pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- append:
+ field: event.type
+ value: denied
+ if: "['block', 'blocked'].contains(ctx.fortinet?.firewall?.action)"
+- append:
+ field: event.type
+ value: info
+ if: "ctx.fortinet?.firewall?.subtype == 'dns'"
+- append:
+ field: event.type
+ value: allowed
+ if: "['pass', 'passthrough'].contains(ctx.fortinet?.firewall?.action)"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.fortinet?.firewall?.action != null"
+- append:
+ field: event.category
+ value: network
+- rename:
+ field: fortinet.firewall.dstip
+ target_field: destination.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.remip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.destination?.ip == null"
+- rename:
+ field: fortinet.firewall.dst_port
+ target_field: destination.port
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.remport
+ target_field: destination.port
+ ignore_missing: true
+ if: "ctx.destination?.port == null"
+- rename:
+ field: fortinet.firewall.dstport
+ target_field: destination.port
+ ignore_missing: true
+ if: "ctx.destination?.port == null"
+- rename:
+ field: fortinet.firewall.rcvdbyte
+ target_field: destination.bytes
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.recipient
+ target_field: destination.user.email
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.group
+ target_field: source.user.group.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.locip
+ target_field: source.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.locport
+ target_field: source.port
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.src_port
+ target_field: source.port
+ ignore_missing: true
+ if: "ctx.source?.port == null"
+- rename:
+ field: fortinet.firewall.sentbyte
+ target_field: source.bytes
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcdomain
+ target_field: source.domain
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.source?.ip == null"
+- rename:
+ field: fortinet.firewall.srcmac
+ target_field: source.mac
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcport
+ target_field: source.port
+ ignore_missing: true
+ if: "ctx.source?.port == null"
+- rename:
+ field: fortinet.firewall.unauthuser
+ target_field: source.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.user
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.source?.user?.name == null"
+- rename:
+ field: fortinet.firewall.sender
+ target_field: source.user.email
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.from
+ target_field: source.user.email
+ ignore_missing: true
+ if: "ctx.source?.user?.email == null"
+- rename:
+ field: fortinet.firewall.agent
+ target_field: user_agent.original
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.app
+ target_field: network.application
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.appcat
+ target_field: rule.category
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.applist
+ target_field: rule.ruleset
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.catdesc
+ target_field: rule.category
+ ignore_missing: true
+ if: "ctx.rule?.category == null"
+- gsub:
+ field: rule.category
+ pattern: "\\."
+ replacement: "-"
+ ignore_missing: true
+ if: "ctx.rule?.category != null"
+- rename:
+ field: fortinet.firewall.dir
+ target_field: network.direction
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.direction
+ target_field: network.direction
+ ignore_missing: true
+ if: "ctx.network?.direction == null"
+- rename:
+ field: fortinet.firewall.error
+ target_field: event.message
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.errorcode
+ target_field: event.code
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.event_id
+ target_field: event.id
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.eventid
+ target_field: event.id
+ ignore_missing: true
+ if: "ctx.event?.id == null"
+- rename:
+ field: fortinet.firewall.eventtype
+ target_field: event.action
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filename
+ target_field: file.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filesize
+ target_field: file.size
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filetype
+ target_field: file.extension
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.infectedfilename
+ target_field: file.name
+ ignore_missing: true
+ if: "ctx.file?.name == null"
+- rename:
+ field: fortinet.firewall.infectedfilesize
+ target_field: file.size
+ ignore_missing: true
+ if: "ctx.file?.size == null"
+- rename:
+ field: fortinet.firewall.infectedfiletype
+ target_field: file.extension
+ ignore_missing: true
+ if: "ctx.file?.extension == null"
+- rename:
+ field: fortinet.firewall.matchedfilename
+ target_field: file.name
+ ignore_missing: true
+ if: "ctx.file?.name == null"
+- rename:
+ field: fortinet.firewall.matchedfiletype
+ target_field: file.extension
+ ignore_missing: true
+ if: "ctx.file?.extension == null"
+- rename:
+ field: fortinet.firewall.hostname
+ target_field: url.domain
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.ipaddr
+ target_field: dns.resolved_ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.level
+ target_field: log.level
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.logid
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: fortinet.firewall.msg
+ target_field: message
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policy_id
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.rule?.id == null"
+- rename:
+ field: fortinet.firewall.policyid
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.rule?.id == null"
+- rename:
+ field: fortinet.firewall.profile
+ target_field: rule.ruleset
+ ignore_missing: true
+ if: "ctx.rule?.ruleset == null"
+- rename:
+ field: fortinet.firewall.proto
+ target_field: network.iana_number
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.qclass
+ target_field: dns.question.class
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.qname
+ target_field: dns.question.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.qtype
+ target_field: dns.question.type
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.service
+ target_field: network.protocol
+ ignore_missing: true
+- lowercase:
+ field: network.protocol
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.url
+ target_field: url.path
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.xid
+ target_field: dns.id
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.scertcname
+ target_field: tls.client.server_name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.scertissuer
+ target_field: tls.server.issuer
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.ccertissuer
+ target_field: tls.client.issuer
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.sender
+ target_field: tls.server.issuer
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dtype
+ target_field: vulnerability.category
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.ref
+ target_field: event.reference
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filehash
+ target_field: fortinet.file.hash.crc32
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx.destination?.ip != null"
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+- append:
+ field: related.hash
+ value: "{{fortinet.file.hash.crc32}}"
+ if: "ctx.fortinet?.file?.hash?.crc32 != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/x-pack/filebeat/module/fortinet/firewall/manifest.yml b/x-pack/filebeat/module/fortinet/firewall/manifest.yml
new file mode 100644
index 00000000000..9482a0369b4
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/firewall/manifest.yml
@@ -0,0 +1,19 @@
+module_version: 1.0
+
+var:
+ - name: syslog_host
+ default: localhost
+ - name: tags
+ default: [fortinet-firewall]
+ - name: syslog_port
+ default: 9004
+ - name: input
+ default: syslog
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/event.yml
+ - ingest/utm.yml
+ - ingest/traffic.yml
+
+input: config/firewall.yml
\ No newline at end of file
diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log
new file mode 100644
index 00000000000..78921e79db8
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log
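Review bot: `fortinet.firewall.sender` is renamed twice in this hunk: first to `source.user.email`, and again much later, next to the `scertissuer`/`ccertissuer` renames, to `tls.server.issuer`. The second rename can never fire for an event that carried the field (the first one already moved it and `ignore_missing` masks that), and an email sender is not a certificate issuer in any case, so it reads as a copy-paste slip; drop the `- rename:` block that maps `fortinet.firewall.sender` to `tls.server.issuer`, since `scertissuer` already fills that field. Separately, `fortinet.firewall.error` is renamed to `event.message`, which does not appear to be an ECS field; `message` (the target used for `msg`) or leaving it under `fortinet.firewall` would be the conventional choice. The bytes-summing script near the end of this hunk has the string-concatenation problem raised on the traffic.yml hunk above.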
@@ -0,0 +1,27 @@
+<188>date=2020-04-23 time=12:17:48 devname="testswitch1" devid="somerouterid" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1587230269052907555 tz="-0500" policyid=100602 sessionid=1234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=61930 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="blocked" reqtype="direct" url="/config/" sentbyte=1152 rcvdbyte=1130 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=76 catdesc="Internet Telephony"
+<189>date=2020-04-23 time=12:17:45 devname="testswitch1" devid="somerouterid" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1587230266314799756 tz="-0500" policyid=38 sessionid=543234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=65236 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="passthrough" reqtype="direct" url="/" sentbyte=3545 rcvdbyte=6812 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email"
+<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230255061492894 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
+<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
+<190>date=2020-04-23 time=12:17:11 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230232148674303 tz="-0500" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=63012 dstport=443 srcintf="port1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100602 sessionid=543234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.no" incidentserialno=54323 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium"
+<189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access"
+<190>date=2020-04-23 time=12:17:12 devname="testswitch1" devid="somerouterid" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" eventtime=1587230232658642672 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=235 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN"
+<189>date=2020-04-23 time=13:15:18 devname="testswitch2" devid="someotherid" logid="1700062001" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="notice" vd="root" eventtime=1587230118838592454 tz="-0400" policyid=12 sessionid=42346234 service="HTTPS" user="elasticuser2" group="elasticgroup2" profile="somecerts" srcip=192.168.2.1 srcport=59726 dstip=8.8.4.4 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 action="passthrough" msg="Server certificate passed" reason="untrusted-cert"
+<189>date=2020-04-23 time=12:32:48 devname="testswitch3" devid="someotherrouteridagain" logid="0102043014" type="event" subtype="user" level="notice" vd="root" eventtime=1587231168439640874 tz="-0500" logdesc="FSSO logon authentication status" srcip=10.10.10.10 user="elasticouser" server="elasticserver" action="FSSO-logon" msg="FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10"
+<187>date=2020-04-23 time=12:32:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" eventtime=1587231168339114138 tz="-0500" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=8.8.4.4 locip=8.8.8.8 remport=500 locport=500 outintf="wan2" cookies="345hkjhdrs87/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"
+<189>date=2020-04-23 time=12:32:31 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231151628960857 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.4.5.4 locip=9.9.9.9 remport=500 locport=500 outintf="wan1" cookies="df868dsg876d/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="elasticvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK"
+<189>date=2020-04-23 time=14:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0100040704" type="event" subtype="system" level="notice" vd="root" eventtime=1587231129938795255 tz="-0300" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=10 totalsession=23 disk=0 bandwidth="23/4" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=331 sysuptime=25170 msg="Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0"
+<189>date=2020-04-23 time=12:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0102043039" type="event" subtype="user" level="notice" vd="root" eventtime=1587231130109462858 tz="-0500" logdesc="Authentication logon" srcip=10.10.10.10 user="elastiiiuser" authserver="FSSO_elastiauth" action="auth-logon" status="logon" msg="User elastiiiuser added to auth logon"
+<189>date=2020-04-23 time=12:32:00 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231120608961118 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.8.5.4 locip=7.6.3.4 remport=500 locport=500 outintf="wan1" cookies="345khj34566/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="testvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK"
+<189>date=2020-04-23 time=14:24:13 devname="testswitch3" devid="someotherrouteridagain" logid="0100041006" type="event" subtype="system" level="notice" vd="root" eventtime=1587230655301863513 tz="-0300" logdesc="FortiSandbox AV database updated" version="1.522479" msg="FortiSandbox AV database updated"
+<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0107045057" type="event" subtype="endpoint" level="information" vd="root" eventtime=1587230627558979735 tz="-0500" logdesc="FortiClient connection added" action="add" status="success" license_limit="unlimited" used_for_type=3 connection_type="sslvpn" count=2 user="elastico" ip=172.16.0.2 name="somerouter" fctuid="645234fdd01F885824F764" msg="Add a FortiClient Connection."
+<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039943" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627334405765 tz="-0500" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=2 remip=8.8.8.6 user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection"
+<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627698970007 tz="-0500" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=2345 remip=8.8.5.4 tunnelip=10.10.10.10 user="someuser" group="somegroup" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"
+<189>date=2020-04-23 time=14:16:42 devname="testswitch3" devid="someotherrouteridagain" logid="0102043015" type="event" subtype="user" level="notice" vd="root" eventtime=1587230204674924332 tz="-0300" logdesc="FSSO log off authentication status" srcip=192.168.1.1 user="elasticadmin" server="FSSO_somefssoserver" action="FSSO-logoff" msg="FSSO-logoff event from FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1"
+<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022915" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163121116383 tz="-0500" logdesc="FortiCloud server connected" server="9.9.9.9" action="connect" msg="FortiCloud 9.9.9.9 server is connected"
+<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022913" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163375149856 tz="-0500" logdesc="FortiCloud server disconnected" server="4.4.4.4" action="disconnect" reason="connection reset" msg="FortiCloud 4.4.4.4 server is disconnected"
+<188>date=2020-04-23 time=12:14:09 devname="newfirewall" devid="newrouterid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230049761513222 tz="-0500" srcip=192.168.1.6 srcport=53438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" sessionid=435234 proto=17 action="dns" policyid=26 policytype="policy" poluuid="2345de-b143-52134d8-6654f-4654sdfg16f431" policyname="elasticnewruleset" service="DNS" dstcountry="Netherlands" srccountry="Reserved" appcat="unscanned" crscore=5 craction=54144 crlevel="low"
+<189>date=2020-04-23 time=12:11:51 devname="newfirewall" devid="newrouterid" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587229911390385486 tz="-0500" srcip=192.168.10.10 srcport=6000 srcintf="port1" srcintfrole="lan" dstip=8.6.4.7 dstport=6000 dstintf="wan1" dstintfrole="wan" sessionid=4352 proto=17 action="accept" policyid=3426 policytype="policy" poluuid="1765de8-5a13-765da73fdsfa1c" policyname="newruleelastic" service="portname" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=123.123.123.123 transport=60964 appcat="unknown" applist="policylist" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728
+<189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2001:4860:4860::8888 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2001:4860:4860::8888 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned"
+<189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=9.7.7.7 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=8.8.8.8 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned"
+<188>date=2020-04-23 time=12:14:39 devname="firewall3" devid="oldfwid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230079841464445 tz="-0500" srcip=192.168.1.1 srcport=62493 srcintf="port1" srcintfrole="lan" dstip=192.168.100.100 dstport=1235 dstintf="newinterface" dstintfrole="undefined" sessionid=54234 proto=17 action="ip-conn" policyid=49 policytype="policy" poluuid="654cc-b6542-53467u8-e45234-1566casd35f7836" policyname="oldpolicyname" user="elasticsuper" authserver="FSSO_newfsso" service="udp/12302" dstcountry="Reserved" srccountry="Reserved" appcat="unscanned" crscore=5 craction=63332144 crlevel="low"
+<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low"
\ No newline at end of file
diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json
new file mode 100644
index 00000000000..667eb25b9b5
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json
@@ -0,0 +1,1524 @@ +[ + { + "@timestamp": "2020-04-23T12:17:48.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": "1130", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.port": "443", + "event.action": "ftgd_blk", + "event.category": [ + "network" + ], + "event.code": "0316013056", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:17:49.052-05:00", + "event.timezone": "-0500", + "event.type": [ + "denied" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "blocked", + "fortinet.firewall.authserver": "elasticauth", + "fortinet.firewall.cat": "76", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.method": "domain", + "fortinet.firewall.reqtype": "direct", + "fortinet.firewall.sessionid": "1234", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "webfilter", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "message": "URL belongs to a denied category in policy", + "network.bytes": "11521130", + "network.direction": "outgoing", + "network.iana_number": "6", + "network.protocol": "https", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "port1", + "observer.name": "testswitch1", + "observer.product": "Fortigate", + "observer.serial_number": "somerouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.2.1", + "8.8.8.8" + ], + "related.user": [ + "elasticuser" + ], + "rule.category": "Internet Telephony", + "rule.id": "100602", + "rule.ruleset": "elasticruleset", + "service.type": "fortinet", + 
"source.bytes": "1152", + "source.ip": "192.168.2.1", + "source.port": "61930", + "source.user.group.name": "elasticgroup", + "source.user.name": "elasticuser", + "tags": [ + "fortinet-firewall" + ], + "url.domain": "elastic.co", + "url.path": "/config/" + }, + { + "@timestamp": "2020-04-23T12:17:45.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": "6812", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.port": "443", + "event.action": "ftgd_allow", + "event.category": [ + "network" + ], + "event.code": "0317013312", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:17:46.314-05:00", + "event.timezone": "-0500", + "event.type": [ + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "passthrough", + "fortinet.firewall.authserver": "elasticauth", + "fortinet.firewall.cat": "23", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.method": "domain", + "fortinet.firewall.reqtype": "direct", + "fortinet.firewall.sessionid": "543234", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "webfilter", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 707, + "message": "URL belongs to an allowed category in policy", + "network.bytes": "35456812", + "network.direction": "outgoing", + "network.iana_number": "6", + "network.protocol": "https", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "port1", + "observer.name": "testswitch1", + "observer.product": "Fortigate", + "observer.serial_number": "somerouterid", + "observer.type": "firewall", + 
"observer.vendor": "Fortinet", + "related.ip": [ + "192.168.2.1", + "8.8.8.8" + ], + "related.user": [ + "elasticuser" + ], + "rule.category": "Web-based Email", + "rule.id": "38", + "rule.ruleset": "elasticruleset", + "service.type": "fortinet", + "source.bytes": "3545", + "source.ip": "192.168.2.1", + "source.port": "65236", + "source.user.group.name": "elasticgroup", + "source.user.name": "elasticuser", + "tags": [ + "fortinet-firewall" + ], + "url.domain": "elastic.co", + "url.path": "/" + }, + { + "@timestamp": "2020-04-23T13:17:35.000-04:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.port": "443", + "event.action": "signature", + "event.category": [ + "network" + ], + "event.code": "1059028704", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T13:17:35.061-04:00", + "event.timezone": "-0400", + "event.type": [ + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "pass", + "fortinet.firewall.appid": "40568", + "fortinet.firewall.apprisk": "medium", + "fortinet.firewall.authserver": "elasticauth", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.incidentserialno": "23465", + "fortinet.firewall.sessionid": "453234", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "app-ctrl", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "information", + "log.offset": 1409, + "message": "Web.Client: HTTPS.BROWSER,", + "network.application": "HTTPS.BROWSER", + "network.direction": "outgoing", + "network.iana_number": "6", + "network.protocol": "ssl", + "observer.egress.interface.name": 
"wan1", + "observer.ingress.interface.name": "LAN", + "observer.name": "testswitch1", + "observer.product": "Fortigate", + "observer.serial_number": "somerouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.2.1", + "8.8.8.8" + ], + "related.user": [ + "elasticuser" + ], + "rule.category": "Web-Client", + "rule.id": "12", + "rule.ruleset": "elasticruleset", + "service.type": "fortinet", + "source.ip": "192.168.2.1", + "source.port": "59790", + "source.user.group.name": "elasticgroup", + "source.user.name": "elasticuser", + "tags": [ + "fortinet-firewall" + ], + "tls.client.server_name": "test.elastic.co", + "url.domain": "elastic.co", + "url.path": "/" + }, + { + "@timestamp": "2020-04-23T12:17:29.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.port": "53", + "dns.id": "2234", + "dns.question.class": "IN", + "dns.question.name": "elastic.example.com", + "dns.question.type": "A", + "dns.resolved_ip": "8.8.8.8", + "event.action": "dns-response", + "event.category": [ + "network" + ], + "event.code": "1501054802", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:17:29.360-05:00", + "event.timezone": "-0500", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "pass", + "fortinet.firewall.cat": "23", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.qtypeval": "1", + "fortinet.firewall.sessionid": "543234", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "dns", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", 
+ "log.level": "notice", + "log.offset": 2112, + "message": "Domain is monitored", + "network.iana_number": "17", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "port1", + "observer.name": "testswitch1", + "observer.product": "Fortigate", + "observer.serial_number": "somerouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.2.1", + "8.8.8.8" + ], + "rule.category": "Web-based Email", + "rule.id": "26", + "rule.ruleset": "test", + "service.type": "fortinet", + "source.ip": "192.168.2.1", + "source.port": "53430", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:17:11.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.port": "443", + "event.action": "signature", + "event.category": [ + "network" + ], + "event.code": "1059028704", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:17:12.148-05:00", + "event.timezone": "-0500", + "event.type": [ + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "pass", + "fortinet.firewall.appid": "40568", + "fortinet.firewall.apprisk": "medium", + "fortinet.firewall.authserver": "elasticauth", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.incidentserialno": "54323", + "fortinet.firewall.sessionid": "543234", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "app-ctrl", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "information", + "log.offset": 2662, + "message": "Web.Client: HTTPS.BROWSER,", + "network.application": 
"HTTPS.BROWSER", + "network.direction": "outgoing", + "network.iana_number": "6", + "network.protocol": "ssl", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "port1", + "observer.name": "testswitch1", + "observer.product": "Fortigate", + "observer.serial_number": "somerouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.2.1", + "8.8.8.8" + ], + "related.user": [ + "elasticuser" + ], + "rule.category": "Web-Client", + "rule.id": "100602", + "rule.ruleset": "elasticruleset", + "service.type": "fortinet", + "source.ip": "192.168.2.1", + "source.port": "63012", + "source.user.group.name": "elasticgroup", + "source.user.name": "elasticuser", + "tags": [ + "fortinet-firewall" + ], + "url.domain": "elastic.no", + "url.path": "/" + }, + { + "@timestamp": "2020-04-23T12:17:04.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.port": "53", + "dns.id": "2352", + "dns.question.class": "IN", + "dns.question.name": "elastic.co", + "dns.question.type": "A", + "dns.resolved_ip": "8.8.8.8", + "event.action": "dns-response", + "event.category": [ + "network" + ], + "event.code": "1501054802", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:17:04.712-05:00", + "event.timezone": "-0500", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "pass", + "fortinet.firewall.cat": "93", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.qtypeval": "1", + "fortinet.firewall.sessionid": "5432", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": 
"dns", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 3342, + "message": "Domain is monitored", + "network.iana_number": "17", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "port1", + "observer.name": "testswitch1", + "observer.product": "Fortigate", + "observer.serial_number": "somerouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.2.1", + "8.8.8.8" + ], + "rule.category": "Remote Access", + "rule.id": "26", + "rule.ruleset": "elastictest", + "service.type": "fortinet", + "source.ip": "192.168.2.1", + "source.port": "54438", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:17:12.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.port": "53", + "dns.id": "235", + "dns.question.class": "IN", + "dns.question.name": "elastic.co", + "dns.question.type": "A", + "event.action": "dns-query", + "event.category": [ + "network" + ], + "event.code": "1500054000", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.start": "2020-04-18T12:17:12.658-05:00", + "event.timezone": "-0500", + "event.type": [ + "info" + ], + "fileset.name": "firewall", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.qtypeval": "1", + "fortinet.firewall.sessionid": "543234", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "dns", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "information", + "log.offset": 3886, + "network.iana_number": "17", + "observer.egress.interface.name": "wan1", 
+ "observer.ingress.interface.name": "port1", + "observer.name": "testswitch1", + "observer.product": "Fortigate", + "observer.serial_number": "somerouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.2.1", + "8.8.8.8" + ], + "rule.id": "26", + "rule.ruleset": "elastictest", + "service.type": "fortinet", + "source.ip": "192.168.2.1", + "source.port": "54788", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T13:15:18.000-04:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": "443", + "event.action": "ssl-anomalies", + "event.category": [ + "network" + ], + "event.code": "1700062001", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T13:15:18.838-04:00", + "event.timezone": "-0400", + "event.type": [ + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "passthrough", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.reason": "untrusted-cert", + "fortinet.firewall.sessionid": "42346234", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "ssl", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 4345, + "message": "Server certificate passed", + "network.iana_number": "6", + "network.protocol": "https", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "LAN", + "observer.name": "testswitch2", + "observer.product": "Fortigate", + "observer.serial_number": "someotherid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + 
"192.168.2.1", + "8.8.4.4" + ], + "related.user": [ + "elasticuser2" + ], + "rule.id": "12", + "rule.ruleset": "somecerts", + "service.type": "fortinet", + "source.ip": "192.168.2.1", + "source.port": "59726", + "source.user.group.name": "elasticgroup2", + "source.user.name": "elasticuser2", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:32:48.000-05:00", + "event.category": [ + "authentication" + ], + "event.code": "0102043014", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:32:48.439-05:00", + "event.timezone": "-0500", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "FSSO-logon", + "fortinet.firewall.server": "elasticserver", + "fortinet.firewall.subtype": "user", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 4875, + "message": "FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.10.10.10" + ], + "related.user": [ + "elasticouser" + ], + "rule.description": "FSSO logon authentication status", + "service.type": "fortinet", + "source.ip": "10.10.10.10", + "source.user.name": "elasticouser", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:32:47.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": "500", + "event.category": [ + "network" + ], + 
"event.code": "0101037124", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "failure", + "event.start": "2020-04-18T12:32:48.339-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "negotiate", + "fortinet.firewall.cookies": "345hkjhdrs87/0000000000000000", + "fortinet.firewall.outintf": "wan2", + "fortinet.firewall.peer_notif": "NOT-APPLICABLE", + "fortinet.firewall.reason": "peer SA proposal not match local policy", + "fortinet.firewall.status": "negotiate_error", + "fortinet.firewall.subtype": "vpn", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "fortinet.firewall.vpntunnel": "N/A", + "fortinet.firewall.xauthgroup": "N/A", + "fortinet.firewall.xauthuser": "N/A", + "input.type": "log", + "log.level": "error", + "log.offset": 5288, + "message": "IPsec phase 1 error", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "8.8.8.8", + "8.8.4.4" + ], + "rule.description": "IPsec phase 1 error", + "service.type": "fortinet", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "source.port": "500", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:32:31.000-05:00", + "destination.as.number": 3356, + "destination.as.organization.name": "Level 3 Parent, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.4.5.4", + "destination.port": "500", + 
"event.category": [ + "network" + ], + "event.code": "0101037127", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:32:31.628-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "negotiate", + "fortinet.firewall.cookies": "df868dsg876d/0000000000000000", + "fortinet.firewall.init": "local", + "fortinet.firewall.mode": "main", + "fortinet.firewall.outintf": "wan1", + "fortinet.firewall.result": "OK", + "fortinet.firewall.role": "initiator", + "fortinet.firewall.stage": "1", + "fortinet.firewall.status": "success", + "fortinet.firewall.subtype": "vpn", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "fortinet.firewall.vpntunnel": "elasticvpn", + "fortinet.firewall.xauthgroup": "N/A", + "fortinet.firewall.xauthuser": "N/A", + "input.type": "log", + "log.level": "notice", + "log.offset": 5856, + "message": "progress IPsec phase 1", + "network.direction": "outbound", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "9.9.9.9", + "8.4.5.4" + ], + "rule.description": "Progress IPsec phase 1", + "service.type": "fortinet", + "source.as.number": 19281, + "source.as.organization.name": "Quad9", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": "9.9.9.9", + "source.port": "500", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T14:32:09.000-03:00", + "event.category": [ + "host" + ], + "event.code": "0100040704", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.start": "2020-04-18T14:32:09.938-03:00", + 
"event.timezone": "-0300", + "event.type": [ + "info" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "perf-stats", + "fortinet.firewall.bandwidth": "23/4", + "fortinet.firewall.cpu": "0", + "fortinet.firewall.disk": "0", + "fortinet.firewall.disklograte": "0", + "fortinet.firewall.fazlograte": "0", + "fortinet.firewall.freediskstorage": "331", + "fortinet.firewall.mem": "10", + "fortinet.firewall.setuprate": "0", + "fortinet.firewall.subtype": "system", + "fortinet.firewall.sysuptime": "25170", + "fortinet.firewall.totalsession": "23", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 6430, + "message": "Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "rule.description": "System performance statistics", + "service.type": "fortinet", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:32:09.000-05:00", + "event.category": [ + "authentication" + ], + "event.code": "0102043039", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:32:10.109-05:00", + "event.timezone": "-0500", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "auth-logon", + "fortinet.firewall.authserver": "FSSO_elastiauth", + "fortinet.firewall.status": "logon", + "fortinet.firewall.subtype": "user", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 6920, + "message": "User elastiiiuser added to auth logon", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": 
"someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.10.10.10" + ], + "related.user": [ + "elastiiiuser" + ], + "rule.description": "Authentication logon", + "service.type": "fortinet", + "source.ip": "10.10.10.10", + "source.user.name": "elastiiiuser", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:32:00.000-05:00", + "destination.as.number": 3356, + "destination.as.organization.name": "Level 3 Parent, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.5.4", + "destination.port": "500", + "event.category": [ + "network" + ], + "event.code": "0101037127", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:32:00.608-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "negotiate", + "fortinet.firewall.cookies": "345khj34566/0000000000000000", + "fortinet.firewall.init": "local", + "fortinet.firewall.mode": "main", + "fortinet.firewall.outintf": "wan1", + "fortinet.firewall.result": "OK", + "fortinet.firewall.role": "initiator", + "fortinet.firewall.stage": "1", + "fortinet.firewall.status": "success", + "fortinet.firewall.subtype": "vpn", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "fortinet.firewall.vpntunnel": "testvpn", + "fortinet.firewall.xauthgroup": "N/A", + "fortinet.firewall.xauthuser": "N/A", + "input.type": "log", + "log.level": "notice", + "log.offset": 7298, + "message": "progress IPsec phase 1", + "network.direction": "outbound", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + 
"observer.vendor": "Fortinet", + "related.ip": [ + "7.6.3.4", + "8.8.5.4" + ], + "rule.description": "Progress IPsec phase 1", + "service.type": "fortinet", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "7.6.3.4", + "source.port": "500", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T14:24:13.000-03:00", + "event.code": "0100041006", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.start": "2020-04-18T14:24:15.301-03:00", + "event.timezone": "-0300", + "fileset.name": "firewall", + "fortinet.firewall.subtype": "system", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "fortinet.firewall.version": "1.522479", + "input.type": "log", + "log.level": "notice", + "log.offset": 7868, + "message": "FortiSandbox AV database updated", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "rule.description": "FortiSandbox AV database updated", + "service.type": "fortinet", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:23:47.000-05:00", + "event.code": "0107045057", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.start": "2020-04-18T12:23:47.558-05:00", + "event.timezone": "-0500", + "fileset.name": "firewall", + "fortinet.firewall.action": "add", + "fortinet.firewall.connection_type": "sslvpn", + "fortinet.firewall.count": "2", + "fortinet.firewall.fctuid": "645234fdd01F885824F764", + "fortinet.firewall.ip": "172.16.0.2", + "fortinet.firewall.license_limit": "unlimited", + "fortinet.firewall.name": "somerouter", + "fortinet.firewall.status": "success", + "fortinet.firewall.subtype": "endpoint", + "fortinet.firewall.type": 
"event", + "fortinet.firewall.used_for_type": "3", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "information", + "log.offset": 8172, + "message": "Add a FortiClient Connection.", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.user": [ + "elastico" + ], + "rule.description": "FortiClient connection added", + "service.type": "fortinet", + "source.user.name": "elastico", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:23:47.000-05:00", + "destination.address": "N/A", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.6", + "event.category": [ + "network" + ], + "event.code": "0101039943", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.start": "2020-04-18T12:23:47.334-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "ssl-new-con", + "fortinet.firewall.reason": "N/A", + "fortinet.firewall.subtype": "vpn", + "fortinet.firewall.tunnelid": "2", + "fortinet.firewall.tunneltype": "ssl", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "information", + "log.offset": 8642, + "message": "SSL new connection", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "8.8.8.6" + ], + "rule.description": "SSL VPN new connection", + "service.type": "fortinet", + "tags": [ + "fortinet-firewall" 
+ ] + }, + { + "@timestamp": "2020-04-23T12:23:47.000-05:00", + "destination.address": "N/A", + "destination.as.number": 3356, + "destination.as.organization.name": "Level 3 Parent, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.5.4", + "event.category": [ + "network" + ], + "event.code": "0101039947", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.start": "2020-04-18T12:23:47.698-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "tunnel-up", + "fortinet.firewall.reason": "tunnel established", + "fortinet.firewall.subtype": "vpn", + "fortinet.firewall.tunnelid": "2345", + "fortinet.firewall.tunnelip": "10.10.10.10", + "fortinet.firewall.tunneltype": "ssl-tunnel", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "information", + "log.offset": 9019, + "message": "SSL tunnel established", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "8.8.5.4" + ], + "related.user": [ + "someuser" + ], + "rule.description": "SSL VPN tunnel up", + "service.type": "fortinet", + "source.user.group.name": "somegroup", + "source.user.name": "someuser", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T14:16:42.000-03:00", + "event.category": [ + "authentication" + ], + "event.code": "0102043015", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T14:16:44.674-03:00", + "event.timezone": "-0300", + "event.type": [ + "user", + "end" + ], + 
"fileset.name": "firewall", + "fortinet.firewall.action": "FSSO-logoff", + "fortinet.firewall.server": "FSSO_somefssoserver", + "fortinet.firewall.subtype": "user", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 9450, + "message": "FSSO-logoff event from FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.1.1" + ], + "related.user": [ + "elasticadmin" + ], + "rule.description": "FSSO log off authentication status", + "service.type": "fortinet", + "source.ip": "192.168.1.1", + "source.user.name": "elasticadmin", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:16:02.000-05:00", + "event.code": "0100022915", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.start": "2020-04-18T12:16:03.121-05:00", + "event.timezone": "-0500", + "fileset.name": "firewall", + "fortinet.firewall.action": "connect", + "fortinet.firewall.server": "9.9.9.9", + "fortinet.firewall.subtype": "system", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 9875, + "message": "FortiCloud 9.9.9.9 server is connected", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "rule.description": "FortiCloud server connected", + "service.type": "fortinet", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:16:02.000-05:00", + "event.code": "0100022913", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.start": 
"2020-04-18T12:16:03.375-05:00", + "event.timezone": "-0500", + "fileset.name": "firewall", + "fortinet.firewall.action": "disconnect", + "fortinet.firewall.reason": "connection reset", + "fortinet.firewall.server": "4.4.4.4", + "fortinet.firewall.subtype": "system", + "fortinet.firewall.type": "event", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 10195, + "message": "FortiCloud 4.4.4.4 server is disconnected", + "observer.name": "testswitch3", + "observer.product": "Fortigate", + "observer.serial_number": "someotherrouteridagain", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "rule.description": "FortiCloud server disconnected", + "service.type": "fortinet", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:14:09.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.port": "53", + "event.action": "dns", + "event.category": [ + "network" + ], + "event.code": "0000000011", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:14:09.761-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection", + "end", + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "dns", + "fortinet.firewall.craction": "54144", + "fortinet.firewall.crlevel": "low", + "fortinet.firewall.crscore": "5", + "fortinet.firewall.dstcountry": "Netherlands", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.sessionid": "435234", + "fortinet.firewall.srccountry": "Reserved", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "forward", + "fortinet.firewall.type": 
"traffic", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "warning", + "log.offset": 10550, + "network.iana_number": "17", + "network.protocol": "dns", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "port1", + "observer.name": "newfirewall", + "observer.product": "Fortigate", + "observer.serial_number": "newrouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.1.6", + "8.8.8.8" + ], + "rule.category": "unscanned", + "rule.id": "26", + "rule.name": "elasticnewruleset", + "rule.ruleset": "policy", + "rule.uuid": "2345de-b143-52134d8-6654f-4654sdfg16f431", + "service.type": "fortinet", + "source.ip": "192.168.1.6", + "source.port": "53438", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:11:51.000-05:00", + "destination.as.number": 40386, + "destination.as.organization.name": "Bloomip Inc.", + "destination.bytes": "65446", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.6.4.7", + "destination.packets": "1045601", + "destination.port": "6000", + "event.action": "accept", + "event.category": [ + "network" + ], + "event.code": "0000000020", + "event.dataset": "fortinet.firewall", + "event.duration": 5462000000000, + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:11:51.390-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection", + "end", + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "accept", + "fortinet.firewall.applist": "policylist", + "fortinet.firewall.dstcountry": "Netherlands", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.rcvddelta": "728", + "fortinet.firewall.sentdelta": "576", + "fortinet.firewall.sessionid": "4352", + 
"fortinet.firewall.srccountry": "Reserved", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "forward", + "fortinet.firewall.trandisp": "snat", + "fortinet.firewall.type": "traffic", + "fortinet.firewall.vd": "root", + "fortinet.firewall.vwlid": "0", + "input.type": "log", + "log.level": "notice", + "log.offset": 11142, + "network.bytes": "43865065446", + "network.iana_number": "17", + "network.packets": "7234171045601", + "network.protocol": "portname", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "port1", + "observer.name": "newfirewall", + "observer.product": "Fortigate", + "observer.serial_number": "newrouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.10.10", + "8.6.4.7" + ], + "rule.category": "unknown", + "rule.id": "3426", + "rule.name": "newruleelastic", + "rule.ruleset": "policy", + "rule.uuid": "1765de8-5a13-765da73fdsfa1c", + "service.type": "fortinet", + "source.as.number": 4808, + "source.as.organization.name": "China Unicom Beijing Province Network", + "source.bytes": "438650", + "source.geo.city_name": "Beijing", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 39.9288, + "source.geo.location.lon": 116.3889, + "source.geo.region_iso_code": "CN-BJ", + "source.geo.region_name": "Beijing", + "source.ip": "192.168.10.10", + "source.nat.ip": "123.123.123.123", + "source.nat.port": "60964", + "source.packets": "723417", + "source.port": "6000", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:11:48.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": "20", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "2001:4860:4860::8888", + 
"destination.packets": "0", + "event.action": "accept", + "event.category": [ + "network" + ], + "event.code": "0001000014", + "event.dataset": "fortinet.firewall", + "event.duration": 42000000000, + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:11:48.751-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection", + "end", + "protocol", + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "accept", + "fortinet.firewall.dstintfrole": "undefined", + "fortinet.firewall.identifier": "0", + "fortinet.firewall.sessionid": "6542345", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "local", + "fortinet.firewall.trandisp": "noop", + "fortinet.firewall.type": "traffic", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 11876, + "network.application": "icmp6/25/0", + "network.bytes": "301420", + "network.iana_number": "58", + "network.packets": "40", + "network.protocol": "icmp6/1/0", + "observer.egress.interface.name": "unknown0", + "observer.ingress.interface.name": "port1", + "observer.name": "newfirewall", + "observer.product": "Fortigate", + "observer.serial_number": "newrouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "2001:4860:4860::8888", + "2001:4860:4860::8888" + ], + "rule.category": "unscanned", + "rule.id": "0", + "rule.ruleset": "someotherpolicy", + "service.type": "fortinet", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.bytes": "3014", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "2001:4860:4860::8888", + "source.packets": "4", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T13:10:57.000-04:00", + "destination.as.number": 15169, + 
"destination.as.organization.name": "Google LLC", + "destination.bytes": "10", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": "40", + "event.action": "accept", + "event.category": [ + "network" + ], + "event.code": "0001000014", + "event.dataset": "fortinet.firewall", + "event.duration": 20000000000, + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T13:10:57.509-04:00", + "event.timezone": "-0400", + "event.type": [ + "connection", + "end", + "protocol", + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "accept", + "fortinet.firewall.dstcountry": "Norway", + "fortinet.firewall.dstintfrole": "undefined", + "fortinet.firewall.identifier": "61", + "fortinet.firewall.sessionid": "123", + "fortinet.firewall.srccountry": "Netherlands", + "fortinet.firewall.srcintfrole": "wan", + "fortinet.firewall.subtype": "local", + "fortinet.firewall.trandisp": "noop", + "fortinet.firewall.type": "traffic", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "notice", + "log.offset": 12426, + "network.application": "PING", + "network.bytes": "010", + "network.iana_number": "1", + "network.packets": "040", + "network.protocol": "ping", + "observer.egress.interface.name": "unknown0", + "observer.ingress.interface.name": "wan1", + "observer.name": "newfirewall", + "observer.product": "Fortigate", + "observer.serial_number": "newrouterid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "9.7.7.7", + "8.8.8.8" + ], + "rule.category": "unscanned", + "rule.id": "0", + "rule.ruleset": "rulepolicy", + "service.type": "fortinet", + "source.bytes": "0", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "9.7.7.7", + "source.packets": "0", + "tags": [ + "fortinet-firewall" + ] + }, + { + "@timestamp": "2020-04-23T12:14:39.000-05:00", + "destination.ip": "192.168.100.100", + "destination.port": "1235", + "event.action": "ip-conn", + "event.category": [ + "network" + ], + "event.code": "0000000011", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:14:39.841-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection", + "end", + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "ip-conn", + "fortinet.firewall.authserver": "FSSO_newfsso", + "fortinet.firewall.craction": "63332144", + "fortinet.firewall.crlevel": "low", + "fortinet.firewall.crscore": "5", + "fortinet.firewall.dstcountry": "Reserved", + "fortinet.firewall.dstintfrole": "undefined", + "fortinet.firewall.sessionid": "54234", + "fortinet.firewall.srccountry": "Reserved", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "forward", + "fortinet.firewall.type": "traffic", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "warning", + "log.offset": 12972, + "network.iana_number": "17", + "network.protocol": "udp/12302", + "observer.egress.interface.name": "newinterface", + "observer.ingress.interface.name": "port1", + "observer.name": "firewall3", + "observer.product": "Fortigate", + "observer.serial_number": "oldfwid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.1.1", + "192.168.100.100" + ], + "related.user": [ + "elasticsuper" + ], + "rule.category": "unscanned", + "rule.id": "49", + "rule.name": "oldpolicyname", + "rule.ruleset": "policy", + "rule.uuid": "654cc-b6542-53467u8-e45234-1566casd35f7836", + "service.type": "fortinet", + "source.ip": "192.168.1.1", + "source.port": "62493", + 
"source.user.name": "elasticsuper", + "tags": [ + "fortinet-firewall" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/module.yml b/x-pack/filebeat/module/fortinet/module.yml new file mode 100644 index 00000000000..73b314ff7c7 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/module.yml @@ -0,0 +1 @@ +--- \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled new file mode 100644 index 00000000000..52dc7e79a9e --- /dev/null +++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled @@ -0,0 +1,16 @@ +# Module: fortinet +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-fortinet.html + +- module: fortinet + firewall: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9004