topic Re: FortiAnalzer Field Extraction in Getting Data In

FortiAnalzer Field Extraction

Rhidian — Mon, 10 May 2021 11:30:29 GMT

Hi,

I'm receiving FortiGate event via FortiAnalyser and I need to set the Host to the name of the device that created the event which is contained in the event message as devname.

May 10 10:44:30 10.90.223.5 date=2021-05-10 time=11:44:30 devname="test" devid="test" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1620643470882685981 tz="+0100" srcip= srcport=62408 srcintf="" srcintfrole="undefined" dstip= dstport=53 dstintf="port2" dstintfrole="wan" sessionid=81948384 proto=17 action="accept" policyid=23 policytype="policy" poluuid="cbd3e37e-5bf1-51eb-f2ad-0a49a47d1d1d" service="Domain Services UDP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=76 rcvdbyte=194 sentpkt=1 rcvdpkt=1 vpn="" vpntype="ipsec-dynamic" appcat="unscanned"

I have started to build the transform below but it doesn't work.

[Set-Host-By-Devname]

REGEX = ([^.+?devname=\"[A-Z0-9]+")

FORMAT = host::$1

DEST_KEY = MetaData:Host

Re: FortiAnalzer Field Extraction

aasabatini — Mon, 10 May 2021 11:39:43 GMT

Hi @Rhidian

Can you share also your props.conf?

Re: FortiAnalzer Field Extraction

Rhidian — Mon, 10 May 2021 11:45:16 GMT

Sure

[fortigate_log]
TRANSFORMS-Set-Host-By-DevName
SHOULD_LINEMERGE = false

Re: FortiAnalzer Field Extraction

aasabatini — Mon, 10 May 2021 11:52:51 GMT

Hi @Rhidian

try your props like this

[fortigate_log] TRANSFORMS-meta = Set-Host-By-Devname SHOULD_LINEMERGE = false

if doesn't works we need to works on your regex

Re: FortiAnalzer Field Extraction

Rhidian — Mon, 10 May 2021 12:31:08 GMT

No joy I think it is the regex...