Syslog data from my Fortinet firewall is not being parsed out correctly. I have noticed that there are multiple formats of messages.
This first format parses out correctly.
... policyid=474 sessionid=3929476361 user="FRED" group="RegularSupport.Grp" srcip=10.120.2.26 ...
These do not (specifically, the user field is not populated):
.... policyid=441 sessionid=3929476369 user="BARNEY" srcip=10.120.36.105 ....
(missing group after user field)
..... policyid=471 sessionid=3929476336 user="BETTY" group="TL-AVP-SVP.Grp" srcip=10.120.2.128 ....
(has "-" in the text for group)
.... policyid=103 sessionid=3929476142 user="WILMA" group="Wkstns_SSLVPN_PD.Grp" srcip=172.24.1.18 ......
(has "_" in the text for group).
I tried to do an extract fields on one of the different events; that solved the issue for the new event, but the original event no longer works.
I assume that there is a regex somewhere that parses this out, but I cannot find it. My question is: where do I go to find out where it is, so I can hopefully generate one that works?
Scott
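The failure pattern in the post (one event format extracts, the others lose the user field) is what a positional regex does when it captures user and group in a single pattern and only allows the characters it saw in the first sample. The following is an added example, not code from the post or from the firewall vendor; the sample events are constructed from the four fragments quoted above with the elided parts replaced by a made-up neighbouring field, and the "brittle" pattern is a hypothetical stand-in for whatever the field-extraction wizard produced. It contrasts that positional extraction with a generic key=value tokenizer that pulls every field out independently, so a missing group, a "-" or a "_" no longer affects user.

```python
import re

# Constructed sample events modelled on the four variants quoted in the post.
# These are not real firewall output; the "..." in the post has been replaced
# by a made-up action field so each line is a complete key=value record.
SAMPLE_EVENTS = [
    'policyid=474 sessionid=3929476361 user="FRED" group="RegularSupport.Grp" srcip=10.120.2.26 action="accept"',
    'policyid=441 sessionid=3929476369 user="BARNEY" srcip=10.120.36.105 action="accept"',
    'policyid=471 sessionid=3929476336 user="BETTY" group="TL-AVP-SVP.Grp" srcip=10.120.2.128 action="accept"',
    'policyid=103 sessionid=3929476142 user="WILMA" group="Wkstns_SSLVPN_PD.Grp" srcip=172.24.1.18 action="accept"',
]

# Hypothetical positional extraction of the kind a point-and-click field
# extractor tends to generate from a single sample: user and group must both
# be present, in this order, and group may only contain letters and dots
# (the characters seen in the first sample event).
BRITTLE_RE = re.compile(r'user="(?P<user>[^"]+)" group="(?P<group>[A-Za-z.]+)"')


def extract_brittle(line):
    """Return {'user', 'group'} if the positional pattern matches, else {}.

    Because user and group are captured together, the whole match fails
    (and user is lost) whenever group is absent or contains '-' or '_'.
    """
    m = BRITTLE_RE.search(line)
    return m.groupdict() if m else {}


# Generic key=value tokenizer.  Each pair is matched on its own, so the
# presence, order and contents of other fields do not matter.  A quoted value
# may contain any character except an unescaped double quote; an unquoted
# value runs to the next whitespace.
KV_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S+))'
)


def parse_kv(line):
    """Return a dict of every key=value pair found in the event line."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted = m.group("quoted")
        fields[m.group("key")] = quoted if quoted is not None else m.group("bare")
    return fields


def users_by_method(events):
    """Return (brittle_users, kv_users): the user extracted from each event
    by each method, or None where the method found no user."""
    brittle = [extract_brittle(e).get("user") for e in events]
    kv = [parse_kv(e).get("user") for e in events]
    return brittle, kv


if __name__ == "__main__":
    brittle, kv = users_by_method(SAMPLE_EVENTS)
    for event, b, k in zip(SAMPLE_EVENTS, brittle, kv):
        print(f"{event[:60]}...\n  positional user={b!r}  key=value user={k!r}")
```

Whatever tool is doing the extraction, the check is the same: if the pattern names more than one field in a fixed order, or restricts a value to the characters seen in one sample, any event that deviates loses every field in that pattern. Extracting each `key=value` pair on its own, with a value class wide enough for quoted text, is what makes user survive the three odd formats.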