Hi,
I'm receiving FortiGate events via FortiAnalyzer and I need to set the host to the name of the device that created the event, which is contained in the event message as devname.
May 10 10:44:30 10.90.223.5 date=2021-05-10 time=11:44:30 devname="test" devid="test" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1620643470882685981 tz="+0100" srcip= srcport=62408 srcintf="" srcintfrole="undefined" dstip= dstport=53 dstintf="port2" dstintfrole="wan" sessionid=81948384 proto=17 action="accept" policyid=23 policytype="policy" poluuid="cbd3e37e-5bf1-51eb-f2ad-0a49a47d1d1d" service="Domain Services UDP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=76 rcvdbyte=194 sentpkt=1 rcvdpkt=1 vpn="" vpntype="ipsec-dynamic" appcat="unscanned"
I have started to build the transform below but it doesn't work.
[Set-Host-By-Devname]
# capture only the quoted devname value (the original character class was unbalanced and uppercase-only)
REGEX = devname="([^"]+)"
FORMAT = host::$1
DEST_KEY = MetaData:Host
Hi @Rhidian
Can you also share your props.conf?
Sure
[fortigate_log]
# TRANSFORMS-<class> needs a class name and the transform stanza as its value
TRANSFORMS-sethost = Set-Host-By-Devname
SHOULD_LINEMERGE = false
Hi @Rhidian
Try your props like this:
[fortigate_log]
TRANSFORMS-meta = Set-Host-By-Devname
SHOULD_LINEMERGE = false
If it doesn't work, we need to work on your regex.
No joy. I think it is the regex...
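To check the REGEX/FORMAT pair offline before reloading Splunk, here is an added example (not from this thread or from Splunk) that emulates how a transform with DEST_KEY = MetaData:Host rewrites the host from the sample event above; the apply_transform and regex_compiles helpers are assumptions for illustration, and the sample event is a constructed copy of the one in the question.

```python
import re

# Constructed sample event, trimmed from the one posted in the thread
SAMPLE_EVENT = (
    'May 10 10:44:30 10.90.223.5 date=2021-05-10 time=11:44:30 '
    'devname="test" devid="test" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root"'
)

# Transform settings under test: capture only the quoted devname value
DEVNAME_REGEX = r'devname="([^"]+)"'
FORMAT = "host::$1"


def regex_compiles(pattern):
    """Return True when the pattern is valid (an unbalanced class would fail here)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def apply_transform(event, regex=DEVNAME_REGEX, fmt=FORMAT, default_host=None):
    """Emulate a Splunk REGEX/FORMAT transform targeting MetaData:Host.

    Returns the new host value, or default_host when the regex does not
    match (Splunk leaves the original host untouched in that case).
    """
    m = re.search(regex, event)
    if not m:
        return default_host
    # Splunk FORMAT substitutes $1..$n with the capture groups
    value = fmt
    for i, group in enumerate(m.groups(), start=1):
        value = value.replace("$%d" % i, group)
    key, _, host = value.partition("::")
    if key != "host" or not host:
        raise ValueError("FORMAT must produce host::<value>, got %r" % value)
    return host


if __name__ == "__main__":
    print(apply_transform(SAMPLE_EVENT))  # prints "test"
```

An event without a devname field keeps the host the forwarder assigned (here the FortiAnalyzer IP), which is the behaviour to expect when the regex silently fails to match.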