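I'm sharing here the final version of syslog-ng.conf that worked on trimming part of fortigate logs. However i noticed that license is being consumed like before 😞

@version: 3.35
@include "scl.conf"

# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.

# First, set some global options.
options {
    chain_hostnames(off);
    flush_lines(0);
    use_dns(no);
    use_fqdn(no);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(0);
    bad_hostname("^gconfd$");
    # With keep_hostname(yes) and use_dns(no), $HOST is taken from the
    # received message itself. Because $HOST is later used as a directory
    # component in the file() destinations below, reject hostnames that
    # contain characters outside the valid hostname set so a crafted
    # hostname cannot steer the output path.
    check_hostname(yes);
    create_dirs(yes);
    keep_hostname(yes);
    log_fifo_size(2048);
    log_msg_size(8192);
    time_reopen(10);
};

# Adding param to make syslog-ng listen on udp/514 for syslog
# NOTE(review): plain UDP has no sender authentication or transport
# protection; everything below (filters, $HOST, rewrite input) trusts
# the message content as received.
source s_net { udp(port(514)); };

# Adding destination for local file to receive FortiGate logs
# Path layout: <product>/$HOST/<date>-fortinet-<product>.log; $HOST comes
# from the message (see check_hostname above).
destination d_fortinet_fortigate { file("/root/syslog/logs/fortinet/fortigate/$HOST/$YEAR-$MONTH-$DAY-fortinet-fortigate.log" create_dirs(yes)); };
destination d_fortinet_fortiweb { file("/root/syslog/logs/fortinet/fortiweb/$HOST/$YEAR-$MONTH-$DAY-fortinet-fortiweb.log" create_dirs(yes)); };
destination d_fortinet_fortiauthenticator { file("/root/syslog/logs/fortinet/fortiauthenticator/$HOST/$YEAR-$MONTH-$DAY-fortinet-fortiauthenticator.log" create_dirs(yes)); };
destination d_fortinet_fortimail { file("/root/syslog/logs/fortinet/fortimail/$HOST/$YEAR-$MONTH-$DAY-fortinet-fortimail.log" create_dirs(yes)); };

# Filter to instruct syslog-ng how to identify FortiGate syslog
# Each filter matches on a product-specific key in MESSAGE. None of the
# log paths below use flags(final), so a message that satisfies more than
# one filter is written to every matching destination. The
# fortiauthenticator filter keys on a generic subcategory value rather
# than a device id, so it is the loosest of the four.
filter f_fortinet_fortigate { match("devid=\"FG[A-Z0-9]+\"" value("MESSAGE")); };
filter f_fortinet_fortiweb { match("device_id=FV[A-Z0-9]+" value("MESSAGE")); };
filter f_fortinet_fortiauthenticator { match("subcategory=\"Authentication\"" value("MESSAGE")); };
filter f_fortinet_fortimail { match("device_id=FE[A-Z0-9]+" value("MESSAGE")); };

# Trimming different parts together for logging
# Each subst() drops or shortens one key=value pair from MESSAGE. Each
# pattern is anchored by the surrounding spaces so it only hits whole
# fields; subst() replaces the first match unless flags("global") is set,
# which is enough here since each key appears once per message. Only
# messages on the fortigate log path are rewritten; the other three paths
# are written untrimmed.
rewrite rewrite_fortigate {
    # Disabled: would strip the leading time= field (kept commented as in the
    # shared copy, where it was split across two lines).
    #subst ( '^time=\d\d:\d\d:\d\d(\.\d{3,6})? ', "", value("MESSAGE") );
    subst ( ' devid="[A-Z0-9]{16}" ', " ", value("MESSAGE") );
    subst ( ' logid="[0-9]{10}" ', " ", value("MESSAGE") );
    # Keep only the short host label of srcname/dstname, dropping the
    # example.local suffix ($1 is the captured label).
    subst ( ' srcname="([\w-]+)\.example\.local" ', ' srcname="$1" ', value("MESSAGE") );
    subst ( ' srcintfrole="[a-z]+" ', " ", value("MESSAGE") );
    subst ( ' dstname="([\w-]+)\.example\.local" ', ' dstname="$1" ', value("MESSAGE") );
    subst ( ' dstintfrole="[a-z]+" ', " ", value("MESSAGE") );
    subst ( ' poluuid="[a-z0-9-]{36}" ', " ", value("MESSAGE") );
    subst ( ' sessionid=[0-9]+ ', " ", value("MESSAGE") );
    subst ( ' policytype="policy" ', " ", value("MESSAGE") );
    subst ( ' appcat="unscanned"', "", value("MESSAGE") );
    subst ( ' crscore=[0-9]+ craction=[0-9]+ crlevel="[a-z]+"', "", value("MESSAGE") );
    subst ( ' attackid=[0-9]+ ', " ", value("MESSAGE") );
    subst ( ' incidentserialno=[0-9]+ ', " ", value("MESSAGE") );
    subst ( ' ref="http:\/\/www\.fortinet\.com\/ids\/VID[0-9]+"', " ", value("MESSAGE") );
    # The bare '.' between the [^.]+ groups is unescaped, so it matches any
    # single character, not only a literal dot; the pattern still stops at
    # the closing quote because [^.]+ cannot cross a dot.
    subst ( ' msg="application[s]?([0-9]+)?:[^.]+.[^.]+.[^.]+.[^.]+.[^.]+"', " ", value("MESSAGE") );
};

# Creating the different parts together for logging
log { source(s_net); filter(f_fortinet_fortigate); rewrite(rewrite_fortigate); destination(d_fortinet_fortigate); };
log { source(s_net); filter(f_fortinet_fortiweb); destination(d_fortinet_fortiweb); };
log { source(s_net); filter(f_fortinet_fortiauthenticator); destination(d_fortinet_fortiauthenticator); };
log { source(s_net); filter(f_fortinet_fortimail); destination(d_fortinet_fortimail); };

###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/*.conf"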