# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for FortiGate firewall syslog output.
# It declares how a FortiGate line is recognised (log.format.autodetect_expression),
# how its key=value pairs are split into log fields (log.parsing_filters.parse),
# which of those fields are kept in the database (database.fields /
# database.numerical_fields), and how the profile wizard groups them into reports.
forti_gate = {

  plugin_version = "2.2"

  # 2006-08-25 - GMF - 1.1beta - Modified to accept new devname parameter in OS 3.0
  # 2006-09-25 - KBB - 1.2beta - Added support for 200A
  # 2006-11-28 - KBB - 1.3beta - Added support additional fields
  # 2007-09-11 - KBB - 1.3 - Renumbered per new beta policy
  # 2007-10-25 - KBB - 1.4 - Added support for additional fields raddr, laddr and app_type. New field
  #                          repeat commented out for now - value is always 1 in log sample.
  # 2008-10-03 - gas - 1.5 - added support for a (weird) variant that has a space before the hour in the time field,
  #                        - customer claims that it was a standard 60B device....
  # 2010-05-12 - gas - 1.6 - changed the date/time setting from syslog to the plug-in. If we always have time stamps in the logs
  #                          (and the auto-detect has date= and time= so we must) we can always get it from the logs and this
  #                          enables no-syslog logs to be supported in this plug-in too.
  # 2010-10-05 - 1.7 - MSG - Edited info lines.
  # 2012-01-26 - 2.0 - GMF - Added gateway reports
  # 2012-01-26 - 2.0.1 - GMF - Removed highly unique "serial" from database fields (could restore if and make it non-normalized, since it's an integer...)
  # 2012-01-26 - 2.1 - GMF - Fixed problem with duration field being first; simplified URL field
  # 2012-03-29 - 2.1.1 - MSG - Added support for lines with a space after time= instead of a comma in the first parsing filter.
  # 2012-12-04 - 2.2 - GMF - Added many new fields (ThreadID:1280151)

  info.1.manufacturer = "Fortinet"
  info.1.device = "Fortigate Firewall"
  info.1.version.1 = "50A OS 2.8"
  info.1.version.2 = "50A OS 3.0"
  info.1.version.3 = "200A"
  info.1.version.4 = "50B"
  info.1.version.5 = "60B"
  info.1.version.6 = "300A"

  # The name of the log format
  log.format.format_label = "FortiGate Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Three shapes are recognised: the OS 2.8 form without devname=, the comma- or
  # space-separated form with devname=, and the 60B variant with a space after the hour.
  # None of the expressions is anchored to the start of the line, so the syslog
  # header that precedes "date=" does not affect detection.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "date=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] time=[0-9][0-9]:[0-9][0-9]:[0-9][0-9] device_id=[^ ]+ log_id=[^ ]+ ") or
    matches_regular_expression(volatile.log_data_line, "date=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]:? time=[0-9][0-9]:[0-9][0-9]:[0-9][0-9][, ]devname=[^ ]+[, ]device_id=[^ ]+[, ]log_id=[^ ]+[, ]") or
    # this adds support for a space before the hour in 60B format logs - gas
    matches_regular_expression(volatile.log_data_line, "date=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] time=[0-9][0-9]: [0-9][0-9]:[0-9][0-9][, ]devname=[^ ]+[, ]device_id=[^ ]+[, ]log_id=[^ ]+[, ]")
  `

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # Every key=value pair the parsing filter can collect needs an entry here; pairs
  # without a matching field are dropped. Names are the FortiGate key names except
  # where the parsing filter remaps them (dport/sport/laddr/raddr, see below).
  # NOTE(review): the samples carry "SN=" in upper case while the field is "sn" -
  # confirm collect_listed_fields matches keys case-insensitively, otherwise sn is never filled.
  log.fields = {
    url.type = "page"
    devname = ""
    device_id = ""
    log_id = ""
    type = ""
    subtype = ""
    cat = ""
    cat_desc = ""
    hostname = ""
    method = ""
    serial = ""
    user = ""
    group = ""
    pri = ""
    sn = ""
    duration = ""
    policyid = ""
    attack_id = ""
    src.type = "host"
    srcname = ""
    src_port = ""
    src_int = ""
    dst = ""
    dstname = ""
    dst_port = ""
    dst_int = ""
    tran_ip = ""
    tran_port = ""
    icmp_id = ""
    icmp_type = ""
    icmp_code = ""
    status = ""
    proto = ""
    service = ""
    vd = ""
    vpn = ""
    dir_disp = ""
    tran_disp = ""
    msg = ""
    sent = ""
    rcvd = ""
    sent_pkt = ""
    rcvd_pkt = ""
    action = ""
    reason = ""
    virus = ""
    file = ""
    ui = ""
    aven = ""
    fcni = ""
    fdni = ""
    ftp = ""
    http = ""
    idsdb = ""
    idsmn = ""
    idssn = ""
    imap = ""
    libav = ""
    pop3 = ""
    smtp = ""
    virdb = ""
    new_act = ""
    new_daddr = ""
    new_dintf = ""
    new_log = ""
    new_nat = ""
    new_saddr = ""
    new_schd = ""
    new_sintf = ""
    new_svr = ""
    old_act = ""
    old_daddr = ""
    old_dintf = ""
    old_log = ""
    old_nat = ""
    old_saddr = ""
    old_schd = ""
    old_sintf = ""
    old_svr = ""
    seq = ""
    app_type = ""
    # laddr/raddr are remapped onto src/dst by the parsing filter, so they need no field of their own.
    #laddr = ""
    #raddr = ""
    #repeat = ""
    # devicedate = ""
    # devicetime = ""
    # 2012-12-04 - GMF - ThreadID:1280151
    itime = ""
    dst_country = ""
    src_country = ""
    tran_sip = ""
    tran_sport = ""
    rule = ""
    identidx = ""
    profilegroup = ""
    shaper_drop_sent = ""
    shaper_drop_rcvd = ""
    perip_drop = ""
    shaper_sent_name = ""
    shaper_rcvd_name = ""
    perip_name = ""
    vpn_tunnel = ""
    app = ""
    app_cat = ""
    carrier_ep = ""
    subapp = ""
    subappcat = ""
    # Computed URL
    # url = ""
  } # log.fields

  # samples for fields introduced with 1.4
  #2007-09-03 09:48:07 Local7.Info 192.168.0.1 date=2007-09-03 time=09:48:07 devname=FGT50B3G06500642 device_id=FGT50B3G06500827 log_id=0731103000 type=im subtype=im-all pri=information vd=root user="N/A" group="N/A" proto=Skype action=pass laddr=192.168.1.111 raddr=222.22.22.222 repeat=1
  #2007-09-03 09:46:00 Local7.Notice 192.168.0.1 date=2007-09-03 time=09:45:59 devname=FGT50B3G06500642 device_id=FGT50B3G06500827 log_id=0021010001 type=traffic subtype=allowed pri=notice vd=root SN=32463 duration=180 user=N/A group=N/A policyid=3 proto=17 service=28986/udp app_type=Skype status=accept src=192.168.0.181 srcname=192.168.0.181 dst=68.38.130.4 dstname=68.38.130.4 src_int=internal dst_int=wan2 sent=61 rcvd=46 sent_pkt=1 rcvd_pkt=1 src_port=43764 dst_port=28986 vpn=N/A tran_ip=59.120.73.137 tran_port=43764 dir_disp=org tran_disp=snat
  # sample for fields introduced with 1.3beta
  #Jul 27 16:21:09 192.168.99.88 date=2005-07-27 time=20:23:59 device_id=FGT-602904406094 log_id=0104032127 type=event subtype=admin pri=notice vd=root user=admin ui=GUI(88.88.88.88) seq=1 old_sintf=internal old_dintf=wan1 old_saddr=Internal_All old_daddr=WAN1_All old_schd=Always old_svr=ANY old_act=accept old_nat=yes old_log=no new_sintf=internal new_dintf=wan1 new_saddr=Internal_All new_daddr=WAN1_All new_schd=Always new_svr=ANY new_act=accept new_nat=yes new_log=no msg="User admin changed a firewall policy from GUI(88.88.88.88)"
  # sample for first match (200A):
  #2006-09-14 09:30:27 Local7.Notice 99.99.99.99 date=2006-09-14 time=09:30:31,devname=FG200A2106401773,device_id=FG200A2106401773,log_id=0021010001,type=traffic,subtype=allowed,pri=notice,vd=root;SN=58554,duration=666,user=N/A,group=N/A,policyid=2,proto=6,service=443/tcp,status=accept,src=99.99.99.99,srcname=99.99.99.99,dst=99.99.99.99,dstname=99.99.99.99,src_int=wan1,dst_int=internal,sent=33358,rcvd=433845,sent_pkt=470,rcvd_pkt=670,src_port=53363,dst_port=443,vpn=N/A,tran_ip=99.99.99.99,tran_port=443,dir_disp=org,tran_disp=dnat
  # 300A
  #date=2009-09-10 time=23:58:43 devname=Fortigate-300A device_id=232321 log_id=001 type=traffic subtype=allowed pri=notice vd=root SN=56515 duration=130 user=N/A group=N/A rule=25 policyid=25 proto=6 service=8801/tcp app_type=N/A status=accept src=0.0.0.7 srcname=1.11.3.2 dst=5.2.13.1 dstname=5.7.6.6 src_int="port6" dst_int="port2" sent=1031 rcvd=8710 sent_pkt=9 rcvd_pkt=10 src_port=1616 dst_port=8801 vpn="N/A" tran_ip=1.7.1.2 tran_port=45488 dir_disp=org tran_disp=snat

  # Log Parsing Filters
  # First branch: comma-separated body (200A style, "time=HH:MM:SS,..."). The date and
  # time are taken from the line itself rather than from the syslog header (see 1.6),
  # any space inside the time value is removed (60B variant), the "vd=root;" separator
  # quirk is rewritten to a comma, and the rest is split on ','.
  # Second branch: space-separated body; laddr/raddr are folded into src/dst so that
  # IM and traffic records share the same source/destination fields.
  # NOTE(review): a value that itself contains the divider (a comma in the first branch,
  # a space in the second - e.g. the quoted msg= in the policy-change sample above) will
  # be split into extra bogus pairs unless collect_listed_fields honours quotes - confirm.
  # NOTE(review): the 60B line with "time=23: 58:43" matches only the second branch, where the
  # space divider already splits the time value before replace_all runs - verify with a real 60B line.
  log.parsing_filters.parse = `
    ## 2012-03-29 - 2.1.1 - MSG - Added support for lines with a space after time= instead of a comma
    if (matches_regular_expression(v.syslog_message, 'date=([^ ]*) time=([^, ]*),(.*)$')) then (
      ## I am changing this to date and below to time - if this is no syslog, then we need to use this date/time value
      ## since it is always seems to be available, and syslog can only add a delay to the timestamp, why not always use this value?
      # set_collected_field('', 'devicedate', $1);
      set_collected_field('', 'date', $1);
      # this has changed (v1.5)to replace spaces in collected time field - gas
      # set_collected_field('', 'devicetime', $2);
      # set_collected_field('', 'devicetime', replace_all($2, ' ', ''));
      set_collected_field('', 'time', replace_all($2, ' ', ''));
      v.message = $3;
      # correct apparent bug
      if (matches_regular_expression(v.message, '(vd=[^,;]*);')) then (
        v.message = replace_first(v.message, $1 . ';', $1 . ',')
      );
      collect_listed_fields('', v.message, ',', '=', 'dport=dst_port|sport=src_port');
      accept_collected_entry('', false);
    );
    else if (matches_regular_expression(v.syslog_message, '(date=.*)$')) then (
      v.message = $1;
      ## don't change the date to devicedate here, we are using this value for setting date and time
      # collect_listed_fields('', v.message, ' ', '=', 'time=devicetime|date=devicedate|dport=dst_port|sport=src_port|laddr=src|raddr=dst');
      collect_listed_fields('', v.message, ' ', '=', 'dport=dst_port|sport=src_port|laddr=src|raddr=dst');
      # this has been added (v1.5) to replace spaces in collected time field - gas
      time = replace_all(time, ' ', '');
      accept_collected_entry('', false);
    );
  `

  # Database fields
  # Non-numerical fields stored per entry. sent/rcvd/sent_pkt/rcvd_pkt/duration are
  # numerical fields below instead, and serial was dropped in 2.0.1 because it is
  # too unique to normalise.
  # NOTE(review): url, file_type and location are not collected by the parsing filter;
  # url is set by the simplify_url filter, file_type and location are presumably derived
  # by Sawmill from url and src - verify before relying on them in reports.
  database.fields = {
    url = ""
    file_type = ""
    device_id = ""
    devname = ""
    type = ""
    subtype = ""
    pri = ""
    cat = ""
    cat_desc = ""
    hostname = ""
    method = ""
    # serial = ""
    user = ""
    group = ""
    policyid = ""
    src = ""
    location = ""
    srcname = ""
    src_port = ""
    src_int = ""
    dst = ""
    dstname = ""
    dst_port = ""
    dst_int = ""
    tran_ip = ""
    tran_port = ""
    icmp_id = ""
    icmp_type = ""
    icmp_code = ""
    status = ""
    proto = ""
    service = ""
    vd = ""
    vpn = ""
    dir_disp = ""
    tran_disp = ""
    msg = ""
    action = ""
    reason = ""
    virus = ""
    file = ""
    ui = ""
    aven = ""
    fcni = ""
    fdni = ""
    ftp = ""
    http = ""
    idsdb = ""
    idsmn = ""
    idssn = ""
    imap = ""
    libav = ""
    pop3 = ""
    smtp = ""
    virdb = ""
    new_act = ""
    new_daddr = ""
    new_dintf = ""
    new_log = ""
    new_nat = ""
    new_saddr = ""
    new_schd = ""
    new_sintf = ""
    new_svr = ""
    old_act = ""
    old_daddr = ""
    old_dintf = ""
    old_log = ""
    old_nat = ""
    old_saddr = ""
    old_schd = ""
    old_sintf = ""
    old_svr = ""
    seq = ""
    app_type = ""
    #laddr = ""
    #raddr = ""
    #repeat = ""
    # 2012-12-04 - GMF - ThreadID:1280151
    # itime = ""
    dst_country = ""
    src_country = ""
    tran_sip = ""
    tran_sport = ""
    rule = ""
    identidx = ""
    profilegroup = ""
    shaper_drop_sent = ""
    shaper_drop_rcvd = ""
    perip_drop = ""
    shaper_sent_name = ""
    shaper_rcvd_name = ""
    perip_name = ""
    vpn_tunnel = ""
    app = ""
    app_cat = ""
    carrier_ep = ""
    subapp = ""
    subappcat = ""
  } # database.fields

  # Log Filters
  # NOTE(review): set_date_from_devicedate no longer does what its name says - it carries the
  # mark_entry label and the same 'accesses = 1;' body as mark_entry below, so the assignment
  # runs twice per entry. Harmless as written, but a leftover from the devicedate era (1.6).
  log.filters = {
    set_date_from_devicedate = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # set_date_from_devicedate
    # Collapses every URL to a constant, so url/file_type reports carry no per-request detail (see 2.1).
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "url = '(omitted)'"
    } # simplify_url
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (aggregated) fields. sent/rcvd are 64-bit because a single long-lived
  # session can exceed 2^31 bytes.
  database.numerical_fields = {
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    # Unique source addresses.
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "src"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    sent = {
      label = "$lang_stats.field_labels.sent"
      default = true
      requires_log_field = true
      log_field = "sent"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # sent
    rcvd = {
      label = "$lang_stats.field_labels.rcvd"
      default = true
      requires_log_field = true
      log_field = "rcvd"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # rcvd
    # NOTE(review): sent_pkt/rcvd_pkt/duration name no log_field; presumably the log field of
    # the same name is used - confirm, since sent/rcvd spell it out explicitly.
    sent_pkt = {
      label = "$lang_stats.field_labels.sent_pkt"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # sent_pkt
    rcvd_pkt = {
      label = "$lang_stats.field_labels.rcvd_pkt"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # rcvd_pkt
    # NOTE(review): the samples show duration= in whole seconds (duration=180, duration=130)
    # while this is displayed as milliseconds - confirm the unit before trusting duration reports.
    duration = {
      label = "$lang_stats.field_labels.duration"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "duration_milliseconds"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    # NOTE(review): logging_device and syslog_priority come from the syslog layer, top_level_domain
    # from the snapon below and location presumably from GeoIP on src - none is a plugin field.
    report_groups = {
      date_time_group = ""
      content_group = {
        top_level_domain = true
        url = true
        file_type = true
        cat = true
        cat_desc = true
      } # content_group
      source_group = {
        src = true
        srcname = true
        src_port = true
        src_int = true
        hostname = true
        user = true
        group = true
        location = true
        src_country = true
        tran_sip = true
        tran_sport = true
      } # source_group
      destination_group = {
        dst = true
        dstname = true
        dst_port = true
        dst_int = true
        tran_ip = true
        tran_port = true
        dst_country = true
      } # destination_group
      # Before/after values of a firewall-policy edit (type=event subtype=admin lines).
      policy_change_group = {
        new_act = true
        new_daddr = true
        new_dintf = true
        new_log = true
        new_nat = true
        new_saddr = true
        new_schd = true
        new_sintf = true
        new_svr = true
        old_act = true
        old_daddr = true
        old_dintf = true
        old_log = true
        old_nat = true
        old_saddr = true
        old_schd = true
        old_sintf = true
        old_svr = true
        seq = true
      } # policy_change_group
      other_group = {
        app_type = true
        logging_device = true
        syslog_priority = true
        device_id = true
        devname = true
        type = true
        subtype = true
        pri = true
        policyid = true
        icmp_id = true
        icmp_type = true
        icmp_code = true
        status = true
        proto = true
        service = true
        vd = true
        vpn = true
        method = true
        dir_disp = true
        tran_disp = true
        # NOTE(review): serial was removed from database.fields in 2.0.1 but is still
        # requested here; this entry is stale and should be dropped or commented out.
        serial = true
        msg = true
        action = true
        reason = true
        virus = true
        file = true
        ui = true
        aven = true
        fcni = true
        fdni = true
        ftp = true
        http = true
        idsdb = true
        idsmn = true
        idssn = true
        imap = true
        libav = true
        pop3 = true
        smtp = true
        virdb = true
        rule = true
        identidx = true
        profilegroup = true
        shaper_drop_sent = true
        shaper_drop_rcvd = true
        perip_drop = true
        shaper_sent_name = true
        shaper_rcvd_name = true
        perip_name = true
        vpn_tunnel = true
        app = true
        app_cat = true
        carrier_ep = true
        subapp = true
        subappcat = true
        #repeat = true
      } # other_group
    } # report_groups

    snapons = {

      # Attach a top_level_domain snapon
      # Derives top_level_domain from the hostname field; the gateway_reports snapon
      # below uses it as its host field, so keep this one first.
      top_level_domain = {
        snapon = "top_level_domain"
        name = "top_level_domain"
        label = "$lang_admin.snapons.top_level_domain.label"
        parameters = {
          url_field.parameter_value = "hostname"
          field_name = {
            parameter_value = "$lang_admin.field_labels.top_level_domain"
            final_node_name = "top_level_domain"
          }
        } # parameters
      } # top_level_domain

      # Attach a gateway_reports snapon
      # Maps the firewall's user/src/sent/rcvd fields onto the generic gateway report set.
      # NOTE(review): cat/cat_desc are collected, yet have_category_field is false, so the
      # configured category_field is ignored - confirm whether this was intentional.
      gateway_reports = {
        snapon = "gateway_reports"
        name = "gateway_reports"
        label = "$lang_admin.snapons.gateway_reports.label"
        parameters = {
          user_field.parameter_value = "user"
          have_client_ip.parameter_value = true
          client_ip_field.parameter_value = "src"
          have_category_field.parameter_value = false
          category_field.parameter_value = "cat_desc"
          host_field.parameter_value = "top_level_domain"
          page_views_field.parameter_value = "accesses"
          have_bytes_in_field.parameter_value = true
          bytes_in_field.parameter_value = "rcvd"
          have_bytes_out_field.parameter_value = true
          bytes_out_field.parameter_value = "sent"
          sort_by_field.parameter_value = "accesses"
        } # parameters
      } # gateway_reports

      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports

    } # snapons

  } # create_profile_wizard_options

} # forti_gate