# Sawmill log-format plug-in for FortiGate firewall logs delivered over syslog.
# The plug-in declares how a line is recognised (autodetect regex), how its
# key=value body is split into log fields (parsing filter), which fields are
# stored in the database, and how the profile wizard lays out the reports.
# Values in this file are taken verbatim from the firewall's own log output;
# no normalisation or validation happens here beyond the regex match.
beta_forti_gate = {

  # The name of the log format
  log.format.format_label = "FortiGate Log Format (BETA)"

  # Lines must arrive wrapped in a syslog header; the entry timestamp and the
  # logging_device / syslog_priority reports below come from that header
  # (presumably supplied by the syslog layer — they are not in log.fields).
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # It only pins the leading "date=YYYY-MM-DD time=HH:MM:SS device_id=... log_id=..."
  # prefix; everything after it is unconstrained.
  log.format.autodetect_regular_expression = "date=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] time=[0-9][0-9]:[0-9][0-9]:[0-9][0-9] device_id=[^ ]+ log_id=[^ ]+ "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Entries are called accesses
  statistics.miscellaneous.entry_name = "accesses"

  # Log fields: the key=value names that may be collected from a line.
  # A field with value "" is an untyped (string) field; only src is typed as a
  # host so that host tracking and the "visitors" count can use it.
  log.fields = {
    device_id = ""
    log_id = ""
    type = ""
    subtype = ""
    pri = ""
    sn = ""
    duration = ""
    policyid = ""
    attack_id = ""
    src.type = "host"
    srcname = ""
    src_port = ""
    src_int = ""
    dst = ""
    dstname = ""
    dst_port = ""
    dst_int = ""
    tran_ip = ""
    tran_port = ""
    icmp_id = ""
    icmp_type = ""
    icmp_code = ""
    status = ""
    proto = ""
    service = ""
    vd = ""
    vpn = ""
    dir_disp = ""
    tran_disp = ""
    msg = ""
    sent = ""
    rcvd = ""
    sent_pkt = ""
    rcvd_pkt = ""
  } # log.fields

  # Log Parsing Filters
  # 1. Capture the syslog message from the first "device_id=" to the end of the
  #    line (anything before it, i.e. the leading date=/time= pair, is dropped).
  # 2. collect_listed_fields splits that body on ' ' into key=value pairs and
  #    stores each key that is declared in log.fields. The last argument renames
  #    the message's own time= and date= keys to devicetime/devicedate; those
  #    names are not declared above, so the device clock is apparently discarded
  #    in favour of the syslog header timestamp — confirm.
  # NOTE(review): msg= is free text and may contain spaces; if
  # collect_listed_fields does not honour quoting, such a value is truncated at
  # the first space and the remainder is treated as further key=value tokens.
  # Verify against a sample line before relying on msg in reports.
  log.parsing_filters.parse = ` if (matches_regular_expression(v.syslog_message, '(device_id=.*)$')) then ( v.message = $1; collect_listed_fields('', v.message, ' ', '=', 'time=devicetime|date=devicedate'); accept_collected_entry('', false); ) `

  # Database fields: the subset of log fields that is stored and reportable.
  # log_id, sn, attack_id, icmp_id and the sent/rcvd counters are intentionally
  # not stored as string fields (the counters feed numerical_fields below).
  # "location" has no log field of its own; presumably derived from src by
  # host tracking / geolocation — confirm.
  database.fields = {
    device_id = ""
    type = ""
    subtype = ""
    pri = ""
    duration = ""
    policyid = ""
    src = ""
    location = ""
    srcname = ""
    src_port = ""
    src_int = ""
    dst = ""
    dstname = ""
    dst_port = ""
    dst_int = ""
    tran_ip = ""
    tran_port = ""
    icmp_type = ""
    icmp_code = ""
    status = ""
    proto = ""
    service = ""
    vd = ""
    vpn = ""
    dir_disp = ""
    tran_disp = ""
    msg = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Every accepted line counts as exactly one access.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (aggregated) fields.
  # requires_log_field = true means the field is only created when the named
  # log_field exists; sent/rcvd map to the byte counters, visitors counts
  # distinct src values.
  database.numerical_fields = {
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "src"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    sent = {
      label = "$lang_stats.field_labels.sent"
      default = true
      requires_log_field = true
      log_field = "sent"
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    rcvd = {
      label = "$lang_stats.field_labels.rcvd"
      default = true
      requires_log_field = true
      log_field = "rcvd"
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd
    # NOTE(review): sent_pkt / rcvd_pkt / duration give no log_field and set
    # requires_log_field = false, unlike sent/rcvd above; presumably the log
    # field of the same name is used implicitly — confirm that the packet
    # counters are actually populated.
    sent_pkt = {
      label = "$lang_stats.field_labels.sent_pkt"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # sent_pkt
    rcvd_pkt = {
      label = "$lang_stats.field_labels.rcvd_pkt"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # rcvd_pkt
    # NOTE(review): displayed as milliseconds; the unit of the device's
    # duration= value is not established by this file — confirm.
    duration = {
      label = "$lang_stats.field_labels.duration"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "duration_milliseconds"
    } # duration
  } # database.numerical_fields

  # Profile-wizard defaults.
  create_profile_wizard_options = {
    host_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        src = true
        srcname = true
        src_port = true
        src_int = true
      }
      destination_group = {
        dst = true
        dstname = true
        dst_port = true
        dst_int = true
        tran_ip = true
        tran_port = true
      }
      other_group = {
        logging_device = true
        syslog_priority = true
        device_id = true
        type = true
        subtype = true
        pri = true
        policyid = true
        icmp_type = true
        icmp_code = true
        status = true
        proto = true
        service = true
        # NOTE(review): the next four are "" while every sibling is true; this
        # looks copied from database.fields. Confirm whether "" still adds the
        # report or silently omits vd/vpn/dir_disp/tran_disp from the menu.
        vd = ""
        vpn = ""
        dir_disp = ""
        tran_disp = ""
        msg = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # beta_forti_gate