Fortigate 6.x Content Pack for graylog3

Content Pack

pfitchie
free!

Published

29 Jan 16:22

Last Push

29 Jan 16:24

Discussion

8 Comments

Comments

makstock 2 months ago

Hello All,

Please find below the working regular expression where it matches correctly for the extractor for this content pack.

^.+devname=\"([^\"]+)\",

Hope this helps you all :)

ropeguru 3 months ago

I am having an issue as the devname is not being captured by extractor because it has dashes in it. Can someone help with the regex update to match hostnames with dashes?

asd657262 4 months ago

I am unable to load the message. Can someone help me?

arnovdveen 5 months ago

Hello, thanks for your great work. Till recently I pulled nice data, but for some reason (graylog update or fortigate firmware, I guess) some extractors are broken, with errors as mentioned by @javigutii. I ran down all regexes in the extractors and built a cleaner set where the previous issue is resolved.
Updated extractors are published here: https://files.itssecured.nl/s/R7epyqqqtTcqfT9 (maybe the maintainer will use it to update the repository).
Best way (I found): note the details of the current connector, delete it, create a new connector, import the extractors and change the input in the dashboard to the new source.

thefaxe 6 months ago

Hello, I switched the logformat on the Fortigate to CSV. Now the logs can be parsed. But all extractors do not work.

sanjikyo 7 months ago

Hi there,
I imported the content pack and the messages come in from the input, but the extractor and search don't see anything. My graylog version is 3.2.2, maybe it's not working with this version...?
Thank you in advance.

shoothub 8 months ago

This is usually a problem with the level field, because fortigate uses the field level with strings like Notice, Warning, and other sources like linux server syslog use numbers like 5, 6, which of course collide. So you have 2 options: either rename level in graylog parsing to another field, or move all traffic from fortigate to its own index.
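An added example, not code from this content pack or from any commenter, tying the two threads above together: makstock's devname regex run unchanged over a constructed CSV-format FortiGate line with a dashed hostname, and one way to implement shoothub's first option for the level clash. It assumes the field name fgt_level and the standard syslog severity numbers for the FortiGate level names; the sample lines are constructed, not real device output.

```python
import re

# makstock's extractor regex from the comment above, unchanged. Python's re
# treats the escaped quotes as literal quotes, just as Graylog (Java) does.
DEVNAME_RE = re.compile(r'^.+devname=\"([^\"]+)\",')

# Any key=value pair of a CSV-format line: values are double-quoted or run
# to the next comma.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')

# FortiGate level names mapped to syslog severities (assumption: RFC 5424
# numbering; the comments only say the names clash with numeric levels).
FGT_LEVEL_TO_SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}

# Constructed sample lines: a FortiGate 6.x CSV record with a dashed devname
# and a placeholder devid, and a syslog-style record with a numeric level.
FGT_LINE = ('date=2020-01-29,time=16:22:00,devname="fgt-60e-hq-01",'
            'devid="FG60E-PLACEHOLDER",logid="0000000013",type="traffic",'
            'subtype="forward",level="notice",srcip=10.0.0.5,action="accept"')
SYSLOG_LINE = 'host=web-01,level=6,msg="session opened"'


def extract_devname(line):
    """Return the hostname captured by the extractor regex, or None."""
    m = DEVNAME_RE.match(line)
    return m.group(1) if m else None


def parse_fields(line):
    """Split a CSV-format line into a dict of its key=value pairs."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def normalise_level(fields):
    """Keep the FortiGate level name in fgt_level (assumed name) and store the
    numeric syslog severity in level, so an index that mapped level as long
    accepts both FortiGate and syslog documents."""
    level = fields.get("level")
    if level is None or level.isdigit():
        fields["level"] = int(level) if level else None  # syslog: already numeric
        return fields
    fields["fgt_level"] = level
    sev = FGT_LEVEL_TO_SEVERITY.get(level.lower())
    if sev is None:
        del fields["level"]  # unknown name: drop it rather than fail indexing
    else:
        fields["level"] = sev
    return fields
```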

javigutii 9 months ago

Hello, the content pack seems to be OK, or at least it worked last week, now I'm just getting a lot of Indexer Failures (~130K in 24 hours) with Error Message: {"type":"mapper_parsing_exception","reason":"failed to parse field [level] of type [long] in document with id '081aa080-4667-11ea-8eda-0050569b2f61'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"\"notice\"\""}}

Do you have any idea where I can solve this problem? I don't know where to edit the parsers.

Thank you.
