Aggregate Fields from a Fortinet log

Hello to all,

I’m a new French user of Graylog and I work with Fortinet logs. Some fields of these logs are not good; for example, the field “date” results in this:

2022-05-02,time=13:29:42,devname=

I have created a Dashboard to monitor and count all the users who have failed to connect to our Fortigate VPN, like this:

So, what I want to do here is to aggregate the field “DATE” and the field “temps” into the same field.

I have already tried to create a Grok pattern, but I can’t understand how it works. I have tried this:

%{DATE_US}|%{DATE_EU}%{TIME}

which results in:

{
"DATE": "2-05-02",
"DATE_US": "2-05-02",
"MONTHNUM": "2",
"MONTHDAY": "05",
"YEAR": "02",
"DATE_EU": null,
"TIME": null,
"HOUR": null,
"MINUTE": null,
"SECOND": null
}

But the time is null. Yet the time is correctly recovered with the “TIME” pattern:

(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])

which results in:

{
"TIME": "14:45:45",
"HOUR": "14",
"MINUTE": "45",
"SECOND": "45"
}

So how can I group the two fields?
The final result I want is the field “DATE_TIME_FORTI” = 02.05.2022 17:31:26, for example.

Thank you very much for your help.

Wish you a good day

Best Regards,

Alexandre

To pick up 2022-05-02,time=13:29:42,devname= you need to account for all the things between the actual date and time… all this: ,time= . If that ‘stuff’ is variable you could add in a %{GREEDYDATA:UNWANTED}, but if you are sure it is fixed, it is better to add it in specifically to avoid the greedydata search.

%{DATE_EU},time=%{TIME}

You can’t put the pipe in there, because GROK will look for a pipe rather than a choice of DATE_US or DATE_EU.
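As an added illustration of the approach in the reply above (this is example code, not part of the original thread and not Graylog's own Grok implementation), the script below expands a handful of Grok base definitions into a plain regular expression, anchors the literal `,time=` separator between the date and the time exactly as the suggested pattern does, and then builds the combined `DATE_TIME_FORTI` value in the `dd.mm.yyyy HH:MM:SS` form the question asks for. The sample log line is constructed for this example; `DATE_ISO` is an assumed definition (not a standard Grok name) added because the Fortinet date in the question is written year-first, and `YEAR` is simplified to a non-atomic group so it runs on older Python versions.

```python
import re
from datetime import datetime
from typing import Optional

# Subset of the standard Grok base definitions, reproduced here so the example
# runs offline with the standard library only. YEAR is simplified: the
# upstream definition uses an atomic group, which older Python versions lack.
GROK_DEFS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    # Assumed definition (not a standard Grok name): Fortinet writes the date
    # year-first, e.g. 2022-05-02.
    "DATE_ISO": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}",
}

# Matches %{NAME} and %{NAME:field} references inside a Grok pattern.
GROK_REF = re.compile(r"%\{(?P<name>[A-Z0-9_]+)(?::(?P<field>[A-Za-z0-9_]+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand Grok references into a plain regular expression.

    %{NAME:field} becomes a named capture group, %{NAME} a non-capturing group;
    nested references inside a definition are expanded recursively.
    """
    def expand(m: "re.Match[str]") -> str:
        body = grok_to_regex(GROK_DEFS[m.group("name")])
        field = m.group("field")
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


# Same idea as the reply's %{DATE_EU},time=%{TIME}: the fixed ",time=" text
# between the two values is spelled out instead of being guessed by GREEDYDATA.
FORTI_DATE_TIME = "%{DATE_ISO:date_part},time=%{TIME:time_part}"
FORTI_REGEX = re.compile(grok_to_regex(FORTI_DATE_TIME))

# Constructed sample line in the shape shown in the question (not a real log).
SAMPLE_LINE = "date=2022-05-02,time=13:29:42,devname=FGT-EXAMPLE-01,action=login-failed"


def extract_date_time(line: str) -> Optional[dict]:
    """Return {'date_part': ..., 'time_part': ...} or None when the line lacks them."""
    m = FORTI_REGEX.search(line)
    return m.groupdict() if m else None


def build_date_time_forti(line: str) -> Optional[str]:
    """Combine the two captured parts into DATE_TIME_FORTI as dd.mm.yyyy HH:MM:SS."""
    parts = extract_date_time(line)
    if parts is None:
        return None
    try:
        stamp = datetime.strptime(
            f"{parts['date_part']} {parts['time_part']}", "%Y-%m-%d %H:%M:%S"
        )
    except ValueError:
        # SECOND also admits fractional seconds, which this format does not parse.
        return None
    return stamp.strftime("%d.%m.%Y %H:%M:%S")


if __name__ == "__main__":
    print(grok_to_regex(FORTI_DATE_TIME))
    print(extract_date_time(SAMPLE_LINE))
    print(build_date_time_forti(SAMPLE_LINE))
```

Running it prints the expanded regular expression, the two captured parts, and `02.05.2022 13:29:42` for the constructed line; a line without a `,time=` part yields `None` rather than a partial timestamp, which is the behaviour you want before feeding the value into a dashboard count.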
