I have a problem with the syslog messages from a Fortigate.
I'm using a bunch of extractors to split up the syslog message from the Fortigate into fields, which is working very well. But sometimes the URL log of the Fortigate contains a random "=" & this somehow creates another field with a random name. I cannot figure out how to stop this.
Could you please help me on this?
I also have Fortigate firewalls 60, 100, and 200 series. So, I need to ask a couple of questions.
What kind of extractors are you using (GROK, REGEX, etc.)?
What version of Graylog do you have installed?
Can you show us how you made your extractors?
Have you tried testing that message/s out from the extractors you made to see which one might be creating this issue?
Here is an example for Regular expression.
I've just tried to swap over from syslog format to CEF format, but it has the same problem…
I do not even have any extractors running in the cef format & still getting this problem:
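The symptom described in this thread (an "=" inside a URL value spawning a field with a random name) comes from scanning for `key=value` anywhere in the line instead of consuming the line token by token. The following is an added example, not code from the thread or from Graylog: it contrasts a naive pair finder with a sequential parser that respects quoted values, run over a constructed Fortigate-style line.

```python
import re
from typing import Dict, List

# Constructed sample line in Fortigate's key=value syslog format (not taken
# from the thread); the url value carries the '=' characters that break
# naive splitting.
SAMPLE = (
    'date=2024-05-01 time=10:15:42 devname="FGT-60E-LAB" type="utm" '
    'subtype="webfilter" srcip=10.0.0.5 dstip=203.0.113.10 '
    'hostname="search.example.net" url="/s?q=a=b&lang=en" '
    'action="passthrough" msg="URL belongs to an allowed category"'
)

# Naive extraction: find every "something=something" anywhere in the line.
# An '=' inside a value is taken as the start of a new pair, which yields
# the random-looking fields seen in the thread (here a key named "a").
def parse_naive(line: str) -> Dict[str, str]:
    return dict(re.findall(r'([^\s=]+)=([^\s=]+)', line))

# One pair: key, '=', then either a double-quoted value (backslash escapes
# allowed) or a bare run of non-space characters. The pattern is applied
# with match() at the current offset, so scanning never restarts inside a
# value and an embedded '=' stays part of that value.
PAIR = re.compile(r'\s*([A-Za-z_][\w.-]*)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

def parse_fortigate(line: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    unparsed: List[str] = []
    pos = 0
    while pos < len(line):
        m = PAIR.match(line, pos)
        if m is None:
            # Not a key=value token: keep it aside and skip to the next space.
            nxt = line.find(" ", pos)
            nxt = len(line) if nxt == -1 else nxt
            if line[pos:nxt]:
                unparsed.append(line[pos:nxt])
            pos = nxt + 1
            continue
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            # Strip the quotes and undo Fortigate-style backslash escaping.
            raw = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        fields[key] = raw
        pos = m.end()
    if unparsed:
        fields["_unparsed"] = " ".join(unparsed)
    return fields
```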