I’m currently forwarding Fortinet Fortigate, FortiClient, etc… logs to FortiAnalyzer and from FortiAnalyzer to Graylog in TCP CEF format.
It appears there’s an issue where if one the keys in the body has a two character sub-name (e.g ad.vd=) , it doesn’t get parsed properly and gets appended to the previous key?
Giving me fields like this:
start = Sep 12 2019 17:20:15 ad.
logver=N/A
Instead of this:
start = Sep 12 2019 17:20:15
ad.logver=N/A
This is then causing entries in /var/log/graylog-server/server.log like these
2019-09-18T16:52:32.515-04:00 WARN [MappedMessage] Could not transform CEF field [in] according to standard. Skipping.
java.lang.NumberFormatException: For input string: “40 ad.”
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_222]
at java.lang.Integer.parseInt(Integer.java:580) ~[?:1.8.0_222]
at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_222]
at org.graylog.plugins.cef.parser.CEFMapping.convertInteger(CEFMapping.java:249) ~[graylog.jar:?]
at org.graylog.plugins.cef.parser.CEFMapping.convert(CEFMapping.java:314) ~[graylog.jar:?]
at org.graylog.plugins.cef.parser.MappedMessage.mapExtensions(MappedMessage.java:52) [graylog.jar:?]
at org.graylog.plugins.cef.parser.MappedMessage.(MappedMessage.java:37) [graylog.jar:?]
at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) [graylog.jar:?]
at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:117) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:86) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
I’ve also opened a ticket with Fortinet. According to the docs they should be appending with FTNTFGT and not ad. I can’t find any documentation or references to regarding appending custom keys with “ad.”
Found in the FortiOS to CEF log field mapping guidelines
Following is an example of the header and one key-value pair for extension from the Event VPN log in CEF: #Feb 12 10:31:04 syslog-800c CEF:0|Fortinet|Fortigate|v5.6.0|37127|event:vpn negotiate
success|3|FTNTFGTlogid=0101037127
you might want to use the processing pipeline rules to parse the log messages and not use the CEF parser.
That SHOULD give the you power to work around that. As the CEF Parser is only working with messages that follow the rules while you can work around some glitches with the processing pipelines.
Thanks @jan. Would I just use a raw TCP input then?
Any chance you have any brief example of what such a pipeline rule would look like?
Still wondering about the question above? If that’s an option I might create a separate input and submit a pull request. Or create a plugin. I just haven’t had time to look into the code yet.
sorry did not have the time to look in detail into this. But the following issue is showing how you can parse broken trend micro with the processing rules:
that might give you already enough to work on your issue.
CEF Input basically means RAW INPUT with pre-built parsers.
In this case, your parsers aren’t handling your messages properly - so you step back to RAW and create your own - using a Pipeline processing rule. It gets easier the more you do it.
Some Grok and K/V parsing will handle that message no problem at all.
It’s taking fields like these and chopping it at the first space. It then is dropping non-keyed values until it hits the next keyed value, so the other keyed fields aren’t impacted.
That should make it visible that the function (kv_parser) is working like it should - but should learn that values can contain the trim character - that your workcase is actually working in some case. I cut not give a guarantee if that will ever work. But you never know.
Looks like someone already opened a request for the main issue of ad. In the field names. I searched all over many times but didn’t find these until now.
The issue still remains that Fortinet also sends values like N/A when the value should be an integer.