├── .gitignore ├── LICENSE ├── README.md ├── datasets └── 6.2 │ ├── FortiOS 6.2.0.csv │ └── FortiOS 6.2.2.csv ├── images ├── FortiUnicorn Fortinet-2-Elasticsearch.png ├── add_integration.png ├── common.png ├── create_policy.png ├── custom_udp_logs.png ├── dashboards │ ├── Firewall Health [Fortigate].PNG │ ├── IPS [Fortigate].PNG │ ├── Outbound Bytes Traffic [Fortigate].PNG │ └── Outbound Sessions Traffic [Fortigate].PNG ├── fortidragon.jpeg ├── header.png ├── integration_parameters.png ├── logo.jpeg ├── logo_with_name.jpg ├── logo_with_name_small.jpg ├── making_of │ ├── draft 1.jpeg │ ├── draft 2.jpeg │ ├── draft 3.jpeg │ ├── draft 4.jpeg │ ├── draft 5.jpeg │ ├── draft 6.jpeg │ ├── draft 7.jpeg │ └── draft 8.jpeg └── specific.png ├── index_templates ├── component_templates │ ├── auto_expand_replicas@settings.json │ ├── ecs-destination-transforms.json │ ├── ecs-event-modified.json │ ├── ecs-event-transforms.json │ ├── ecs-file-modified.json │ ├── ecs-log-modified.json │ ├── ecs-network-transforms.json │ ├── ecs-rule-transforms.json │ ├── ecs-session-transforms.json │ ├── ecs-source-modified.json │ ├── ecs-source-transforms.json │ ├── ecs-tls-modified.json │ ├── logs-fortinet.forticlient@ilm.json │ ├── logs-fortinet.fortiedr@ilm.json │ ├── logs-fortinet.fortiedr@mappings.json │ ├── logs-fortinet.fortigate.event@ilm.json │ ├── logs-fortinet.fortigate.traffic@ilm.json │ ├── logs-fortinet.fortigate.utm@ilm.json │ ├── logs-fortinet.fortigate@mappings.json │ ├── logs-fortinet.fortimail@ilm.json │ ├── refresh_interval@settings.json │ ├── strings_as_keyword@mappings.json │ ├── synthetic_source@mappings.json │ ├── total_fields_limit@settings.json │ └── transforms-fortinet.fortigate@mappings.json ├── ilm │ ├── logs-fortinet.forticlient.json │ ├── logs-fortinet.fortiedr.json │ ├── logs-fortinet.fortigate.event.json │ ├── logs-fortinet.fortigate.traffic.json │ ├── logs-fortinet.fortigate.utm.json │ └── logs-fortinet.fortimail.json └── index_templates │ ├── 
logs-fortinet.forticlient.json │ ├── logs-fortinet.fortiedr.json │ ├── logs-fortinet.fortigate.event.json │ ├── logs-fortinet.fortigate.traffic.json │ ├── logs-fortinet.fortigate.utm.json │ ├── logs-fortinet.fortimail.json │ └── transforms-fortinet.fortigate.traffic.json ├── ingest_pipelines ├── add_event_ingested.json ├── logs-fortinet.fortiadc.json ├── logs-fortinet.forticlient.json ├── logs-fortinet.fortiedr.json ├── logs-fortinet.fortigate.json ├── logs-fortinet.fortimail.json ├── logs-fortinet.fortiweb.json ├── transforms-fortinet.fortigate.traffic.forward.policy.json ├── transforms-fortinet.fortigate.traffic.private2private.json ├── transforms-fortinet.fortigate.traffic.private2public.json ├── transforms-fortinet.fortigate.traffic.public2private.json └── transforms-fortinet.fortigate.traffic.public2public.json ├── kibana ├── forticlient ELK 851.ndjson ├── fortiedr ELK 8111.ndjson ├── fortiedr ELK 8122.ndjson ├── fortiedr ELK 862.ndjson ├── fortigate ELK 8122.ndjson ├── fortigate ELK 8141.ndjson ├── fortigate ELK 823.ndjson ├── fortigate ELK 840.ndjson ├── fortigate ELK 851.ndjson ├── fortigate ELK 860.ndjson ├── fortigate ELK 871.ndjson ├── fortimail ELK 8142.ndjson ├── fortimail ELK 851.ndjson ├── fortiweb ELK 8132.ndjson ├── panw cortex ELK 8132.ndjson ├── panw panos ELK 8143.ndjson └── panw panos ELK 850.ndjson ├── load.sh ├── logstash ├── conf.d │ ├── syslog-fortinet-common_ecs-output.conf │ ├── syslog-fortinet-forticlient-input-kv.conf │ ├── syslog-fortinet-forticlient_2_ecs.conf │ ├── syslog-fortinet-fortiedr-input-kv.conf │ ├── syslog-fortinet-fortiedr_2_ecs.conf │ ├── syslog-fortinet-fortigate-input-kv.conf │ ├── syslog-fortinet-fortigate-input5424-kv.conf │ ├── syslog-fortinet-fortigate_2_ecsv2.conf │ ├── syslog-fortinet-fortimail-input-kv.conf │ ├── syslog-fortinet-fortimail_2_ecs.conf │ ├── syslog-fortinet-fortisandbox-input-kv.conf │ ├── syslog-fortinet-fortisandbox_2_ecs.conf │ ├── syslog-fortinet-fortiweb-input-kv.conf │ └── 
syslog-fortinet-fortiweb_2_ecs.conf └── pipelines.yml ├── transforms ├── transforms-fortinet.fortigate.traffic.forward.policy.external_1m.json ├── transforms-fortinet.fortigate.traffic.forward.policy.inbound_1m.json ├── transforms-fortinet.fortigate.traffic.forward.policy.internal_1m.json ├── transforms-fortinet.fortigate.traffic.forward.policy.outbound_1m.json ├── transforms-fortinet.fortigate.traffic.private2private_1m ├── transforms-fortinet.fortigate.traffic.private2public_1m ├── transforms-fortinet.fortigate.traffic.public2private_1m └── transforms-fortinet.fortigate.traffic.public2public_1m └── vector ├── fortigate.yaml ├── iana_number.csv ├── panos.yaml ├── vector.yaml ├── vector_monitoring.yaml └── victoria_monitoring.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | ecs/ 2 | -------------------------------------------------------------------------------- /images/FortiUnicorn Fortinet-2-Elasticsearch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/FortiUnicorn Fortinet-2-Elasticsearch.png -------------------------------------------------------------------------------- /images/add_integration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/add_integration.png -------------------------------------------------------------------------------- /images/common.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/common.png -------------------------------------------------------------------------------- /images/create_policy.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/create_policy.png -------------------------------------------------------------------------------- /images/custom_udp_logs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/custom_udp_logs.png -------------------------------------------------------------------------------- /images/dashboards/Firewall Health [Fortigate].PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/dashboards/Firewall Health [Fortigate].PNG -------------------------------------------------------------------------------- /images/dashboards/IPS [Fortigate].PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/dashboards/IPS [Fortigate].PNG -------------------------------------------------------------------------------- /images/dashboards/Outbound Bytes Traffic [Fortigate].PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/dashboards/Outbound Bytes Traffic [Fortigate].PNG -------------------------------------------------------------------------------- /images/dashboards/Outbound Sessions Traffic [Fortigate].PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/dashboards/Outbound Sessions Traffic [Fortigate].PNG -------------------------------------------------------------------------------- /images/fortidragon.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/fortidragon.jpeg -------------------------------------------------------------------------------- /images/header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/header.png -------------------------------------------------------------------------------- /images/integration_parameters.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/integration_parameters.png -------------------------------------------------------------------------------- /images/logo.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/logo.jpeg -------------------------------------------------------------------------------- /images/logo_with_name.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/logo_with_name.jpg -------------------------------------------------------------------------------- /images/logo_with_name_small.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/logo_with_name_small.jpg -------------------------------------------------------------------------------- /images/making_of/draft 1.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/making_of/draft 1.jpeg -------------------------------------------------------------------------------- /images/making_of/draft 2.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/making_of/draft 2.jpeg -------------------------------------------------------------------------------- /images/making_of/draft 3.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/making_of/draft 3.jpeg -------------------------------------------------------------------------------- /images/making_of/draft 4.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/making_of/draft 4.jpeg -------------------------------------------------------------------------------- /images/making_of/draft 5.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/making_of/draft 5.jpeg -------------------------------------------------------------------------------- /images/making_of/draft 6.jpeg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/making_of/draft 6.jpeg -------------------------------------------------------------------------------- /images/making_of/draft 7.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/making_of/draft 7.jpeg -------------------------------------------------------------------------------- /images/making_of/draft 8.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/making_of/draft 8.jpeg -------------------------------------------------------------------------------- /images/specific.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enotspe/fortinet-2-elasticsearch/ee14d60adf6014f2340a3ee6c3ab66144f4a7e51/images/specific.png -------------------------------------------------------------------------------- /index_templates/component_templates/auto_expand_replicas@settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "settings": { 4 | "index": { 5 | "auto_expand_replicas": "0-1" 6 | } 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /index_templates/component_templates/ecs-destination-transforms.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "destination": { 6 | "dynamic": true, 7 | "type": "object", 8 | "enabled": true, 9 | "properties": { 10 | "nat": { 11 | "type": "object", 12 | "properties": { 13 | "port": { 14 | "type": "long" 15 | }, 16 | "ip": { 17 | "type": "ip" 
18 | } 19 | } 20 | }, 21 | "address": { 22 | "ignore_above": 1024, 23 | "type": "keyword" 24 | }, 25 | "top_level_domain": { 26 | "ignore_above": 1024, 27 | "type": "keyword" 28 | }, 29 | "ip": { 30 | "type": "ip" 31 | }, 32 | "locality": { 33 | "type": "keyword" 34 | }, 35 | "mac": { 36 | "ignore_above": 1024, 37 | "type": "keyword" 38 | }, 39 | "packets": { 40 | "dynamic": true, 41 | "type": "object", 42 | "enabled": true, 43 | "properties": { 44 | "stats": { 45 | "type": "object", 46 | "properties": { 47 | "avg": { 48 | "type": "double" 49 | }, 50 | "min": { 51 | "type": "double" 52 | }, 53 | "max": { 54 | "type": "double" 55 | }, 56 | "count": { 57 | "type": "double" 58 | }, 59 | "sum": { 60 | "type": "double" 61 | } 62 | } 63 | } 64 | } 65 | }, 66 | "geo": { 67 | "type": "object", 68 | "properties": { 69 | "continent_name": { 70 | "ignore_above": 1024, 71 | "type": "keyword" 72 | }, 73 | "region_iso_code": { 74 | "ignore_above": 1024, 75 | "type": "keyword" 76 | }, 77 | "city_name": { 78 | "ignore_above": 1024, 79 | "type": "keyword" 80 | }, 81 | "country_iso_code": { 82 | "ignore_above": 1024, 83 | "type": "keyword" 84 | }, 85 | "timezone": { 86 | "ignore_above": 1024, 87 | "type": "keyword" 88 | }, 89 | "country_name": { 90 | "ignore_above": 1024, 91 | "type": "keyword" 92 | }, 93 | "name": { 94 | "ignore_above": 1024, 95 | "type": "keyword" 96 | }, 97 | "continent_code": { 98 | "ignore_above": 1024, 99 | "type": "keyword" 100 | }, 101 | "location": { 102 | "type": "geo_point" 103 | }, 104 | "region_name": { 105 | "ignore_above": 1024, 106 | "type": "keyword" 107 | }, 108 | "postal_code": { 109 | "ignore_above": 1024, 110 | "type": "keyword" 111 | } 112 | } 113 | }, 114 | "as": { 115 | "type": "object", 116 | "properties": { 117 | "number": { 118 | "type": "long" 119 | }, 120 | "organization": { 121 | "type": "object", 122 | "properties": { 123 | "name": { 124 | "ignore_above": 1024, 125 | "type": "keyword", 126 | "fields": { 127 | "text": { 128 | "type": 
"match_only_text" 129 | } 130 | } 131 | } 132 | } 133 | } 134 | } 135 | }, 136 | "registered_domain": { 137 | "ignore_above": 1024, 138 | "type": "keyword" 139 | }, 140 | "port": { 141 | "type": "long" 142 | }, 143 | "bytes": { 144 | "dynamic": true, 145 | "type": "object", 146 | "enabled": true, 147 | "properties": { 148 | "stats": { 149 | "type": "object", 150 | "properties": { 151 | "avg": { 152 | "type": "double" 153 | }, 154 | "min": { 155 | "type": "double" 156 | }, 157 | "max": { 158 | "type": "double" 159 | }, 160 | "count": { 161 | "type": "double" 162 | }, 163 | "sum": { 164 | "type": "double" 165 | } 166 | } 167 | } 168 | } 169 | }, 170 | "domain": { 171 | "ignore_above": 1024, 172 | "type": "keyword" 173 | }, 174 | "subdomain": { 175 | "ignore_above": 1024, 176 | "type": "keyword" 177 | }, 178 | "user": { 179 | "type": "object", 180 | "properties": { 181 | "full_name": { 182 | "ignore_above": 1024, 183 | "type": "keyword", 184 | "fields": { 185 | "text": { 186 | "type": "match_only_text" 187 | } 188 | } 189 | }, 190 | "domain": { 191 | "ignore_above": 1024, 192 | "type": "keyword" 193 | }, 194 | "roles": { 195 | "ignore_above": 1024, 196 | "type": "keyword" 197 | }, 198 | "name": { 199 | "ignore_above": 1024, 200 | "type": "keyword", 201 | "fields": { 202 | "text": { 203 | "type": "match_only_text" 204 | } 205 | } 206 | }, 207 | "id": { 208 | "ignore_above": 1024, 209 | "type": "keyword" 210 | }, 211 | "email": { 212 | "ignore_above": 1024, 213 | "type": "keyword" 214 | }, 215 | "hash": { 216 | "ignore_above": 1024, 217 | "type": "keyword" 218 | }, 219 | "group": { 220 | "type": "object", 221 | "properties": { 222 | "domain": { 223 | "ignore_above": 1024, 224 | "type": "keyword" 225 | }, 226 | "name": { 227 | "ignore_above": 1024, 228 | "type": "keyword" 229 | }, 230 | "id": { 231 | "ignore_above": 1024, 232 | "type": "keyword" 233 | } 234 | } 235 | } 236 | } 237 | } 238 | } 239 | } 240 | } 241 | } 242 | } 243 | } 244 | 
-------------------------------------------------------------------------------- /index_templates/component_templates/ecs-event-modified.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "event": { 6 | "type": "object", 7 | "properties": { 8 | "reason": { 9 | "ignore_above": 1024, 10 | "type": "keyword" 11 | }, 12 | "code": { 13 | "ignore_above": 1024, 14 | "type": "keyword" 15 | }, 16 | "timezone": { 17 | "ignore_above": 1024, 18 | "type": "keyword" 19 | }, 20 | "type": { 21 | "ignore_above": 1024, 22 | "type": "keyword" 23 | }, 24 | "agent_id_status": { 25 | "ignore_above": 1024, 26 | "type": "keyword" 27 | }, 28 | "duration": { 29 | "type": "long" 30 | }, 31 | "reference": { 32 | "ignore_above": 1024, 33 | "type": "keyword" 34 | }, 35 | "ingested": { 36 | "type": "date" 37 | }, 38 | "provider": { 39 | "ignore_above": 1024, 40 | "type": "keyword" 41 | }, 42 | "action": { 43 | "ignore_above": 1024, 44 | "type": "keyword" 45 | }, 46 | "end": { 47 | "type": "date" 48 | }, 49 | "id": { 50 | "ignore_above": 1024, 51 | "type": "keyword" 52 | }, 53 | "outcome": { 54 | "ignore_above": 1024, 55 | "type": "keyword" 56 | }, 57 | "severity": { 58 | "type": "long" 59 | }, 60 | "original": { 61 | "eager_global_ordinals": false, 62 | "norms": false, 63 | "index": false, 64 | "store": false, 65 | "type": "keyword", 66 | "split_queries_on_whitespace": false, 67 | "doc_values": true 68 | }, 69 | "risk_score": { 70 | "type": "float" 71 | }, 72 | "created": { 73 | "type": "date" 74 | }, 75 | "kind": { 76 | "ignore_above": 1024, 77 | "type": "keyword" 78 | }, 79 | "module": { 80 | "ignore_above": 1024, 81 | "type": "keyword" 82 | }, 83 | "start": { 84 | "type": "date" 85 | }, 86 | "url": { 87 | "ignore_above": 1024, 88 | "type": "keyword" 89 | }, 90 | "sequence": { 91 | "type": "long" 92 | }, 93 | "risk_score_norm": { 94 | "type": "float" 95 | }, 96 | "category": { 97 | 
"ignore_above": 1024, 98 | "type": "keyword" 99 | }, 100 | "dataset": { 101 | "ignore_above": 1024, 102 | "type": "keyword" 103 | }, 104 | "hash": { 105 | "ignore_above": 1024, 106 | "type": "keyword" 107 | } 108 | } 109 | } 110 | } 111 | } 112 | } 113 | } 114 | -------------------------------------------------------------------------------- /index_templates/component_templates/ecs-event-transforms.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "event": { 6 | "type": "object", 7 | "properties": { 8 | "duration": { 9 | "dynamic": true, 10 | "type": "object", 11 | "enabled": true, 12 | "properties": { 13 | "stats": { 14 | "type": "object", 15 | "properties": { 16 | "avg": { 17 | "type": "double" 18 | }, 19 | "min": { 20 | "type": "double" 21 | }, 22 | "max": { 23 | "type": "double" 24 | }, 25 | "count": { 26 | "type": "double" 27 | }, 28 | "sum": { 29 | "type": "double" 30 | } 31 | } 32 | } 33 | } 34 | }, 35 | "risk_score": { 36 | "dynamic": true, 37 | "type": "object", 38 | "enabled": true, 39 | "properties": { 40 | "stats": { 41 | "type": "object", 42 | "properties": { 43 | "avg": { 44 | "type": "double" 45 | }, 46 | "min": { 47 | "type": "double" 48 | }, 49 | "max": { 50 | "type": "double" 51 | }, 52 | "count": { 53 | "type": "double" 54 | }, 55 | "sum": { 56 | "type": "double" 57 | } 58 | } 59 | } 60 | } 61 | } 62 | } 63 | } 64 | } 65 | } 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /index_templates/component_templates/ecs-log-modified.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "log": { 6 | "type": "object", 7 | "properties": { 8 | "file": { 9 | "type": "object", 10 | "properties": { 11 | "path": { 12 | "ignore_above": 1024, 13 | "type": "keyword" 14 | } 15 | } 16 | }, 17 | "level": { 18 | 
"ignore_above": 1024, 19 | "type": "keyword" 20 | }, 21 | "logger": { 22 | "ignore_above": 1024, 23 | "type": "keyword" 24 | }, 25 | "origin": { 26 | "type": "object", 27 | "properties": { 28 | "file": { 29 | "type": "object", 30 | "properties": { 31 | "line": { 32 | "type": "long" 33 | }, 34 | "name": { 35 | "ignore_above": 1024, 36 | "type": "keyword" 37 | } 38 | } 39 | }, 40 | "function": { 41 | "ignore_above": 1024, 42 | "type": "keyword" 43 | } 44 | } 45 | }, 46 | "syslog": { 47 | "type": "object", 48 | "properties": { 49 | "severity": { 50 | "type": "object", 51 | "properties": { 52 | "code": { 53 | "type": "long" 54 | }, 55 | "name": { 56 | "ignore_above": 1024, 57 | "type": "keyword" 58 | } 59 | } 60 | }, 61 | "hostname": { 62 | "ignore_above": 1024, 63 | "type": "keyword" 64 | }, 65 | "appname": { 66 | "ignore_above": 1024, 67 | "type": "keyword" 68 | }, 69 | "procid": { 70 | "ignore_above": 1024, 71 | "type": "keyword" 72 | }, 73 | "msgid": { 74 | "ignore_above": 1024, 75 | "type": "keyword" 76 | }, 77 | "priority": { 78 | "type": "long" 79 | }, 80 | "facility": { 81 | "type": "object", 82 | "properties": { 83 | "code": { 84 | "type": "long" 85 | }, 86 | "name": { 87 | "ignore_above": 1024, 88 | "type": "keyword" 89 | } 90 | } 91 | }, 92 | "version": { 93 | "ignore_above": 1024, 94 | "type": "keyword" 95 | } 96 | } 97 | } 98 | } 99 | } 100 | } 101 | } 102 | } 103 | } 104 | -------------------------------------------------------------------------------- /index_templates/component_templates/ecs-network-transforms.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "network": { 6 | "type": "object", 7 | "properties": { 8 | "transport": { 9 | "ignore_above": 1024, 10 | "type": "keyword" 11 | }, 12 | "type": { 13 | "ignore_above": 1024, 14 | "type": "keyword" 15 | }, 16 | "inner": { 17 | "type": "object", 18 | "properties": { 19 | "vlan": { 20 | "type": 
"object", 21 | "properties": { 22 | "name": { 23 | "ignore_above": 1024, 24 | "type": "keyword" 25 | }, 26 | "id": { 27 | "ignore_above": 1024, 28 | "type": "keyword" 29 | } 30 | } 31 | } 32 | } 33 | }, 34 | "packets": { 35 | "dynamic": true, 36 | "type": "object", 37 | "enabled": true, 38 | "properties": { 39 | "stats": { 40 | "type": "object", 41 | "properties": { 42 | "avg": { 43 | "type": "double" 44 | }, 45 | "min": { 46 | "type": "double" 47 | }, 48 | "max": { 49 | "type": "double" 50 | }, 51 | "count": { 52 | "type": "double" 53 | }, 54 | "sum": { 55 | "type": "double" 56 | } 57 | } 58 | } 59 | } 60 | }, 61 | "community_id": { 62 | "ignore_above": 1024, 63 | "type": "keyword" 64 | }, 65 | "forwarded_ip": { 66 | "type": "ip" 67 | }, 68 | "protocol": { 69 | "ignore_above": 1024, 70 | "type": "keyword" 71 | }, 72 | "application": { 73 | "ignore_above": 1024, 74 | "type": "keyword" 75 | }, 76 | "vlan": { 77 | "type": "object", 78 | "properties": { 79 | "name": { 80 | "ignore_above": 1024, 81 | "type": "keyword" 82 | }, 83 | "id": { 84 | "ignore_above": 1024, 85 | "type": "keyword" 86 | } 87 | } 88 | }, 89 | "bytes": { 90 | "dynamic": true, 91 | "type": "object", 92 | "enabled": true, 93 | "properties": { 94 | "stats": { 95 | "type": "object", 96 | "properties": { 97 | "avg": { 98 | "type": "double" 99 | }, 100 | "min": { 101 | "type": "double" 102 | }, 103 | "max": { 104 | "type": "double" 105 | }, 106 | "count": { 107 | "type": "double" 108 | }, 109 | "sum": { 110 | "type": "double" 111 | } 112 | } 113 | } 114 | } 115 | }, 116 | "name": { 117 | "ignore_above": 1024, 118 | "type": "keyword" 119 | }, 120 | "protocol_category": { 121 | "type": "keyword" 122 | }, 123 | "iana_number": { 124 | "ignore_above": 1024, 125 | "type": "keyword" 126 | }, 127 | "direction": { 128 | "ignore_above": 1024, 129 | "type": "keyword" 130 | } 131 | } 132 | } 133 | } 134 | } 135 | } 136 | } 137 | -------------------------------------------------------------------------------- 
/index_templates/component_templates/ecs-rule-transforms.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "rule": { 6 | "type": "object", 7 | "properties": { 8 | "reference": { 9 | "ignore_above": 1024, 10 | "type": "keyword" 11 | }, 12 | "license": { 13 | "ignore_above": 1024, 14 | "type": "keyword" 15 | }, 16 | "author": { 17 | "ignore_above": 1024, 18 | "type": "keyword" 19 | }, 20 | "name": { 21 | "ignore_above": 1024, 22 | "type": "keyword" 23 | }, 24 | "ruleset": { 25 | "ignore_above": 1024, 26 | "type": "keyword" 27 | }, 28 | "description": { 29 | "ignore_above": 1024, 30 | "type": "keyword" 31 | }, 32 | "id": { 33 | "ignore_above": 1024, 34 | "type": "keyword" 35 | }, 36 | "category": { 37 | "ignore_above": 1024, 38 | "type": "keyword" 39 | }, 40 | "uuid": { 41 | "ignore_above": 1024, 42 | "type": "keyword" 43 | }, 44 | "version": { 45 | "ignore_above": 1024, 46 | "type": "keyword" 47 | }, 48 | "id-name": { 49 | "type": "keyword" 50 | } 51 | } 52 | } 53 | } 54 | } 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /index_templates/component_templates/ecs-session-transforms.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "session": { 6 | "type": "object", 7 | "properties": { 8 | "id": { 9 | "dynamic": true, 10 | "type": "object", 11 | "enabled": true, 12 | "properties": { 13 | "value_count": { 14 | "type": "double" 15 | } 16 | } 17 | } 18 | } 19 | } 20 | } 21 | } 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /index_templates/component_templates/ecs-source-modified.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "source": { 6 | "properties": { 7 | 
"nat": { 8 | "properties": { 9 | "port": { 10 | "type": "long" 11 | }, 12 | "ip": { 13 | "type": "ip" 14 | } 15 | } 16 | }, 17 | "address": { 18 | "ignore_above": 1024, 19 | "type": "keyword" 20 | }, 21 | "top_level_domain": { 22 | "ignore_above": 1024, 23 | "type": "keyword" 24 | }, 25 | "ip": { 26 | "type": "ip" 27 | }, 28 | "mac": { 29 | "ignore_above": 1024, 30 | "type": "keyword" 31 | }, 32 | "packets": { 33 | "type": "long" 34 | }, 35 | "geo": { 36 | "properties": { 37 | "continent_name": { 38 | "ignore_above": 1024, 39 | "type": "keyword" 40 | }, 41 | "region_iso_code": { 42 | "ignore_above": 1024, 43 | "type": "keyword" 44 | }, 45 | "city_name": { 46 | "ignore_above": 1024, 47 | "type": "keyword" 48 | }, 49 | "country_iso_code": { 50 | "ignore_above": 1024, 51 | "type": "keyword" 52 | }, 53 | "timezone": { 54 | "ignore_above": 1024, 55 | "type": "keyword" 56 | }, 57 | "country_name": { 58 | "ignore_above": 1024, 59 | "type": "keyword" 60 | }, 61 | "name": { 62 | "ignore_above": 1024, 63 | "type": "keyword" 64 | }, 65 | "continent_code": { 66 | "ignore_above": 1024, 67 | "type": "keyword" 68 | }, 69 | "location": { 70 | "type": "geo_point" 71 | }, 72 | "region_name": { 73 | "ignore_above": 1024, 74 | "type": "keyword" 75 | }, 76 | "postal_code": { 77 | "ignore_above": 1024, 78 | "type": "keyword" 79 | } 80 | } 81 | }, 82 | "as": { 83 | "properties": { 84 | "number": { 85 | "type": "long" 86 | }, 87 | "organization": { 88 | "properties": { 89 | "name": { 90 | "ignore_above": 1024, 91 | "fields": { 92 | "text": { 93 | "type": "match_only_text" 94 | } 95 | }, 96 | "type": "keyword" 97 | } 98 | } 99 | } 100 | } 101 | }, 102 | "registered_domain": { 103 | "ignore_above": 1024, 104 | "type": "keyword" 105 | }, 106 | "port": { 107 | "type": "long" 108 | }, 109 | "bytes": { 110 | "type": "long" 111 | }, 112 | "domain": { 113 | "ignore_above": 1024, 114 | "type": "keyword" 115 | }, 116 | "subdomain": { 117 | "ignore_above": 1024, 118 | "type": "keyword" 119 | }, 120 
| "risk": { 121 | "properties": { 122 | "static_level": { 123 | "ignore_above": 1024, 124 | "type": "keyword" 125 | }, 126 | "static_score": { 127 | "type": "float" 128 | } 129 | } 130 | }, 131 | "user": { 132 | "properties": { 133 | "full_name": { 134 | "ignore_above": 1024, 135 | "fields": { 136 | "text": { 137 | "type": "match_only_text" 138 | } 139 | }, 140 | "type": "keyword" 141 | }, 142 | "domain": { 143 | "ignore_above": 1024, 144 | "type": "keyword" 145 | }, 146 | "roles": { 147 | "ignore_above": 1024, 148 | "type": "keyword" 149 | }, 150 | "name": { 151 | "ignore_above": 1024, 152 | "fields": { 153 | "text": { 154 | "type": "match_only_text" 155 | } 156 | }, 157 | "type": "keyword" 158 | }, 159 | "id": { 160 | "ignore_above": 1024, 161 | "type": "keyword" 162 | }, 163 | "email": { 164 | "ignore_above": 1024, 165 | "type": "keyword" 166 | }, 167 | "hash": { 168 | "ignore_above": 1024, 169 | "type": "keyword" 170 | }, 171 | "group": { 172 | "properties": { 173 | "domain": { 174 | "ignore_above": 1024, 175 | "type": "keyword" 176 | }, 177 | "name": { 178 | "ignore_above": 1024, 179 | "type": "keyword" 180 | }, 181 | "id": { 182 | "ignore_above": 1024, 183 | "type": "keyword" 184 | } 185 | } 186 | } 187 | } 188 | } 189 | } 190 | } 191 | } 192 | } 193 | } 194 | } 195 | -------------------------------------------------------------------------------- /index_templates/component_templates/ecs-source-transforms.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "source": { 6 | "type": "object", 7 | "properties": { 8 | "nat": { 9 | "type": "object", 10 | "properties": { 11 | "port": { 12 | "type": "long" 13 | }, 14 | "ip": { 15 | "type": "ip" 16 | } 17 | } 18 | }, 19 | "address": { 20 | "ignore_above": 1024, 21 | "type": "keyword" 22 | }, 23 | "top_level_domain": { 24 | "ignore_above": 1024, 25 | "type": "keyword" 26 | }, 27 | "ip": { 28 | "type": "ip" 29 | }, 30 | 
"locality": { 31 | "type": "keyword" 32 | }, 33 | "mac": { 34 | "ignore_above": 1024, 35 | "type": "keyword" 36 | }, 37 | "packets": { 38 | "dynamic": true, 39 | "type": "object", 40 | "enabled": true, 41 | "properties": { 42 | "stats": { 43 | "type": "object", 44 | "properties": { 45 | "avg": { 46 | "type": "double" 47 | }, 48 | "min": { 49 | "type": "double" 50 | }, 51 | "max": { 52 | "type": "double" 53 | }, 54 | "count": { 55 | "type": "double" 56 | }, 57 | "sum": { 58 | "type": "double" 59 | } 60 | } 61 | } 62 | } 63 | }, 64 | "geo": { 65 | "type": "object", 66 | "properties": { 67 | "continent_name": { 68 | "ignore_above": 1024, 69 | "type": "keyword" 70 | }, 71 | "region_iso_code": { 72 | "ignore_above": 1024, 73 | "type": "keyword" 74 | }, 75 | "city_name": { 76 | "ignore_above": 1024, 77 | "type": "keyword" 78 | }, 79 | "country_iso_code": { 80 | "ignore_above": 1024, 81 | "type": "keyword" 82 | }, 83 | "timezone": { 84 | "ignore_above": 1024, 85 | "type": "keyword" 86 | }, 87 | "country_name": { 88 | "ignore_above": 1024, 89 | "type": "keyword" 90 | }, 91 | "name": { 92 | "ignore_above": 1024, 93 | "type": "keyword" 94 | }, 95 | "continent_code": { 96 | "ignore_above": 1024, 97 | "type": "keyword" 98 | }, 99 | "location": { 100 | "type": "geo_point" 101 | }, 102 | "region_name": { 103 | "ignore_above": 1024, 104 | "type": "keyword" 105 | }, 106 | "postal_code": { 107 | "ignore_above": 1024, 108 | "type": "keyword" 109 | } 110 | } 111 | }, 112 | "as": { 113 | "type": "object", 114 | "properties": { 115 | "number": { 116 | "type": "long" 117 | }, 118 | "organization": { 119 | "type": "object", 120 | "properties": { 121 | "name": { 122 | "ignore_above": 1024, 123 | "type": "keyword", 124 | "fields": { 125 | "text": { 126 | "type": "match_only_text" 127 | } 128 | } 129 | } 130 | } 131 | } 132 | } 133 | }, 134 | "registered_domain": { 135 | "ignore_above": 1024, 136 | "type": "keyword" 137 | }, 138 | "port": { 139 | "type": "long" 140 | }, 141 | "bytes": { 142 
| "dynamic": true, 143 | "type": "object", 144 | "enabled": true, 145 | "properties": { 146 | "stats": { 147 | "type": "object", 148 | "properties": { 149 | "avg": { 150 | "type": "double" 151 | }, 152 | "min": { 153 | "type": "double" 154 | }, 155 | "max": { 156 | "type": "double" 157 | }, 158 | "count": { 159 | "type": "double" 160 | }, 161 | "sum": { 162 | "type": "double" 163 | } 164 | } 165 | } 166 | } 167 | }, 168 | "domain": { 169 | "ignore_above": 1024, 170 | "type": "keyword" 171 | }, 172 | "subdomain": { 173 | "ignore_above": 1024, 174 | "type": "keyword" 175 | }, 176 | "risk": { 177 | "type": "object", 178 | "properties": { 179 | "static_level": { 180 | "type": "keyword" 181 | }, 182 | "static_score": { 183 | "type": "object", 184 | "properties": { 185 | "stats": { 186 | "type": "object", 187 | "properties": { 188 | "avg": { 189 | "type": "double" 190 | }, 191 | "min": { 192 | "type": "double" 193 | }, 194 | "max": { 195 | "type": "double" 196 | }, 197 | "count": { 198 | "type": "double" 199 | }, 200 | "sum": { 201 | "type": "double" 202 | } 203 | } 204 | } 205 | } 206 | } 207 | } 208 | }, 209 | "user": { 210 | "type": "object", 211 | "properties": { 212 | "full_name": { 213 | "ignore_above": 1024, 214 | "type": "keyword", 215 | "fields": { 216 | "text": { 217 | "type": "match_only_text" 218 | } 219 | } 220 | }, 221 | "domain": { 222 | "ignore_above": 1024, 223 | "type": "keyword" 224 | }, 225 | "roles": { 226 | "ignore_above": 1024, 227 | "type": "keyword" 228 | }, 229 | "name": { 230 | "ignore_above": 1024, 231 | "type": "keyword", 232 | "fields": { 233 | "text": { 234 | "type": "match_only_text" 235 | } 236 | } 237 | }, 238 | "id": { 239 | "ignore_above": 1024, 240 | "type": "keyword" 241 | }, 242 | "email": { 243 | "ignore_above": 1024, 244 | "type": "keyword" 245 | }, 246 | "hash": { 247 | "ignore_above": 1024, 248 | "type": "keyword" 249 | }, 250 | "group": { 251 | "type": "object", 252 | "properties": { 253 | "domain": { 254 | "ignore_above": 
1024, 255 | "type": "keyword" 256 | }, 257 | "name": { 258 | "ignore_above": 1024, 259 | "type": "keyword" 260 | }, 261 | "id": { 262 | "ignore_above": 1024, 263 | "type": "keyword" 264 | } 265 | } 266 | } 267 | } 268 | } 269 | } 270 | } 271 | } 272 | } 273 | } 274 | } 275 | -------------------------------------------------------------------------------- /index_templates/component_templates/logs-fortinet.forticlient@ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "settings": { 4 | "index": { 5 | "lifecycle": { 6 | "name": "logs-fortinet.forticlient" 7 | } 8 | } 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /index_templates/component_templates/logs-fortinet.fortiedr@ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "settings": { 4 | "index": { 5 | "lifecycle": { 6 | "name": "logs-fortinet.fortiedr" 7 | } 8 | } 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /index_templates/component_templates/logs-fortinet.fortiedr@mappings.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "properties": { 5 | "fedr": { 6 | "properties": { 7 | "DateandTime": { 8 | "format": "dd-MMM-yyyy, HH:mm:ss", 9 | "ignore_malformed": true, 10 | "type": "date" 11 | }, 12 | "SourceIP": { 13 | "ignore_malformed": true, 14 | "type": "ip" 15 | }, 16 | "FirstSeen": { 17 | "format": "dd-MMM-yyyy, HH:mm:ss", 18 | "ignore_malformed": true, 19 | "type": "date" 20 | }, 21 | "Count": { 22 | "ignore_malformed": true, 23 | "type": "long" 24 | }, 25 | "LastSeen": { 26 | "format": "dd-MMM-yyyy, HH:mm:ss", 27 | "ignore_malformed": true, 28 | "type": "date" 29 | }, 30 | "Date": { 31 | "format": "dd-MMM-yyyy, HH:mm:ss", 32 | "ignore_malformed": true, 33 | "type": "date" 34 | } 
35 | } 36 | } 37 | } 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /index_templates/component_templates/logs-fortinet.fortigate.event@ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "settings": { 4 | "index": { 5 | "lifecycle": { 6 | "name": "logs-fortinet.fortigate.event" 7 | } 8 | } 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /index_templates/component_templates/logs-fortinet.fortigate.traffic@ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "settings": { 4 | "index": { 5 | "lifecycle": { 6 | "name": "logs-fortinet.fortigate.traffic" 7 | } 8 | } 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /index_templates/component_templates/logs-fortinet.fortigate.utm@ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "settings": { 4 | "index": { 5 | "lifecycle": { 6 | "name": "logs-fortinet.fortigate.utm" 7 | } 8 | } 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /index_templates/component_templates/logs-fortinet.fortimail@ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "settings": { 4 | "index": { 5 | "lifecycle": { 6 | "name": "logs-fortinet.fortimail" 7 | } 8 | } 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /index_templates/component_templates/refresh_interval@settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "settings": { 4 | "index": { 5 | "refresh_interval": "30s" 6 | } 7 | } 8 | } 9 | } 10 | 
-------------------------------------------------------------------------------- /index_templates/component_templates/strings_as_keyword@mappings.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "dynamic_templates": [ 5 | { 6 | "strings_as_keyword": { 7 | "mapping": { 8 | "type": "keyword" 9 | }, 10 | "match_mapping_type": "string" 11 | } 12 | } 13 | ] 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /index_templates/component_templates/synthetic_source@mappings.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "mappings": { 4 | "_source": { 5 | "mode": "synthetic" 6 | } 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /index_templates/component_templates/total_fields_limit@settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": { 3 | "settings": { 4 | "index": { 5 | "mapping": { 6 | "total_fields": { 7 | "limit": "1500" 8 | } 9 | } 10 | } 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /index_templates/ilm/logs-fortinet.forticlient.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy" : { 3 | "phases" : { 4 | "warm" : { 5 | "min_age" : "0d", 6 | "actions" : { 7 | "readonly" : { }, 8 | "forcemerge" : { 9 | "max_num_segments" : 1 10 | }, 11 | "set_priority" : { 12 | "priority" : 50 13 | } 14 | } 15 | }, 16 | "hot" : { 17 | "min_age" : "0ms", 18 | "actions" : { 19 | "rollover" : { 20 | "max_primary_shard_size" : "50gb", 21 | "max_age" : "30d" 22 | } 23 | } 24 | }, 25 | "delete" : { 26 | "min_age" : "30d", 27 | "actions" : { 28 | "delete" : {} 29 | } 30 | } 31 | } 32 | } 33 | } 34 | 
-------------------------------------------------------------------------------- /index_templates/ilm/logs-fortinet.fortiedr.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy" : { 3 | "phases" : { 4 | "warm" : { 5 | "min_age" : "0d", 6 | "actions" : { 7 | "readonly" : { }, 8 | "forcemerge" : { 9 | "max_num_segments" : 1 10 | }, 11 | "set_priority" : { 12 | "priority" : 50 13 | } 14 | } 15 | }, 16 | "hot" : { 17 | "min_age" : "0ms", 18 | "actions" : { 19 | "rollover" : { 20 | "max_primary_shard_size" : "50gb", 21 | "max_age" : "30d" 22 | } 23 | } 24 | }, 25 | "delete" : { 26 | "min_age" : "30d", 27 | "actions" : { 28 | "delete" : {} 29 | } 30 | } 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /index_templates/ilm/logs-fortinet.fortigate.event.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy" : { 3 | "phases" : { 4 | "warm" : { 5 | "min_age" : "0d", 6 | "actions" : { 7 | "readonly" : { }, 8 | "forcemerge" : { 9 | "max_num_segments" : 1 10 | }, 11 | "set_priority" : { 12 | "priority" : 50 13 | } 14 | } 15 | }, 16 | "hot" : { 17 | "min_age" : "0ms", 18 | "actions" : { 19 | "rollover" : { 20 | "max_primary_shard_size" : "50gb", 21 | "max_age" : "30d" 22 | } 23 | } 24 | }, 25 | "delete" : { 26 | "min_age" : "90d", 27 | "actions" : { 28 | "delete" : {} 29 | } 30 | } 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /index_templates/ilm/logs-fortinet.fortigate.traffic.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy" : { 3 | "phases" : { 4 | "warm" : { 5 | "min_age" : "0d", 6 | "actions" : { 7 | "readonly" : { }, 8 | "forcemerge" : { 9 | "max_num_segments" : 1 10 | }, 11 | "set_priority" : { 12 | "priority" : 50 13 | } 14 | } 15 | }, 16 | "hot" : { 17 | "min_age" : "0ms", 18 | "actions" : { 19 
| "rollover" : { 20 | "max_primary_shard_size" : "50gb", 21 | "max_age" : "30d" 22 | } 23 | } 24 | }, 25 | "delete" : { 26 | "min_age" : "15d", 27 | "actions" : { 28 | "delete" : {} 29 | } 30 | } 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /index_templates/ilm/logs-fortinet.fortigate.utm.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy" : { 3 | "phases" : { 4 | "warm" : { 5 | "min_age" : "0d", 6 | "actions" : { 7 | "readonly" : { }, 8 | "forcemerge" : { 9 | "max_num_segments" : 1 10 | }, 11 | "set_priority" : { 12 | "priority" : 50 13 | } 14 | } 15 | }, 16 | "hot" : { 17 | "min_age" : "0ms", 18 | "actions" : { 19 | "rollover" : { 20 | "max_primary_shard_size" : "50gb", 21 | "max_age" : "30d" 22 | } 23 | } 24 | }, 25 | "delete" : { 26 | "min_age" : "30d", 27 | "actions" : { 28 | "delete" : {} 29 | } 30 | } 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /index_templates/ilm/logs-fortinet.fortimail.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy" : { 3 | "phases" : { 4 | "warm" : { 5 | "min_age" : "0d", 6 | "actions" : { 7 | "readonly" : { }, 8 | "forcemerge" : { 9 | "max_num_segments" : 1 10 | }, 11 | "set_priority" : { 12 | "priority" : 50 13 | } 14 | } 15 | }, 16 | "hot" : { 17 | "min_age" : "0ms", 18 | "actions" : { 19 | "rollover" : { 20 | "max_primary_shard_size" : "50gb", 21 | "max_age" : "30d" 22 | } 23 | } 24 | }, 25 | "delete" : { 26 | "min_age" : "30d", 27 | "actions" : { 28 | "delete" : {} 29 | } 30 | } 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /index_templates/index_templates/logs-fortinet.forticlient.json: -------------------------------------------------------------------------------- 1 | { 2 | "priority": 300, 3 | "index_patterns": [ 4 | 
"logs-fortinet.forticlient*" 5 | ], 6 | "data_stream": { 7 | 8 | }, 9 | "composed_of": [ 10 | "ecs-base", 11 | "ecs-data_stream", 12 | "ecs-organization", 13 | "ecs-ecs", 14 | "logs-fortinet.forticlient@ilm", 15 | "ecs-source", 16 | "ecs-destination", 17 | "ecs-observer", 18 | "ecs-file", 19 | "ecs-process", 20 | "ecs-agent", 21 | "ecs-host", 22 | "ecs-error", 23 | "ecs-network", 24 | "ecs-url", 25 | "ecs-rule", 26 | "ecs-event", 27 | "ecs-log", 28 | "ecs-vulnerability", 29 | "strings_as_keyword@mappings", 30 | "auto_expand_replicas@settings", 31 | "refresh_interval@settings", 32 | "total_fields_limit@settings" 33 | ] 34 | } 35 | -------------------------------------------------------------------------------- /index_templates/index_templates/logs-fortinet.fortiedr.json: -------------------------------------------------------------------------------- 1 | { 2 | "priority": 300, 3 | "index_patterns": [ 4 | "logs-fortinet.fortiedr*" 5 | ], 6 | "data_stream": { 7 | 8 | }, 9 | "composed_of": [ 10 | "ecs-base", 11 | "ecs-data_stream", 12 | "ecs-organization", 13 | "ecs-ecs", 14 | "logs-fortinet.fortiedr@ilm", 15 | "ecs-process", 16 | "ecs-host", 17 | "ecs-user", 18 | "ecs-agent", 19 | "ecs-observer", 20 | "ecs-event", 21 | "strings_as_keyword@mappings", 22 | "auto_expand_replicas@settings", 23 | "refresh_interval@settings", 24 | "ecs-destination", 25 | "ecs-source", 26 | "logs-fortinet.fortiedr@mappings" 27 | ] 28 | } 29 | -------------------------------------------------------------------------------- /index_templates/index_templates/logs-fortinet.fortigate.event.json: -------------------------------------------------------------------------------- 1 | { 2 | "priority": 200, 3 | "template": { 4 | "lifecycle": { 5 | "enabled": true, 6 | "data_retention": "180d" 7 | } 8 | }, 9 | "index_patterns": [ 10 | "logs-fortinet.fortigate.event*" 11 | ], 12 | "data_stream": { 13 | }, 14 | "composed_of": [ 15 | "ecs-base", 16 | "ecs-user", 17 | "ecs-user_agent", 18 | "ecs-observer", 
19 | "ecs-destination", 20 | "ecs-source-modified", 21 | "ecs-network", 22 | "ecs-error", 23 | "ecs-url", 24 | "ecs-rule", 25 | "ecs-data_stream", 26 | "ecs-organization", 27 | "ecs-ecs", 28 | "ecs-host", 29 | "logs-fortinet.fortigate.event@ilm", 30 | "strings_as_keyword@mappings", 31 | "auto_expand_replicas@settings", 32 | "refresh_interval@settings", 33 | "logs-fortinet.fortigate@mappings", 34 | "ecs-log-modified", 35 | "ecs-event-modified", 36 | "ecs-file-modified", 37 | "synthetic_source@mappings" 38 | ] 39 | } 40 | -------------------------------------------------------------------------------- /index_templates/index_templates/logs-fortinet.fortigate.traffic.json: -------------------------------------------------------------------------------- 1 | { 2 | "priority": 200, 3 | "template": { 4 | "lifecycle": { 5 | "enabled": true, 6 | "data_retention": "180d" 7 | } 8 | }, 9 | "index_patterns": [ 10 | "logs-fortinet.fortigate.traffic*" 11 | ], 12 | "data_stream": { 13 | }, 14 | "composed_of": [ 15 | "ecs-base", 16 | "ecs-user", 17 | "ecs-observer", 18 | "ecs-destination", 19 | "ecs-source-modified", 20 | "ecs-network", 21 | "ecs-event-modified", 22 | "ecs-url", 23 | "ecs-log-modified", 24 | "ecs-rule", 25 | "ecs-data_stream", 26 | "ecs-organization", 27 | "ecs-ecs", 28 | "ecs-host", 29 | "logs-fortinet.fortigate.traffic@ilm", 30 | "strings_as_keyword@mappings", 31 | "logs-fortinet.fortigate@mappings", 32 | "auto_expand_replicas@settings", 33 | "refresh_interval@settings", 34 | "synthetic_source@mappings" 35 | ] 36 | } 37 | -------------------------------------------------------------------------------- /index_templates/index_templates/logs-fortinet.fortigate.utm.json: -------------------------------------------------------------------------------- 1 | { 2 | "priority": 200, 3 | "template": { 4 | "lifecycle": { 5 | "enabled": true, 6 | "data_retention": "180d" 7 | } 8 | }, 9 | "index_patterns": [ 10 | "logs-fortinet.fortigate.utm*" 11 | ], 12 | "data_stream": { 13 | 
}, 14 | "composed_of": [ 15 | "ecs-base", 16 | "ecs-user", 17 | "ecs-observer", 18 | "ecs-destination", 19 | "ecs-source-modified", 20 | "ecs-network", 21 | "ecs-url", 22 | "ecs-rule", 23 | "ecs-data_stream", 24 | "ecs-organization", 25 | "ecs-ecs", 26 | "ecs-host", 27 | "ecs-http", 28 | "ecs-user_agent", 29 | "ecs-dns", 30 | "ecs-file-modified", 31 | "ecs-error", 32 | "ecs-tls-modified", 33 | "logs-fortinet.fortigate.utm@ilm", 34 | "strings_as_keyword@mappings", 35 | "auto_expand_replicas@settings", 36 | "refresh_interval@settings", 37 | "logs-fortinet.fortigate@mappings", 38 | "ecs-event-modified", 39 | "ecs-log-modified", 40 | "synthetic_source@mappings" 41 | ] 42 | } 43 | -------------------------------------------------------------------------------- /index_templates/index_templates/logs-fortinet.fortimail.json: -------------------------------------------------------------------------------- 1 | { 2 | "priority": 300, 3 | "index_patterns": [ 4 | "logs-fortinet.fortimail*" 5 | ], 6 | "data_stream": { 7 | 8 | }, 9 | "composed_of": [ 10 | "ecs-base", 11 | "ecs-data_stream", 12 | "ecs-organization", 13 | "ecs-ecs", 14 | "logs-fortinet.fortimail@ilm", 15 | "ecs-source", 16 | "ecs-destination", 17 | "ecs-observer", 18 | "ecs-email", 19 | "strings_as_keyword@mappings", 20 | "auto_expand_replicas@settings", 21 | "refresh_interval@settings", 22 | "ecs-event", 23 | "total_fields_limit@settings", 24 | "ecs-log" 25 | ] 26 | } 27 | -------------------------------------------------------------------------------- /index_templates/index_templates/transforms-fortinet.fortigate.traffic.json: -------------------------------------------------------------------------------- 1 | { 2 | "index_patterns": [ 3 | "transforms-fortinet.fortigate.traffic*" 4 | ], 5 | "composed_of": [ 6 | "ecs-destination-transforms", 7 | "ecs-network-transforms", 8 | "ecs-source-transforms", 9 | "ecs-session-transforms", 10 | "ecs-data_stream", 11 | "ecs-event-transforms", 12 | 
"transforms-fortinet.fortigate@mappings", 13 | "ecs-base", 14 | "ecs-observer", 15 | "synthetic_source@mappings", 16 | "ecs-rule-transforms", 17 | "auto_expand_replicas@settings" 18 | ] 19 | } 20 | -------------------------------------------------------------------------------- /ingest_pipelines/add_event_ingested.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "event.ingested", 6 | "value": "{{_ingest.timestamp}}" 7 | } 8 | } 9 | ] 10 | } 11 | -------------------------------------------------------------------------------- /ingest_pipelines/logs-fortinet.fortiadc.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "event.ingested", 6 | "value": "{{_ingest.timestamp}}" 7 | } 8 | }, 9 | { 10 | "grok": { 11 | "field": "message", 12 | "patterns": [ 13 | "%{SYSLOG5424PRI}%{GREEDYDATA:message}" 14 | ], 15 | "pattern_definitions": { 16 | "SYSLOG5424PRI": "<%{NONNEGINT:log.syslog.priority:int}>" 17 | }, 18 | "trace_match": true, 19 | "ignore_failure": true 20 | } 21 | }, 22 | { 23 | "kv": { 24 | "field": "message", 25 | "field_split": ",", 26 | "value_split": "=", 27 | "target_field": "fadc", 28 | "strip_brackets": true, 29 | "ignore_failure": true 30 | } 31 | }, 32 | { 33 | "set": { 34 | "field": "observer.serial_number", 35 | "ignore_empty_value": true, 36 | "copy_from": "fadc.device_id" 37 | } 38 | }, 39 | { 40 | "set": { 41 | "field": "observer.hostname", 42 | "copy_from": "fadc.devname", 43 | "ignore_empty_value": true 44 | } 45 | }, 46 | { 47 | "set": { 48 | "field": "destination.ip", 49 | "copy_from": "fadc.dst", 50 | "ignore_empty_value": true 51 | } 52 | }, 53 | { 54 | "set": { 55 | "field": "destination.port", 56 | "copy_from": "fadc.dst_port", 57 | "ignore_empty_value": true 58 | } 59 | }, 60 | { 61 | "set": { 62 | "field": "rule.name", 63 | "copy_from": "fadc.policy", 64 | 
"ignore_empty_value": true 65 | } 66 | }, 67 | { 68 | "set": { 69 | "field": "network.iana_number", 70 | "copy_from": "fadc.proto", 71 | "ignore_empty_value": true 72 | } 73 | }, 74 | { 75 | "set": { 76 | "field": "log.syslog.severity.name", 77 | "copy_from": "fadc.pri", 78 | "ignore_empty_value": true 79 | } 80 | }, 81 | { 82 | "set": { 83 | "field": "source.ip", 84 | "copy_from": "fadc.src", 85 | "ignore_empty_value": true 86 | } 87 | }, 88 | { 89 | "set": { 90 | "field": "source.port", 91 | "copy_from": "fadc.src_port", 92 | "ignore_empty_value": true 93 | } 94 | }, 95 | { 96 | "set": { 97 | "field": "dns.resolved_ip", 98 | "copy_from": "fadc.resip", 99 | "ignore_empty_value": true 100 | } 101 | }, 102 | { 103 | "set": { 104 | "field": "dns.question.name", 105 | "copy_from": "fadc.fqdn", 106 | "ignore_empty_value": true 107 | } 108 | }, 109 | { 110 | "registered_domain": { 111 | "field": "dns.question.name", 112 | "target_field": "dns.question" 113 | } 114 | }, 115 | { 116 | "geoip": { 117 | "field": "source.ip", 118 | "target_field": "source.geo", 119 | "ignore_missing": true 120 | } 121 | }, 122 | { 123 | "geoip": { 124 | "field": "destination.ip", 125 | "target_field": "source.geo", 126 | "ignore_missing": true 127 | } 128 | }, 129 | { 130 | "set": { 131 | "field": "_ingest.new_dataset", 132 | "value": "{{data_stream.dataset}}.{{fadc.type}}.{{fadc.subtype}}" 133 | } 134 | }, 135 | { 136 | "reroute": { 137 | "dataset": [ 138 | "{{_ingest.new_dataset}}" 139 | ] 140 | } 141 | } 142 | ] 143 | } 144 | -------------------------------------------------------------------------------- /ingest_pipelines/logs-fortinet.forticlient.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "event.ingested", 6 | "value": "{{_ingest.timestamp}}", 7 | "ignore_failure": true 8 | } 9 | }, 10 | { 11 | "remove": { 12 | "field": [ 13 | "host", 14 | "cloud", 15 | "agent" 16 | ], 17 | 
"ignore_missing": true, 18 | "ignore_failure": true 19 | } 20 | }, 21 | { 22 | "grok": { 23 | "field": "message", 24 | "patterns": [ 25 | "%{SYSLOG5424PRI}%{GREEDYDATA:message}" 26 | ], 27 | "pattern_definitions": { 28 | "SYSLOG5424PRI": "<%{NONNEGINT:log.syslog.priority:int}>" 29 | }, 30 | "trace_match": true, 31 | "ignore_failure": true 32 | } 33 | }, 34 | { 35 | "kv": { 36 | "field": "message", 37 | "field_split": "\\s+(?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)", 38 | "value_split": "=", 39 | "target_field": "fct", 40 | "strip_brackets": true, 41 | "ignore_failure": true 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "event.created", 47 | "ignore_failure": true, 48 | "copy_from": "@timestamp" 49 | } 50 | }, 51 | { 52 | "date": { 53 | "field": "fct.timestamp", 54 | "formats": [ 55 | "UNIX" 56 | ] 57 | } 58 | }, 59 | { 60 | "set": { 61 | "field": "observer.serial_number", 62 | "copy_from": "fct.emsserial", 63 | "ignore_empty_value": true 64 | } 65 | }, 66 | { 67 | "set": { 68 | "field": "observer.hostname", 69 | "copy_from": "fct.emshostname", 70 | "ignore_empty_value": true 71 | } 72 | }, 73 | { 74 | "set": { 75 | "field": "observer.hostname", 76 | "copy_from": "fct.devname", 77 | "ignore_empty_value": true 78 | } 79 | }, 80 | { 81 | "set": { 82 | "field": "agent.version", 83 | "copy_from": "fct.fctver", 84 | "ignore_empty_value": true 85 | } 86 | }, 87 | { 88 | "set": { 89 | "field": "agent.serial_number", 90 | "copy_from": "fct.fctsn", 91 | "ignore_empty_value": true 92 | } 93 | }, 94 | { 95 | "set": { 96 | "field": "host.ip", 97 | "copy_from": "fct.deviceip", 98 | "ignore_empty_value": true 99 | } 100 | }, 101 | { 102 | "set": { 103 | "field": "host.mac", 104 | "copy_from": "fct.devicemac", 105 | "ignore_empty_value": true 106 | } 107 | }, 108 | { 109 | "set": { 110 | "field": "error.code", 111 | "copy_from": "fct.error_code", 112 | "ignore_empty_value": true 113 | } 114 | }, 115 | { 116 | "set": { 117 | "field": "host.hostname", 118 | "copy_from": "fct.hostname", 
119 | "ignore_empty_value": true 120 | } 121 | }, 122 | { 123 | "set": { 124 | "field": "host.domain", 125 | "copy_from": "fct.pcdomain", 126 | "ignore_empty_value": true 127 | } 128 | }, 129 | { 130 | "set": { 131 | "field": "host.os.full", 132 | "copy_from": "fct.os", 133 | "ignore_empty_value": true 134 | } 135 | }, 136 | { 137 | "set": { 138 | "field": "host.user.name", 139 | "copy_from": "fct.user", 140 | "ignore_empty_value": true 141 | } 142 | }, 143 | { 144 | "set": { 145 | "field": "network.direction", 146 | "copy_from": "fct.direction", 147 | "ignore_empty_value": true 148 | } 149 | }, 150 | { 151 | "set": { 152 | "field": "destination.address", 153 | "copy_from": "fct.dstip", 154 | "ignore_empty_value": true 155 | } 156 | }, 157 | { 158 | "set": { 159 | "field": "destination.port", 160 | "copy_from": "fct.dstport", 161 | "ignore_empty_value": true 162 | } 163 | }, 164 | { 165 | "set": { 166 | "field": "network.iana_number", 167 | "copy_from": "fct.proto", 168 | "ignore_empty_value": true 169 | } 170 | }, 171 | { 172 | "set": { 173 | "field": "destination.bytes", 174 | "copy_from": "fct.rcvdbyte", 175 | "ignore_empty_value": true 176 | } 177 | }, 178 | { 179 | "set": { 180 | "field": "destination.domain", 181 | "copy_from": "fct.remotename", 182 | "ignore_empty_value": true 183 | } 184 | }, 185 | { 186 | "set": { 187 | "field": "url.domain", 188 | "copy_from": "fct.remotename", 189 | "ignore_empty_value": true 190 | } 191 | }, 192 | { 193 | "set": { 194 | "field": "source.bytes", 195 | "copy_from": "fct.sentbyte", 196 | "ignore_empty_value": true 197 | } 198 | }, 199 | { 200 | "set": { 201 | "field": "network.protocol", 202 | "copy_from": "fct.service", 203 | "ignore_empty_value": true 204 | } 205 | }, 206 | { 207 | "set": { 208 | "field": "source.address", 209 | "copy_from": "fct.srcip", 210 | "ignore_empty_value": true 211 | } 212 | }, 213 | { 214 | "set": { 215 | "field": "source.port", 216 | "copy_from": "fct.srcport", 217 | "ignore_empty_value": true 
218 | } 219 | }, 220 | { 221 | "set": { 222 | "field": "url.full", 223 | "copy_from": "fct.url", 224 | "ignore_empty_value": true 225 | } 226 | }, 227 | { 228 | "set": { 229 | "field": "rule.name", 230 | "copy_from": "fct.usingpolicy", 231 | "ignore_empty_value": true 232 | } 233 | }, 234 | { 235 | "set": { 236 | "field": "file.path", 237 | "copy_from": "fct.file", 238 | "ignore_empty_value": true 239 | } 240 | }, 241 | { 242 | "set": { 243 | "field": "process.executable", 244 | "copy_from": "fct.srcname", 245 | "ignore_empty_value": true 246 | } 247 | }, 248 | { 249 | "set": { 250 | "field": "event.id", 251 | "copy_from": "fct.id", 252 | "ignore_empty_value": true 253 | } 254 | }, 255 | { 256 | "set": { 257 | "field": "log.level", 258 | "copy_from": "fct.level", 259 | "ignore_empty_value": true 260 | } 261 | }, 262 | { 263 | "set": { 264 | "field": "event.timezone", 265 | "copy_from": "fct.tz", 266 | "ignore_empty_value": true 267 | } 268 | }, 269 | { 270 | "set": { 271 | "field": "vulnerability.severity", 272 | "copy_from": "fct.vulnseverity", 273 | "ignore_empty_value": true 274 | } 275 | }, 276 | { 277 | "set": { 278 | "field": "vulnerability.category", 279 | "copy_from": "fct.vulncat", 280 | "ignore_empty_value": true 281 | } 282 | }, 283 | { 284 | "set": { 285 | "field": "vulnerability.id", 286 | "copy_from": "fct.vulnid", 287 | "ignore_empty_value": true 288 | } 289 | }, 290 | { 291 | "set": { 292 | "field": "vulnerability.reference", 293 | "copy_from": "fct.vulnref", 294 | "ignore_empty_value": true 295 | } 296 | }, 297 | { 298 | "set": { 299 | "field": "vulnerability.description", 300 | "copy_from": "fct.vulnname", 301 | "ignore_empty_value": true 302 | } 303 | }, 304 | { 305 | "set": { 306 | "field": "process.executable", 307 | "copy_from": "fct.processname", 308 | "ignore_empty_value": true 309 | } 310 | }, 311 | { 312 | "set": { 313 | "field": "session.id", 314 | "copy_from": "fct.sessionid", 315 | "ignore_empty_value": true 316 | } 317 | }, 318 | { 319 
| "grok": { 320 | "field": "source.address", 321 | "patterns": [ 322 | "%{IP:source.ip}" 323 | ], 324 | "trace_match": true, 325 | "ignore_missing": true, 326 | "ignore_failure": true 327 | } 328 | }, 329 | { 330 | "grok": { 331 | "field": "destination.address", 332 | "patterns": [ 333 | "%{IP:destination.ip}" 334 | ], 335 | "trace_match": true, 336 | "ignore_missing": true, 337 | "ignore_failure": true 338 | } 339 | }, 340 | { 341 | "registered_domain": { 342 | "field": "url.domain", 343 | "target_field": "url" 344 | } 345 | }, 346 | { 347 | "append": { 348 | "field": "related.ip", 349 | "value": [ 350 | "{{source.ip}}", 351 | "{{destination.ip}}", 352 | "{{host.ip}}" 353 | ] 354 | } 355 | }, 356 | { 357 | "append": { 358 | "field": "related.user", 359 | "value": [ 360 | "{{host.user.name}}" 361 | ] 362 | } 363 | }, 364 | { 365 | "set": { 366 | "field": "_ingest.new_dataset", 367 | "value": "{{data_stream.dataset}}.{{fct.type}}" 368 | } 369 | }, 370 | { 371 | "reroute": { 372 | "dataset": [ 373 | "{{_ingest.new_dataset}}" 374 | ] 375 | } 376 | } 377 | ] 378 | } 379 | -------------------------------------------------------------------------------- /ingest_pipelines/logs-fortinet.fortiedr.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "event.ingested", 6 | "value": "{{_ingest.timestamp}}" 7 | } 8 | }, 9 | { 10 | "remove": { 11 | "field": [ 12 | "agent", 13 | "cloud", 14 | "host" 15 | ], 16 | "ignore_missing": true 17 | } 18 | }, 19 | { 20 | "kv": { 21 | "field": "message", 22 | "field_split": ";", 23 | "value_split": ":", 24 | "target_field": "fedr", 25 | "trim_value": " ", 26 | "ignore_failure": true 27 | } 28 | }, 29 | { 30 | "script": { 31 | "source": " Map eventData = ctx['fedr'];\n Map updatedEventData = new HashMap();\n for (String key: eventData.keySet()) {\n updatedEventData[key.replace(\" \",\"\") ] = eventData[key]\n }\n ctx['fedr'] = updatedEventData", 32 | 
"ignore_failure": true 33 | } 34 | }, 35 | { 36 | "lowercase": { 37 | "field": "fedr.MessageType", 38 | "target_field": "_ingest.MessageType" 39 | } 40 | }, 41 | { 42 | "gsub": { 43 | "field": "_ingest.MessageType", 44 | "pattern": "\\s", 45 | "replacement": "_" 46 | } 47 | }, 48 | { 49 | "grok": { 50 | "field": "fedr.Destination", 51 | "patterns": [ 52 | "%{IP:[destination][ip]}" 53 | ], 54 | "ignore_missing": true, 55 | "ignore_failure": true 56 | } 57 | }, 58 | { 59 | "grok": { 60 | "field": "fedr.SourceIP", 61 | "patterns": [ 62 | "%{IP:[source][ip]}" 63 | ], 64 | "ignore_missing": true, 65 | "ignore_failure": true 66 | } 67 | }, 68 | { 69 | "set": { 70 | "field": "host.ip", 71 | "copy_from": "source.ip", 72 | "ignore_empty_value": true 73 | } 74 | }, 75 | { 76 | "split": { 77 | "field": "fedr.RulesList", 78 | "separator": ",", 79 | "ignore_missing": true 80 | } 81 | }, 82 | { 83 | "split": { 84 | "field": "fedr.MACAddress", 85 | "separator": ",", 86 | "ignore_missing": true 87 | } 88 | }, 89 | { 90 | "split": { 91 | "field": "fedr.MITREtechniques", 92 | "separator": ",", 93 | "ignore_missing": true 94 | } 95 | }, 96 | { 97 | "split": { 98 | "field": "fedr.Target", 99 | "separator": ",", 100 | "ignore_missing": true 101 | } 102 | }, 103 | { 104 | "split": { 105 | "field": "fedr.Commandline", 106 | "separator": ",", 107 | "ignore_missing": true 108 | } 109 | }, 110 | { 111 | "trim": { 112 | "field": "fedr.RulesList", 113 | "ignore_missing": true 114 | } 115 | }, 116 | { 117 | "trim": { 118 | "field": "fedr.MACAddress", 119 | "ignore_missing": true 120 | } 121 | }, 122 | { 123 | "trim": { 124 | "field": "fedr.MITREtechniques", 125 | "ignore_missing": true 126 | } 127 | }, 128 | { 129 | "trim": { 130 | "field": "fedr.Target", 131 | "ignore_missing": true 132 | } 133 | }, 134 | { 135 | "trim": { 136 | "field": "fedr.Commandline", 137 | "ignore_missing": true 138 | } 139 | }, 140 | { 141 | "set": { 142 | "field": "process.hash.md5", 143 | "copy_from": 
"fedr.ProcessHash", 144 | "ignore_empty_value": true 145 | } 146 | }, 147 | { 148 | "set": { 149 | "field": "process.name", 150 | "copy_from": "fedr.ProcessName", 151 | "ignore_empty_value": true 152 | } 153 | }, 154 | { 155 | "set": { 156 | "field": "process.executable", 157 | "copy_from": "fedr.ProcessPath", 158 | "ignore_empty_value": true 159 | } 160 | }, 161 | { 162 | "set": { 163 | "field": "process.type", 164 | "copy_from": "fedr.ProcessType", 165 | "ignore_empty_value": true 166 | } 167 | }, 168 | { 169 | "set": { 170 | "field": "host.name", 171 | "copy_from": "fedr.DeviceName", 172 | "ignore_empty_value": true 173 | } 174 | }, 175 | { 176 | "set": { 177 | "field": "host.mac", 178 | "copy_from": "fedr.MACAddress", 179 | "ignore_empty_value": true 180 | } 181 | }, 182 | { 183 | "set": { 184 | "field": "host.user.name", 185 | "copy_from": "fedr.Users", 186 | "ignore_empty_value": true 187 | } 188 | }, 189 | { 190 | "set": { 191 | "field": "organization.name", 192 | "copy_from": "fedr.Organization", 193 | "ignore_empty_value": true 194 | } 195 | }, 196 | { 197 | "set": { 198 | "field": "organization.id", 199 | "copy_from": "fedr.OrganizationID", 200 | "ignore_empty_value": true 201 | } 202 | }, 203 | { 204 | "set": { 205 | "field": "rule.name", 206 | "copy_from": "fedr.RulesList", 207 | "ignore_empty_value": true 208 | } 209 | }, 210 | { 211 | "grok": { 212 | "field": "fedr.Description", 213 | "patterns": [ 214 | "Event %{NUMBER:fedr.EventID} was %{WORD:fedr.Action}", 215 | "%{DATA:fedr.Action} to %{QUOTEDSTRING:fedr.Classification} for event %{NUMBER:fedr.EventID}", 216 | "Collector \\[%{DATA}\\] state was %{WORD:fedr.Action} to %{QUOTEDSTRING:fedr.DeviceState}", 217 | "Collector \\[%{DATA}\\] was %{WORD:fedr.Action} and added to the system", 218 | "Application \\[%{DATA:fedr.AppicationName}\\] version \\[%{DATA:fedr.AppicationVersion}\\] from vendor \\[%{DATA:fedr.AppicationVendor}\\] was marked as %{WORD:fedr.Action}", 219 | "Exception from event 
%{NUMBER:fedr.EventID} on %{DATA} by \\[%{DATA}\\] was %{WORD:fedr.Action}", 220 | "Exception from event ID %{NUMBER:fedr.EventID} was created for Collector group\\(s\\) \\[%{DATA:fedr.ComponentGroup}\\] to destination/s \\[%{DATA:fedr.Destination}\\] and user/s \\[%{DATA:fedr.Users}\\] with the following comment%{GREEDYDATA:fedr.comment}", 221 | "Collector \\[%{DATA:fedr.ComponentName}\\] was %{WORD:fedr.Action} from Collector group \\[%{DATA:fedr.oldComponentGroup}\\] to collector group \\[%{DATA:fedr.ComponentGroup}\\]", 222 | "Collector \\[%{DATA}\\] was %{WORD:fedr.Action}" 223 | ], 224 | "ignore_missing": true, 225 | "tag": "_grokparsefailure_Description", 226 | "ignore_failure": true 227 | } 228 | }, 229 | { 230 | "set": { 231 | "field": "_ingest.new_dataset", 232 | "value": "{{data_stream.dataset}}.{{_ingest.MessageType}}" 233 | } 234 | }, 235 | { 236 | "reroute": { 237 | "dataset": [ 238 | "{{_ingest.new_dataset}}" 239 | ] 240 | } 241 | } 242 | ] 243 | } 244 | -------------------------------------------------------------------------------- /ingest_pipelines/logs-fortinet.fortimail.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "event.ingested", 6 | "value": "{{_ingest.timestamp}}" 7 | } 8 | }, 9 | { 10 | "remove": { 11 | "field": [ 12 | "host", 13 | "cloud", 14 | "agent" 15 | ], 16 | "ignore_missing": true, 17 | "ignore_failure": true 18 | } 19 | }, 20 | { 21 | "grok": { 22 | "field": "message", 23 | "patterns": [ 24 | "%{SYSLOG5424PRI}%{GREEDYDATA:message}" 25 | ], 26 | "pattern_definitions": { 27 | "SYSLOG5424PRI": "<%{NONNEGINT:log.syslog.priority:int}>" 28 | }, 29 | "trace_match": true, 30 | "ignore_failure": true 31 | } 32 | }, 33 | { 34 | "kv": { 35 | "field": "message", 36 | "field_split": "\\s+(?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)", 37 | "value_split": "\\=(?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)", 38 | "target_field": "fml", 39 | "strip_brackets": true, 40 | 
"ignore_failure": true 41 | } 42 | }, 43 | { 44 | "kv": { 45 | "field": "fml.msg", 46 | "field_split": ",\\s(?![^\\[\\]()]*[\\]\\)])", 47 | "value_split": "=", 48 | "target_field": "fml", 49 | "strip_brackets": true, 50 | "if": "ctx?.fml?.subtype == 'smtp'", 51 | "ignore_failure": true 52 | } 53 | }, 54 | { 55 | "set": { 56 | "field": "event.timezone", 57 | "ignore_empty_value": true, 58 | "copy_from": "fml.tz" 59 | } 60 | }, 61 | { 62 | "set": { 63 | "field": "observer.serial_number", 64 | "copy_from": "fml.device_id", 65 | "ignore_empty_value": true 66 | } 67 | }, 68 | { 69 | "grok": { 70 | "ignore_failure": true, 71 | "field": "fml.dst_ip", 72 | "patterns": [ 73 | "%{IP:destination.ip}" 74 | ], 75 | "trace_match": true, 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "grok": { 81 | "field": "fml.client_ip", 82 | "patterns": [ 83 | "%{IP:source.ip}" 84 | ], 85 | "trace_match": true, 86 | "ignore_missing": true, 87 | "ignore_failure": true 88 | } 89 | }, 90 | { 91 | "set": { 92 | "field": "source.domain", 93 | "copy_from": "fml.client_name", 94 | "ignore_empty_value": true 95 | } 96 | }, 97 | { 98 | "set": { 99 | "field": "email.from.address", 100 | "copy_from": "fml.hfrom", 101 | "ignore_empty_value": true 102 | } 103 | }, 104 | { 105 | "set": { 106 | "field": "email.sender.address", 107 | "copy_from": "fml.from", 108 | "ignore_empty_value": true 109 | } 110 | }, 111 | { 112 | "set": { 113 | "field": "email.to.address", 114 | "copy_from": "fml.to", 115 | "ignore_empty_value": true 116 | } 117 | }, 118 | { 119 | "set": { 120 | "field": "email.subject", 121 | "copy_from": "fml.subject", 122 | "ignore_empty_value": true 123 | } 124 | }, 125 | { 126 | "set": { 127 | "field": "email.x_mailer", 128 | "copy_from": "fml.mailer", 129 | "ignore_empty_value": true 130 | } 131 | }, 132 | { 133 | "set": { 134 | "field": "email.direction", 135 | "copy_from": "fml.direction", 136 | "ignore_empty_value": true 137 | } 138 | }, 139 | { 140 | "set": { 141 | "field": 
"email.message_id", 142 | "copy_from": "fml.message_id", 143 | "ignore_empty_value": true 144 | } 145 | }, 146 | { 147 | "set": { 148 | "field": "email.local_id", 149 | "copy_from": "fml.session_id", 150 | "ignore_empty_value": true 151 | } 152 | }, 153 | { 154 | "split": { 155 | "field": "fml.disposition", 156 | "separator": ";", 157 | "ignore_missing": true 158 | } 159 | }, 160 | { 161 | "append": { 162 | "field": "related.ip", 163 | "value": [ 164 | "{{source.ip}}", 165 | "{{destination.ip}}" 166 | ] 167 | } 168 | }, 169 | { 170 | "set": { 171 | "field": "_ingest.new_dataset", 172 | "value": "{{data_stream.dataset}}.{{fml.type}}" 173 | } 174 | }, 175 | { 176 | "reroute": { 177 | "dataset": [ 178 | "{{_ingest.new_dataset}}" 179 | ] 180 | } 181 | } 182 | ] 183 | } 184 | -------------------------------------------------------------------------------- /ingest_pipelines/logs-fortinet.fortiweb.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "event.ingested", 6 | "value": "{{_ingest.timestamp}}" 7 | } 8 | }, 9 | { 10 | "remove": { 11 | "field": [ 12 | "host", 13 | "cloud", 14 | "agent" 15 | ], 16 | "ignore_missing": true 17 | } 18 | }, 19 | { 20 | "grok": { 21 | "field": "message", 22 | "patterns": [ 23 | "%{SYSLOG5424PRI}%{GREEDYDATA:_ingest.message}" 24 | ], 25 | "pattern_definitions": { 26 | "SYSLOG5424PRI": "<%{NONNEGINT:log.syslog.priority:int}>" 27 | }, 28 | "ignore_missing": true 29 | } 30 | }, 31 | { 32 | "json": { 33 | "field": "_ingest.message", 34 | "target_field": "fwb", 35 | "ignore_failure": true 36 | } 37 | }, 38 | { 39 | "set": { 40 | "field": "observer.serial_number", 41 | "copy_from": "fwb.device_id", 42 | "ignore_empty_value": true 43 | } 44 | }, 45 | { 46 | "set": { 47 | "field": "destination.ip", 48 | "copy_from": "fwb.dst", 49 | "ignore_empty_value": true 50 | } 51 | }, 52 | { 53 | "set": { 54 | "field": "destination.port", 55 | "copy_from": 
"fwb.dst_port", 56 | "ignore_empty_value": true 57 | } 58 | }, 59 | { 60 | "convert": { 61 | "field": "fwb.http_response_bytes", 62 | "type": "long", 63 | "target_field": "http.response.bytes", 64 | "ignore_missing": true, 65 | "ignore_failure": true 66 | } 67 | }, 68 | { 69 | "convert": { 70 | "field": "fwb.http_request_bytes", 71 | "type": "long", 72 | "target_field": "http.request.bytes", 73 | "ignore_missing": true, 74 | "ignore_failure": true 75 | } 76 | }, 77 | { 78 | "convert": { 79 | "field": "fwb.http_response_time", 80 | "type": "long", 81 | "target_field": "http.response.duration", 82 | "ignore_missing": true, 83 | "ignore_failure": true 84 | } 85 | }, 86 | { 87 | "convert": { 88 | "field": "fwb.http_request_time", 89 | "type": "long", 90 | "target_field": "http.request.duration", 91 | "ignore_missing": true, 92 | "ignore_failure": true 93 | } 94 | }, 95 | { 96 | "set": { 97 | "field": "network.transport", 98 | "copy_from": "fwb.proto", 99 | "ignore_empty_value": true 100 | } 101 | }, 102 | { 103 | "set": { 104 | "field": "network.protocol", 105 | "copy_from": "fwb.service", 106 | "ignore_empty_value": true 107 | } 108 | }, 109 | { 110 | "set": { 111 | "field": "source.ip", 112 | "copy_from": "fwb.src", 113 | "ignore_empty_value": true 114 | } 115 | }, 116 | { 117 | "set": { 118 | "field": "source.port", 119 | "copy_from": "fwb.src_port", 120 | "ignore_empty_value": true 121 | } 122 | }, 123 | { 124 | "set": { 125 | "field": "user.name", 126 | "copy_from": "fwb.user_name", 127 | "ignore_empty_value": true 128 | } 129 | }, 130 | { 131 | "set": { 132 | "field": "user_agent.original", 133 | "ignore_empty_value": true, 134 | "copy_from": "fwb.http_agent" 135 | } 136 | }, 137 | { 138 | "set": { 139 | "field": "http.request.method", 140 | "ignore_empty_value": true, 141 | "copy_from": "fwb.http_method" 142 | } 143 | }, 144 | { 145 | "set": { 146 | "field": "http.request.referrer", 147 | "ignore_empty_value": true, 148 | "copy_from": "fwb.http_refer" 149 | } 
150 | }, 151 | { 152 | "set": { 153 | "field": "http.response.status_code", 154 | "ignore_empty_value": true, 155 | "copy_from": "fwb.http_retcode" 156 | } 157 | }, 158 | { 159 | "set": { 160 | "field": "http.version", 161 | "ignore_empty_value": true, 162 | "copy_from": "fwb.http_version" 163 | } 164 | }, 165 | { 166 | "set": { 167 | "field": "destination.address", 168 | "ignore_empty_value": true, 169 | "copy_from": "fwb.http_host" 170 | } 171 | }, 172 | { 173 | "set": { 174 | "field": "destination.domain", 175 | "ignore_empty_value": true, 176 | "copy_from": "fwb.http_host" 177 | } 178 | }, 179 | { 180 | "set": { 181 | "field": "url.domain", 182 | "copy_from": "fwb.http_host", 183 | "ignore_empty_value": true 184 | } 185 | }, 186 | { 187 | "set": { 188 | "field": "http.request.id", 189 | "ignore_empty_value": true, 190 | "copy_from": "fwb.http_session_id" 191 | } 192 | }, 193 | { 194 | "set": { 195 | "field": "url.original", 196 | "ignore_empty_value": true, 197 | "copy_from": "fwb.http_url" 198 | } 199 | }, 200 | { 201 | "set": { 202 | "field": "x509.subject.common_name", 203 | "ignore_empty_value": true, 204 | "copy_from": "fwb.x509_cert_subject" 205 | } 206 | }, 207 | { 208 | "set": { 209 | "field": "tls.cipher", 210 | "ignore_empty_value": true, 211 | "copy_from": "fwb.cipher_suite" 212 | } 213 | }, 214 | { 215 | "set": { 216 | "field": "rule.name", 217 | "ignore_empty_value": true, 218 | "copy_from": "fwb.policy" 219 | } 220 | }, 221 | { 222 | "set": { 223 | "field": "event.code", 224 | "ignore_empty_value": true, 225 | "copy_from": "fwb.log_id" 226 | } 227 | }, 228 | { 229 | "user_agent": { 230 | "field": "user_agent.original", 231 | "extract_device_type": true, 232 | "ignore_missing": true 233 | } 234 | }, 235 | { 236 | "geoip": { 237 | "field": "source.ip", 238 | "target_field": "source.geo", 239 | "ignore_missing": true 240 | } 241 | }, 242 | { 243 | "geoip": { 244 | "field": "destination.ip", 245 | "target_field": "destination.geo", 246 | 
"ignore_missing": true 247 | } 248 | }, 249 | { 250 | "network_direction": { 251 | "internal_networks_field": "internal_networks" 252 | } 253 | }, 254 | { 255 | "append": { 256 | "field": "related.ip", 257 | "value": [ 258 | "{{source.ip}}", 259 | "{{destination.ip}}" 260 | ] 261 | } 262 | }, 263 | { 264 | "registered_domain": { 265 | "field": "url.domain", 266 | "target_field": "url" 267 | } 268 | }, 269 | { 270 | "user_agent": { 271 | "field": "user_agent.original", 272 | "extract_device_type": true, 273 | "ignore_missing": true 274 | } 275 | }, 276 | { 277 | "append": { 278 | "field": "related.user", 279 | "value": [ 280 | "{{user.name}}" 281 | ] 282 | } 283 | }, 284 | 285 | { 286 | "set": { 287 | "field": "_ingest.new_dataset", 288 | "value": "{{data_stream.dataset}}.{{fwb.type}}" 289 | } 290 | }, 291 | { 292 | "reroute": { 293 | "dataset": [ 294 | "{{_ingest.new_dataset}}" 295 | ] 296 | } 297 | } 298 | ] 299 | } 300 | -------------------------------------------------------------------------------- /ingest_pipelines/transforms-fortinet.fortigate.traffic.forward.policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "data_stream.type", 6 | "value": "transforms" 7 | } 8 | }, 9 | { 10 | "set": { 11 | "field": "data_stream.dataset", 12 | "value": "fortinet.fortigate.traffic.forward" 13 | } 14 | }, 15 | { 16 | "set": { 17 | "field": "fgt.type", 18 | "value": "traffic" 19 | } 20 | }, 21 | { 22 | "set": { 23 | "field": "fgt.subtype", 24 | "value": "forward" 25 | } 26 | }, 27 | { 28 | "set": { 29 | "field": "fgt.policytype", 30 | "value": "policy" 31 | } 32 | }, 33 | 34 | { 35 | "network_direction": { 36 | "internal_networks": [ 37 | "private", 38 | "loopback", 39 | "link_local_unicast", 40 | "link_local_multicast" 41 | ] 42 | } 43 | }, 44 | { 45 | "geoip": { 46 | "field": "source.ip", 47 | "target_field": "source.geo", 48 | "ignore_missing": true 49 | } 50 | }, 51 | { 52 | 
"geoip": { 53 | "field": "source.nat.ip", 54 | "target_field": "source.nat.geo", 55 | "ignore_missing": true 56 | } 57 | }, 58 | { 59 | "geoip": { 60 | "field": "destination.ip", 61 | "target_field": "destination.geo", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "geoip": { 67 | "field": "destination.nat.ip", 68 | "target_field": "destination.nat.geo", 69 | "ignore_missing": true 70 | } 71 | }, 72 | 73 | { 74 | "append": { 75 | "field": "related.ip", 76 | "value": [ 77 | "{{source.ip}}", 78 | "{{source.nat.ip}}", 79 | "{{destination.ip}}", 80 | "{{destination.nat.ip}}" 81 | ] 82 | } 83 | }, 84 | { 85 | "append": { 86 | "field": "related.user", 87 | "value": [ 88 | "{{source.user.name}}", 89 | "{{destination.user.name}}" 90 | ] 91 | } 92 | }, 93 | { 94 | "date_index_name": { 95 | "field": "@timestamp", 96 | "date_rounding": "M", 97 | "index_name_prefix": "{{{_index}}}" 98 | } 99 | } 100 | ] 101 | } 102 | -------------------------------------------------------------------------------- /ingest_pipelines/transforms-fortinet.fortigate.traffic.private2private.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "data_stream.type", 6 | "value": "transforms" 7 | } 8 | }, 9 | { 10 | "set": { 11 | "field": "data_stream.dataset", 12 | "value": "fortinet.fortigate.traffic" 13 | } 14 | }, 15 | { 16 | "set": { 17 | "field": "fgt.type", 18 | "value": "traffic" 19 | } 20 | }, 21 | { 22 | "set": { 23 | "field": "fgt.subtype", 24 | "value": "forward" 25 | } 26 | }, 27 | { 28 | "set": { 29 | "field": "fgt.policytype", 30 | "value": "policy" 31 | } 32 | }, 33 | { 34 | "set": { 35 | "field": "source.locality", 36 | "value": "private" 37 | } 38 | }, 39 | { 40 | "set": { 41 | "field": "destination.locality", 42 | "value": "private" 43 | } 44 | }, 45 | { 46 | "date_index_name": { 47 | "field": "@timestamp", 48 | "date_rounding": "w", 49 | "index_name_prefix": "{{{_index}}}" 50 | } 51 | } 
52 | ] 53 | } 54 | -------------------------------------------------------------------------------- /ingest_pipelines/transforms-fortinet.fortigate.traffic.private2public.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "data_stream.type", 6 | "value": "transforms" 7 | } 8 | }, 9 | { 10 | "set": { 11 | "field": "data_stream.dataset", 12 | "value": "fortinet.fortigate.traffic" 13 | } 14 | }, 15 | { 16 | "set": { 17 | "field": "fgt.type", 18 | "value": "traffic" 19 | } 20 | }, 21 | { 22 | "set": { 23 | "field": "fgt.subtype", 24 | "value": "forward" 25 | } 26 | }, 27 | { 28 | "set": { 29 | "field": "fgt.policytype", 30 | "value": "policy" 31 | } 32 | }, 33 | { 34 | "set": { 35 | "field": "source.locality", 36 | "value": "private" 37 | } 38 | }, 39 | { 40 | "set": { 41 | "field": "destination.locality", 42 | "value": "public" 43 | } 44 | }, 45 | { 46 | "geoip": { 47 | "field": "destination.ip", 48 | "target_field": "destination.geo", 49 | "ignore_missing": true 50 | } 51 | }, 52 | { 53 | "date_index_name": { 54 | "field": "@timestamp", 55 | "date_rounding": "w", 56 | "index_name_prefix": "{{{_index}}}" 57 | } 58 | } 59 | ] 60 | } 61 | -------------------------------------------------------------------------------- /ingest_pipelines/transforms-fortinet.fortigate.traffic.public2private.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "data_stream.type", 6 | "value": "transforms" 7 | } 8 | }, 9 | { 10 | "set": { 11 | "field": "data_stream.dataset", 12 | "value": "fortinet.fortigate.traffic" 13 | } 14 | }, 15 | { 16 | "set": { 17 | "field": "fgt.type", 18 | "value": "traffic" 19 | } 20 | }, 21 | { 22 | "set": { 23 | "field": "fgt.subtype", 24 | "value": "forward" 25 | } 26 | }, 27 | { 28 | "set": { 29 | "field": "fgt.policytype", 30 | "value": "policy" 31 | } 32 | }, 33 | { 34 | 
"set": { 35 | "field": "source.locality", 36 | "value": "public" 37 | } 38 | }, 39 | { 40 | "set": { 41 | "field": "destination.locality", 42 | "value": "private" 43 | } 44 | }, 45 | { 46 | "geoip": { 47 | "field": "source.ip", 48 | "target_field": "source.geo", 49 | "ignore_missing": true 50 | } 51 | }, 52 | { 53 | "date_index_name": { 54 | "field": "@timestamp", 55 | "date_rounding": "w", 56 | "index_name_prefix": "{{{_index}}}" 57 | } 58 | } 59 | ] 60 | } 61 | -------------------------------------------------------------------------------- /ingest_pipelines/transforms-fortinet.fortigate.traffic.public2public.json: -------------------------------------------------------------------------------- 1 | { 2 | "processors": [ 3 | { 4 | "set": { 5 | "field": "data_stream.type", 6 | "value": "transforms" 7 | } 8 | }, 9 | { 10 | "set": { 11 | "field": "data_stream.dataset", 12 | "value": "fortinet.fortigate.traffic" 13 | } 14 | }, 15 | { 16 | "set": { 17 | "field": "fgt.type", 18 | "value": "traffic" 19 | } 20 | }, 21 | { 22 | "set": { 23 | "field": "fgt.subtype", 24 | "value": "forward" 25 | } 26 | }, 27 | { 28 | "set": { 29 | "field": "fgt.policytype", 30 | "value": "policy" 31 | } 32 | }, 33 | { 34 | "set": { 35 | "field": "source.locality", 36 | "value": "public" 37 | } 38 | }, 39 | { 40 | "set": { 41 | "field": "destination.locality", 42 | "value": "public" 43 | } 44 | }, 45 | { 46 | "geoip": { 47 | "field": "source.ip", 48 | "target_field": "source.geo", 49 | "ignore_missing": true 50 | } 51 | }, 52 | { 53 | "geoip": { 54 | "field": "destination.ip", 55 | "target_field": "destination.geo", 56 | "ignore_missing": true 57 | } 58 | }, 59 | { 60 | "date_index_name": { 61 | "field": "@timestamp", 62 | "date_rounding": "w", 63 | "index_name_prefix": "{{{_index}}}" 64 | } 65 | } 66 | ] 67 | } 68 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-forticlient-input-kv.conf: 
# Logstash ingest for FortiClient (EMS) syslog.
# Flow: UDP/5150 -> split the syslog <PRI> from the payload -> key=value parse into [fct]
# -> build @timestamp from fct.date / fct.time / fct.tz -> hand off to syslog-fortinet-forticlient_2_ecs.
input {

  udp {
    port => 5150
    #
    # Every event received on this port is routed to the logs-fortinet.forticlient-default data stream.
    add_field => {"[data_stream][type]" => "logs"}
    add_field => {"[data_stream][dataset]" => "fortinet.forticlient"}
    add_field => {"[data_stream][namespace]" => "default"}
    #
    # UDP syslog carries no sender authentication; the datagram's source address is kept in
    # observer.ip so the claimed origin of an event can be checked downstream.
    source_ip_fieldname => "[observer][ip]"
    add_field => { "[logstash][hostname]" => "${HOSTNAME:no_logstash_hostname}" }
    # NOTE(review): applied unconditionally, so every event on this port carries the tag whether
    # or not it was relayed by a FortiAnalyzer - confirm this is intended.
    tags => [ "fortianalyzer" ]
  }


}
filter {
  mutate {
    add_field => ["[event][created]", "%{@timestamp}"] # event.created: when the event is created by logstash
  }

  # Separate the leading <PRI> from the rest of the line; the payload is kept in @metadata,
  # which outputs do not forward, so the raw text is not indexed twice.
  grok {
    match => ["[event][original]", "%{SYSLOG5424PRI}%{GREEDYDATA:[@metadata][message]}"]
    #overwrite => ["message"]
    tag_on_failure => ["fortinet_grok_failure"]
  }

  # Events that fail the grok above skip parsing but are still forwarded, tagged fortinet_grok_failure.
  if "fortinet_grok_failure" not in [tags] {
    # Vendor key=value pairs land under [fct]; the nested target keeps log-supplied keys
    # from overwriting top-level / ECS fields.
    kv {
      source => "[@metadata][message]"
      value_split => "="
      field_split => " "
      whitespace => strict
      target => "fct"
    }

    # forti* without tz: fortiweb, fortimail, forticlient, fortigate 6.0, and any log coming from fortianalyzer
    # if ![tz] or "fortianalyzer" in [tags] {
    # Hard-coded default offset; events that needed it are tagged setting_default_timezone
    # so a wrong default can be found (and re-dated) later.
    if ![fct][tz] {
      mutate{
        replace => {"[fct][tz]" => "-0500" }
        add_tag => [ "setting_default_timezone" ]
      }
    }

    #tz="-0500" needs to be converted to tz="-05:00" for ruby on common_ecs pipeline
    mutate {
      replace => {"[@metadata][timestamp]" => "%{[fct][date]} %{[fct][time]} %{[fct][tz]}"}
    }

    # date=2022-08-23 time=16:19:48 # original log
    # 2022-08-23 16:19:48 -0500 #"%{date} %{time} %{tz}"
    # yyyy-MM-dd HH:mm:ss Z
    # If fct.date / fct.time are missing the sprintf placeholders stay literal, the date filter
    # tags the event _dateparsefailure and @timestamp keeps the receive time.
    date {
      match => ["[@metadata][timestamp]", "yyyy-MM-dd HH:mm:ss Z" ]
      target => "@timestamp"
      #remove_field => [ "date","time" ]
    }

  }

}
output {

  pipeline{
    send_to => "syslog-fortinet-forticlient_2_ecs"
  }

}
-------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-forticlient_2_ecs.conf: -------------------------------------------------------------------------------- 1 | input { 2 | pipeline { 3 | address => "syslog-fortinet-forticlient_2_ecs" 4 | } 5 | } 6 | filter { 7 | #remove event.original for saving disk space 8 | #mutate{ remove_field => ["[event][original]"] } 9 | 10 | #validea "N/A" on ip fields 11 | #if [assigned]=="N/A" { mutate { remove_field => ["assigned"] } } 12 | 13 | # browsetime can cause parsing errors 14 | #if [browsetime] { mutate { remove_field => ["browsetime"] } } 15 | 16 | #ecs translation 17 | mutate { 18 | 19 | copy => { 20 | "[fct][emsserial]" => "[observer][serial_number]" 21 | "[fct][emshostname]" => "[observer][hostname]" 22 | "[fct][fctver]" => "[agent][version]" 23 | "[fct][deviceip]" => "[host][ip]" 24 | "[fct][devicemac]" => "[host][mac]" 25 | "[fct][error_code]" => "[error][code]" 26 | "[fct][hostname]" => "[host][hostname]" 27 | "[fct][pcdomain]" => "[host][domain]" 28 | "[fct][os]" => "[host][os][full]" 29 | "[fct][user]" => "[host][user][name]" 30 | "[fct][direction]"=> "[network][direction]" 31 | "[fct][dstip]"=> "[destination][address]" 32 | "[fct][dstport]"=> "[destination][port]" 33 | "[fct][proto]"=> "[network][iana_number]" 34 | "[fct][rcvdbyte]"=> "[destination][bytes]" 35 | "[fct][remotename]"=> "[destination][domain]" 36 | "[fct][sentbyte]"=> "[source][bytes]" 37 | "[fct][service]"=> "[network][protocol]" 38 | "[fct][srcip]"=> "[source][address]" 39 | "[fct][srcport]"=> "[source][port]" 40 | "[fct][url]"=> "[url][full]" 41 | "[fct][usingpolicy]"=> "[rule][name]" 42 | "[fct][msg]"=> "[message]" 43 | "[fct][file]"=> "[file][path]" 44 | "[fct][srcname]"=> "[process][executable]" 45 | "[fct][id]"=> "[event][id]" 46 | "[fct][level]"=> "[log][level]" 47 | "[fct][tz]"=> "[event][timezone]" 48 | "[fct][fctsn]"=> "[agent][id]" 49 | "[fct][vulnseverity]"=> 
"[vulnerability][severity]" 50 | "[fct][vulncat]"=> "[vulnerability][category]" 51 | "[fct][vulnid]"=> "[vulnerability][id]" 52 | "[fct][vulnref]"=> "[vulnerability][reference]" 53 | "[fct][vulnname]"=> "[vulnerability][description]" 54 | } 55 | 56 | copy => { 57 | "[fct][processname]"=> "[process][executable]" 58 | } 59 | 60 | } 61 | 62 | grok { 63 | match => { "[source][address]" => "%{IP:[source][ip]}" } 64 | } 65 | 66 | 67 | grok { 68 | match => { "[destination][address]" => "%{IP:[destination][ip]}" } 69 | } 70 | 71 | } 72 | output { 73 | pipeline { 74 | send_to => "syslog-fortinet-common_ecs-output" 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortiedr-input-kv.conf: -------------------------------------------------------------------------------- 1 | input { 2 | 3 | udp { 4 | port => 10140 5 | # 6 | add_field => {"[data_stream][type]" => "logs"} 7 | add_field => {"[data_stream][dataset]" => "fortinet.fortiedr"} 8 | add_field => {"[data_stream][namespace]" => "default"} 9 | # 10 | source_ip_fieldname => "[observer][ip]" 11 | add_field => { "[logstash][hostname]" => "${HOSTNAME:no_logstash_hostname}" } 12 | # tags => [ "fortianalyzer" ] 13 | } 14 | 15 | 16 | } 17 | filter { 18 | 19 | 20 | mutate { 21 | add_field => ["[event][created]", "%{@timestamp}"] # event.created: when the event is created by logstash 22 | } 23 | 24 | grok { 25 | match => ["[event][original]", "%{SYSLOG5424BASE} +%{GREEDYDATA:[@metadata][message]}"] 26 | #overwrite => ["message"] 27 | tag_on_failure => ["_grokparsefailure_SYSLOG5424"] 28 | remove_field => [ "message" ] 29 | } 30 | 31 | kv { 32 | source => "[@metadata][message]" 33 | value_split => ":" 34 | field_split => ";" 35 | trim_value => " " 36 | remove_char_key => " " 37 | #whitespace => strict 38 | target => "fedr" 39 | } 40 | 41 | mutate{ 42 | replace => {"[event][timezone]" => "-0500" } 43 | add_tag => [ "setting_default_timezone" ] 44 | } 45 
| 46 | # 2022-12-11T05:05:56Z # original log 47 | # ISO8601 48 | date { 49 | match => ["[timestamp]", "ISO8601" ] 50 | target => "@timestamp" 51 | } 52 | 53 | 54 | } 55 | output { 56 | 57 | pipeline{ 58 | send_to => "syslog-fortinet-fortiedr_2_ecs" 59 | } 60 | 61 | } 62 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortiedr_2_ecs.conf: -------------------------------------------------------------------------------- 1 | input { 2 | pipeline { 3 | address => "syslog-fortinet-fortiedr_2_ecs" 4 | } 5 | } 6 | 7 | filter { 8 | 9 | mutate { 10 | rename => { 11 | "[host][hostname]" => "[observer][name]" 12 | "[process][name]" => "[agent][name]" 13 | } 14 | } 15 | 16 | mutate { 17 | split => { 18 | "[fedr][RulesList]" => "," 19 | "[fedr][MACAddress]" => "," 20 | } 21 | 22 | copy => { 23 | "[fedr][ProcessHash]" => "[process][hash][md5]" 24 | "[fedr][ProcessName]" => "[process][name]" 25 | "[fedr][ProcessPath]" => "[process][executable]" 26 | "[fedr][ProcessType]" => "[process][type]" 27 | "[fedr][SourceIP]" => "[host][ip]" 28 | "[fedr][DeviceName]" => "[host][name]" 29 | "[fedr][MACAddress]" => "[host][mac]" 30 | "[fedr][OperatingSystem]" => "[host][os][name]" 31 | "[fedr][Organization]" => "[organization][name]" 32 | "[fedr][OrganizationID]" => "[organization][id]" 33 | "[fedr][Users]" => "[host][user][name]" 34 | "[fedr][RulesList]" => "[rule][name]" 35 | } 36 | 37 | } 38 | 39 | mutate { 40 | 41 | copy => { 42 | 43 | "[fedr][SourceIP]" => "[source][ip]" 44 | 45 | } 46 | 47 | } 48 | 49 | # Event 33414090 was unhandled 50 | # Classification was changed to "Likely Safe" for event 34944715 51 | # Collector [LPDSRIO01-07640] state was changed to "disconnected (expired)" 52 | # Collector [LPDNPIU01-07659] was registered and added to the system 53 | # Application [Firefox] version [99.0.1] from vendor [Mozilla Corporation] was marked as resolved 54 | # Exception from event 35819741 on 03-Feb-2023, 13:56:12 by 
[suprateam] was updated 55 | # Exception from event ID 35819741 was created for Collector group(s) [ESTACIONES - Oficinas Lima] to destination/s [all] and user/s [all] with the following comment -------------------------------------------- suprateam, at 03-Feb-2023, 13:57:37: EXCEPCIÓN DE BLOQUEO PARA USO DE TOKEN DIGITAL 56 | # Collector [LPCPPAC01-08158] was moved from Collector group [Sin Antivirus] to collector group [ESTACIONES - Planta Pacasmayo] 57 | # Collector [DESKTOP-93SLK99] was uninstalled 58 | 59 | if [fedr][Description] { 60 | grok { 61 | match => { 62 | "[fedr][Description]" => [ 63 | "Event %{NUMBER:[fedr][EventID]} was %{WORD:[fedr][Action]}", 64 | "%{DATA:[fedr][Action]} to %{QUOTEDSTRING:[fedr][Classification]} for event %{NUMBER:[fedr][EventID]}", 65 | "Collector \[%{DATA}\] state was %{WORD:[fedr][Action]} to %{QUOTEDSTRING:[fedr][DeviceState]}", 66 | "Collector \[%{DATA}\] was %{WORD:[fedr][Action]} and added to the system", 67 | "Application \[%{DATA:[fedr][AppicationName]}\] version \[%{DATA:[fedr][AppicationVersion]}\] from vendor \[%{DATA:[fedr][AppicationVendor]}\] was marked as %{WORD:[fedr][Action]}", 68 | "Exception from event %{NUMBER:[fedr][EventID]} on %{DATA} by \[%{DATA}\] was %{WORD:[fedr][Action]}", 69 | "Exception from event ID %{NUMBER:[fedr][EventID]} was created for Collector group\(s\) \[%{DATA:[fedr][ComponentGroup]}\] to destination/s \[%{DATA:[fedr][Destination]}\] and user/s \[%{DATA:[fedr][Users]}\] with the following comment%{GREEDYDATA:[fedr][comment]}", 70 | "Collector \[%{DATA:[fedr][ComponentName]}\] was %{WORD:[fedr][Action]} from Collector group \[%{DATA:[fedr][oldComponentGroup]}\] to collector group \[%{DATA:[fedr][ComponentGroup]}\]", 71 | "Collector \[%{DATA}\] was %{WORD:[fedr][Action]}" 72 | ] 73 | } 74 | tag_on_failure => ["_grokparsefailure_Description"] 75 | } 76 | } 77 | 78 | mutate { 79 | gsub => [ 80 | # replace all forward slashes with underscore 81 | "[fedr][Classification]", "\"", "" 82 | ] 83 | 
} 84 | 85 | mutate { 86 | gsub => [ 87 | # replace all forward slashes with underscore 88 | "[fedr][DeviceState]", "\"", "" 89 | ] 90 | } 91 | 92 | if [fedr][Destination] { 93 | grok { 94 | match => { "[fedr][Destination]" => "%{IP:[destination][ip]}" } 95 | tag_on_failure => ["_grokparsefailure_Destination"] 96 | } 97 | } 98 | 99 | } 100 | 101 | output { 102 | pipeline { 103 | send_to => "syslog-fortinet-common_ecs-output" 104 | } 105 | } 106 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortigate-input-kv.conf: -------------------------------------------------------------------------------- 1 | 2 | input { 3 | 4 | ### Fortigate syslog config 5 | #config log syslogd setting 6 | # set status enable 7 | # set server "logstash_IP" 8 | # set port 5140 9 | #end 10 | 11 | udp { 12 | port => 5140 13 | # codec => plain { charset => "ASCII" } 14 | buffer_size => 131072 15 | # 16 | add_field => {"[data_stream][type]" => "logs"} 17 | add_field => {"[data_stream][dataset]" => "fortinet.fortigate"} 18 | add_field => {"[data_stream][namespace]" => "default"} 19 | # 20 | source_ip_fieldname => "[observer][ip]" 21 | add_field => { "[logstash][hostname]" => "${HOSTNAME:no_logstash_hostname}" } 22 | #tags => [ "fortianalyzer" ] 23 | } 24 | 25 | } 26 | filter { 27 | mutate { 28 | add_field => ["[event][created]", "%{@timestamp}"] # event.created: when the event is created by logstash 29 | } 30 | 31 | grok { 32 | match => ["[event][original]", "%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:[@metadata][message]}"] 33 | #overwrite => ["message"] 34 | tag_on_failure => ["fortinet_grok_failure"] 35 | remove_field => [ "syslog_index" ] 36 | ecs_compatibility => disabled 37 | } 38 | 39 | kv { 40 | source => "[@metadata][message]" 41 | value_split => "=" 42 | field_split => " " 43 | whitespace => strict 44 | target => "fgt" 45 | } 46 | 47 | # 6.2 has tz 48 | # forti* without tz: fortiweb, fortimail, forticlient, fortigate 
6.0, and any log comming from fortianalyzer 49 | if ![fgt][tz] or "fortianalyzer" in [tags] { 50 | mutate{ 51 | replace => {"[fgt][tz]" => "-0500" } 52 | add_tag => [ "setting_default_timezone" ] 53 | } 54 | } 55 | 56 | #tz="-0500" needs to be converted to tz="-05:00" for ruby on common_ecs pipeline 57 | mutate { 58 | replace => {"[@metadata][timestamp]" => "%{[fgt][date]} %{[fgt][time]} %{[fgt][tz]}"} 59 | } 60 | 61 | # date=2022-08-23 time=16:19:48 eventtime=1661289588106771292 tz="-0500" # original log 62 | # 2022-08-23 16:19:48 -0500 #"%{date} %{time} %{tz}" 63 | # yyyy-MM-dd HH:mm:ss Z 64 | date { 65 | match => ["[@metadata][timestamp]", "yyyy-MM-dd HH:mm:ss Z" ] 66 | target => "@timestamp" 67 | #remove_field => [ "date","time" ] 68 | } 69 | 70 | } 71 | output { 72 | 73 | pipeline{ 74 | send_to => "syslog-fortinet-fortigate_2_ecsv2" 75 | } 76 | 77 | } 78 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortigate-input5424-kv.conf: -------------------------------------------------------------------------------- 1 | input { 2 | 3 | ### Fortios v7.0+ 4 | ### Fortigate syslog config 5 | #config log syslogd setting 6 | # set status enable 7 | # set server "logstash_IP" 8 | # set port 5140 9 | # set format rfc5424 10 | #end 11 | 12 | ### For SDWAN Dashboard 13 | #config health-check 14 | # edit "Google" 15 | # set server "8.8.8.8" "8.8.4.4" 16 | # set sla-fail-log-period 10 17 | # set sla-pass-log-period 30 18 | # set members 0 19 | # config sla 20 | # edit 1 21 | # set latency-threshold 100 22 | # set jitter-threshold 10 23 | # set packetloss-threshold 5 24 | # next 25 | # end 26 | # next 27 | #end 28 | 29 | ### extended logging on webfilter 30 | # https://docs.fortinet.com/document/fortigate/6.2.4/fortios-log-message-reference/496081/enabling-extended-logging 31 | #config webfilter profile 32 | # edit "test-webfilter" 33 | # set extended-log enable 34 | # set web-extended-all-action-log enable 35 | 
# next 36 | #end 37 | 38 | udp { 39 | port => 5141 40 | buffer_size => 131072 41 | # 42 | add_field => {"[data_stream][type]" => "logs"} 43 | add_field => {"[data_stream][dataset]" => "fortinet.fortigate"} 44 | add_field => {"[data_stream][namespace]" => "default"} 45 | # 46 | source_ip_fieldname => "[observer][ip]" 47 | add_field => { "[logstash][hostname]" => "${HOSTNAME:no_logstash_hostname}" } 48 | #tags => [ "fortianalyzer" ] 49 | } 50 | 51 | } 52 | 53 | filter { 54 | mutate { 55 | add_field => ["[event][created]", "%{@timestamp}"] # event.created: when the event is created by logstash 56 | } 57 | 58 | grok { 59 | match => ["[event][original]", "%{SYSLOG5424BASE} +%{GREEDYDATA:[@metadata][message]}"] 60 | #overwrite => ["message"] 61 | tag_on_failure => ["fortinet_grok_failure"] 62 | remove_field => [ "message" ] 63 | } 64 | 65 | kv { 66 | source => "[@metadata][message]" 67 | #value_split => "=" 68 | #field_split => " " 69 | whitespace => strict 70 | target => "fgt" 71 | } 72 | 73 | 74 | # 2022-12-11T05:05:56Z # original log 75 | # ISO8601 76 | date { 77 | match => ["[timestamp]", "ISO8601" ] 78 | target => "@timestamp" 79 | } 80 | 81 | } 82 | 83 | output { 84 | 85 | pipeline{ 86 | send_to => "syslog-fortinet-fortigate_2_ecsv2" 87 | } 88 | 89 | } 90 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortimail-input-kv.conf: -------------------------------------------------------------------------------- 1 | input { 2 | 3 | udp { 4 | port => 5149 5 | # 6 | add_field => {"[data_stream][type]" => "logs"} 7 | add_field => {"[data_stream][dataset]" => "fortinet.fortimail"} 8 | add_field => {"[data_stream][namespace]" => "default"} 9 | # 10 | source_ip_fieldname => "[observer][ip]" 11 | add_field => { "[logstash][hostname]" => "${HOSTNAME:no_logstash_hostname}" } 12 | #tags => [ "fortianalyzer" ] 13 | } 14 | 15 | 16 | } 17 | filter { 18 | mutate { 19 | add_field => ["[event][created]", 
"%{@timestamp}"] # event.created: when the event is created by logstash 20 | } 21 | 22 | grok { 23 | match => ["[event][original]", "%{SYSLOG5424PRI}%{GREEDYDATA:[@metadata][message]}"] 24 | #overwrite => ["message"] 25 | tag_on_failure => ["fortinet_grok_failure"] 26 | # ecs_compatibility => disabled 27 | } 28 | 29 | 30 | if "fortinet_grok_failure" not in [tags] { 31 | kv { 32 | source => "[@metadata][message]" 33 | value_split => "=" 34 | field_split => " " 35 | whitespace => strict 36 | target => "fml" 37 | } 38 | 39 | # forti* without tz: fortiweb, fortimail, forticlient, fortigate 6.0, and any log comming from fortianalyzer 40 | if ![tz] or "fortianalyzer" in [tags] { 41 | mutate{ 42 | replace => {"[fml][tz]" => "-0500" } 43 | add_tag => [ "setting_default_timezone" ] 44 | } 45 | } 46 | 47 | #tz="-0500" needs to be converted to tz="-05:00" for ruby on common_ecs pipeline 48 | mutate { 49 | replace => {"[@metadata][timestamp]" => "%{[fml][date]} %{[fml][time]} %{[fml][tz]}"} 50 | } 51 | 52 | # date=2022-08-22 time=12:35:42.060 #original log 53 | # 2022-08-22 12:45:41.135 -0500 #"%{date} %{time} %{tz}" 54 | # yyyy-MM-dd HH:mm:ss.SSS Z 55 | date { 56 | match => ["[@metadata][timestamp]", "yyyy-MM-dd HH:mm:ss.SSS Z"] 57 | target => "@timestamp" 58 | #remove_field => [ "date","time" ] 59 | } 60 | 61 | } 62 | 63 | } 64 | output { 65 | 66 | pipeline{ 67 | send_to => "syslog-fortinet-fortimail_2_ecs" 68 | } 69 | 70 | } 71 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortimail_2_ecs.conf: -------------------------------------------------------------------------------- 1 | input { 2 | pipeline { 3 | address => "syslog-fortinet-fortimail_2_ecs" 4 | } 5 | } 6 | 7 | ilter { 8 | 9 | mutate { 10 | copy => { 11 | "[fml][tz]"=> "[event][timezone]" 12 | "[fml][device_id]" => "[observer][serial_number]" 13 | "[fml][client_name]" => "[source][domain]" 14 | "[fml][hfrom]" => "[email][from][adress]" 15 | 
"[fml][from]" => "[email][sender][adress]" 16 | "[fml][to]" => "[email][to][adress]" 17 | "[fml][subject]" => "[email][subject]" 18 | "[fml][mailer]" => "[email][x_mailer]" 19 | "[fml][direction]" => "[email][direction]" 20 | "[fml][message_id]" => "[email][message_id]" 21 | "[fml][session_id]" => "[email][local_id]" 22 | "[fml][msg]" => "[message]" 23 | } 24 | } 25 | 26 | 27 | if [fml][dst_ip] { 28 | grok { 29 | match => { "[fml][dst_ip]" => "%{IP:[destination][ip]}" } 30 | tag_on_failure => ["_grokparsefailure_dst_ip"] 31 | } 32 | } 33 | 34 | if [fml][client_ip] { 35 | grok { 36 | match => { "[fml][client_ip]" => "%{IP:[source][ip]}" } 37 | tag_on_failure => ["_grokparsefailure_client_ip"] 38 | } 39 | } 40 | #fml.type 41 | if [fml][type] { 42 | mutate { replace => { "[data_stream][dataset]" => "%{[data_stream][dataset]}.%{[fml][type]}" } } 43 | } 44 | } 45 | 46 | output { 47 | pipeline { 48 | send_to => "syslog-fortinet-common_ecs-output" 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortisandbox-input-kv.conf: -------------------------------------------------------------------------------- 1 | input { 2 | 3 | ### WARNING, use at your own risk. I don't have any Fortisandbox anymore, I did this pipeline long ago, so many fields and log format may have changed. 
4 | 5 | udp { 6 | port => 5148 7 | codec => plain { charset => "ASCII" } 8 | # 9 | add_field => {"[data_stream][type]" => "logs"} 10 | add_field => {"[data_stream][dataset]" => "fortinet.fortisandbox"} 11 | add_field => {"[data_stream][namespace]" => "default"} 12 | # 13 | source_ip_fieldname => "[observer][ip]" 14 | add_field => { "[logstash][hostname]" => "${HOSTNAME:no_logstash_hostname}" } 15 | #tags => [ "fortianalyzer" ] 16 | } 17 | 18 | } 19 | 20 | filter { 21 | mutate { 22 | add_field => ["[event][created]", "%{@timestamp}"] # event.created: when the event is created by logstash 23 | } 24 | 25 | grok { 26 | match => ["[event][original]", "%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:[@metadata][message]}"] 27 | #overwrite => ["message"] 28 | tag_on_failure => ["fortinet_grok_failure"] 29 | remove_field => [ "syslog_index" ] 30 | ecs_compatibility => disabled 31 | } 32 | if "fortinet_grok_failure" not in [tags] { 33 | kv { 34 | source => "[@metadata][message]" 35 | value_split => "=" 36 | field_split => " " 37 | whitespace => strict 38 | #target => "fsa" 39 | } 40 | 41 | # 6.2 has tz 42 | # forti* without tz: fortiweb, fortimail, forticlient, fortigate 6.0, and any log comming from fortianalyzer 43 | if ![tz] or "fortianalyzer" in [tags] { 44 | mutate{ 45 | replace => {"[tz]" => "-0500" } 46 | add_tag => [ "setting_default_timezone" ] 47 | } 48 | } 49 | 50 | #tz="-0500" needs to be converted to tz="-05:00" for ruby on common_ecs pipeline 51 | mutate { 52 | replace => {"[@metadata][timestamp]" => "%{date}T%{time}Z"} 53 | } 54 | 55 | # 56 | date { 57 | match => ["[@metadata][timestamp]", "ISO8601"] 58 | target => "@timestamp" 59 | timezone => "America/Lima" 60 | remove_field => [ "date","time" ] 61 | } 62 | 63 | } 64 | 65 | } 66 | 67 | 68 | filter { 69 | mutate { 70 | add_field => ["[event][created]", "%{@timestamp}"] # event.created: when the event is created by logstash 71 | } 72 | 73 | grok { 74 | match => ["[event][original]", 
"%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:[@metadata][message]}"] 75 | #overwrite => ["message"] 76 | tag_on_failure => ["fortinet_grok_failure"] 77 | remove_field => [ "syslog_index" ] 78 | ecs_compatibility => disabled 79 | } 80 | if "fortinet_grok_failure" not in [tags] { 81 | kv { 82 | source => "[@metadata][message]" 83 | value_split => "=" 84 | field_split => " " 85 | whitespace => strict 86 | #target => "fortios" 87 | } 88 | 89 | if "fortianalyzer" in [tags] { 90 | mutate{ 91 | update => {"[tz]" => "-05:00" } 92 | replace => {"[@metadata][timestamp]" => "%{date} %{time} %{tz}"} 93 | } 94 | } 95 | if [data_stream][dataset]=="fortinet.fortigate" { 96 | # 6.2 97 | #tz="-0500" needs to be converted to tz="-05:00" for ruby on common_ecs pipeline 98 | if [tz] { 99 | mutate { 100 | replace => {"[@metadata][timestamp]" => "%{date} %{time} %{tz}"} 101 | } 102 | } 103 | 104 | 105 | } 106 | else if [data_stream][dataset]=="fortinet.fortisandbox" { 107 | # type=event 108 | if [tzone] { 109 | # ruby { 110 | # code => "event.set('[tz_fsa]', event.get('[tzone]').to_i / 3600 *100 )" # for tzone=-18000 returns tz_sdx=-500, and it should be -0500 111 | # } 112 | # 113 | mutate { 114 | # replace => {"[@metadata][timestamp]" => "%{date} %{time} %{tz_fsa}"} 115 | # replace => {"[@metadata][timestamp]" => "%{date} %{time}"} 116 | replace => {"[@metadata][timestamp]" => "%{date}T%{time}Z" } 117 | add_field => {"[event][timezone]" => "-0500" } 118 | } 119 | } 120 | # 121 | # # type=alert 122 | else { 123 | mutate{ 124 | replace => {"[@metadata][timestamp]" => "%{date}T%{time}Z" } 125 | add_field => {"[event][timezone]" => "-0500" } 126 | } 127 | } 128 | } 129 | 130 | # forti* without tz: fortiweb, fortimail, forticlient, fortigate 6.0, and any log comming from fortianalyzer 131 | if ![@metadata][timestamp] { 132 | mutate{ 133 | add_field => {"[tz]" => "-0500" } 134 | add_field => {"[event][timezone]" => "America/Lima" } 135 | add_tag => [ "setting_default_timezone" ] 136 | 
add_field => {"[@metadata][timestamp]" => "%{date} %{time} %{[event][timezone]}"} 137 | } 138 | } 139 | 140 | # not sure if timezone should be set. Check yourself 141 | date { 142 | match => ["[@metadata][timestamp]", "yyyy-MM-dd HH:mm:ss Z" , "yyyy-MM-dd HH:mm:ss ZZ", "yyyy-MM-dd HH:mm:ss ZZZ", "yyyy-MM-dd HH:mm:ss.SSS ZZZ", "yyyy-MM-dd HH:mm:ss", "ISO8601"] 143 | target => "@timestamp" 144 | timezone => "America/Lima" 145 | tag_on_failure => ["_dateparsefailure_%{[@metadata][timestamp]}"] 146 | remove_field => [ "date","time" ] 147 | } 148 | 149 | } 150 | 151 | } 152 | output { 153 | 154 | pipeline{ 155 | send_to => "syslog-fortinet-fortisandbox_2_ecs" 156 | } 157 | 158 | } 159 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortisandbox_2_ecs.conf: -------------------------------------------------------------------------------- 1 | input { 2 | pipeline { 3 | address => "syslog-fortinet-fortisandbox_2_ecs" 4 | } 5 | } 6 | filter { 7 | 8 | #remove event.original for saving disk space 9 | #mutate{ remove_field => ["[event][original]"] } 10 | 11 | #validea "N/A" on ip fields 12 | 13 | if [cip]=="N/A" { mutate { remove_field => ["cip"] } } 14 | if [dstip]=="N/A" { mutate { remove_field => ["dstip"] } } 15 | if [ip]=="N/A" { mutate { remove_field => ["ip"] } } 16 | if [sip]=="N/A" { mutate { remove_field => ["sip"] } } 17 | if [srcip]=="N/A" { mutate { remove_field => ["srcip"] } } 18 | if [trueclient]=="N/A" { mutate { remove_field => ["trueclient"] } } 19 | 20 | #rename fortisandbox fields that overlap with ECS. 
21 | mutate { 22 | #rename => { "error" => "[fsa][error]" } 23 | #rename => { "host" => "[fsa][host]" } 24 | rename => { "os" => "[fsa][os]" } 25 | #rename => { "service" => "[fsa][service]" } 26 | #rename => { "url" => "[fsa][url]" } 27 | #rename => { "user" => "[fsa][user]" } 28 | } 29 | 30 | 31 | #ecs translation 32 | mutate { 33 | 34 | #add_field => { "[ecs][version]" => "1.6.0" } 35 | 36 | rename => { 37 | "syslog5424_pri" => "[log][syslog][priority]" 38 | "[dstip]"=> "[destination][ip]" 39 | "[dstport]"=> "[destination][port]" 40 | "[error]"=> "[error][message]" 41 | "[action]"=> "[event][action]" 42 | "[logid]"=> "[event][code]" 43 | "[rsrc]"=> "[event][provider]" 44 | "[sharename]"=> "[file][directory]" 45 | "[ftype]"=> "[file][extension]" 46 | "[md5]"=> "[file][hash][md5]" 47 | "[sha1]"=> "[file][hash][sha1]" 48 | "[sha256]"=> "[file][hash][sha256]" 49 | "[fname]"=> "[file][name]" 50 | "[filepath]"=> "[file][path]" 51 | "[sizebin]"=> "[file][size]" 52 | "[host]"=> "[host][name]" 53 | "[proto]"=> "[network][protocol]" 54 | "[ip]"=> "[network][type]" 55 | "[devid]"=> "[observer][serial_number]" 56 | "[devhost]"=> "[observer][name]" 57 | "[pid]"=> "[process][pid]" 58 | "[cip]"=> "[source][ip]" 59 | "[cport]"=> "[source][port]" 60 | "[suser]"=> "[source][user][name]" 61 | "[hostname]"=> "[url][domain]" 62 | "[url]"=> "[url][original]" 63 | "[user]"=> "[user][name]" 64 | "[level]"=> "[log][level]" 65 | } 66 | 67 | rename => { 68 | "[device_id]"=> "[observer][serial_number]" 69 | "[devname]"=> "[observer][name]" 70 | "[sip]"=> "[destination][ip]" 71 | "[sport]"=> "[destination][port]" 72 | "[scaned]"=> "[event][end]" 73 | "[service]"=> "[network][protocol]" 74 | "[srcip]"=> "[source][ip]" 75 | "[srcport]"=> "[source][port]" 76 | "[susr]"=> "[source][user][name]" 77 | "[sid]"=> "[source][user][id]" 78 | } 79 | 80 | rename =>{ 81 | "[unauthuser]"=> "[source][user][name]" 82 | } 83 | 84 | } 85 | 86 | 87 | #convert scanstart, scanend, stime, etime 88 | if 
[scanstart] { 89 | date { 90 | match => [ "scanstart", "UNIX" ] 91 | timezone => "%{[event][timezone]}" 92 | target => "[event][start]" 93 | tag_on_failure => ["_dateparsefailure_scanstart"] 94 | remove_field => [ "scanstart" ] 95 | } 96 | } 97 | if [stime] { 98 | date { 99 | match => [ "stime", "UNIX" ] 100 | timezone => "%{[event][timezone]}" 101 | target => "[event][start]" 102 | tag_on_failure => ["_dateparsefailure_stime"] 103 | remove_field => [ "stime" ] 104 | } 105 | } 106 | if [scanend] { 107 | date { 108 | match => [ "scanend", "UNIX" ] 109 | timezone => "%{[event][timezone]}" 110 | target => "[event][end]" 111 | tag_on_failure => ["_dateparsefailure_scanend"] 112 | remove_field => [ "scanend" ] 113 | } 114 | } 115 | if [etime] { 116 | date { 117 | match => [ "etime", "UNIX" ] 118 | timezone => "%{[event][timezone]}" 119 | target => "[event][end]" 120 | tag_on_failure => ["_dateparsefailure_etime"] 121 | remove_field => [ "etime" ] 122 | } 123 | } 124 | } 125 | output { 126 | pipeline { 127 | send_to => "syslog-fortinet-common_ecs-output" 128 | } 129 | } 130 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortiweb-input-kv.conf: -------------------------------------------------------------------------------- 1 | input { 2 | 3 | udp { 4 | port => 5147 5 | codec => plain { charset => "ASCII" } 6 | # 7 | add_field => {"[data_stream][type]" => "logs"} 8 | add_field => {"[data_stream][dataset]" => "fortinet.fortiweb"} 9 | add_field => {"[data_stream][namespace]" => "default"} 10 | # 11 | source_ip_fieldname => "[observer][ip]" 12 | add_field => { "[logstash][hostname]" => "${HOSTNAME:no_logstash_hostname}" } 13 | #tags => [ "fortianalyzer" ] 14 | } 15 | } 16 | 17 | filter { 18 | mutate { 19 | add_field => ["[event][created]", "%{@timestamp}"] # event.created: when the event is created by logstash 20 | } 21 | 22 | grok { 23 | match => ["[event][original]", 
"%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:[@metadata][message]}"] 24 | #overwrite => ["message"] 25 | tag_on_failure => ["fortinet_grok_failure"] 26 | remove_field => [ "syslog_index" ] 27 | ecs_compatibility => disabled 28 | } 29 | if "fortinet_grok_failure" not in [tags] { 30 | kv { 31 | source => "[@metadata][message]" 32 | value_split => "=" 33 | field_split => " " 34 | whitespace => strict 35 | #target => "fwb" 36 | } 37 | 38 | # forti* without tz: fortiweb, fortimail, forticlient, fortigate 6.0, and any log comming from fortianalyzer 39 | # date=2022-08-23 time=15:40:22 timezone="(GMT-5:00)Bogota,Lima,Quito" timezone_dayst="GMTa+5" # original log 40 | # just add tz manually. too much trouble to parte "timezone" 41 | 42 | if ![tz] or "fortianalyzer" in [tags] { 43 | mutate{ 44 | replace => {"[tz]" => "-0500" } 45 | add_tag => [ "setting_default_timezone" ] 46 | } 47 | } 48 | 49 | #tz="-0500" needs to be converted to tz="-05:00" for ruby on common_ecs pipeline 50 | 51 | mutate { 52 | replace => {"[@metadata][timestamp]" => "%{date} %{time} %{tz}"} 53 | } 54 | 55 | # date=2022-08-23 time=15:40:22 timezone="(GMT-5:00)Bogota,Lima,Quito" timezone_dayst="GMTa+5" # original log 56 | # 2022-08-23 15:40:22 -0500 #"%{date} %{time} %{tz}" 57 | # yyyy-MM-dd HH:mm:ss Z 58 | date { 59 | match => ["[@metadata][timestamp]", "yyyy-MM-dd HH:mm:ss Z" ] 60 | target => "@timestamp" 61 | remove_field => [ "date","time" ] 62 | } 63 | 64 | } 65 | 66 | } 67 | output { 68 | 69 | pipeline{ 70 | send_to => "syslog-fortinet-fortiweb_2_ecs" 71 | } 72 | 73 | } 74 | -------------------------------------------------------------------------------- /logstash/conf.d/syslog-fortinet-fortiweb_2_ecs.conf: -------------------------------------------------------------------------------- 1 | input { 2 | pipeline { 3 | address => "syslog-fortinet-fortiweb_2_ecs" 4 | } 5 | } 6 | 7 | filter { 8 | #remove event.original for saving disk space 9 | #mutate{ remove_field => ["[event][original]"] } 10 | 11 | 
#validate "N/A" on ip fields 12 | if [dst]=="N/A" { mutate { remove_field => ["dst"] } } 13 | if [src]=="N/A" { mutate { remove_field => ["src"] } } 14 | 15 | 16 | 17 | #ecs translation 18 | 19 | mutate { 20 | 21 | #add_field => { "[ecs][version]" => "1.6.0" } 22 | rename => { 23 | "syslog5424_pri" => "[log][syslog][priority]" 24 | "[device_id]"=> "[observer][serial_number]" 25 | "[log_id]"=> "[event][code]" 26 | "[msg_id]"=> "[event][sequence]" 27 | "[msg]"=> "[message]" 28 | "[policy]"=> "[rule][ruleset]" 29 | "[action]"=> "[event][action]" 30 | "[cipher_suite]"=> "[tls][cipher]" 31 | "[dst]"=> "[destination][ip]" 32 | "[http_agent]"=> "[user_agent][original]" 33 | "[http_host]"=> "[url][domain]" 34 | "[http_method]"=> "[http][request][method]" 35 | "[http_refer]"=> "[http][request][referrer]" 36 | "[http_request_bytes]"=> "[http][request][bytes]" 37 | "[http_request_time]"=> "[http][request][duration]" 38 | "[http_response_bytes]"=> "[http][response][bytes]" 39 | "[http_response_time]"=> "[http][response][duration]" 40 | "[http_retcode]"=> "[http][response][status_code]" 41 | "[http_url]"=> "[url][path]" 42 | "[http_version]"=> "[http][version]" 43 | "[proto]"=> "[network][transport]" 44 | "[reason]"=> "[event][reason]" 45 | "[service]"=> "[network][protocol]" 46 | "[signature_cve_id]"=> "[vulnerability][id]" 47 | "[src]"=> "[source][ip]" 48 | "[src_port]"=> "[source][port]" 49 | "[threat_level]"=> "[vulnerability][severity]" 50 | "[user]"=> "[user][name]" 51 | "[tz]"=> "[event][timezone]" 52 | } 53 | 54 | # rename => { 55 | # "[user_name]"=> "[user][name]" 56 | # } 57 | } 58 | 59 | if [type]=="attack" { 60 | mutate { 61 | copy => { 62 | "[signature_id]"=> "[rule][id]" 63 | "[message]"=> "[rule][description]" 64 | } 65 | 66 | rename => { 67 | "[signature_id]"=> "[vulnerability][id]" 68 | "[main_type]"=> "[rule][category]" 69 | "[sub_type]"=> "[rule][name]" 70 | "[signature_subclass]"=> "[rule][description]" 71 | } 72 | 73 | } 74 | translate { 75 | # FORTIWEB 
ATTACK EVENT ID MAPPING : tested for FORTIWEB 6.2.2 76 | source => "[event][code]" 77 | target => "[event][description]" 78 | dictionary => { 79 | "20000001"=>"Allow Method" 80 | "20000002"=>"Protected Hostnames" 81 | "20000003"=>"Page Access" 82 | "20000004"=>"Start Pages" 83 | "20000005"=>"Parameter Validation" 84 | "20000006"=>"Black IP List" 85 | "20000007"=>"URL Access" 86 | "20000008"=>"Signature Detection" 87 | "20000009"=>"Custom Signature Detection" 88 | "20000010"=>"Brute Force Login" 89 | "20000011"=>"Hidden Fields" 90 | "20000012"=>"Site Publish" 91 | "20000013"=>"HTTP Parsing Error" 92 | "20000014"=>"DoS Protection" 93 | "20000015"=>"SYN Flood Protection" 94 | "20000016"=>"HTTPS Connection Failure" 95 | "20000017"=>"File Upload Restriction" 96 | "20000018"=>"GEO IP" 97 | "20000021"=>"Custom Access" 98 | "20000022"=>"IP Reputation" 99 | "20000023"=>"Padding Oracle" 100 | "20000024"=>"CSRF Protection" 101 | "20000025"=>"Quarantined IPs" 102 | "20000026"=>"HTTP Protocol Constraints" 103 | "20000027"=>"Credential Stuffing Defense" 104 | "20000028"=>"User Tracking" 105 | "20000029"=>"XML Validation Violation" 106 | "20000030"=>"Cookie Security" 107 | "20000031"=>"FTP Command Restriction" 108 | "20000033"=>"Timeout Session" 109 | "20000035"=>"FTP File Security" 110 | "20000036"=>"FTPS Connection Failure" 111 | "20000037"=>"Machine Learning" 112 | "20000038"=>"Openapi Validation Violation" 113 | "20000039"=>"WebSocket Security" 114 | "20000040"=>"MiTB AJAX Security" 115 | "20000041"=>"Bot Detection" 116 | "20000042"=>"CORS Check Security" 117 | "20000043"=>"JSON Validation Security" 118 | } 119 | #fallback => "I'm a teapot" 120 | } 121 | } 122 | 123 | } 124 | 125 | 126 | output { 127 | pipeline { 128 | send_to => "syslog-fortinet-common_ecs-output" 129 | } 130 | 131 | } 132 | -------------------------------------------------------------------------------- /logstash/pipelines.yml: -------------------------------------------------------------------------------- 
1 | # This file is where you define your pipelines. You can define multiple. 2 | # For more information on multiple pipelines, see the documentation: 3 | # https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html 4 | 5 | - pipeline.id: syslog-fortinet-fortigate-input-kv 6 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortigate-input-kv.conf" 7 | - pipeline.id: syslog-fortinet-fortigate-input5424-kv 8 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortigate-input5424-kv.conf" 9 | - pipeline.id: syslog-fortinet-fortimail-input-kv 10 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortimail-input-kv.conf" 11 | - pipeline.id: syslog-fortinet-fortiweb-input-kv 12 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortiweb-input-kv.conf" 13 | - pipeline.id: syslog-fortinet-forticlient-input-kv 14 | path.config: "/etc/logstash/conf.d/syslog-fortinet-forticlient-input-kv.conf" 15 | - pipeline.id: syslog-fortinet-fortisandbox-input-kv 16 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortisandbox-input-kv.conf" 17 | - pipeline.id: syslog-fortinet-fortiedr-input-kv 18 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortiedr-input-kv.conf" 19 | - pipeline.id: syslog-fortinet-fortigate_2_ecs 20 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortigate_2_ecs.conf" 21 | - pipeline.id: syslog-fortinet-fortigate_2_ecsv2 22 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortigate_2_ecsv2.conf" 23 | - pipeline.id: syslog-fortinet-fortiweb_2_ecs 24 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortiweb_2_ecs.conf" 25 | - pipeline.id: syslog-fortinet-fortimail_2_ecs 26 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortimail_2_ecs.conf" 27 | - pipeline.id: syslog-fortinet-forticlient_2_ecs 28 | path.config: "/etc/logstash/conf.d/syslog-fortinet-forticlient_2_ecs.conf" 29 | - pipeline.id: syslog-fortinet-fortisandbox_2_ecs 30 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortisandbox_2_ecs.conf" 31 | - 
pipeline.id: syslog-fortinet-fortiedr_2_ecs 32 | path.config: "/etc/logstash/conf.d/syslog-fortinet-fortiedr_2_ecs.conf" 33 | - pipeline.id: syslog-fortinet-common_ecs-output 34 | path.config: "/etc/logstash/conf.d/syslog-fortinet-common_ecs-output.conf" 35 | -------------------------------------------------------------------------------- /transforms/transforms-fortinet.fortigate.traffic.forward.policy.external_1m.json: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "source": { 4 | "index": [ 5 | "logs-fortinet.fortigate.traffic.forward*" 6 | ], 7 | "query": { 8 | "bool": { 9 | "filter": [ 10 | { 11 | "bool": { 12 | "should": [ 13 | { 14 | "range": { 15 | "@timestamp": { 16 | "gte": "now-5m/m", 17 | "lte": "now/m" 18 | } 19 | } 20 | } 21 | ], 22 | "minimum_should_match": 1 23 | } 24 | }, 25 | { 26 | "bool": { 27 | "should": [ 28 | { 29 | "term": { 30 | "fgt.policytype": "policy" 31 | } 32 | } 33 | ], 34 | "minimum_should_match": 1 35 | } 36 | }, 37 | { 38 | "bool": { 39 | "should": [ 40 | { 41 | "term": { 42 | "network.direction": "external" 43 | } 44 | } 45 | ], 46 | "minimum_should_match": 1 47 | } 48 | }, 49 | { 50 | "bool": { 51 | "must_not": { 52 | "bool": { 53 | "should": [ 54 | { 55 | "term": { 56 | "fgt.logid": "0000000020" 57 | } 58 | } 59 | ], 60 | "minimum_should_match": 1 61 | } 62 | } 63 | } 64 | } 65 | ] 66 | } 67 | } 68 | }, 69 | "dest": { 70 | "index": "transforms-fortinet.fortigate.traffic.forward.policy.external-1m-", 71 | "pipeline": "transforms-fortinet.fortigate.traffic.forward.policy" 72 | }, 73 | "frequency": "1m", 74 | "sync": { 75 | "time": { 76 | "field": "@timestamp", 77 | "delay": "1m" 78 | } 79 | }, 80 | "pivot": { 81 | "group_by": { 82 | "@timestamp": { 83 | "date_histogram": { 84 | "field": "@timestamp", 85 | "calendar_interval": "minute" 86 | } 87 | }, 88 | "source.ip": { 89 | "terms": { 90 | "field": "source.ip", 91 | "missing_bucket": true 92 | } 93 | }, 94 | "source.nat.ip": { 95 | 
"terms": { 96 | "field": "source.nat.ip", 97 | "missing_bucket": true 98 | } 99 | }, 100 | "source.user.name": { 101 | "terms": { 102 | "field": "source.user.name", 103 | "missing_bucket": true 104 | } 105 | }, 106 | "source.user.group.name": { 107 | "terms": { 108 | "field": "source.user.group.name", 109 | "missing_bucket": true 110 | } 111 | }, 112 | "fgt.srcinetsvc": { 113 | "terms": { 114 | "field": "fgt.srcinetsvc", 115 | "missing_bucket": true 116 | } 117 | }, 118 | "fgt.srcreputation": { 119 | "terms": { 120 | "field": "fgt.srcreputation", 121 | "missing_bucket": true 122 | } 123 | }, 124 | "source.risk.static_level": { 125 | "terms": { 126 | "field": "source.risk.static_level", 127 | "missing_bucket": true 128 | } 129 | }, 130 | "observer.ingress.interface.name": { 131 | "terms": { 132 | "field": "observer.ingress.interface.name", 133 | "missing_bucket": true 134 | } 135 | }, 136 | "destination.ip": { 137 | "terms": { 138 | "field": "destination.ip", 139 | "missing_bucket": true 140 | } 141 | }, 142 | "destination.port": { 143 | "terms": { 144 | "field": "destination.port", 145 | "missing_bucket": true 146 | } 147 | }, 148 | "destination.nat.ip": { 149 | "terms": { 150 | "field": "destination.nat.ip", 151 | "missing_bucket": true 152 | } 153 | }, 154 | "destination.nat.port": { 155 | "terms": { 156 | "field": "destination.nat.port", 157 | "missing_bucket": true 158 | } 159 | }, 160 | "fgt.dstinetsvc": { 161 | "terms": { 162 | "field": "fgt.dstinetsvc", 163 | "missing_bucket": true 164 | } 165 | }, 166 | "fgt.dstreputation": { 167 | "terms": { 168 | "field": "fgt.dstreputation", 169 | "missing_bucket": true 170 | } 171 | }, 172 | "observer.egress.interface.name": { 173 | "terms": { 174 | "field": "observer.egress.interface.name", 175 | "missing_bucket": true 176 | } 177 | }, 178 | "rule.id-name": { 179 | "terms": { 180 | "field": "rule.id-name", 181 | "missing_bucket": true 182 | } 183 | }, 184 | "network.iana_number": { 185 | "terms": { 186 | "field": 
"network.iana_number", 187 | "missing_bucket": true 188 | } 189 | }, 190 | "network.protocol": { 191 | "terms": { 192 | "field": "network.protocol", 193 | "missing_bucket": true 194 | } 195 | }, 196 | "network.application": { 197 | "terms": { 198 | "field": "network.application", 199 | "missing_bucket": true 200 | } 201 | }, 202 | "fgt.appcat": { 203 | "terms": { 204 | "field": "fgt.appcat", 205 | "missing_bucket": true 206 | } 207 | }, 208 | "fgt.action": { 209 | "terms": { 210 | "field": "fgt.action", 211 | "missing_bucket": true 212 | } 213 | }, 214 | "fgt.utmaction": { 215 | "terms": { 216 | "field": "fgt.utmaction", 217 | "missing_bucket": true 218 | } 219 | }, 220 | "observer.hostname": { 221 | "terms": { 222 | "field": "observer.hostname", 223 | "missing_bucket": true 224 | } 225 | }, 226 | "fgt.vd": { 227 | "terms": { 228 | "field": "fgt.vd", 229 | "missing_bucket": true 230 | } 231 | } 232 | }, 233 | "aggregations": { 234 | "session.id.value_count": { 235 | "value_count": { 236 | "field": "session.id" 237 | } 238 | }, 239 | "source.risk.static_score.stats": { 240 | "stats": { 241 | "field": "source.risk.static_score" 242 | } 243 | }, 244 | "network.bytes.stats": { 245 | "stats": { 246 | "field": "network.bytes" 247 | } 248 | }, 249 | "source.bytes.stats": { 250 | "stats": { 251 | "field": "source.bytes" 252 | } 253 | }, 254 | "destination.bytes.stats": { 255 | "stats": { 256 | "field": "destination.bytes" 257 | } 258 | }, 259 | "network.packets.stats": { 260 | "stats": { 261 | "field": "network.packets" 262 | } 263 | }, 264 | "source.packets.stats": { 265 | "stats": { 266 | "field": "source.packets" 267 | } 268 | }, 269 | "destination.packets.stats": { 270 | "stats": { 271 | "field": "destination.packets" 272 | } 273 | }, 274 | "event.duration.stats": { 275 | "stats": { 276 | "field": "event.duration" 277 | } 278 | }, 279 | "fgt.countapp.stats": { 280 | "stats": { 281 | "field": "fgt.countapp" 282 | } 283 | }, 284 | "fgt.countweb.stats": { 285 | "stats": { 
286 | "field": "fgt.countweb" 287 | } 288 | }, 289 | "fgt.countips.stats": { 290 | "stats": { 291 | "field": "fgt.countips" 292 | } 293 | }, 294 | "fgt.countav.stats": { 295 | "stats": { 296 | "field": "fgt.countav" 297 | } 298 | }, 299 | "fgt.countssl.stats": { 300 | "stats": { 301 | "field": "fgt.countssl" 302 | } 303 | }, 304 | "fgt.countcifs.stats": { 305 | "stats": { 306 | "field": "fgt.countcifs" 307 | } 308 | }, 309 | "fgt.countdlp.stats": { 310 | "stats": { 311 | "field": "fgt.countdlp" 312 | } 313 | }, 314 | "fgt.countdns.stats": { 315 | "stats": { 316 | "field": "fgt.countdns" 317 | } 318 | }, 319 | "fgt.countemail.stats": { 320 | "stats": { 321 | "field": "fgt.countemail" 322 | } 323 | }, 324 | "fgt.countwaf.stats": { 325 | "stats": { 326 | "field": "fgt.countwaf" 327 | } 328 | }, 329 | "fgt.countff.stats": { 330 | "stats": { 331 | "field": "fgt.countff" 332 | } 333 | }, 334 | "fgt.countssh.stats": { 335 | "stats": { 336 | "field": "fgt.countssh" 337 | } 338 | } 339 | } 340 | }, 341 | "settings": { 342 | "max_page_search_size": 5000 343 | } 344 | } 345 | -------------------------------------------------------------------------------- /transforms/transforms-fortinet.fortigate.traffic.forward.policy.inbound_1m.json: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "source": { 4 | "index": [ 5 | "logs-fortinet.fortigate.traffic.forward*" 6 | ], 7 | "query": { 8 | "bool": { 9 | "filter": [ 10 | { 11 | "bool": { 12 | "should": [ 13 | { 14 | "range": { 15 | "@timestamp": { 16 | "gte": "now-5m/m", 17 | "lte": "now/m" 18 | } 19 | } 20 | } 21 | ], 22 | "minimum_should_match": 1 23 | } 24 | }, 25 | { 26 | "bool": { 27 | "should": [ 28 | { 29 | "term": { 30 | "fgt.policytype": "policy" 31 | } 32 | } 33 | ], 34 | "minimum_should_match": 1 35 | } 36 | }, 37 | { 38 | "bool": { 39 | "should": [ 40 | { 41 | "term": { 42 | "network.direction": "inbound" 43 | } 44 | } 45 | ], 46 | "minimum_should_match": 1 47 | } 48 | }, 49 | 
{ 50 | "bool": { 51 | "must_not": { 52 | "bool": { 53 | "should": [ 54 | { 55 | "term": { 56 | "fgt.logid": "0000000020" 57 | } 58 | } 59 | ], 60 | "minimum_should_match": 1 61 | } 62 | } 63 | } 64 | } 65 | ] 66 | } 67 | } 68 | }, 69 | "dest": { 70 | "index": "transforms-fortinet.fortigate.traffic.forward.policy.inbound-1m-", 71 | "pipeline": "transforms-fortinet.fortigate.traffic.forward.policy" 72 | }, 73 | "frequency": "1m", 74 | "sync": { 75 | "time": { 76 | "field": "@timestamp", 77 | "delay": "1m" 78 | } 79 | }, 80 | "pivot": { 81 | "group_by": { 82 | "@timestamp": { 83 | "date_histogram": { 84 | "field": "@timestamp", 85 | "calendar_interval": "minute" 86 | } 87 | }, 88 | "source.ip": { 89 | "terms": { 90 | "field": "source.ip", 91 | "missing_bucket": true 92 | } 93 | }, 94 | "source.nat.ip": { 95 | "terms": { 96 | "field": "source.nat.ip", 97 | "missing_bucket": true 98 | } 99 | }, 100 | "source.user.name": { 101 | "terms": { 102 | "field": "source.user.name", 103 | "missing_bucket": true 104 | } 105 | }, 106 | "source.user.group.name": { 107 | "terms": { 108 | "field": "source.user.group.name", 109 | "missing_bucket": true 110 | } 111 | }, 112 | "fgt.srcinetsvc": { 113 | "terms": { 114 | "field": "fgt.srcinetsvc", 115 | "missing_bucket": true 116 | } 117 | }, 118 | "fgt.srcreputation": { 119 | "terms": { 120 | "field": "fgt.srcreputation", 121 | "missing_bucket": true 122 | } 123 | }, 124 | "source.risk.static_level": { 125 | "terms": { 126 | "field": "source.risk.static_level", 127 | "missing_bucket": true 128 | } 129 | }, 130 | "observer.ingress.interface.name": { 131 | "terms": { 132 | "field": "observer.ingress.interface.name", 133 | "missing_bucket": true 134 | } 135 | }, 136 | "destination.ip": { 137 | "terms": { 138 | "field": "destination.ip", 139 | "missing_bucket": true 140 | } 141 | }, 142 | "destination.port": { 143 | "terms": { 144 | "field": "destination.port", 145 | "missing_bucket": true 146 | } 147 | }, 148 | "destination.nat.ip": { 149 | 
"terms": { 150 | "field": "destination.nat.ip", 151 | "missing_bucket": true 152 | } 153 | }, 154 | "destination.nat.port": { 155 | "terms": { 156 | "field": "destination.nat.port", 157 | "missing_bucket": true 158 | } 159 | }, 160 | "fgt.dstinetsvc": { 161 | "terms": { 162 | "field": "fgt.dstinetsvc", 163 | "missing_bucket": true 164 | } 165 | }, 166 | "fgt.dstreputation": { 167 | "terms": { 168 | "field": "fgt.dstreputation", 169 | "missing_bucket": true 170 | } 171 | }, 172 | "observer.egress.interface.name": { 173 | "terms": { 174 | "field": "observer.egress.interface.name", 175 | "missing_bucket": true 176 | } 177 | }, 178 | "rule.id-name": { 179 | "terms": { 180 | "field": "rule.id-name", 181 | "missing_bucket": true 182 | } 183 | }, 184 | "network.iana_number": { 185 | "terms": { 186 | "field": "network.iana_number", 187 | "missing_bucket": true 188 | } 189 | }, 190 | "network.protocol": { 191 | "terms": { 192 | "field": "network.protocol", 193 | "missing_bucket": true 194 | } 195 | }, 196 | "network.application": { 197 | "terms": { 198 | "field": "network.application", 199 | "missing_bucket": true 200 | } 201 | }, 202 | "fgt.appcat": { 203 | "terms": { 204 | "field": "fgt.appcat", 205 | "missing_bucket": true 206 | } 207 | }, 208 | "fgt.action": { 209 | "terms": { 210 | "field": "fgt.action", 211 | "missing_bucket": true 212 | } 213 | }, 214 | "fgt.utmaction": { 215 | "terms": { 216 | "field": "fgt.utmaction", 217 | "missing_bucket": true 218 | } 219 | }, 220 | "observer.hostname": { 221 | "terms": { 222 | "field": "observer.hostname", 223 | "missing_bucket": true 224 | } 225 | }, 226 | "fgt.vd": { 227 | "terms": { 228 | "field": "fgt.vd", 229 | "missing_bucket": true 230 | } 231 | } 232 | }, 233 | "aggregations": { 234 | "session.id.value_count": { 235 | "value_count": { 236 | "field": "session.id" 237 | } 238 | }, 239 | "source.risk.static_score.stats": { 240 | "stats": { 241 | "field": "source.risk.static_score" 242 | } 243 | }, 244 | 
"network.bytes.stats": { 245 | "stats": { 246 | "field": "network.bytes" 247 | } 248 | }, 249 | "source.bytes.stats": { 250 | "stats": { 251 | "field": "source.bytes" 252 | } 253 | }, 254 | "destination.bytes.stats": { 255 | "stats": { 256 | "field": "destination.bytes" 257 | } 258 | }, 259 | "network.packets.stats": { 260 | "stats": { 261 | "field": "network.packets" 262 | } 263 | }, 264 | "source.packets.stats": { 265 | "stats": { 266 | "field": "source.packets" 267 | } 268 | }, 269 | "destination.packets.stats": { 270 | "stats": { 271 | "field": "destination.packets" 272 | } 273 | }, 274 | "event.duration.stats": { 275 | "stats": { 276 | "field": "event.duration" 277 | } 278 | }, 279 | "fgt.countapp.stats": { 280 | "stats": { 281 | "field": "fgt.countapp" 282 | } 283 | }, 284 | "fgt.countweb.stats": { 285 | "stats": { 286 | "field": "fgt.countweb" 287 | } 288 | }, 289 | "fgt.countips.stats": { 290 | "stats": { 291 | "field": "fgt.countips" 292 | } 293 | }, 294 | "fgt.countav.stats": { 295 | "stats": { 296 | "field": "fgt.countav" 297 | } 298 | }, 299 | "fgt.countssl.stats": { 300 | "stats": { 301 | "field": "fgt.countssl" 302 | } 303 | }, 304 | "fgt.countcifs.stats": { 305 | "stats": { 306 | "field": "fgt.countcifs" 307 | } 308 | }, 309 | "fgt.countdlp.stats": { 310 | "stats": { 311 | "field": "fgt.countdlp" 312 | } 313 | }, 314 | "fgt.countdns.stats": { 315 | "stats": { 316 | "field": "fgt.countdns" 317 | } 318 | }, 319 | "fgt.countemail.stats": { 320 | "stats": { 321 | "field": "fgt.countemail" 322 | } 323 | }, 324 | "fgt.countwaf.stats": { 325 | "stats": { 326 | "field": "fgt.countwaf" 327 | } 328 | }, 329 | "fgt.countff.stats": { 330 | "stats": { 331 | "field": "fgt.countff" 332 | } 333 | }, 334 | "fgt.countssh.stats": { 335 | "stats": { 336 | "field": "fgt.countssh" 337 | } 338 | } 339 | } 340 | }, 341 | "settings": { 342 | "max_page_search_size": 5000 343 | } 344 | } 345 | -------------------------------------------------------------------------------- 
/transforms/transforms-fortinet.fortigate.traffic.forward.policy.internal_1m.json: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "source": { 4 | "index": [ 5 | "logs-fortinet.fortigate.traffic.forward*" 6 | ], 7 | "query": { 8 | "bool": { 9 | "filter": [ 10 | { 11 | "bool": { 12 | "should": [ 13 | { 14 | "range": { 15 | "@timestamp": { 16 | "gte": "now-5m/m", 17 | "lte": "now/m" 18 | } 19 | } 20 | } 21 | ], 22 | "minimum_should_match": 1 23 | } 24 | }, 25 | { 26 | "bool": { 27 | "should": [ 28 | { 29 | "term": { 30 | "fgt.policytype": "policy" 31 | } 32 | } 33 | ], 34 | "minimum_should_match": 1 35 | } 36 | }, 37 | { 38 | "bool": { 39 | "should": [ 40 | { 41 | "term": { 42 | "network.direction": "internal" 43 | } 44 | } 45 | ], 46 | "minimum_should_match": 1 47 | } 48 | }, 49 | { 50 | "bool": { 51 | "must_not": { 52 | "bool": { 53 | "should": [ 54 | { 55 | "term": { 56 | "fgt.logid": "0000000020" 57 | } 58 | } 59 | ], 60 | "minimum_should_match": 1 61 | } 62 | } 63 | } 64 | } 65 | ] 66 | } 67 | } 68 | }, 69 | "dest": { 70 | "index": "transforms-fortinet.fortigate.traffic.forward.policy.internal-1m-", 71 | "pipeline": "transforms-fortinet.fortigate.traffic.forward.policy" 72 | }, 73 | "frequency": "1m", 74 | "sync": { 75 | "time": { 76 | "field": "@timestamp", 77 | "delay": "1m" 78 | } 79 | }, 80 | "pivot": { 81 | "group_by": { 82 | "@timestamp": { 83 | "date_histogram": { 84 | "field": "@timestamp", 85 | "calendar_interval": "minute" 86 | } 87 | }, 88 | "source.ip": { 89 | "terms": { 90 | "field": "source.ip", 91 | "missing_bucket": true 92 | } 93 | }, 94 | "source.nat.ip": { 95 | "terms": { 96 | "field": "source.nat.ip", 97 | "missing_bucket": true 98 | } 99 | }, 100 | "source.user.name": { 101 | "terms": { 102 | "field": "source.user.name", 103 | "missing_bucket": true 104 | } 105 | }, 106 | "source.user.group.name": { 107 | "terms": { 108 | "field": "source.user.group.name", 109 | "missing_bucket": true 110 | } 
111 | }, 112 | "fgt.srcinetsvc": { 113 | "terms": { 114 | "field": "fgt.srcinetsvc", 115 | "missing_bucket": true 116 | } 117 | }, 118 | "fgt.srcreputation": { 119 | "terms": { 120 | "field": "fgt.srcreputation", 121 | "missing_bucket": true 122 | } 123 | }, 124 | "source.risk.static_level": { 125 | "terms": { 126 | "field": "source.risk.static_level", 127 | "missing_bucket": true 128 | } 129 | }, 130 | "observer.ingress.interface.name": { 131 | "terms": { 132 | "field": "observer.ingress.interface.name", 133 | "missing_bucket": true 134 | } 135 | }, 136 | "destination.ip": { 137 | "terms": { 138 | "field": "destination.ip", 139 | "missing_bucket": true 140 | } 141 | }, 142 | "destination.port": { 143 | "terms": { 144 | "field": "destination.port", 145 | "missing_bucket": true 146 | } 147 | }, 148 | "destination.nat.ip": { 149 | "terms": { 150 | "field": "destination.nat.ip", 151 | "missing_bucket": true 152 | } 153 | }, 154 | "destination.nat.port": { 155 | "terms": { 156 | "field": "destination.nat.port", 157 | "missing_bucket": true 158 | } 159 | }, 160 | "fgt.dstinetsvc": { 161 | "terms": { 162 | "field": "fgt.dstinetsvc", 163 | "missing_bucket": true 164 | } 165 | }, 166 | "fgt.dstreputation": { 167 | "terms": { 168 | "field": "fgt.dstreputation", 169 | "missing_bucket": true 170 | } 171 | }, 172 | "observer.egress.interface.name": { 173 | "terms": { 174 | "field": "observer.egress.interface.name", 175 | "missing_bucket": true 176 | } 177 | }, 178 | "rule.id-name": { 179 | "terms": { 180 | "field": "rule.id-name", 181 | "missing_bucket": true 182 | } 183 | }, 184 | "network.iana_number": { 185 | "terms": { 186 | "field": "network.iana_number", 187 | "missing_bucket": true 188 | } 189 | }, 190 | "network.protocol": { 191 | "terms": { 192 | "field": "network.protocol", 193 | "missing_bucket": true 194 | } 195 | }, 196 | "network.application": { 197 | "terms": { 198 | "field": "network.application", 199 | "missing_bucket": true 200 | } 201 | }, 202 | 
"fgt.appcat": { 203 | "terms": { 204 | "field": "fgt.appcat", 205 | "missing_bucket": true 206 | } 207 | }, 208 | "fgt.action": { 209 | "terms": { 210 | "field": "fgt.action", 211 | "missing_bucket": true 212 | } 213 | }, 214 | "fgt.utmaction": { 215 | "terms": { 216 | "field": "fgt.utmaction", 217 | "missing_bucket": true 218 | } 219 | }, 220 | "observer.hostname": { 221 | "terms": { 222 | "field": "observer.hostname", 223 | "missing_bucket": true 224 | } 225 | }, 226 | "fgt.vd": { 227 | "terms": { 228 | "field": "fgt.vd", 229 | "missing_bucket": true 230 | } 231 | } 232 | }, 233 | "aggregations": { 234 | "session.id.value_count": { 235 | "value_count": { 236 | "field": "session.id" 237 | } 238 | }, 239 | "source.risk.static_score.stats": { 240 | "stats": { 241 | "field": "source.risk.static_score" 242 | } 243 | }, 244 | "network.bytes.stats": { 245 | "stats": { 246 | "field": "network.bytes" 247 | } 248 | }, 249 | "source.bytes.stats": { 250 | "stats": { 251 | "field": "source.bytes" 252 | } 253 | }, 254 | "destination.bytes.stats": { 255 | "stats": { 256 | "field": "destination.bytes" 257 | } 258 | }, 259 | "network.packets.stats": { 260 | "stats": { 261 | "field": "network.packets" 262 | } 263 | }, 264 | "source.packets.stats": { 265 | "stats": { 266 | "field": "source.packets" 267 | } 268 | }, 269 | "destination.packets.stats": { 270 | "stats": { 271 | "field": "destination.packets" 272 | } 273 | }, 274 | "event.duration.stats": { 275 | "stats": { 276 | "field": "event.duration" 277 | } 278 | }, 279 | "fgt.countapp.stats": { 280 | "stats": { 281 | "field": "fgt.countapp" 282 | } 283 | }, 284 | "fgt.countweb.stats": { 285 | "stats": { 286 | "field": "fgt.countweb" 287 | } 288 | }, 289 | "fgt.countips.stats": { 290 | "stats": { 291 | "field": "fgt.countips" 292 | } 293 | }, 294 | "fgt.countav.stats": { 295 | "stats": { 296 | "field": "fgt.countav" 297 | } 298 | }, 299 | "fgt.countssl.stats": { 300 | "stats": { 301 | "field": "fgt.countssl" 302 | } 303 | }, 304 | 
"fgt.countcifs.stats": { 305 | "stats": { 306 | "field": "fgt.countcifs" 307 | } 308 | }, 309 | "fgt.countdlp.stats": { 310 | "stats": { 311 | "field": "fgt.countdlp" 312 | } 313 | }, 314 | "fgt.countdns.stats": { 315 | "stats": { 316 | "field": "fgt.countdns" 317 | } 318 | }, 319 | "fgt.countemail.stats": { 320 | "stats": { 321 | "field": "fgt.countemail" 322 | } 323 | }, 324 | "fgt.countwaf.stats": { 325 | "stats": { 326 | "field": "fgt.countwaf" 327 | } 328 | }, 329 | "fgt.countff.stats": { 330 | "stats": { 331 | "field": "fgt.countff" 332 | } 333 | }, 334 | "fgt.countssh.stats": { 335 | "stats": { 336 | "field": "fgt.countssh" 337 | } 338 | } 339 | } 340 | }, 341 | "settings": { 342 | "max_page_search_size": 5000 343 | } 344 | } 345 | -------------------------------------------------------------------------------- /transforms/transforms-fortinet.fortigate.traffic.forward.policy.outbound_1m.json: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "source": { 4 | "index": [ 5 | "logs-fortinet.fortigate.traffic.forward*" 6 | ], 7 | "query": { 8 | "bool": { 9 | "filter": [ 10 | { 11 | "bool": { 12 | "should": [ 13 | { 14 | "range": { 15 | "@timestamp": { 16 | "gte": "now-5m/m", 17 | "lte": "now/m" 18 | } 19 | } 20 | } 21 | ], 22 | "minimum_should_match": 1 23 | } 24 | }, 25 | { 26 | "bool": { 27 | "should": [ 28 | { 29 | "term": { 30 | "fgt.policytype": "policy" 31 | } 32 | } 33 | ], 34 | "minimum_should_match": 1 35 | } 36 | }, 37 | { 38 | "bool": { 39 | "should": [ 40 | { 41 | "term": { 42 | "network.direction": "outbound" 43 | } 44 | } 45 | ], 46 | "minimum_should_match": 1 47 | } 48 | }, 49 | { 50 | "bool": { 51 | "must_not": { 52 | "bool": { 53 | "should": [ 54 | { 55 | "term": { 56 | "fgt.logid": "0000000020" 57 | } 58 | } 59 | ], 60 | "minimum_should_match": 1 61 | } 62 | } 63 | } 64 | } 65 | ] 66 | } 67 | } 68 | }, 69 | "dest": { 70 | "index": "transforms-fortinet.fortigate.traffic.forward.policy.outbound-1m-", 71 
| "pipeline": "transforms-fortinet.fortigate.traffic.forward.policy" 72 | }, 73 | "frequency": "1m", 74 | "sync": { 75 | "time": { 76 | "field": "@timestamp", 77 | "delay": "1m" 78 | } 79 | }, 80 | "pivot": { 81 | "group_by": { 82 | "@timestamp": { 83 | "date_histogram": { 84 | "field": "@timestamp", 85 | "calendar_interval": "minute" 86 | } 87 | }, 88 | "source.ip": { 89 | "terms": { 90 | "field": "source.ip", 91 | "missing_bucket": true 92 | } 93 | }, 94 | "source.nat.ip": { 95 | "terms": { 96 | "field": "source.nat.ip", 97 | "missing_bucket": true 98 | } 99 | }, 100 | "source.user.name": { 101 | "terms": { 102 | "field": "source.user.name", 103 | "missing_bucket": true 104 | } 105 | }, 106 | "source.user.group.name": { 107 | "terms": { 108 | "field": "source.user.group.name", 109 | "missing_bucket": true 110 | } 111 | }, 112 | "fgt.srcinetsvc": { 113 | "terms": { 114 | "field": "fgt.srcinetsvc", 115 | "missing_bucket": true 116 | } 117 | }, 118 | "fgt.srcreputation": { 119 | "terms": { 120 | "field": "fgt.srcreputation", 121 | "missing_bucket": true 122 | } 123 | }, 124 | "source.risk.static_level": { 125 | "terms": { 126 | "field": "source.risk.static_level", 127 | "missing_bucket": true 128 | } 129 | }, 130 | "observer.ingress.interface.name": { 131 | "terms": { 132 | "field": "observer.ingress.interface.name", 133 | "missing_bucket": true 134 | } 135 | }, 136 | "destination.ip": { 137 | "terms": { 138 | "field": "destination.ip", 139 | "missing_bucket": true 140 | } 141 | }, 142 | "destination.port": { 143 | "terms": { 144 | "field": "destination.port", 145 | "missing_bucket": true 146 | } 147 | }, 148 | "destination.nat.ip": { 149 | "terms": { 150 | "field": "destination.nat.ip", 151 | "missing_bucket": true 152 | } 153 | }, 154 | "destination.nat.port": { 155 | "terms": { 156 | "field": "destination.nat.port", 157 | "missing_bucket": true 158 | } 159 | }, 160 | "fgt.dstinetsvc": { 161 | "terms": { 162 | "field": "fgt.dstinetsvc", 163 | "missing_bucket": 
true 164 | } 165 | }, 166 | "fgt.dstreputation": { 167 | "terms": { 168 | "field": "fgt.dstreputation", 169 | "missing_bucket": true 170 | } 171 | }, 172 | "observer.egress.interface.name": { 173 | "terms": { 174 | "field": "observer.egress.interface.name", 175 | "missing_bucket": true 176 | } 177 | }, 178 | "rule.id-name": { 179 | "terms": { 180 | "field": "rule.id-name", 181 | "missing_bucket": true 182 | } 183 | }, 184 | "network.iana_number": { 185 | "terms": { 186 | "field": "network.iana_number", 187 | "missing_bucket": true 188 | } 189 | }, 190 | "network.protocol": { 191 | "terms": { 192 | "field": "network.protocol", 193 | "missing_bucket": true 194 | } 195 | }, 196 | "network.application": { 197 | "terms": { 198 | "field": "network.application", 199 | "missing_bucket": true 200 | } 201 | }, 202 | "fgt.appcat": { 203 | "terms": { 204 | "field": "fgt.appcat", 205 | "missing_bucket": true 206 | } 207 | }, 208 | "fgt.action": { 209 | "terms": { 210 | "field": "fgt.action", 211 | "missing_bucket": true 212 | } 213 | }, 214 | "fgt.utmaction": { 215 | "terms": { 216 | "field": "fgt.utmaction", 217 | "missing_bucket": true 218 | } 219 | }, 220 | "observer.hostname": { 221 | "terms": { 222 | "field": "observer.hostname", 223 | "missing_bucket": true 224 | } 225 | }, 226 | "fgt.vd": { 227 | "terms": { 228 | "field": "fgt.vd", 229 | "missing_bucket": true 230 | } 231 | } 232 | }, 233 | "aggregations": { 234 | "session.id.value_count": { 235 | "value_count": { 236 | "field": "session.id" 237 | } 238 | }, 239 | "source.risk.static_score.stats": { 240 | "stats": { 241 | "field": "source.risk.static_score" 242 | } 243 | }, 244 | "network.bytes.stats": { 245 | "stats": { 246 | "field": "network.bytes" 247 | } 248 | }, 249 | "source.bytes.stats": { 250 | "stats": { 251 | "field": "source.bytes" 252 | } 253 | }, 254 | "destination.bytes.stats": { 255 | "stats": { 256 | "field": "destination.bytes" 257 | } 258 | }, 259 | "network.packets.stats": { 260 | "stats": { 261 | 
"field": "network.packets" 262 | } 263 | }, 264 | "source.packets.stats": { 265 | "stats": { 266 | "field": "source.packets" 267 | } 268 | }, 269 | "destination.packets.stats": { 270 | "stats": { 271 | "field": "destination.packets" 272 | } 273 | }, 274 | "event.duration.stats": { 275 | "stats": { 276 | "field": "event.duration" 277 | } 278 | }, 279 | "fgt.countapp.stats": { 280 | "stats": { 281 | "field": "fgt.countapp" 282 | } 283 | }, 284 | "fgt.countweb.stats": { 285 | "stats": { 286 | "field": "fgt.countweb" 287 | } 288 | }, 289 | "fgt.countips.stats": { 290 | "stats": { 291 | "field": "fgt.countips" 292 | } 293 | }, 294 | "fgt.countav.stats": { 295 | "stats": { 296 | "field": "fgt.countav" 297 | } 298 | }, 299 | "fgt.countssl.stats": { 300 | "stats": { 301 | "field": "fgt.countssl" 302 | } 303 | }, 304 | "fgt.countcifs.stats": { 305 | "stats": { 306 | "field": "fgt.countcifs" 307 | } 308 | }, 309 | "fgt.countdlp.stats": { 310 | "stats": { 311 | "field": "fgt.countdlp" 312 | } 313 | }, 314 | "fgt.countdns.stats": { 315 | "stats": { 316 | "field": "fgt.countdns" 317 | } 318 | }, 319 | "fgt.countemail.stats": { 320 | "stats": { 321 | "field": "fgt.countemail" 322 | } 323 | }, 324 | "fgt.countwaf.stats": { 325 | "stats": { 326 | "field": "fgt.countwaf" 327 | } 328 | }, 329 | "fgt.countff.stats": { 330 | "stats": { 331 | "field": "fgt.countff" 332 | } 333 | }, 334 | "fgt.countssh.stats": { 335 | "stats": { 336 | "field": "fgt.countssh" 337 | } 338 | } 339 | } 340 | }, 341 | "settings": { 342 | "max_page_search_size": 5000 343 | } 344 | } 345 | -------------------------------------------------------------------------------- /transforms/transforms-fortinet.fortigate.traffic.private2public_1m: -------------------------------------------------------------------------------- 1 | PUT _transform/transforms-fortinet.fortigate.traffic.private2public_1m 2 | { 3 | "source": { 4 | "index": [ 5 | "logs-fortinet.fortigate.traffic*" 6 | ], 7 | "query": { 8 | "bool": { 9 | 
"filter": [ 10 | { 11 | "bool": { 12 | "should": [ 13 | { 14 | "range": { 15 | "@timestamp": { 16 | "gte": "now-5m/m", 17 | "lte": "now/m" 18 | } 19 | } 20 | } 21 | ], 22 | "minimum_should_match": 1 23 | } 24 | }, 25 | { 26 | "bool": { 27 | "should": [ 28 | { 29 | "term": { 30 | "fgt.type": "traffic" 31 | } 32 | } 33 | ], 34 | "minimum_should_match": 1 35 | } 36 | }, 37 | { 38 | "bool": { 39 | "should": [ 40 | { 41 | "term": { 42 | "fgt.subtype": "forward" 43 | } 44 | } 45 | ], 46 | "minimum_should_match": 1 47 | } 48 | }, 49 | { 50 | "bool": { 51 | "should": [ 52 | { 53 | "term": { 54 | "fgt.policytype": "policy" 55 | } 56 | } 57 | ], 58 | "minimum_should_match": 1 59 | } 60 | }, 61 | { 62 | "bool": { 63 | "should": [ 64 | { 65 | "term": { 66 | "source.locality": "private" 67 | } 68 | } 69 | ], 70 | "minimum_should_match": 1 71 | } 72 | }, 73 | { 74 | "bool": { 75 | "should": [ 76 | { 77 | "term": { 78 | "destination.locality": "public" 79 | } 80 | } 81 | ], 82 | "minimum_should_match": 1 83 | } 84 | }, 85 | { 86 | "bool": { 87 | "must_not": { 88 | "bool": { 89 | "should": [ 90 | { 91 | "term": { 92 | "fgt.logid": "0000000020" 93 | } 94 | } 95 | ], 96 | "minimum_should_match": 1 97 | } 98 | } 99 | } 100 | } 101 | ] 102 | } 103 | } 104 | }, 105 | "dest": { 106 | "index": "transforms-fortinet.fortigate.traffic-1m-", 107 | "pipeline": "transforms-fortinet.fortigate.traffic.private2public" 108 | }, 109 | "frequency": "2m", 110 | "sync": { 111 | "time": { 112 | "field": "@timestamp", 113 | "delay": "1m" 114 | } 115 | }, 116 | "pivot": { 117 | "group_by": { 118 | "@timestamp": { 119 | "date_histogram": { 120 | "field": "@timestamp", 121 | "calendar_interval": "minute" 122 | } 123 | }, 124 | "source.ip": { 125 | "terms": { 126 | "field": "source.ip", 127 | "missing_bucket": true 128 | } 129 | }, 130 | "source.user.name": { 131 | "terms": { 132 | "field": "source.user.name", 133 | "missing_bucket": true 134 | } 135 | }, 136 | "source.user.group.name": { 137 | "terms": { 
138 | "field": "source.user.group.name", 139 | "missing_bucket": true 140 | } 141 | }, 142 | "fgt.srcname": { 143 | "terms": { 144 | "field": "fgt.srcname", 145 | "missing_bucket": true 146 | } 147 | }, 148 | "fgt.srchwvendor": { 149 | "terms": { 150 | "field": "fgt.srchwvendor", 151 | "missing_bucket": true 152 | } 153 | }, 154 | "observer.ingress.interface.name": { 155 | "terms": { 156 | "field": "observer.ingress.interface.name", 157 | "missing_bucket": true 158 | } 159 | }, 160 | "destination.ip": { 161 | "terms": { 162 | "field": "destination.ip", 163 | "missing_bucket": true 164 | } 165 | }, 166 | "observer.egress.interface.name": { 167 | "terms": { 168 | "field": "observer.egress.interface.name", 169 | "missing_bucket": true 170 | } 171 | }, 172 | "rule.id-name": { 173 | "terms": { 174 | "field": "rule.id-name", 175 | "missing_bucket": true 176 | } 177 | }, 178 | "network.protocol": { 179 | "terms": { 180 | "field": "network.protocol", 181 | "missing_bucket": true 182 | } 183 | }, 184 | "network.protocol_category": { 185 | "terms": { 186 | "field": "network.protocol_category", 187 | "missing_bucket": true 188 | } 189 | }, 190 | "network.application": { 191 | "terms": { 192 | "field": "network.application", 193 | "missing_bucket": true 194 | } 195 | }, 196 | "fgt.appcat": { 197 | "terms": { 198 | "field": "fgt.appcat", 199 | "missing_bucket": true 200 | } 201 | }, 202 | "fgt.action": { 203 | "terms": { 204 | "field": "fgt.action", 205 | "missing_bucket": true 206 | } 207 | }, 208 | "fgt.utmaction": { 209 | "terms": { 210 | "field": "fgt.utmaction", 211 | "missing_bucket": true 212 | } 213 | }, 214 | "observer.hostname": { 215 | "terms": { 216 | "field": "observer.hostname", 217 | "missing_bucket": true 218 | } 219 | }, 220 | "fgt.vd": { 221 | "terms": { 222 | "field": "fgt.vd", 223 | "missing_bucket": true 224 | } 225 | } 226 | }, 227 | "aggregations": { 228 | "fgt.sessionid.value_count": { 229 | "value_count": { 230 | "field": "fgt.sessionid" 231 | } 232 | 
}, 233 | "event.risk_score.stats": { 234 | "stats": { 235 | "field": "event.risk_score" 236 | } 237 | }, 238 | "network.bytes.stats": { 239 | "stats": { 240 | "field": "network.bytes" 241 | } 242 | }, 243 | "source.bytes.stats": { 244 | "stats": { 245 | "field": "source.bytes" 246 | } 247 | }, 248 | "destination.bytes.stats": { 249 | "stats": { 250 | "field": "destination.bytes" 251 | } 252 | }, 253 | "network.packets.stats": { 254 | "stats": { 255 | "field": "network.packets" 256 | } 257 | }, 258 | "source.packets.stats": { 259 | "stats": { 260 | "field": "source.packets" 261 | } 262 | }, 263 | "destination.packets.stats": { 264 | "stats": { 265 | "field": "destination.packets" 266 | } 267 | }, 268 | "event.duration.stats": { 269 | "stats": { 270 | "field": "event.duration" 271 | } 272 | }, 273 | "fgt.countapp.stats": { 274 | "stats": { 275 | "field": "fgt.countapp" 276 | } 277 | }, 278 | "fgt.countweb.stats": { 279 | "stats": { 280 | "field": "fgt.countweb" 281 | } 282 | }, 283 | "fgt.countips.stats": { 284 | "stats": { 285 | "field": "fgt.countips" 286 | } 287 | }, 288 | "fgt.countav.stats": { 289 | "stats": { 290 | "field": "fgt.countav" 291 | } 292 | }, 293 | "fgt.countssl.stats": { 294 | "stats": { 295 | "field": "fgt.countssl" 296 | } 297 | }, 298 | "fgt.countcifs.stats": { 299 | "stats": { 300 | "field": "fgt.countcifs" 301 | } 302 | }, 303 | "fgt.countdlp.stats": { 304 | "stats": { 305 | "field": "fgt.countdlp" 306 | } 307 | }, 308 | "fgt.countdns.stats": { 309 | "stats": { 310 | "field": "fgt.countdns" 311 | } 312 | }, 313 | "fgt.countemail.stats": { 314 | "stats": { 315 | "field": "fgt.countemail" 316 | } 317 | }, 318 | "fgt.countwaf.stats": { 319 | "stats": { 320 | "field": "fgt.countwaf" 321 | } 322 | }, 323 | "fgt.countff.stats": { 324 | "stats": { 325 | "field": "fgt.countff" 326 | } 327 | }, 328 | "fgt.countssh.stats": { 329 | "stats": { 330 | "field": "fgt.countssh" 331 | } 332 | } 333 | } 334 | }, 335 | "settings": { 336 | "max_page_search_size": 
5000 337 | } 338 | } 339 | -------------------------------------------------------------------------------- /transforms/transforms-fortinet.fortigate.traffic.public2private_1m: -------------------------------------------------------------------------------- 1 | PUT _transform/transforms-fortinet.fortigate.traffic.public2private_1m 2 | { 3 | "source": { 4 | "index": [ 5 | "logs-fortinet.fortigate.traffic*" 6 | ], 7 | "query": { 8 | "bool": { 9 | "filter": [ 10 | { 11 | "bool": { 12 | "should": [ 13 | { 14 | "range": { 15 | "@timestamp": { 16 | "gte": "now-5m/m", 17 | "lte": "now/m" 18 | } 19 | } 20 | } 21 | ], 22 | "minimum_should_match": 1 23 | } 24 | }, 25 | { 26 | "bool": { 27 | "should": [ 28 | { 29 | "term": { 30 | "fgt.type": "traffic" 31 | } 32 | } 33 | ], 34 | "minimum_should_match": 1 35 | } 36 | }, 37 | { 38 | "bool": { 39 | "should": [ 40 | { 41 | "term": { 42 | "fgt.subtype": "forward" 43 | } 44 | } 45 | ], 46 | "minimum_should_match": 1 47 | } 48 | }, 49 | { 50 | "bool": { 51 | "should": [ 52 | { 53 | "term": { 54 | "fgt.policytype": "policy" 55 | } 56 | } 57 | ], 58 | "minimum_should_match": 1 59 | } 60 | }, 61 | { 62 | "bool": { 63 | "should": [ 64 | { 65 | "term": { 66 | "source.locality": "public" 67 | } 68 | } 69 | ], 70 | "minimum_should_match": 1 71 | } 72 | }, 73 | { 74 | "bool": { 75 | "should": [ 76 | { 77 | "term": { 78 | "destination.locality": "private" 79 | } 80 | } 81 | ], 82 | "minimum_should_match": 1 83 | } 84 | }, 85 | { 86 | "bool": { 87 | "must_not": { 88 | "bool": { 89 | "should": [ 90 | { 91 | "term": { 92 | "fgt.logid": "0000000020" 93 | } 94 | } 95 | ], 96 | "minimum_should_match": 1 97 | } 98 | } 99 | } 100 | } 101 | ] 102 | } 103 | } 104 | }, 105 | "dest": { 106 | "index": "transforms-fortinet.fortigate.traffic-1m-", 107 | "pipeline": "transforms-fortinet.fortigate.traffic.public2private" 108 | }, 109 | "frequency": "2m", 110 | "sync": { 111 | "time": { 112 | "field": "@timestamp", 113 | "delay": "1m" 114 | } 115 | }, 116 | 
"pivot": { 117 | "group_by": { 118 | "@timestamp": { 119 | "date_histogram": { 120 | "field": "@timestamp", 121 | "calendar_interval": "minute" 122 | } 123 | }, 124 | "source.ip": { 125 | "terms": { 126 | "field": "source.ip", 127 | "missing_bucket": true 128 | } 129 | }, 130 | "observer.ingress.interface.name": { 131 | "terms": { 132 | "field": "observer.ingress.interface.name", 133 | "missing_bucket": true 134 | } 135 | }, 136 | "destination.ip": { 137 | "terms": { 138 | "field": "destination.ip", 139 | "missing_bucket": true 140 | } 141 | }, 142 | "fgt.dsthwvendor": { 143 | "terms": { 144 | "field": "fgt.dsthwvendor", 145 | "missing_bucket": true 146 | } 147 | }, 148 | "observer.egress.interface.name": { 149 | "terms": { 150 | "field": "observer.egress.interface.name", 151 | "missing_bucket": true 152 | } 153 | }, 154 | "rule.id-name": { 155 | "terms": { 156 | "field": "rule.id-name", 157 | "missing_bucket": true 158 | } 159 | }, 160 | "network.protocol": { 161 | "terms": { 162 | "field": "network.protocol", 163 | "missing_bucket": true 164 | } 165 | }, 166 | "network.protocol_category": { 167 | "terms": { 168 | "field": "network.protocol_category", 169 | "missing_bucket": true 170 | } 171 | }, 172 | "network.application": { 173 | "terms": { 174 | "field": "network.application", 175 | "missing_bucket": true 176 | } 177 | }, 178 | "fgt.appcat": { 179 | "terms": { 180 | "field": "fgt.appcat", 181 | "missing_bucket": true 182 | } 183 | }, 184 | "fgt.action": { 185 | "terms": { 186 | "field": "fgt.action", 187 | "missing_bucket": true 188 | } 189 | }, 190 | "fgt.utmaction": { 191 | "terms": { 192 | "field": "fgt.utmaction", 193 | "missing_bucket": true 194 | } 195 | }, 196 | "observer.hostname": { 197 | "terms": { 198 | "field": "observer.hostname", 199 | "missing_bucket": true 200 | } 201 | }, 202 | "fgt.vd": { 203 | "terms": { 204 | "field": "fgt.vd", 205 | "missing_bucket": true 206 | } 207 | } 208 | }, 209 | "aggregations": { 210 | "fgt.sessionid.value_count": { 
211 | "value_count": { 212 | "field": "fgt.sessionid" 213 | } 214 | }, 215 | "event.risk_score.stats": { 216 | "stats": { 217 | "field": "event.risk_score" 218 | } 219 | }, 220 | "network.bytes.stats": { 221 | "stats": { 222 | "field": "network.bytes" 223 | } 224 | }, 225 | "source.bytes.stats": { 226 | "stats": { 227 | "field": "source.bytes" 228 | } 229 | }, 230 | "destination.bytes.stats": { 231 | "stats": { 232 | "field": "destination.bytes" 233 | } 234 | }, 235 | "network.packets.stats": { 236 | "stats": { 237 | "field": "network.packets" 238 | } 239 | }, 240 | "source.packets.stats": { 241 | "stats": { 242 | "field": "source.packets" 243 | } 244 | }, 245 | "destination.packets.stats": { 246 | "stats": { 247 | "field": "destination.packets" 248 | } 249 | }, 250 | "event.duration.stats": { 251 | "stats": { 252 | "field": "event.duration" 253 | } 254 | }, 255 | "fgt.countapp.stats": { 256 | "stats": { 257 | "field": "fgt.countapp" 258 | } 259 | }, 260 | "fgt.countweb.stats": { 261 | "stats": { 262 | "field": "fgt.countweb" 263 | } 264 | }, 265 | "fgt.countips.stats": { 266 | "stats": { 267 | "field": "fgt.countips" 268 | } 269 | }, 270 | "fgt.countav.stats": { 271 | "stats": { 272 | "field": "fgt.countav" 273 | } 274 | }, 275 | "fgt.countssl.stats": { 276 | "stats": { 277 | "field": "fgt.countssl" 278 | } 279 | }, 280 | "fgt.countcifs.stats": { 281 | "stats": { 282 | "field": "fgt.countcifs" 283 | } 284 | }, 285 | "fgt.countdlp.stats": { 286 | "stats": { 287 | "field": "fgt.countdlp" 288 | } 289 | }, 290 | "fgt.countdns.stats": { 291 | "stats": { 292 | "field": "fgt.countdns" 293 | } 294 | }, 295 | "fgt.countemail.stats": { 296 | "stats": { 297 | "field": "fgt.countemail" 298 | } 299 | }, 300 | "fgt.countwaf.stats": { 301 | "stats": { 302 | "field": "fgt.countwaf" 303 | } 304 | }, 305 | "fgt.countff.stats": { 306 | "stats": { 307 | "field": "fgt.countff" 308 | } 309 | }, 310 | "fgt.countssh.stats": { 311 | "stats": { 312 | "field": "fgt.countssh" 313 | } 314 | } 
315 | } 316 | }, 317 | "settings": { 318 | "max_page_search_size": 5000 319 | } 320 | } 321 | -------------------------------------------------------------------------------- /transforms/transforms-fortinet.fortigate.traffic.public2public_1m: -------------------------------------------------------------------------------- 1 | PUT _transform/transforms-fortinet.fortigate.traffic.public2public_1m 2 | { 3 | "source": { 4 | "index": [ 5 | "logs-fortinet.fortigate.traffic*" 6 | ], 7 | "query": { 8 | "bool": { 9 | "filter": [ 10 | { 11 | "bool": { 12 | "should": [ 13 | { 14 | "range": { 15 | "@timestamp": { 16 | "gte": "now-5m/m", 17 | "lte": "now/m" 18 | } 19 | } 20 | } 21 | ], 22 | "minimum_should_match": 1 23 | } 24 | }, 25 | { 26 | "bool": { 27 | "should": [ 28 | { 29 | "term": { 30 | "fgt.type": "traffic" 31 | } 32 | } 33 | ], 34 | "minimum_should_match": 1 35 | } 36 | }, 37 | { 38 | "bool": { 39 | "should": [ 40 | { 41 | "term": { 42 | "fgt.subtype": "forward" 43 | } 44 | } 45 | ], 46 | "minimum_should_match": 1 47 | } 48 | }, 49 | { 50 | "bool": { 51 | "should": [ 52 | { 53 | "term": { 54 | "fgt.policytype": "policy" 55 | } 56 | } 57 | ], 58 | "minimum_should_match": 1 59 | } 60 | }, 61 | { 62 | "bool": { 63 | "should": [ 64 | { 65 | "term": { 66 | "source.locality": "public" 67 | } 68 | } 69 | ], 70 | "minimum_should_match": 1 71 | } 72 | }, 73 | { 74 | "bool": { 75 | "should": [ 76 | { 77 | "term": { 78 | "destination.locality": "public" 79 | } 80 | } 81 | ], 82 | "minimum_should_match": 1 83 | } 84 | }, 85 | { 86 | "bool": { 87 | "must_not": { 88 | "bool": { 89 | "should": [ 90 | { 91 | "term": { 92 | "fgt.logid": "0000000020" 93 | } 94 | } 95 | ], 96 | "minimum_should_match": 1 97 | } 98 | } 99 | } 100 | } 101 | ] 102 | } 103 | } 104 | }, 105 | "dest": { 106 | "index": "transforms-fortinet.fortigate.traffic-1m-", 107 | "pipeline": "transforms-fortinet.fortigate.traffic.public2public" 108 | }, 109 | "frequency": "2m", 110 | "sync": { 111 | "time": { 112 | 
"field": "@timestamp", 113 | "delay": "1m" 114 | } 115 | }, 116 | "pivot": { 117 | "group_by": { 118 | "@timestamp": { 119 | "date_histogram": { 120 | "field": "@timestamp", 121 | "calendar_interval": "minute" 122 | } 123 | }, 124 | "source.ip": { 125 | "terms": { 126 | "field": "source.ip", 127 | "missing_bucket": true 128 | } 129 | }, 130 | "observer.ingress.interface.name": { 131 | "terms": { 132 | "field": "observer.ingress.interface.name", 133 | "missing_bucket": true 134 | } 135 | }, 136 | "destination.ip": { 137 | "terms": { 138 | "field": "destination.ip", 139 | "missing_bucket": true 140 | } 141 | }, 142 | "fgt.dsthwvendor": { 143 | "terms": { 144 | "field": "fgt.dsthwvendor", 145 | "missing_bucket": true 146 | } 147 | }, 148 | "observer.egress.interface.name": { 149 | "terms": { 150 | "field": "observer.egress.interface.name", 151 | "missing_bucket": true 152 | } 153 | }, 154 | "rule.id-name": { 155 | "terms": { 156 | "field": "rule.id-name", 157 | "missing_bucket": true 158 | } 159 | }, 160 | "network.protocol": { 161 | "terms": { 162 | "field": "network.protocol", 163 | "missing_bucket": true 164 | } 165 | }, 166 | "network.protocol_category": { 167 | "terms": { 168 | "field": "network.protocol_category", 169 | "missing_bucket": true 170 | } 171 | }, 172 | "network.application": { 173 | "terms": { 174 | "field": "network.application", 175 | "missing_bucket": true 176 | } 177 | }, 178 | "fgt.appcat": { 179 | "terms": { 180 | "field": "fgt.appcat", 181 | "missing_bucket": true 182 | } 183 | }, 184 | "fgt.action": { 185 | "terms": { 186 | "field": "fgt.action", 187 | "missing_bucket": true 188 | } 189 | }, 190 | "fgt.utmaction": { 191 | "terms": { 192 | "field": "fgt.utmaction", 193 | "missing_bucket": true 194 | } 195 | }, 196 | "observer.hostname": { 197 | "terms": { 198 | "field": "observer.hostname", 199 | "missing_bucket": true 200 | } 201 | }, 202 | "fgt.vd": { 203 | "terms": { 204 | "field": "fgt.vd", 205 | "missing_bucket": true 206 | } 207 | } 208 
| }, 209 | "aggregations": { 210 | "fgt.sessionid.value_count": { 211 | "value_count": { 212 | "field": "fgt.sessionid" 213 | } 214 | }, 215 | "event.risk_score.stats": { 216 | "stats": { 217 | "field": "event.risk_score" 218 | } 219 | }, 220 | "network.bytes.stats": { 221 | "stats": { 222 | "field": "network.bytes" 223 | } 224 | }, 225 | "source.bytes.stats": { 226 | "stats": { 227 | "field": "source.bytes" 228 | } 229 | }, 230 | "destination.bytes.stats": { 231 | "stats": { 232 | "field": "destination.bytes" 233 | } 234 | }, 235 | "network.packets.stats": { 236 | "stats": { 237 | "field": "network.packets" 238 | } 239 | }, 240 | "source.packets.stats": { 241 | "stats": { 242 | "field": "source.packets" 243 | } 244 | }, 245 | "destination.packets.stats": { 246 | "stats": { 247 | "field": "destination.packets" 248 | } 249 | }, 250 | "event.duration.stats": { 251 | "stats": { 252 | "field": "event.duration" 253 | } 254 | }, 255 | "fgt.countapp.stats": { 256 | "stats": { 257 | "field": "fgt.countapp" 258 | } 259 | }, 260 | "fgt.countweb.stats": { 261 | "stats": { 262 | "field": "fgt.countweb" 263 | } 264 | }, 265 | "fgt.countips.stats": { 266 | "stats": { 267 | "field": "fgt.countips" 268 | } 269 | }, 270 | "fgt.countav.stats": { 271 | "stats": { 272 | "field": "fgt.countav" 273 | } 274 | }, 275 | "fgt.countssl.stats": { 276 | "stats": { 277 | "field": "fgt.countssl" 278 | } 279 | }, 280 | "fgt.countcifs.stats": { 281 | "stats": { 282 | "field": "fgt.countcifs" 283 | } 284 | }, 285 | "fgt.countdlp.stats": { 286 | "stats": { 287 | "field": "fgt.countdlp" 288 | } 289 | }, 290 | "fgt.countdns.stats": { 291 | "stats": { 292 | "field": "fgt.countdns" 293 | } 294 | }, 295 | "fgt.countemail.stats": { 296 | "stats": { 297 | "field": "fgt.countemail" 298 | } 299 | }, 300 | "fgt.countwaf.stats": { 301 | "stats": { 302 | "field": "fgt.countwaf" 303 | } 304 | }, 305 | "fgt.countff.stats": { 306 | "stats": { 307 | "field": "fgt.countff" 308 | } 309 | }, 310 | 
"fgt.countssh.stats": { 311 | "stats": { 312 | "field": "fgt.countssh" 313 | } 314 | } 315 | } 316 | }, 317 | "settings": { 318 | "max_page_search_size": 5000 319 | } 320 | } 321 | -------------------------------------------------------------------------------- /vector/iana_number.csv: -------------------------------------------------------------------------------- 1 | Decimal,Keyword,Protocol,IPv6 Extension Header,Reference 2 | 0,HOPOPT,IPv6 Hop-by-Hop Option,Y,[RFC8200] 3 | 1,ICMP,Internet Control Message,,[RFC792] 4 | 2,IGMP,Internet Group Management,,[RFC1112] 5 | 3,GGP,Gateway-to-Gateway,,[RFC823] 6 | 4,IPv4,IPv4 encapsulation,,[RFC2003] 7 | 5,ST,Stream,,[RFC1190][RFC1819] 8 | 6,TCP,Transmission Control,,[RFC9293] 9 | 7,CBT,CBT,,[Tony_Ballardie] 10 | 8,EGP,Exterior Gateway Protocol,,[RFC888][David_Mills] 11 | 9,IGP,any private interior gateway (used by Cisco for their IGRP),,[Internet_Assigned_Numbers_Authority] 12 | 10,BBN-RCC-MON,BBN RCC Monitoring,,[Steve_Chipman] 13 | 11,NVP-II,Network Voice Protocol,,[RFC741][Steve_Casner] 14 | 12,PUP,PUP,,"[Boggs, D., J. Shoch, E. Taft, and R. Metcalfe, ""PUP: An Internetwork Architecture"", XEROX Palo Alto Research Center, CSL-79-10, July 1979; also in IEEE Transactions on Communication, Volume COM-28, Number 4, April 1980.][[XEROX]]" 15 | 13,ARGUS (deprecated),ARGUS,,[Robert_W_Scheifler] 16 | 14,EMCON,EMCON,,[Bich_Nguyen] 17 | 15,XNET,Cross Net Debugger,,"[Haverty, J., ""XNET Formats for Internet Protocol Version 4"", IEN 158, October 1980.][Jack_Haverty]" 18 | 16,CHAOS,Chaos,,[J_Noel_Chiappa] 19 | 17,UDP,User Datagram,,[RFC768][Jon_Postel] 20 | 18,MUX,Multiplexing,,"[Cohen, D. and J. 
Postel, ""Multiplexing Protocol"", IEN 90, USC/Information Sciences Institute, May 1979.][Jon_Postel]" 21 | 19,DCN-MEAS,DCN Measurement Subsystems,,[David_Mills] 22 | 20,HMP,Host Monitoring,,[RFC869][Bob_Hinden] 23 | 21,PRM,Packet Radio Measurement,,[Zaw_Sing_Su] 24 | 22,XNS-IDP,XEROX NS IDP,,"[""The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification"", AA-K759B-TK, Digital Equipment Corporation, Maynard, MA. Also as: ""The Ethernet - A Local Area Network"", Version 1.0, Digital Equipment Corporation, Intel Corporation, Xerox Corporation, September 1980. And: ""The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specifications"", Digital, Intel and Xerox, November 1982. And: XEROX, ""The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification"", X3T51/80-50, Xerox Corporation, Stamford, CT., October 1980.][[XEROX]]" 25 | 23,TRUNK-1,Trunk-1,,[Barry_Boehm] 26 | 24,TRUNK-2,Trunk-2,,[Barry_Boehm] 27 | 25,LEAF-1,Leaf-1,,[Barry_Boehm] 28 | 26,LEAF-2,Leaf-2,,[Barry_Boehm] 29 | 27,RDP,Reliable Data Protocol,,[RFC908][Bob_Hinden] 30 | 28,IRTP,Internet Reliable Transaction,,[RFC938][Trudy_Miller] 31 | 29,ISO-TP4,ISO Transport Protocol Class 4,,[RFC905][Robert_Cole] 32 | 30,NETBLT,Bulk Data Transfer Protocol,,[RFC969][David_Clark] 33 | 31,MFE-NSP,MFE Network Services Protocol,,"[Shuttleworth, B., ""A Documentary of MFENet, a National Computer Network"", UCRL-52317, Lawrence Livermore Labs, Livermore, California, June 1977.][Barry_Howard]" 34 | 32,MERIT-INP,MERIT Internodal Protocol,,[Hans_Werner_Braun] 35 | 33,DCCP,Datagram Congestion Control Protocol,,[RFC4340] 36 | 34,3PC,Third Party Connect Protocol,,[Stuart_A_Friedberg] 37 | 35,IDPR,Inter-Domain Policy Routing Protocol,,[Martha_Steenstrup] 38 | 36,XTP,XTP,,[Greg_Chesson] 39 | 37,DDP,Datagram Delivery Protocol,,[Wesley_Craig] 40 | 38,IDPR-CMTP,IDPR Control Message Transport Proto,,[Martha_Steenstrup] 41 | 39,TP++,TP++ Transport 
Protocol,,[Dirk_Fromhein] 42 | 40,IL,IL Transport Protocol,,[Dave_Presotto] 43 | 41,IPv6,IPv6 encapsulation,,[RFC2473] 44 | 42,SDRP,Source Demand Routing Protocol,,[Deborah_Estrin] 45 | 43,IPv6-Route,Routing Header for IPv6,Y,[Steve_Deering] 46 | 44,IPv6-Frag,Fragment Header for IPv6,Y,[Steve_Deering] 47 | 45,IDRP,Inter-Domain Routing Protocol,,[Sue_Hares] 48 | 46,RSVP,Reservation Protocol,,[RFC2205][RFC3209][Bob_Braden] 49 | 47,GRE,Generic Routing Encapsulation,,[RFC2784][Tony_Li] 50 | 48,DSR,Dynamic Source Routing Protocol,,[RFC4728] 51 | 49,BNA,BNA,,[Gary Salamon] 52 | 50,ESP,Encap Security Payload,Y,[RFC4303] 53 | 51,AH,Authentication Header,Y,[RFC4302] 54 | 52,I-NLSP,Integrated Net Layer Security TUBA,,[K_Robert_Glenn] 55 | 53,SWIPE (deprecated),IP with Encryption,,[John_Ioannidis] 56 | 54,NARP,NBMA Address Resolution Protocol,,[RFC1735] 57 | 55,Min-IPv4,Minimal IPv4 Encapsulation,,[RFC2004][Charlie_Perkins] 58 | 56,TLSP,Transport Layer Security Protocol using Kryptonet key management,,[Christer_Oberg] 59 | 57,SKIP,SKIP,,[Tom_Markson] 60 | 58,IPv6-ICMP,ICMP for IPv6,,[RFC8200] 61 | 59,IPv6-NoNxt,No Next Header for IPv6,,[RFC8200] 62 | 60,IPv6-Opts,Destination Options for IPv6,Y,[RFC8200] 63 | 61,,any host internal protocol,,[Internet_Assigned_Numbers_Authority] 64 | 62,CFTP,CFTP,,"[Forsdick, H., ""CFTP"", Network Message, Bolt Beranek and Newman, January 1982.][Harry_Forsdick]" 65 | 63,,any local network,,[Internet_Assigned_Numbers_Authority] 66 | 64,SAT-EXPAK,SATNET and Backroom EXPAK,,[Steven_Blumenthal] 67 | 65,KRYPTOLAN,Kryptolan,,[Paul Liu] 68 | 66,RVD,MIT Remote Virtual Disk Protocol,,[Michael_Greenwald] 69 | 67,IPPC,Internet Pluribus Packet Core,,[Steven_Blumenthal] 70 | 68,,any distributed file system,,[Internet_Assigned_Numbers_Authority] 71 | 69,SAT-MON,SATNET Monitoring,,[Steven_Blumenthal] 72 | 70,VISA,VISA Protocol,,[Gene_Tsudik] 73 | 71,IPCV,Internet Packet Core Utility,,[Steven_Blumenthal] 74 | 72,CPNX,Computer Protocol Network Executive,,[David 
Mittnacht] 75 | 73,CPHB,Computer Protocol Heart Beat,,[David Mittnacht] 76 | 74,WSN,Wang Span Network,,[Victor Dafoulas] 77 | 75,PVP,Packet Video Protocol,,[Steve_Casner] 78 | 76,BR-SAT-MON,Backroom SATNET Monitoring,,[Steven_Blumenthal] 79 | 77,SUN-ND,SUN ND PROTOCOL-Temporary,,[William_Melohn] 80 | 78,WB-MON,WIDEBAND Monitoring,,[Steven_Blumenthal] 81 | 79,WB-EXPAK,WIDEBAND EXPAK,,[Steven_Blumenthal] 82 | 80,ISO-IP,ISO Internet Protocol,,[Marshall_T_Rose] 83 | 81,VMTP,VMTP,,[Dave_Cheriton] 84 | 82,SECURE-VMTP,SECURE-VMTP,,[Dave_Cheriton] 85 | 83,VINES,VINES,,[Brian Horn] 86 | 84,IPTM,Internet Protocol Traffic Manager,,[Jim_Stevens][1] 87 | 85,NSFNET-IGP,NSFNET-IGP,,[Hans_Werner_Braun] 88 | 86,DGP,Dissimilar Gateway Protocol,,"[M/A-COM Government Systems, ""Dissimilar Gateway Protocol Specification, Draft Version"", Contract no. CS901145, November 16, 1987.][Mike_Little]" 89 | 87,TCF,TCF,,[Guillermo_A_Loyola] 90 | 88,EIGRP,EIGRP,,[RFC7868] 91 | 89,OSPFIGP,OSPFIGP,,[RFC1583][RFC2328][RFC5340][John_Moy] 92 | 90,Sprite-RPC,Sprite RPC Protocol,,"[Welch, B., ""The Sprite Remote Procedure Call System"", Technical Report, UCB/Computer Science Dept., 86/302, University of California at Berkeley, June 1986.][Bruce Willins]" 93 | 91,LARP,Locus Address Resolution Protocol,,[Brian Horn] 94 | 92,MTP,Multicast Transport Protocol,,[Susie_Armstrong] 95 | 93,AX.25,AX.25 Frames,,[Brian_Kantor] 96 | 94,IPIP,IP-within-IP Encapsulation Protocol,,[John_Ioannidis] 97 | 95,MICP (deprecated),Mobile Internetworking Control Pro.,,[John_Ioannidis] 98 | 96,SCC-SP,Semaphore Communications Sec. 
Pro.,,[Howard_Hart] 99 | 97,ETHERIP,Ethernet-within-IP Encapsulation,,[RFC3378] 100 | 98,ENCAP,Encapsulation Header,,[RFC1241][Robert_Woodburn] 101 | 99,,any private encryption scheme,,[Internet_Assigned_Numbers_Authority] 102 | 100,GMTP,GMTP,,[[RXB5]] 103 | 101,IFMP,Ipsilon Flow Management Protocol,,"[Bob_Hinden][November 1995, 1997.]" 104 | 102,PNNI,PNNI over IP,,[Ross_Callon] 105 | 103,PIM,Protocol Independent Multicast,,[RFC7761][Dino_Farinacci] 106 | 104,ARIS,ARIS,,[Nancy_Feldman] 107 | 105,SCPS,SCPS,,[Robert_Durst] 108 | 106,QNX,QNX,,[Michael_Hunter] 109 | 107,A/N,Active Networks,,[Bob_Braden] 110 | 108,IPComp,IP Payload Compression Protocol,,[RFC2393] 111 | 109,SNP,Sitara Networks Protocol,,[Manickam_R_Sridhar] 112 | 110,Compaq-Peer,Compaq Peer Protocol,,[Victor_Volpe] 113 | 111,IPX-in-IP,IPX in IP,,[CJ_Lee] 114 | 112,VRRP,Virtual Router Redundancy Protocol,,[RFC9568] 115 | 113,PGM,PGM Reliable Transport Protocol,,[Tony_Speakman] 116 | 114,,any 0-hop protocol,,[Internet_Assigned_Numbers_Authority] 117 | 115,L2TP,Layer Two Tunneling Protocol,,[RFC3931][Bernard_Aboba] 118 | 116,DDX,D-II Data Exchange (DDX),,[John_Worley] 119 | 117,IATP,Interactive Agent Transfer Protocol,,[John_Murphy] 120 | 118,STP,Schedule Transfer Protocol,,[Jean_Michel_Pittet] 121 | 119,SRP,SpectraLink Radio Protocol,,[Mark_Hamilton] 122 | 120,UTI,UTI,,[Peter_Lothberg] 123 | 121,SMP,Simple Message Protocol,,[Leif_Ekblad] 124 | 122,SM (deprecated),Simple Multicast Protocol,,[Jon_Crowcroft][draft-perlman-simple-multicast] 125 | 123,PTP,Performance Transparency Protocol,,[Michael_Welzl] 126 | 124,ISIS over IPv4,,,[Tony_Przygienda] 127 | 125,FIRE,,,[Criag_Partridge] 128 | 126,CRTP,Combat Radio Transport Protocol,,[Robert_Sautter] 129 | 127,CRUDP,Combat Radio User Datagram,,[Robert_Sautter] 130 | 128,SSCOPMCE,,,[Kurt_Waber] 131 | 129,IPLT,,,[[Hollbach]] 132 | 130,SPS,Secure Packet Shield,,[Bill_McIntosh] 133 | 131,PIPE,Private IP Encapsulation within IP,,[Bernhard_Petri] 134 | 132,SCTP,Stream 
Control Transmission Protocol,,[Randall_R_Stewart] 135 | 133,FC,Fibre Channel,,[Murali_Rajagopal][RFC6172] 136 | 134,RSVP-E2E-IGNORE,,,[RFC3175] 137 | 135,Mobility Header,,Y,[RFC6275] 138 | 136,UDPLite,,,[RFC3828] 139 | 137,MPLS-in-IP,,,[RFC4023] 140 | 138,manet,MANET Protocols,,[RFC5498] 141 | 139,HIP,Host Identity Protocol,Y,[RFC7401] 142 | 140,Shim6,Shim6 Protocol,Y,[RFC5533] 143 | 141,WESP,Wrapped Encapsulating Security Payload,,[RFC5840] 144 | 142,ROHC,Robust Header Compression,,[RFC5858] 145 | 143,Ethernet,Ethernet,,[RFC8986] 146 | 144,AGGFRAG,AGGFRAG encapsulation payload for ESP,,[RFC9347] 147 | 145,NSH,Network Service Header,N,[RFC9491] 148 | 253,,Use for experimentation and testing,Y,[RFC3692] 149 | 254,,Use for experimentation and testing,Y,[RFC3692] 150 | 255,Reserved,,,[Internet_Assigned_Numbers_Authority] 151 | -------------------------------------------------------------------------------- /vector/vector.yaml: -------------------------------------------------------------------------------- 1 | # __ __ __ 2 | # \ \ / / / / 3 | # \ V / / / 4 | # \_/ \/ 5 | # 6 | # V E C T O R 7 | # Configuration 8 | # 9 | # ------------------------------------------------------------------------------ 10 | # Website: https://vector.dev 11 | # Docs: https://vector.dev/docs 12 | # Chat: https://chat.vector.dev 13 | # ------------------------------------------------------------------------------ 14 | 15 | # Change this to use a non-default directory for Vector data storage: 16 | # data_dir: "/var/lib/vector" 17 | 18 | # Random Syslog-formatted logs 19 | #sources: 20 | # dummy_logs: 21 | # type: "demo_logs" 22 | # format: "syslog" 23 | # interval: 1 24 | 25 | # Parse Syslog logs 26 | # See the Vector Remap Language reference for more info: https://vrl.dev 27 | #transforms: 28 | # parse_logs: 29 | # type: "remap" 30 | # inputs: ["dummy_logs"] 31 | # source: | 32 | # . 
= parse_syslog!(string!(.message)) 33 | 34 | # Print parsed logs to stdout 35 | #sinks: 36 | # print: 37 | # type: "console" 38 | # inputs: ["parse_logs"] 39 | # encoding: 40 | # codec: "json" 41 | # json: 42 | # pretty: true 43 | 44 | # Vector's GraphQL API (disabled by default) 45 | # Uncomment to try it out with the `vector top` command or 46 | # in your browser at http://localhost:8686 47 | api: 48 | enabled: true 49 | address: "127.0.0.1:8686" 50 | -------------------------------------------------------------------------------- /vector/vector_monitoring.yaml: -------------------------------------------------------------------------------- 1 | # __ __ __ 2 | # \ \ / / / / 3 | # \ V / / / 4 | # \_/ \/ 5 | # 6 | # V E C T O R 7 | # Configuration 8 | # 9 | # ------------------------------------------------------------------------------ 10 | # Website: https://vector.dev 11 | # Docs: https://vector.dev/docs 12 | # Chat: https://chat.vector.dev 13 | # ------------------------------------------------------------------------------ 14 | 15 | # Change this to use a non-default directory for Vector data storage: 16 | # data_dir: "/var/lib/vector" 17 | 18 | sources: 19 | vector_metrics: 20 | type: "internal_metrics" 21 | scrape_interval_secs: 60 22 | 23 | vector_logs: 24 | type: "internal_logs" 25 | 26 | 27 | transforms: 28 | 29 | vector_metrics_add_tags: 30 | type: "remap" 31 | inputs: 32 | - vector_metrics 33 | source: | 34 | .tags.tenant = "${TENANT_NAME:-default}" 35 | 36 | vector_logs_add_tags: 37 | type: "remap" 38 | inputs: 39 | - vector_logs 40 | source: | 41 | .tags.tenant = "${TENANT_NAME:-default}" 42 | # https://grafana.com/docs/loki/latest/get-started/labels/#default-labels-for-all-users 43 | #.tags.service_name = "vector" 44 | .tags.source_type = .source_type 45 | .tags |= object(.metadata) ?? 
{}

# Sinks for Vector's own telemetry: internal metrics go to Prometheus
# remote-write, internal logs go to Loki. Every ${VAR:-default} below is a
# placeholder for local testing; the *_PASS defaults in particular are
# well-known strings and must be overridden in the environment of any
# deployment that is reachable by anyone else.
sinks:
  prometheus_vector:
    type: "prometheus_remote_write"
    # Default is plain http on localhost. Basic-auth credentials travel in the
    # clear, so a remote PROMETHEUS_ENDPOINT override should be an https URL.
    endpoint: "${PROMETHEUS_ENDPOINT:-http://localhost:9090}/api/prom/push"
    auth:
      strategy: "basic"
      user: "${PROMETHEUS_USER:-prometheus_user}"
      # NOTE(review): the fallback password is a placeholder. Set PROMETHEUS_PASS
      # in the environment; Vector's ${VAR:?message} form refuses to start when
      # the variable is unset, which fails closed instead of silently using
      # this default.
      password: "${PROMETHEUS_PASS:-myprometheuspassword}"
    inputs:
      #- vector_metrics
      - vector_metrics_add_tags
    # Healthcheck disabled: a wrong endpoint or bad credentials only surface
    # when the first batch is written rather than at startup — presumably so
    # Vector can start before Prometheus is up; confirm this is intended.
    healthcheck:
      enabled: false

#  console:
#    type: "console"
#    inputs:
#      - vector_logs_add_tags
#    encoding:
#      codec: "text"

  loki_vector:
    type: loki
    inputs:
      - vector_logs_add_tags
    # Same plaintext / basic-auth caveat as the Prometheus sink above.
    endpoint: "${LOKI_ENDPOINT:-http://localhost:3100}"
    auth:
      strategy: "basic"
      user: "${LOKI_USER:-loki_user}"
      # NOTE(review): placeholder password — override LOKI_PASS, see above.
      password: "${LOKI_PASS:-mylokipassword}"
    encoding:
      codec: "json"
    compression: "snappy"
    # "*" turns every key under .tags into a Loki label. The
    # vector_logs_add_tags transform merges the whole .metadata object into
    # .tags (`.tags |= object(.metadata) ?? {}`), so any high-cardinality
    # metadata key becomes a label; check label cardinality in Loki before
    # running this at scale.
    labels:
      "*": "{{tags}}"
    # host is kept out of the label set and sent as structured metadata.
    structured_metadata:
      "host": "{{host}}"
    # ### For performance optimization. Vector works really well with defaults. Don't use it unless you really need to fine-tune your ingest.
85 | # buffer: 86 | # - type: memory 87 | # max_events: 12800 # default 500 https://www.elastic.co/docs/reference/fleet/es-output-settings#es-output-settings-performance-tuning-settings 88 | # #when_full: drop_newest #default block 89 | # batch: 90 | # #max_bytes: 91 | # max_events: 1600 # default 1000 92 | # timeout_secs: 5 # default 1 93 | -------------------------------------------------------------------------------- /vector/victoria_monitoring.yaml: -------------------------------------------------------------------------------- 1 | # __ __ __ 2 | # \ \ / / / / 3 | # \ V / / / 4 | # \_/ \/ 5 | # 6 | # V E C T O R 7 | # Configuration 8 | # 9 | # ------------------------------------------------------------------------------ 10 | # Website: https://vector.dev 11 | # Docs: https://vector.dev/docs 12 | # Chat: https://chat.vector.dev 13 | # ------------------------------------------------------------------------------ 14 | 15 | # Change this to use a non-default directory for Vector data storage: 16 | # data_dir: "/var/lib/vector" 17 | 18 | sources: 19 | victorialogs_metrics: 20 | type: "prometheus_scrape" 21 | endpoints: 22 | - "${VICTORIA_LOGS_ENDPOINT:-http://localhost:9428}/metrics" 23 | scrape_interval_secs: 60 24 | 25 | victorialogs_logs: 26 | type: "journald" 27 | include_units: 28 | - victorialogs 29 | 30 | transforms: 31 | 32 | victorialogs_metrics_add_tags: 33 | type: "remap" 34 | inputs: 35 | - victorialogs_metrics 36 | source: | 37 | .tags.tenant = "${TENANT_NAME:-default}" 38 | 39 | victorialogs_logs_add_tags: 40 | type: "remap" 41 | inputs: 42 | - victorialogs_logs 43 | source: | 44 | .tags.tenant = "${TENANT_NAME:-default}" 45 | # https://grafana.com/docs/loki/latest/get-started/labels/#default-labels-for-all-users 46 | #.tags.service_name = "victorialogs" 47 | .tags.source_type = .source_type 48 | .tags |= object(.metadata) ?? 
{}


# Sinks for VictoriaLogs monitoring: scraped VictoriaLogs metrics go to
# Prometheus remote-write, its journald logs go to Loki. Every
# ${VAR:-default} below is a placeholder for local testing; the *_PASS
# defaults are well-known strings and must be overridden in the environment
# of any deployment that is reachable by anyone else.
sinks:
  prometheus_victorialogs:
    type: "prometheus_remote_write"
    # Default is plain http on localhost. Basic-auth credentials travel in the
    # clear, so a remote PROMETHEUS_ENDPOINT override should be an https URL.
    endpoint: "${PROMETHEUS_ENDPOINT:-http://localhost:9090}/api/prom/push"
    auth:
      strategy: "basic"
      user: "${PROMETHEUS_USER:-prometheus_user}"
      # NOTE(review): the fallback password is a placeholder. Set PROMETHEUS_PASS
      # in the environment; Vector's ${VAR:?message} form refuses to start when
      # the variable is unset, which fails closed instead of silently using
      # this default.
      password: "${PROMETHEUS_PASS:-myprometheuspassword}"
    inputs:
      - victorialogs_metrics_add_tags
    # Healthcheck disabled: a wrong endpoint or bad credentials only surface
    # when the first batch is written rather than at startup — presumably so
    # Vector can start before Prometheus is up; confirm this is intended.
    healthcheck:
      enabled: false

#  console:
#    type: "console"
#    inputs:
#      - victorialogs_logs_add_tags
#    encoding:
#      codec: "text"

  loki_victorialogs:
    type: loki
    inputs:
      - victorialogs_logs_add_tags
    # Same plaintext / basic-auth caveat as the Prometheus sink above.
    endpoint: "${LOKI_ENDPOINT:-http://localhost:3100}"
    auth:
      strategy: "basic"
      user: "${LOKI_USER:-loki_user}"
      # NOTE(review): placeholder password — override LOKI_PASS, see above.
      password: "${LOKI_PASS:-mylokipassword}"
    encoding:
      codec: "json"
    compression: "snappy"
    # "*" turns every key under .tags into a Loki label. The
    # victorialogs_logs_add_tags transform merges the whole .metadata object
    # into .tags (`.tags |= object(.metadata) ?? {}`), so any high-cardinality
    # metadata key becomes a label; check label cardinality in Loki before
    # running this at scale.
    labels:
      "*": "{{ tags }}"
    # NOTE(review): structured_metadata is commented out here but the "host"
    # entry below was kept, so as written it is read as one more label
    # (vector_monitoring.yaml sends it as structured metadata instead).
    # Confirm this parse result is what was intended.
    #structured_metadata:
      "host": "{{host}}"
    # ### For performance optimization. Vector works really well with defaults. Don't use it unless you really need to fine-tune your ingest.
    # buffer:
    #   - type: memory
    #     max_events: 12800 # default 500 https://www.elastic.co/docs/reference/fleet/es-output-settings#es-output-settings-performance-tuning-settings
    #     #when_full: drop_newest #default block
    # batch:
    #   #max_bytes:
    #   max_events: 1600 # default 1000
    #   timeout_secs: 5 # default 1