# Licensed to empow under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. empow licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# Events arrive over the internal pipeline-to-pipeline transport; the
# upstream pipeline addresses this one as "fortinet_pipeline".
input {
  pipeline {
    address => "fortinet_pipeline"
  }
}
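filter{
  # Strip the syslog PRI prefix ("<NNN>") and keep the rest of the line in
  # kv_log. A non-matching message gets grok's default _grokparsefailure tag.
  grok{
    match => {"message" => "%{NUMBER}\>(?<kv_log>.*)"}
  }
  # One event field per key=value pair in kv_log.
  # NOTE(review): kv creates a field for *every* key that appears in the
  # logged text, so whoever controls the log content controls the field
  # names that land on the event; restricting with include_keys would be
  # stricter — confirm the expected FortiGate key set first.
  kv{
    source => "kv_log"
  }
  mutate{
    add_field => {"[observer][type]" => "IDS" "[observer][product]" => "fortinet"}
    # All renames in one hash (the original listed "srcip" twice). mutate
    # applies rename before replace, so "date"/"time" are still in place
    # when tmp_date is built below.
    rename => {
      "srcip" => "[source][ip]"
      "dstip" => "[destination][ip]"
      "srcport" => "[source][port]"
      "dstport" => "[destination][port]"
      "attack" => "[event][category]"
      "msg" => "[event][description]"
      "attackid" => "[empow][signature]"
      "ref" => "[event][more_info]"
      "logid" => "[event][sequence]"
      "direction" => "[network][direction]"
    }
    # If "date" or "time" is absent the unresolved reference stays literal,
    # the date filter below fails to parse it and tags _dateparsefailure.
    replace => {"tmp_date" => "%{date} %{time}"}
    add_tag => ["empow_classification", "src_ip", "dst_ip"]
  }
  # Derive event.id only when attackid was present; an unguarded add_field
  # would otherwise store the literal string "%{[empow][signature]}".
  if [empow][signature] {
    mutate{
      add_field => {"[event][id]" => "%{[empow][signature]}"}
    }
  }
  # Accept either an epoch timestamp or the "date time" form and drop the
  # scratch field once @timestamp is set.
  date{
    match => ["tmp_date", "UNIX", "yyyy-MM-dd HH:mm:ss"]
    target => "@timestamp"
    remove_field => ["tmp_date"]
  }
}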
# Hand the normalised event to the shared Elasticsearch output pipeline.
output {
  pipeline {
    send_to => ["elastic_output"]
  }
}