fortigate 7.0.X버전의 logstash 설정
fortigate 6.X와 7.X대 사이에 syslog 형식에 변화가 있었네요.
7.X대용 logstash 설정은 코드가 좀 더 업그레이드되었습니다.
[root@tmplogsvr 192.168.x.x]# vi /etc/logstash/conf.d/logstash.conf
input {
  # Two Fortigate units; rsyslog writes each sender into its own directory.
  # The "fortigate" tag is what the filter and output sections key on.
  file {
    tags => ["fortigate"]
    path => "/var/log/rsyslog/192.168.x.1/*.log"
    # Read pre-existing files from the top; only applies to files not yet tracked in sincedb.
    start_position => "beginning"
  }
  file {
    tags => ["fortigate"]
    path => "/var/log/rsyslog/192.168.x.2/*.log"
    start_position => "beginning"
  }
}
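filter {
  if "fortigate" in [tags] {
    # Split the rsyslog header (timestamp + sending device) off the Fortigate body.
    # NOTE: overwrite => ["message"] is a no-op here, because the pattern never captures
    # into [message]; [message] keeps the full line, and that is what kv parses below.
    grok {
      patterns_dir => ["/etc/logstash/pattern.d"]
      match => { "message" => [ "%{FORTILOG} %{GREEDYDATA:sub_message}" ] }
      overwrite => [ "message" ]
    }
    # Fortigate logs are key=value pairs. Every key found in the (device-controlled) line
    # becomes an event field and thus an Elasticsearch mapping entry, so unexpected keys can
    # grow the index mapping without bound. The usual mitigations are an include_keys
    # allowlist and/or parsing [sub_message] instead of [message]; behaviour is kept as-is here.
    kv {
      value_split => "="
    }
    # GeoIP lookup only for sessions entering on a WAN-role interface.
    if "wan" in [srcintfrole] {
      geoip {
        source => "srcip"
        target => "geoip_src"
      }
    }
    # Fix: the previous test ([sentbyte] != "") is also true when the field is absent,
    # so the bytes filters ran on non-traffic events that carry no byte counters.
    # A bare field reference is truthy only when the field exists and is non-empty.
    if [sentbyte] and [rcvdbyte] {
      bytes {
        source => "rcvdbyte"
        target => "rcvdbyte"
      }
      bytes {
        source => "sentbyte"
        target => "sentbyte"
      }
    }
    # Numeric Fortigate fields arrive as strings from kv; convert so they aggregate in ES.
    # convert is a no-op for fields that are not present on the event.
    mutate {
      convert => {
        "transport" => "integer"
        "duration" => "integer"
        "sentpkt" => "integer"
        "rcvdpkt" => "integer"
        "srcserver" => "integer"
        "proto" => "integer"
        "sessionid" => "integer"
        "policyid" => "integer"
        "crscore" => "integer"
        "craction" => "integer"
        "srcport" => "integer"
        "dstport" => "integer"
        "cpu" => "integer"
        "mem" => "integer"
        "totalsession" => "integer"
        "disk" => "integer"
        "setuprate" => "integer"
        "disklograte" => "integer"
        "fazlograte" => "integer"
        "freediskstorage" => "integer"
        "sysuptime" => "integer"
      }
    }
  }
}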
output {
  if "fortigate" in [tags] {
    elasticsearch {
      # Plain HTTP with no credentials: only acceptable on an isolated management network.
      # Otherwise use an https:// URL with user/password (or api_key) so firewall log data
      # and write access to the cluster are not exposed in the clear.
      hosts => [ "http://192.168.x.x:9200" ]
      # One index per day; data streams disabled so the explicit index name is used.
      index => "logstash-fortigate-index-%{+YYYY.MM.dd}"
      data_stream => "false"
    }
  }
}
[root@tmplogsvr pattern.d]# vi /etc/logstash/pattern.d/fortigate.pattern
# rsyslog header preceding the Fortigate key=value body: "<Mon> <day> <HH:MM:SS> <sender>",
# where the sender is an IP address or the literal _gateway. The anchor is zero-width, so
# placing it before the timestamp group captures exactly the same text as placing it inside.
FORTILOG ^(?<timestamp>\w+\s+\d+\s+\d+:\d+:\d+)\s(?<log_send_dev>(?:%{IP}|_gateway))