{
  "id" : null,
  "name" : "fortigate",
  "description" : "fortigate",
  "category" : "firewall",
  "inputs" : [ {
    "title" : "fortigate",
    "configuration" : {
      "override_source" : "",
      "allow_override_date" : true,
      "recv_buffer_size" : 1048576,
      "bind_address" : "0.0.0.0",
      "port" : 11514
    },
    "type" : "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
    "global" : false,
    "extractors" : [ {
      "title" : "traffic - default",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "date=%{DATE_YMD:logdate},time=%{TIME:logtime},devname=%{DATA:devname},devid=%{DATA:devid},logid=%{DATA:logid},type=%{DATA:type},subtype=%{DATA:subtype},level=%{DATA:lv},vd=%{DATA:vd},srcip=%{IP:srcip},(srcport=%{DATA:srcport},)?srcintf=%{DATA:srcintf},dstip=%{IP:dstip},(dstport=%{DATA:dstport},)?dstintf=%{DATA:dstintf},poluuid=%{DATA:poluuid},sessionid=%{DATA:sessionid},proto=%{DATA:proto},action=%{DATA:action},policyid=%{DATA:policyid},(dstcountry=%{DATA:dstcountry},srccountry=%{DATA:srccountry},)?(trandisp=%{DATA:UNWANTED},)?(service=%{DATA:service},)?(appid=%{DATA:appid},app=%{DATA:app},)?appcat=%{DATA:appcat},(apprisk=%{DATA:apprisk},)?(applist=%{DATA:UNWANTED},)?(appact=%{DATA:appact},)?(duration=%{NUMBER:duration;int},sentbyte=%{NUMBER:sentbyte;int},rcvdbyte=%{NUMBER:rcvdbyte;int},sentpkt=%{NUMBER:sentpkt;int},)?(rcvdpkt=%{NUMBER:rcvdpkt;int}(,|$))?"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "type=traffic"
    }, {
      "title" : "utm - app-ctrl",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "date=%{DATE_YMD:logdate},time=%{TIME:logtime},devname=%{DATA:devname},devid=%{DATA:devid},logid=%{DATA:logid},type=%{DATA:type},subtype=%{DATA:subtype},%{DATA:UNWANTED},srcip=%{IP:srcip},srcport=%{DATA:srcport},(srcintf=%{DATA:srcintf},)?dstip=%{IP:dstip},dstport=%{DATA:dstport},(dstintf=%{DATA:dstintf},)?proto=%{DATA:proto},service=%{DATA:service},policyid=%{DATA:policyid},sessionid=%{DATA:sessionid},(applist=%{DATA:UNWANTED},)?(appcat=%{DATA:appcat},)?(app=%{DATA:app},)?action=%{DATA:action},(%{DATA:UNWANTED},)?(apprisk=%{DATA:apprisk}$)?"
      },
      "converters" : [ ],
      "order" : 1,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "subtype=app-ctrl"
    }, {
      "title" : "traffic - unscanned - short",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "date=%{DATE_YMD:logdate},time=%{TIME:logtime},devname=%{DATA:devname},devid=%{DATA:devid},logid=%{DATA:logid},type=%{DATA:type},subtype=%{DATA:subtype},level=%{DATA:lv},vd=%{DATA:vd},srcip=%{IP:srcip},(srcport=%{DATA:srcport},)?srcintf=%{DATA:srcintf},dstip=%{IP:dstip},(dstport=%{DATA:dstport},)?dstintf=%{DATA:dstintf},poluuid=%{DATA:poluuid},sessionid=%{DATA:sessionid},proto=%{DATA:proto},action=%{DATA:action},policyid=%{DATA:policyid},appcat=%{DATA:appcat},"
      },
      "converters" : [ ],
      "order" : 3,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "appcat=\"unscanned\""
    }, {
      "title" : "traffic - unscanned - long",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "date=%{DATE_YMD:logdate},time=%{TIME:logtime},devname=%{DATA:devname},devid=%{DATA:devid},logid=%{DATA:logid},type=%{DATA:type},subtype=%{DATA:subtype},level=%{DATA:lv},vd=%{DATA:vd},srcip=%{IP:srcip},(srcport=%{DATA:srcport},)?srcintf=%{DATA:srcintf},dstip=%{IP:dstip},(dstport=%{DATA:dstport},)?dstintf=%{DATA:dstintf},(poluuid=%{DATA:poluuid},)?sessionid=%{DATA:sessionid},proto=%{DATA:proto},action=%{DATA:action},policyid=%{DATA:policyid},(dstcountry=%{DATA:dstcountry},srccountry=%{DATA:srccountry},)?(%{DATA:UNWANTED},)?service=%{DATA:service},duration=%{NUMBER:duration;int},sentbyte=%{NUMBER:sentbyte;int},rcvdbyte=%{NUMBER:rcvdbyte;int},sentpkt=%{NUMBER:sentpkt;int},(rcvdpkt=%{NUMBER:rcvdpkt;int},)?(%{DATA:UNWANTED},)?appcat=%{DATA:appcat}(,|$)"
      },
      "converters" : [ ],
      "order" : 2,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "appcat=\"unscanned\""
    }, {
      "title" : "utm - ips",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "date=%{DATE_YMD:logdate},time=%{TIME:logtime},devname=%{DATA:devname},devid=%{DATA:devid},logid=%{DATA:logid},type=%{DATA:type},subtype=%{DATA:subtype},eventtype=%{DATA:eventtype},level=%{DATA:lv},vd=%{DATA:vd},severity=%{DATA:severity},srcip=%{IP:srcip},dstip=%{IP:dstip},srcintf=%{DATA:srcintf},dstintf=%{DATA:dstintf},policyid=%{DATA:policyid},sessionid=%{DATA:sessionid},action=%{DATA:action},proto=%{DATA:proto},service=%{DATA:service},attack=%{DATA:attack},srcport=%{DATA:srcport},dstport=%{DATA:dstport},(%{DATA:UNWANTED},)?direction=%{DATA:direction},"
      },
      "converters" : [ ],
      "order" : 4,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "subtype=ips"
    } ],
    "static_fields" : {
      "fortigate" : "true"
    }
  } ],
  "streams" : [ {
    "id" : "56ca114a0992e5e0e48c5689",
    "title" : "fortigate utm",
    "description" : "fortigate utm",
    "disabled" : false,
    "outputs" : [ ],
    "stream_rules" : [ {
      "type" : "EXACT",
      "field" : "source",
      "value" : "10.1.1.1/10.1.1.1",
      "inverted" : false
    }, {
      "type" : "EXACT",
      "field" : "type",
      "value" : "utm",
      "inverted" : false
    } ]
  }, {
    "id" : "56ca114a0992e5e0e48c5685",
    "title" : "fortigate traffic",
    "description" : "fortigate traffic",
    "disabled" : false,
    "outputs" : [ ],
    "stream_rules" : [ {
      "type" : "EXACT",
      "field" : "source",
      "value" : "10.1.1.1/10.1.1.1",
      "inverted" : false
    }, {
      "type" : "EXACT",
      "field" : "type",
      "value" : "traffic",
      "inverted" : false
    } ]
  } ],
  "outputs" : [ ],
  "dashboards" : [ ],
  "grok_patterns" : [ {
    "name" : "DATE_YMD",
    "pattern" : "%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}"
  } ]
}