Incorrect field parsing for FortiOS syslog messages with quotes

[joschi]

The FortiOS syslog parser doesn't seem to handle key/value pairs with quotes correctly:

https://community.graylog.org/t/2-2-3-fortigate-parsing/1034

[neyz]

Hello,

i'm experiencing the same problem which quickly fills up the Elastic Search index, slows down the system and then reach the 1000 field limit.

Full message :

<182>date=2018-02-27 time=15:34:03 devname=REDACTED devid=REDACTED logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd=root appid=15893 user="" srcip=192.168.0.186 srcport=55303 srcintf="internal" dstip=5.45.62.118 dstport=80 dstintf="wan1" profiletype="applist" proto=6 service="HTTP" policyid=1 sessionid=1589466 applist="default" appcat="Web.Client" app="HTTP.BROWSER" action=pass hostname="su.ff.avast.com" url="/R/A1MKIDQyOEZCMzlCNjJCMDRBNjJBRUIzOTY3ODI2ODJBQ0M2EgQAJQIYGK4BIgEBKgcIBBCwiNdcMgoIABDyitdcGIACOICAkGhIgICAgPr_____AQ==" msg="Web.Client: HTTP.BROWSER," apprisk=medium

Created field is :

A1MKIDQyOEZCMzlCNjJCMDRBNjJBRUIzOTY3ODI2ODJBQ0M2EgQAJQIYGK4BIgEBKgcIBBCwiNdcMgoIABDyitdcGIACOICAkGhIgICAgPr_____AQ=

I understand that the "=" is making graylog believe that it's a new field but shouldn't the quotes inhibit this behavior ?

[eXeXiL]

Hello,

has there been a solution for this case? I´m also struggling to get this work..

[d-a-n-d-u]

Issue still present in 5.1 release.

And the problem seems to be with the syslog4j-graylog2 code that uses a both quoted and unqouted pattern for fields.