elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Filebeat module Fortinet-FortiManager doesn't support last version v7.2.1 #34023

Closed leweafan closed 7 months ago

leweafan commented 1 year ago

Describe the enhancement: Filebeat module Fortinet (FortiManager fileset) needs new parsing for FortiManager 7.2.1 (build1215 220809)

Describe a specific use case for the enhancement or feature: The current Filebeat module for Fortinet FortiManager uses a local JS script based on a kv filter, which can't be used for the new log format.

Old format:

date=2016-2-12 time=1:12:33 logver=litesse devid=orev devname=pisciv logid=uii type=umexe subtype=estlabo level=high vd=iatnu srcip=10.182.84.248 srcport=4880 srcintf=enp0s208 dstip=10.162.33.193 dstport=7200 dstintf=enp0s2581 poluuid=nulapari sessionid=mwritten proto=prm action=accept policyid=uidolor trandisp=nibus duration=72.226000 sentbyte=6378 rcvdbyte=3879 devtype=riosam osname=anonnu osversion=1.410 mastersrcmac=ameaqu srcmac=01:00:5e:84:66:6c crscore=145.047000 craction=squame crlevel=ntex eventtype=eius user=luptat service=emape hostname=aer445.host profile=eumiu reqtype=uame url=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS direction=external msg=com method=eataevi cat=byC catdesc=tinculp device_id=tur log_id=atio pri=high userfrom=atemsequ adminprof=nci timezone=CEST main_type=eFini trigger_policy=amco sub_type=exe severity_level=iatu policy=ionofde src=10.62.4.246 src_port=189 dst=10.171.204.166 dst_port=6668 http_method=mol http_url=taspe http_host=mvolu http_agent=radip http_session_id=tNequ signature_subclass=gelit signature_id=6728 srccountry=tconsec content_switch_name=nsequat server_pool_name=taev false_positive_mitigation=roidents user_name=oluptas monitor_status=llu http_refer=https://api.example.org/tamremap/tur.html?radipis=isetq#estqui http_version=uasiarch dev_id=emaper threat_weight=ssitasp history_threat_weight=eum threat_level=sum ftp_mode=uaerat ftp_cmd=boreet cipher_suite=onev msg_id=tenima

New format:

<185>date=2022-12-11 time=07:06:39 tz="+0300" devname=10ib-ftm01 device_id=FMG-VMTM22008934 log_id=0001010014 type=event subtype=system pri=alert desc="User login from SSH failed" user="root" msg="Login from ssh: Failed for invalid user root from 10.237.110.5 port 58416" remote_ip="10.237.110.5" remote_port=58416 operation="login failed" performed_on="ssh(10.237.110.5)" changes="'root' login failed from ssh(10.237.110.5)" valid=0 authmsg="Failed" extrainfo=""

Link to Fortinet documentation - FortiManager 7.2.1 event log message example

Please find more log examples here.

You can find the demo ingest pipeline created for FortiManager 7.2.1 here.

To test it, execute from the Dev console:

POST /_ingest/pipeline/filebeat-fortinet-fortimanager-7.2.1-ingest-pipeline/_simulate
{
  "docs": [
    {
      "_source": {
        "@timestamp": "2022-06-29T10:41:19.484Z",
        "event" : {
          "original": "<190>date=2022-12-11 time=11:38:45 tz=\"+0300\" devname=10ib-ftm01 device_id=FMG-VMTM22008934 log_id=0012021018 type=event subtype=dm pri=information desc=\"Device state updates\" msg=\"Device ftggwgd02 config status changed to IN_SYNC, devdb NOT_MODIFIED\" device=\"ftggwgd02\" operation=\"Update device state\" performed_on=\"ftggwgd02\" changes=\"Device ftggwgd02 config status changed to IN_SYNC, devdb NOT_MODIFIED\" dbstatus=\"insync\" confstatus=\"insync\" condition=\"unknown\" dmstate=\"none\"",
          "timezone": "+03:00",
          "module": "fortinet",
          "action": "event",
          "dataset": "fortinet.fortimanager"
        }
      }
    }
  ]
}
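The parsing problem the issue describes is that the legacy FortiManager line is plain whitespace-separated `key=value` tokens, while the 7.2.1 line carries a syslog `<PRI>` prefix and double-quoted values that contain spaces, `:`, `=` and parentheses, which a naive kv split tears apart. The following is an added example, not code from the Beats repository or the Filebeat fortinet module, showing one tokenizer that handles both formats and the edge cases visible in the issue (empty quoted value, non-zero-padded legacy date/time, numeric `tz` offset versus a named `timezone`). It is written in plain ES5 so it could also be dropped into a Filebeat `script` processor; that it runs there unchanged is an assumption, only Node.js was used. Treating `\"` inside a quoted value as an escaped quote is also an assumption; the issue shows no such value.

```javascript
// Added example (not Beats/Filebeat module code): parse FortiManager syslog lines in the
// legacy unquoted key=value format and in the 7.2.1 format with <PRI> and quoted values.

var SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"];

// Strip a leading RFC 3164 priority such as "<185>" and decode it (pri = facility * 8 + severity).
// A line without a valid PRI (0..191) is returned untouched, which is what the legacy format looks like.
function parsePriority(line) {
  var m = /^<(\d{1,3})>/.exec(line);
  if (!m || parseInt(m[1], 10) > 191) {
    return { priority: null, facility: null, severity: null, severityName: null, rest: line };
  }
  var pri = parseInt(m[1], 10);
  return { priority: pri, facility: Math.floor(pri / 8), severity: pri % 8,
           severityName: SEVERITY_NAMES[pri % 8], rest: line.slice(m[0].length) };
}

// Tokenise key=value pairs. A bare value runs to the next whitespace, so '=' or ':' inside a URL
// or MAC address stays in the value. A double-quoted value runs to the closing quote, so spaces
// and '=' inside it belong to the value; \" is taken as an escaped quote (assumption, see lead-in).
// Tokens that are not key=value, and unterminated quotes, are reported instead of silently dropped.
function parseKv(text) {
  var fields = {}, unparsed = [], pos = 0, n = text.length;
  while (pos < n) {
    while (pos < n && /\s/.test(text.charAt(pos))) pos++;   // skip separators
    if (pos >= n) break;
    var rest = text.slice(pos);
    var km = /^([A-Za-z0-9_.\-]+)=/.exec(rest);
    if (!km) {                                               // not a key=value token
      var stop = rest.search(/\s/);
      var tok = stop < 0 ? rest : rest.slice(0, stop);
      unparsed.push(tok);
      pos += tok.length;
      continue;
    }
    var key = km[1];
    pos += km[0].length;
    var value = "";
    if (text.charAt(pos) === '"') {                          // quoted value
      pos++;
      var closed = false;
      while (pos < n) {
        var c = text.charAt(pos);
        if (c === "\\" && text.charAt(pos + 1) === '"') { value += '"'; pos += 2; continue; }
        if (c === '"') { closed = true; pos++; break; }
        value += c;
        pos++;
      }
      if (!closed) unparsed.push("unterminated quote in " + key);
    } else {                                                 // bare value
      var stop2 = rest.slice(km[0].length).search(/\s/);
      var end = stop2 < 0 ? n : pos + stop2;
      value = text.slice(pos, end);
      pos = end;
    }
    fields[key] = value;
  }
  return { fields: fields, unparsed: unparsed };
}

// Build an ISO 8601 timestamp from date=, time= and tz= (7.2.1) or timezone= (legacy).
// Legacy lines are not zero-padded ("date=2016-2-12 time=1:12:33"), so each part is padded.
// Only a numeric offset such as "+0300" is converted; a named zone like "CEST" is returned
// separately so the caller can decide how to resolve it rather than guessing an offset.
function buildTimestamp(fields) {
  if (!fields.date || !fields.time) return null;
  var pad = function (s) { return s.length < 2 ? "0" + s : s; };
  var d = fields.date.split("-"), t = fields.time.split(":");
  if (d.length !== 3 || t.length !== 3) return null;
  var stamp = d[0] + "-" + pad(d[1]) + "-" + pad(d[2]) + "T" + pad(t[0]) + ":" + pad(t[1]) + ":" + pad(t[2]);
  var tz = fields.tz || fields.timezone || "";
  var om = /^([+-])(\d{2})(\d{2})$/.exec(tz);
  if (om) return { timestamp: stamp + om[1] + om[2] + ":" + om[3], zoneName: null };
  return { timestamp: stamp, zoneName: tz || null };
}

function parseFortiManagerLine(line) {
  var pri = parsePriority(line);
  var kv = parseKv(pri.rest);
  var ts = buildTimestamp(kv.fields);
  return { syslog: { priority: pri.priority, facility: pri.facility, severity: pri.severity, severityName: pri.severityName },
           fields: kv.fields, unparsed: kv.unparsed,
           timestamp: ts ? ts.timestamp : null, zoneName: ts ? ts.zoneName : null };
}

// Sample input: the 7.2.1 line from the issue, and a shortened copy of the issue's legacy line.
var NEW_FORMAT_LINE = '<185>date=2022-12-11 time=07:06:39 tz="+0300" devname=10ib-ftm01 device_id=FMG-VMTM22008934 log_id=0001010014 type=event subtype=system pri=alert desc="User login from SSH failed" user="root" msg="Login from ssh: Failed for invalid user root from 10.237.110.5 port 58416" remote_ip="10.237.110.5" remote_port=58416 operation="login failed" performed_on="ssh(10.237.110.5)" changes="\'root\' login failed from ssh(10.237.110.5)" valid=0 authmsg="Failed" extrainfo=""';
var LEGACY_LINE = 'date=2016-2-12 time=1:12:33 logver=litesse devid=orev devname=pisciv logid=uii type=umexe subtype=estlabo level=high srcip=10.182.84.248 srcport=4880 srcmac=01:00:5e:84:66:6c url=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS timezone=CEST msg_id=tenima';

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(parseFortiManagerLine(NEW_FORMAT_LINE), null, 2));
  console.log(JSON.stringify(parseFortiManagerLine(LEGACY_LINE), null, 2));
}
```

Note that `<185>` decodes to facility 23 and severity 1 (`alert`), which agrees with the `pri=alert` field in the same line; comparing the two is a cheap sanity check that the priority prefix was not mangled in transit. The tokenizer reports rather than discards anything it cannot parse, so a format change like the one in this issue surfaces as an `unparsed` entry instead of silently producing half-populated events.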
elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

botelastic[bot] commented 9 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

elasticmachine commented 8 months ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

taylor-swanson commented 7 months ago

Closing issue as the Fortinet FortiManager fileset was deprecated in 8.12.0.

We recommend moving to the Fortinet FortiManager Logs Elastic integration.