seanthegeek / graylog-fortigate-cef

A Graylog content pack containing a stream and dashboards for Fortinet Fortigate CEF logs
https://marketplace.graylog.org/addons/7fd21323-a579-45db-89eb-b86e0ba73eb6
Apache License 2.0
14 stars, 8 forks

CEF TCP / Unable to decode raw message #2

Open abrodziak opened 2 years ago

abrodziak commented 2 years ago

When I configure the FortiGate to send CEF logs over TCP I get errors like below:

```
2022-01-21T09:14:06.052Z ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=7b981742-7a9a-11ec-a7be-fa163eb46c72, messageQueueId=10158, codec=CEF, payloadSize=1194, timestamp=2022-01-21T09:14:05.876Z, remoteAddress=/**.**.**.**:15394} on input <61ea78ce6455d64533205f9a>.
2022-01-21T09:14:06.052Z ERROR [DecodingProcessor] Error processing message RawMessage{id=7b981742-7a9a-11ec-a7be-fa163eb46c72, messageQueueId=10158, codec=CEF, payloadSize=1194, timestamp=2022-01-21T09:14:05.876Z, remoteAddress=/**.**.**.**:15394}
java.lang.IllegalStateException: Could not parse timestamp. '1190 <189>Jan 21 09:14:05'
	at com.github.jcustenborder.cef.CEFParserImpl.parse(CEFParserImpl.java:162) ~[graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) ~[graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:117) ~[graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:153) ~[graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:94) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:95) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:49) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:829) [?:?]
```

Input:

```
bind_address: 0.0.0.0
locale: <empty>
max_message_size: 2097152
number_worker_threads: 2
port: 5555
recv_buffer_size: 1048576
tcp_keepalive: false
timezone: Etc/UTC
tls_cert_file: /etc/letsencrypt/live/***/fullchain.pem
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: /etc/letsencrypt/live/***/privkey.pem
tls_key_password: ********
use_full_names: false
use_null_delimiter: true
```

Do you have any idea how to solve it?

seanthegeek commented 2 years ago

Not sure. I collect logs over UDP.

aman207 commented 2 years ago

Sorry, I don't have any solutions (other than just to use UDP), but I also have the same issue. Weird that it works fine on UDP but not TCP. From looking at packet capture dumps, the CEF log is the exact same format.
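Editor's note on the two observations above. The string the parser rejected, `'1190 <189>Jan 21 09:14:05'`, starts with a decimal number and a space in front of the `<189>` priority. That is the shape of RFC 6587 octet-counting framing (a byte count, a space, then that many bytes of message), which exists only on stream transports: a UDP datagram carries one message and needs no framing, so the CEF body is byte-identical in captures of both transports while the TCP stream still carries a count prefix that a delimiter-based input (NUL or newline) never strips. The example below is added here and is not code from graylog-fortigate-cef or from Graylog; it assumes the prefix is an octet count, uses a constructed FortiGate-style CEF event with made-up values, and models the two framings side by side to show why a delimiter-only split hands `1190 <189>...` to the CEF parser and how deframing first avoids it.

```python
"""Deframing RFC 6587 octet-counted syslog/CEF from a TCP stream.

Added example for this thread; not code from graylog-fortigate-cef or Graylog.
The sample event below is constructed (hypothetical host and field values).
"""
import re
from datetime import datetime
from typing import Optional, Tuple

# Header shape a CEF codec typically expects: <PRI>, BSD timestamp, host, CEF body.
SYSLOG_CEF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<cef>CEF:\d+\|.*)$",
    re.DOTALL,
)

# Constructed sample shaped like a FortiGate CEF traffic log (values are made up).
SAMPLE = (
    "<189>Jan 21 09:14:05 fw01 CEF:0|Fortinet|Fortigate|v6.4.8|traffic:forward close|"
    "traffic:forward close|3|deviceExternalId=FG100E0000000001 FTNTFGTlogid=0000000013 "
    "cat=traffic:forward act=close src=10.0.0.5 dst=198.51.100.7 dpt=443"
)


def octet_count_frame(msg: str) -> bytes:
    """RFC 6587 3.4.1 framing: decimal byte count, one space, then that many bytes.
    The count here covers a trailing LF (an assumption about the sender)."""
    body = (msg + "\n").encode()
    return f"{len(body)} ".encode() + body


def non_transparent_frame(msg: str, delim: bytes = b"\n") -> bytes:
    """RFC 6587 3.4.2 framing: message terminated by a delimiter (LF or NUL)."""
    return msg.encode() + delim


def delimiter_split(stream: bytes, delim: bytes = b"\n") -> list:
    """What a delimiter-only TCP input does: any octet-count prefix stays glued on."""
    return [p.decode() for p in stream.split(delim) if p]


def deframe(stream: bytes, delim: bytes = b"\n") -> list:
    """Split a TCP byte stream into records, accepting either framing per record.

    Assumes every record starts with '<PRI>', so a leading run of digits plus a
    space can only be an octet count. A trailing partial frame is left unread."""
    records, i = [], 0
    while i < len(stream):
        m = re.match(rb"(\d{1,6}) ", stream[i:])
        if m:
            length = int(m.group(1))
            start = i + m.end()
            if start + length > len(stream):
                break  # incomplete frame: wait for more bytes from the socket
            records.append(stream[start:start + length].decode().rstrip("\r\n"))
            i = start + length
        else:
            end = stream.find(delim, i)
            if end < 0:
                break  # incomplete delimited record
            records.append(stream[i:end].decode())
            i = end + len(delim)
    return records


def parse_syslog_cef(record: str) -> dict:
    """Parse the syslog header and CEF prefix fields; fails the way the thread's
    error does when the record does not begin with '<PRI>Mon dd HH:MM:SS'."""
    m = SYSLOG_CEF_RE.match(record)
    if not m:
        raise ValueError(f"Could not parse timestamp. {record[:26]!r}")
    datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # validates the BSD timestamp
    hdr = m["cef"].split("|", 7)
    return {
        "pri": int(m["pri"]), "host": m["host"], "vendor": hdr[1], "product": hdr[2],
        "version": hdr[3], "signature": hdr[4], "name": hdr[5],
        "severity": int(hdr[6]), "extension": hdr[7],
    }


def parse_or_error(record: str) -> Tuple[Optional[dict], Optional[str]]:
    """Return (parsed, None) on success or (None, error text) on failure."""
    try:
        return parse_syslog_cef(record), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    tcp_stream = octet_count_frame(SAMPLE) * 2
    for rec in delimiter_split(tcp_stream):
        print("delimiter-only split:", parse_or_error(rec)[1])
    for rec in deframe(tcp_stream):
        print("deframed:", parse_or_error(rec)[0]["name"])
```

Running it, the delimiter-only split produces records beginning with the byte count and the parser reports the same "Could not parse timestamp" failure as in the issue, while the deframed records parse normally. Whether the fix belongs on the sender (emit delimiter-framed records) or on the receiver (an input that understands octet counting) depends on what each side supports; the example only isolates the framing step from the CEF parsing step.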