splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Fortinet Firewall traffic filter / drop specific IP range and port. #2622

Open dinesht77 opened 3 days ago

dinesht77 commented 3 days ago

Hi Team,

Assistance required in correcting this syntax. I need to filter / drop Fortinet traffic logs from a specific srcip range (10.x.x.x/24) and dstport 554. I tried the below block parser, matching on app TCP_554 and dest port 554, but it is not working.

filename: /opt/sc4s/local/config/app_parsers/rewriters/app-dest-rewrite-fortinet_fortios-d.conf

=========================================================================

block parser app-dest-rewrite-fortinet_fortios-d_fmt_hec_default() {
    channel { rewrite(r_set_dest_splunk_null_queue); };
};

application app-dest-rewrite-fortinet_fortios-d_fmt_hec_default[sc4s-lp-dest-format-d_hec_fmt] {
    filter {
        match('fortinet' value('fields.sc4s_vendor') type(string))
        and match('fortios' value('fields.sc4s_product') type(string))
        and match('TCP_554' value('fields.app') type(string))
        and match('554.' value('fields.dstport') type(string) flags(prefix));
    };
    parser { app-dest-rewrite-fortinet_fortios-d_fmt_hec_default(); };
};

dinesht77 commented 1 day ago

Hi, I tried with the below updated parser. No syntax error, but events are still getting forwarded to Splunk Cloud (events are not dropped).

Any suggestions on this parsers will be very helpful.

filename: /opt/sc4s/local/config/app_parsers/rewriters/app-dest-rewrite-fortinet_fortios_traffic_drop.conf

block parser app-dest-rewrite-fortinet_fortios_traffic_drop-d_fmt_hec_default() {
    channel { rewrite(r_set_dest_splunk_null_queue); };
};

application app-dest-rewrite-fortinet_fortios_traffic_drop-d_fmt_hec_default[sc4s-lp-dest-format-d_hec_fmt] {
    filter {
        match('fortinet' value('fields.sc4s_vendor') type(string))
        and match('fortios' value('fields.sc4s_product') type(string))
        and match('554' value('.SDATA.sc4s@fields.dstport') type(string))
        and match('10.6.129.' value('.SDATA.sc4s@fields.src') type(string) flags(prefix));
    };
    parser { app-dest-rewrite-fortinet_fortios_traffic_drop-d_fmt_hec_default(); };
};

====================================================================

Oct 19 22:00:50 XXXX docker[2730116]: syslog-ng checking config
Oct 19 22:00:50 XXXX docker[2730116]: sc4s version=3.32.0
Oct 19 22:00:53 XXXX docker[2730116]: starting syslog-ng

Raw Logs: logver=702081639 timestamp=1729375384 devname="ABC_AB_Core_FGXXX" devid="FGXXXXX5" vd="root" date=2024-10-19 time=22:03:04 eventtime=1729335783837646757 tz="+1100" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.6.129.6 srcport=55694 srcintf="Agg1.354" srcintfrole="lan" dstip=10.XXX.1.99 dstport=554 dstintf="Port26.657" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=2163515850 proto=6 action="timeout"
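The following is an added example of the drop filter described in this issue; it is not code from the issue author or from the SC4S project. Two things stand out when the attempts above are compared with the raw event: the raw log carries the keys `srcip` and `dstport`, while the filters test `fields.src`, `.SDATA.sc4s@fields.src` and, in the first version, a prefix match on the literal `554.` (which can never match the value `554`). The example below keys on the names that actually appear in the event. It assumes that the SC4S FortiOS kv-parser stores the key=value pairs under the `.values.` name-value prefix, so `srcip=` becomes `${.values.srcip}`; that prefix is an assumption and should be confirmed against the kv-parser in the installed `app-syslog-fortinet_fortios.conf` before relying on this. The parser and application names are hypothetical; the 10.6.129.0/24 range is taken from the raw log in the issue.

```conf
# Added example, not part of the issue or the SC4S project.
# Drop FortiOS traffic events whose srcip is in 10.6.129.0/24 and whose
# dstport is 554, by routing them to the SC4S null queue.
#
# ASSUMPTION: the FortiOS kv-parser stores key=value pairs under ".values.",
# so raw "srcip=..." and "dstport=..." are ${.values.srcip} and ${.values.dstport}.
# Confirm the prefix in the installed app-syslog-fortinet_fortios.conf.

block parser app-dest-rewrite-fortinet_fortios_rtsp_drop-d_fmt_hec_default() {
    channel {
        rewrite(r_set_dest_splunk_null_queue);
    };
};

application app-dest-rewrite-fortinet_fortios_rtsp_drop-d_fmt_hec_default[sc4s-lp-dest-format-d_hec_fmt] {
    filter {
        match('fortinet' value('fields.sc4s_vendor') type(string))
        and match('fortios' value('fields.sc4s_product') type(string))
        # limit the drop to traffic logs; event/utm logs keep flowing
        and match('traffic' value('.values.type') type(string))
        # type(string) is an exact compare: '554' matches dstport=554 only,
        # not 5540 or 1554, and no trailing dot is needed
        and match('554' value('.values.dstport') type(string))
        # anchored regex covering the whole /24; a flags(prefix) match on
        # '10.6.129.' would also work but accepts any trailing text
        and match('^10\.6\.129\.[0-9]{1,3}$' value('.values.srcip') type(pcre));
    };
    parser { app-dest-rewrite-fortinet_fortios_rtsp_drop-d_fmt_hec_default(); };
};
```

Place the file under `/opt/sc4s/local/config/app_parsers/rewriters/` as in the attempts above and restart the container so the `syslog-ng checking config` step shown in the docker log picks it up. If events are still forwarded, the name-value prefix is the first thing to check: a `match()` against a name that the parser never populates silently evaluates to false, which is exactly the "no syntax error but nothing dropped" symptom reported in the issue.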