Some of my logs have a field whose value is a port number instead of the service (such as HTTP, HTTPS). This causes a failure to identify the enum field Network.ApplicationProtocol in SecOps.
The error displayed in the screenshot is:
Index 0: Couldn't find enum value by name.
And this is the parser code block that maps the field in the original log to the UDM:
------------------
I've tried adding a value check when the service field contains a port number (as an integer), but I get the same error. How do I handle this error?
Any suggestion on how to verify the value of the field before mapping it to the UDM?
The way the current default parser works is that the field 'protocol' is mapped to 'network.ip_protocol' if protocol contains tcp and udp; otherwise it is mapped to 'network.application_protocol'. I would go to support to have the default parser modified, as obviously this mapping doesn't cover all scenarios.
Could you please share a sanitized log sample plus the mapping you need? This will require a short parser extension.
The parser section you shared:
if [service] != {
mutate {
uppercase => ["service"]
}
}
is not syntactically correct. You would need to put an explicit string in the condition, like
if [service] != "value" {..do...}
For the specific error you are getting, it is because the field "Network.application_protocol" is enumerated, so it will only accept one of these values: [UNKNOWN_APPLICATION_PROTOCOL, QUIC, HTTP, HTTPS, DNS, DHCP]. But you are attempting to pass the string "56717", which is not in the allowed list. You could try passing "UNKNOWN_APPLICATION_PROTOCOL" directly in that case, or you could share the sanitized log sample and I could fix this in a few lines.
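To show the value check the question asks about, here is an added example that is not code from the thread or from the SecOps parser itself: a Python model of the mapping rule described in the answers, with the six enum values listed above treated as the full allowed set. Keeping a numeric value under target.port and an unrecognised service name under additional.fields is an assumption of this example, not something the thread states.

```python
import re

# Allowed values of the Network.ApplicationProtocol enum, as listed in the
# answer above (the real enum is longer; this is the set the thread names).
APPLICATION_PROTOCOLS = {
    "UNKNOWN_APPLICATION_PROTOCOL", "QUIC", "HTTP", "HTTPS", "DNS", "DHCP",
}
# Values the default parser routes to network.ip_protocol instead.
IP_PROTOCOLS = {"TCP", "UDP"}
PORT_RE = re.compile(r"^\d{1,5}$")


def map_service(service: str) -> dict:
    """Decide which UDM fields a raw 'service' value may populate.

    The enum field only ever receives a value from APPLICATION_PROTOCOLS,
    so the "Couldn't find enum value by name" failure cannot occur.
    """
    value = service.strip().upper()
    udm = {}
    if value in IP_PROTOCOLS:
        udm["network.ip_protocol"] = value
    elif value in APPLICATION_PROTOCOLS:
        udm["network.application_protocol"] = value
    elif PORT_RE.match(value) and int(value) <= 65535:
        # A bare port number: keep it as a port (assumed target.port) and
        # fall back to the enum's UNKNOWN member for the protocol.
        udm["network.application_protocol"] = "UNKNOWN_APPLICATION_PROTOCOL"
        udm["target.port"] = int(value)
    else:
        # Anything else (e.g. a service the enum lacks, or an out-of-range
        # number) is preserved as a label (assumed additional.fields).
        udm["network.application_protocol"] = "UNKNOWN_APPLICATION_PROTOCOL"
        udm["additional.fields"] = {"service": service}
    return udm


def map_log_lines(lines):
    """Apply map_service to constructed 'service=<value>' log lines."""
    return [map_service(line.split("service=", 1)[1]) for line in lines]


if __name__ == "__main__":
    # Constructed sample values covering each branch.
    for raw in ["service=56717", "service=https", "service=tcp", "service=smtp"]:
        print(raw, "->", map_log_lines([raw])[0])
```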