This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
The Google Cloud Security Community is upgrading platforms!

Read more and check out our FAQ
Log in to ask a question

Fortigate not parsing cfgattr

Posted on 02-10-2025 12:21 AM
tnxtr
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi Folks,

The default parser in Google SecOps (Chronicle) does not parse attributes inside cfgattr= (such as uuid, status, name, comments) from FortiGate firewall logs. In statedump, it extracts cfgattr but I couldn't map these to udms.

Using Grok Debugger, I created a parser that correctly extracts these attributes and maps them to the appropriate UDM fields. 

I would appreciate your support in troubleshooting this issue.

%{DATA}cfgattr="uuid\[%{UUID:uuid}\]status\[%{WORD:status}->%{WORD:status_new}\]name\[%{DATA:name}\]srcaddr\[%{DATA:srcaddr_old}->%{DATA:srcaddr_new}\]schedule\[%{DATA:schedule_old}->%{DATA:schedule_new}\]comments\[%{DATA:comments_old}->%{DATA:comments_new}\]"

<190>date=2025-02-07 time=10:55:36 devname="DEVICENAME" devid="FGVM123123123" eventtime=1738914936223542976 tz="+0300" logid="0101010101" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="username" ui="GUI(1.1.1.1)" action="Edit" cfgtid=123321 cfgpath="firewall.policy" cfgobj="50" cfgattr="uuid[c11fdabe-c321-34df-b918-ad6661291c10]status[disable->enable]name[->Ticket-121212]srcaddr[Group_Name_1 Group_Name_2->Group2_Test_10.10.10.10 Group2_Test_10.10.10.10]schedule[always->22feb]comments[ (Rulename)->Ticket-131313]" msg="Edit firewall.policy 50"

0 4 313
Topic Labels
0 Likes
4 REPLIES 4

Posted on --/--/---- --:-- AM
t-martin
Staff
Reply posted on --/--/---- --:-- AM

Hi @tnxtr ,

We noticed something similar internally and the parser team released an update on 2025-01-20 to resolve. Please ensure you're using the latest version of the parser for FORTINET_FIREWALL. See https://cloud.google.com/chronicle/docs/ingestion/parser-list/fortinet-firewall-changelog for details.

If you're still seeing this issue, please file a support ticket.

Thanks!

 

Posted on --/--/---- --:-- AM
tnxtr
Bronze 4
Bronze 4
In response to t-martin
Reply posted on --/--/---- --:-- AM

Yeah updated parser is worked but It did not extract the values inside; it only extracted the entire block

this is how it looks on udm;

additional.fields["cfgattr"]: "uuid[c11fdabe-c321-34df-b918-ad6661291c10]status[disable->enable]name[->Ticket-121212]srcaddr[Group_Name_1 Group_Name_2->Group2_Test_10.10.10.10 Group2_Test_10.10.10.10]schedule[always->22feb]comments[ (Rulename)->Ticket-131313]"

but i need attributes inside of cfgattr

0 Likes

Posted on --/--/---- --:-- AM
t-martin
Staff
In response to tnxtr
Reply posted on --/--/---- --:-- AM

I see! I passed your request to the parsing team for evaluation.

Posted on --/--/---- --:-- AM
tnxtr
Bronze 4
Bronze 4
In response to t-martin
Reply posted on --/--/---- --:-- AM

Thanks 🙂 I'll wait for the update

0 Likes
Top Solution Authors
View all