Fortigate Logs to CSV

#1 Mrkasali

Ok so I'm trying to export the logs from our FortiGate to a CSV file. That's actually already working fine. But the problem is, lots of information is stored in the $Message. So what I want to do is to get all "variables" in the $Message in separate fields. I'm having a really hard time with this right now. I've never really done something with regex and nxlog. I'd be really happy if you guys could help me out here.

That's how nxlog writes an event into the csv file: 2021-06-28 00:00:05;"INFO";2;"XXX.XXX.XXX.XXX";;"date=2021-06-28,time=00:00:05,devname="XXXX",devid="XXX",logid="0000000013",type="traffic",subtype="forward",level="notice",vd="root",eventtime=1624831205715391871,tz="+0200",srcip=XXX.XXX.XXX.XXX,srcport=33084,srcintf="port1",srcintfrole="lan",dstip=XXX.XXX.XXX.XXX,dstport=80,dstintf="wan1",dstintfrole="wan",sessionid=24018243,proto=6,action="close",policyid=3,policytype="policy",poluuid="7f09e0e6-c026-51ea-ccf3-27ba9a95d742",service="HTTP",dstcountry="France",srccountry="Reserved",trandisp="snat",transip=XXX.XXX.XXX.XXX,transport=33084,appid=16648,app="Kaspersky.Update",appcat="Update",apprisk="low",applist="Std-Appcontrol",duration=5,sentbyte=836,rcvdbyte=1036,sentpkt=6,rcvdpkt=4,shapingpolicyid=7,shapersentname="A1_Outgoing",shaperdropsentbyte=0,shaperrcvdname="Incoming",shaperdroprcvdbyte=0,vwlid=0,utmaction="allow",countapp=1 mastersrcmac="XXX",srcmac="XXX",srcserver=0"

I guess replacing all the ',' with ';' would work. But I have no idea how to do that. If you need more info I'm going to send it asap.
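An added example, not part of this thread and not NXLog's own code, showing what "split the $Message into separate fields" actually involves. The FortiGate message is a key=value list where string values are double-quoted, so a plain replace of ',' with ';' breaks as soon as a quoted value (msg=, for instance) contains a comma, and it also leaves the quotes and the key names inside every cell. The parser below walks the pairs with a regex that consumes quoted values whole, strips the quotes, and writes one semicolon-delimited CSV whose header is the union of all keys seen, so a message with extra fields adds a column instead of shifting data. The first sample is the poster's own message; the second is constructed to show the comma-in-value case. NXLog has an xm_kvp extension that does this kind of parsing natively; this script is only meant to make the problem and the expected output concrete.

```python
import csv
import io
import re

# Constructed sample input: the $Message from the post above (addresses and
# device names anonymized exactly as the poster did).
SAMPLE_MESSAGE = (
    'date=2021-06-28,time=00:00:05,devname="XXXX",devid="XXX",logid="0000000013",'
    'type="traffic",subtype="forward",level="notice",vd="root",'
    'eventtime=1624831205715391871,tz="+0200",srcip=XXX.XXX.XXX.XXX,srcport=33084,'
    'srcintf="port1",srcintfrole="lan",dstip=XXX.XXX.XXX.XXX,dstport=80,'
    'dstintf="wan1",dstintfrole="wan",sessionid=24018243,proto=6,action="close",'
    'policyid=3,policytype="policy",poluuid="7f09e0e6-c026-51ea-ccf3-27ba9a95d742",'
    'service="HTTP",dstcountry="France",srccountry="Reserved",trandisp="snat",'
    'transip=XXX.XXX.XXX.XXX,transport=33084,appid=16648,app="Kaspersky.Update",'
    'appcat="Update",apprisk="low",applist="Std-Appcontrol",duration=5,sentbyte=836,'
    'rcvdbyte=1036,sentpkt=6,rcvdpkt=4,shapingpolicyid=7,shapersentname="A1_Outgoing",'
    'shaperdropsentbyte=0,shaperrcvdname="Incoming",shaperdroprcvdbyte=0,vwlid=0,'
    'utmaction="allow",countapp=1 mastersrcmac="XXX",srcmac="XXX",srcserver=0'
)

# Second constructed message (hypothetical values): a quoted value that itself
# contains a comma. Replacing ',' with ';' would cut this field in two.
COMMA_IN_VALUE = 'logid="0000000020",type="utm",msg="Blocked, see policy 7",action="block"'

# One key=value pair: the key, then either a double-quoted value (backslash
# escapes allowed inside) or an unquoted run up to the next comma or whitespace.
# Whitespace is accepted as a pair separator because the poster's sample has
# 'countapp=1 mastersrcmac="XXX"' with a space instead of a comma.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]*)')


def unquote(value: str) -> str:
    """Strip surrounding double quotes and resolve backslash escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_fortigate_message(message: str) -> dict:
    """Return the key=value pairs of one FortiGate message, in message order."""
    return {key: unquote(raw) for key, raw in KV_RE.findall(message)}


def messages_to_csv(messages, delimiter: str = ';') -> str:
    """Parse every message and emit one CSV whose header is the union of all keys.

    Keys are ordered by first appearance, so a message that carries an extra
    field (msg=, utmaction=, ...) adds a column; rows lacking a key get ''.
    """
    rows = [parse_fortigate_message(m) for m in messages]
    header = []
    for row in rows:
        for key in row:
            if key not in header:
                header.append(key)
    buf = io.StringIO()
    # QUOTE_MINIMAL only quotes cells that contain the delimiter, a quote char
    # or a line break, so the CSV stays readable and still round-trips.
    writer = csv.writer(buf, delimiter=delimiter, quoting=csv.QUOTE_MINIMAL,
                        lineterminator='\n')
    writer.writerow(header)
    for row in rows:
        writer.writerow([row.get(key, '') for key in header])
    return buf.getvalue()


if __name__ == '__main__':
    print(messages_to_csv([SAMPLE_MESSAGE, COMMA_IN_VALUE]))
```

Running the script prints a header row starting with date;time;devname and ending with srcserver;msg, followed by one row per message; the second row has empty cells for every key the first message had and the second does not. The same approach applies to the full CSV line nxlog writes, since the fields before the $Message (timestamp, severity, host) are already separate columns and only the last one needs splitting.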

#2 raf (Deactivated) Nxlog ✓

Hi,

Could you share your conf file, please? It's gonna be easier to pick it up from that place.

Thanks,
Raf