
[Fortinet Fortigate] Split current dataset into multiple datasets #12606

Open
leandrojmp opened this issue Feb 4, 2025 · 1 comment
Open
Labels
Integration:fortinet_fortigate Fortinet FortiGate Firewall Logs Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]

Comments

@leandrojmp
Contributor

leandrojmp commented Feb 4, 2025

Hello,

Currently the integration for the Fortinet Fortigate has only one dataset, fortinet_fortigate.log, which means that all logs from fortigate will be stored in the same data stream, but the integration produces different types of logs like traffic, utm and event.

The goal is that this would allow you to have different retention per dataset; for example, you may be required to keep audit logs for a longer time than traffic logs. Audit logs have the fortinet.firewall.type value event, and traffic logs have the same field set to traffic.

Since the volume of traffic logs is higher, to keep only the audit logs you do not have many options; you basically need to create a custom transform to store those events in another index. I'm not sure that you can use a reroute processor to create a custom dataset/namespace, since Fleet integration permissions are pretty limited.

Now we have this:

  • fortinet_fortigate.log: all logs from fortigate

But we should have something like this:

  • fortinet_fortigate.traffic: traffic logs from fortigate
  • fortinet_fortigate.event: event logs from fortigate
  • fortinet_fortigate.utm: utm logs from fortigate
  • fortinet_fortigate.log: new/unmapped logs from fortigate

We already have separated ingest pipelines for each fortinet.firewall.type value here.

  - pipeline:
      name: '{{ IngestPipeline "event" }}'
      if: ctx.fortinet?.firewall?.type == 'event'
  - pipeline:
      name: '{{ IngestPipeline "login" }}'
      if: >-
        if (ctx.message instanceof String) {
          String normalizedMessage = ctx.message.toLowerCase();
          return (normalizedMessage.contains('login') || normalizedMessage.contains('logged in'));
        }
        return false;
  - pipeline:
      name: '{{ IngestPipeline "traffic" }}'
      if: ctx.fortinet?.firewall?.type == 'traffic'
  - pipeline:
      name: '{{ IngestPipeline "utm" }}'
      if: ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'

I think this helps to implement separate data streams. I'm not sure how to do that, but with some orientation I could send a PR.

What do we need to do to create a new dataset?
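As an added illustration (not part of the issue, and not the fortinet_fortigate integration's own pipeline), the following ingest pipeline fragment shows how the same fortinet.firewall.type conditions already used to select sub-pipelines could instead drive Elasticsearch's reroute processor to send each document to one of the per-type datasets proposed above. The dataset names are the ones listed in the issue; the pipeline description and processor tags are placeholders chosen here. Anything without a matching condition stays in the data stream it was sent to (fortinet_fortigate.log), which gives the "new/unmapped" fallback for free.

```yaml
# Added example, not the integration's pipeline: route parsed FortiGate
# documents to per-type data streams using the reroute processor.
# The `namespace` is left unset so it defaults to the namespace the
# document was originally sent to ({{data_stream.namespace}}).
description: "Example: split FortiGate logs into per-type datasets (placeholder name)"
processors:
  # Audit/event logs: the ones an operator typically retains longest.
  - reroute:
      tag: route-event          # placeholder tag for troubleshooting
      if: ctx.fortinet?.firewall?.type == 'event'
      dataset: fortinet_fortigate.event

  # High-volume traffic logs get their own data stream and retention.
  - reroute:
      tag: route-traffic
      if: ctx.fortinet?.firewall?.type == 'traffic'
      dataset: fortinet_fortigate.traffic

  # UTM logs; the existing sub-pipeline also treats 'dns' as UTM,
  # so the same condition is reused here.
  - reroute:
      tag: route-utm
      if: ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'
      dataset: fortinet_fortigate.utm

  # No reroute for any other type: the document remains in
  # fortinet_fortigate.log, which acts as the unmapped/new-type bucket.
```

Two properties of the reroute processor matter for placing these steps: once a reroute processor fires, the remaining processors of the current pipeline (and of any calling pipeline) are skipped and the document is indexed into the target data stream, where that stream's own default pipeline runs, so the conditions are effectively an if/else-if chain and should come after the shared parsing that populates fortinet.firewall.type. Second, the indexing identity must be allowed to write to every target data stream; this is exactly the Fleet permission limitation raised in the issue, which is why the split is better done inside the integration package (where the new data streams and their privileges are declared) than with a user-supplied reroute.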

@jamiehynds jamiehynds added the Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] label Feb 5, 2025
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@jamiehynds jamiehynds added the Integration:fortinet_fortigate Fortinet FortiGate Firewall Logs label Feb 5, 2025