
[Filebeat][Fortinet Module] Triage on changes needed to add support for FortiAnalyzer #19315

Open
P1llus opened this issue Jun 22, 2020 · 5 comments
Labels
enhancement Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution

Comments

@P1llus
Member

P1llus commented Jun 22, 2020

Forwarding logs from Fortinet products from FortiAnalyzer is a common use-case scenario. Research needs to be put into how this affects current and any future filesets on this module, to add support for both.

@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@fredtj

fredtj commented Jun 22, 2020

I've ticketed Fortinet on this issue and they weren't very helpful. They basically said they could find no mention of these fields in their documentation and also said they "think" it is not possible to turn them off. I have asked for clarification from them:

Basically, the FAZ is adding (at least) 2 fields to forwarded logs:

tz (sometimes already exists in original log message and is added again by FAZ)
timestamp (already exists as eventtime in original log message and is added again as timestamp by FAZ)

There is no mention of these fields in your documentation.

Can you please confirm:

  1. Are we able to disable these extra fields?
  2. Are there any other fields we should be aware of that FAZ may add to forwarded log messages?
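
An added example, not code from this issue or from the Filebeat module, showing why the duplicated fields described above matter to a parser. The sample log lines are constructed for illustration: one in the form a FortiGate emits directly, and the same event with a duplicated `tz` and an appended `timestamp` as the comment says FAZ does. The code assumes the FortiOS key=value syntax (bare or double-quoted values) and that `eventtime` is an epoch value in nanoseconds; the set of forwarder-added keys (`tz`, `timestamp`) is taken from the comment and may be incomplete, as the comment itself notes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines (not captured from a real device or FAZ).
DIRECT_LINE = (
    'date=2020-06-22 time=10:15:30 devname="FGT60E" devid="FGT60ETK12345678" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'eventtime=1592820930123456789 tz="+0200" srcip=10.0.0.5 dstip=93.184.216.34 '
    'action="accept" msg="hello world"'
)
# Same event as a forwarder might emit it: tz repeated, timestamp appended.
FORWARDED_LINE = DIRECT_LINE + ' tz="+0200" timestamp=1592820930'
# A forwarded copy whose added fields disagree with the original values.
CONFLICT_LINE = DIRECT_LINE + ' tz="+0100" timestamp=1592820931'

# Assumed key set a forwarder appends, per the issue comment (may be incomplete).
FORWARDER_ADDED_KEYS = ("tz", "timestamp")

# One key=value token: a double-quoted value (may contain spaces and \" escapes)
# or a bare run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_pairs(line: str) -> List[Tuple[str, str]]:
    """Tokenise a Fortinet-style key=value line into an ordered list of pairs.
    Duplicate keys are kept, so a re-added field cannot silently replace the
    device's original value."""
    pairs: List[Tuple[str, str]] = []
    for key, raw in _KV_RE.findall(line):
        value = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        pairs.append((key, value))
    return pairs


def duplicate_keys(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return every key that occurs more than once, with all of its values."""
    seen: Dict[str, List[str]] = {}
    for key, value in pairs:
        seen.setdefault(key, []).append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def naive_dict(line: str) -> Dict[str, str]:
    """The usual shortcut: dict() keeps only the last value of a repeated key,
    so the forwarder's copy wins and the duplication leaves no trace."""
    return dict(parse_kv_pairs(line))


def looks_forwarded(line: str) -> bool:
    """Heuristic: a 'timestamp' key or a repeated 'tz' key indicates the line
    passed through a forwarder that re-adds fields."""
    pairs = parse_kv_pairs(line)
    keys = [k for k, _ in pairs]
    return "timestamp" in keys or keys.count("tz") > 1


def normalize(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Keep the first occurrence of each key (the device's own value) and report
    duplicates that conflict, plus a forwarder 'timestamp' that disagrees with
    the device's 'eventtime' (assumed to be epoch nanoseconds)."""
    fields: Dict[str, str] = {}
    warnings: List[str] = []
    for key, value in parse_kv_pairs(line):
        if key in fields:
            if fields[key] != value:
                warnings.append(f"conflicting duplicate {key}: {fields[key]!r} vs {value!r}")
            continue
        fields[key] = value
    if "timestamp" in fields and "eventtime" in fields:
        event_seconds = int(fields["eventtime"]) // 1_000_000_000
        if event_seconds != int(fields["timestamp"]):
            warnings.append(
                f"timestamp {fields['timestamp']} disagrees with eventtime "
                f"({event_seconds}s)"
            )
    return fields, warnings


if __name__ == "__main__":
    for name, line in (("direct", DIRECT_LINE), ("forwarded", FORWARDED_LINE),
                       ("conflict", CONFLICT_LINE)):
        fields, warnings = normalize(line)
        print(name, "forwarded:", looks_forwarded(line),
              "duplicates:", duplicate_keys(parse_kv_pairs(line)),
              "warnings:", warnings)
```

The point of keeping the first occurrence rather than the last is that the device's own `tz`/`eventtime` describe when and where the event happened, whereas the forwarder's copies describe when it was relayed; a pipeline that takes the last value (as `dict()` does) will silently time-shift events when the two disagree, which is exactly the failure a SIEM timeline cannot afford.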

@botelastic

botelastic bot commented May 23, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the Stalled label May 23, 2021
@botelastic botelastic bot closed this as completed Jun 22, 2021
@narph narph reopened this Dec 6, 2022
@botelastic botelastic bot removed the Stalled label Dec 6, 2022
@botelastic

botelastic bot commented Dec 6, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Dec 6, 2023
@narph narph added Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution and removed Team:SIEM labels Feb 13, 2024
@elasticmachine
Collaborator

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@botelastic botelastic bot removed the Stalled label Feb 13, 2024