forcepoint FW
Description¶
-
Constructor : Forcepoint
-
Product : Fire wall
-
log types : Forcepoint_FW
log sample¶
- Forcepoint_FW Traffic
1 | LEEF:1.0|FORCEPOINT|Firewall|6.2.1|FW_Protocol-Agent-Application-Protocol-Violation|devTimeFormat=MMM dd yyyy HH:mm:ss devTime=Jan 13 2019 03:15:03 proto=6 dstPort=21 srcPort=35278 dst=10.1.32.136 src=10.1.255.52 sender=thsdc1smgfwl01p msg=Invalid address in PORT command. IP: 10.1.255.52, port: 10794 |
- Forcepoint_FW DHCP
1 | LEEF:1.0|FORCEPOINT|Firewall|6.2.1|FW_DHCP-DHCP-Reply-Received|devTimeFormat=MMM dd yyyy HH:mm:ss srcMAC=00:50:56:A3:52:F8 |
- Forcepoint_FW System
1 | LEEF:1.0|FORCEPOINT|Firewall|6.2.1|Generic|devTimeFormat=MMM dd yyyy HH:mm:ss devTime=Jan 13 2019 03:42:05 sender=thsdc1smgfwl02p msg=pam_unix(sshd:auth): check pass; user unknown |
Parsing strategy¶
-
First of all, we deal with the first part with a grok operator.
-
Then we use the kv operator to parse this log .
-
We can now normalize the fields
Fields normalization¶
- Forcepoint_FW
| Normalized fields | Parsed fields |
|---|---|
| [type] | "fw" |
| [alarm][name] | [tmp][Name] |
| [alarm][description] | [tmp][Extension][msg] |
| [init][host][ip] | [tmp][Extension][src] |
| [init][host][port] | [tmp][Extension][srcPort] |
| [init][host][mac] | [tmp][Extension][srcMAC] |
| [target][host][ip] | [tmp][Extension][dst] |
| [target][host][port] | [tmp][Extension][dstPort] |
| [target][host][mac] | [tmp][Extension][dstMAC] |
| [app][proto][num] | [tmp][Extension][proto] |
| [action] | [tmp][Extension][action] |
| [msg]] | [tmp][Extension][msg] |
| [obs][ts] | [tmp][Extension][devTime] |
| [obs][host][name] | [tmp][Extension][sender] |