Collect Fortinet FortiAnalyzer logs

Supported in:

Google SecOps SIEM

This document explains how to collect and ingest Fortinet FortiAnalyzer logs to Google Security Operations by using Bindplane. The parser transforms the logs into UDM format. It handles both CEF and key-value formatted messages, extracting fields, performing data transformations (like converting timestamps and enriching IP protocols), and mapping them to the appropriate UDM fields based on event type and subtype. The parser also includes specific logic for handling network connections, DNS queries, HTTP requests, and various security events, enriching the UDM with details like application protocols, user information, and security outcomes.

Before you begin

Ensure that you have a Google Security Operations instance.
Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
If running behind a proxy, ensure firewall ports are open.
Ensure that you have privileged access to Fortinet FortiAnalyzer.

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

Open the Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult this installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

Access the configuration file:
1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
2. Open the file using a text editor (for example, nano, vi, or Notepad).

Edit the config.yaml file as follows:

receivers:
    udplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        ingestion_labels:
            log_type: FORTINET_FORTIANALYZER
            raw_log_field: body

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - udplog
            exporters:
                - chronicle/chronicle_w_labels

Replace the port and IP address as required in your infrastructure.
Replace <customer_id> with the actual customer ID.
Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:
```
sudo systemctl restart bindplane-agent
```
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
```
net stop BindPlaneAgent && net start BindPlaneAgent
```

Configure Syslog on Fortinet FortiAnalyzer

Sign in to the FortiAnalyzer.
Activate CLI mode.

Run the following commands:

config system syslog
  edit NAME
    set ip IP_ADDRESS
    set port PORT
    set reliable enable or disable
  next
end

Update the following fields:
- NAME: the name of the syslog server.
- IP_ADDRESS: enter the IPv4 address of the Bindplane agent.
- PORT: enter the port number for the Bindplane agent; for example, 514.
- enable or disable: if you set the value of reliable as enable, it sends as TCP; if you set the value of reliable as disable, it sends as UDP.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`act`	`security_result.action_details`	Value from the `act` field when the log is in CEF format.
`action`	`security_result.action_details`	Value from the `action` field when the log is not in CEF format. Used to derive `security_result.action` and `security_result.description`.
`action`	`security_result.action`	Derived. If `action` is `accept`, `passthrough`, `pass`, `permit`, `detected`, or `login`, then `ALLOW`. If `deny`, `dropped`, `blocked`, or `close`, then `BLOCK`. If `timeout`, then `FAIL`. Otherwise, `UNKNOWN_ACTION`.
`action`	`security_result.description`	Derived. Set to `Action:` + derived `security_result.action`.
`ad.app`	`target.application`	Value from the `ad.app` field when the log is in CEF format. If the value is `HTTPS`, `HTTP`, `DNS`, `DHCP`, or `SMB`, it is mapped to `network.application_protocol`.
`ad.appact`	`additional.fields`	Value from the `ad.appact` field when the log is in CEF format, added as a key-value pair with key `appact`.
`ad.appcat`	`additional.fields`	Value from the `ad.appcat` field when the log is in CEF format, added as a key-value pair with key `appcat`.
`ad.appid`	`additional.fields`	Value from the `ad.appid` field when the log is in CEF format, added as a key-value pair with key `appid`.
`ad.applist`	`additional.fields`	Value from the `ad.applist` field when the log is in CEF format, added as a key-value pair with key `applist`.
`ad.apprisk`	`additional.fields`	Value from the `ad.apprisk` field when the log is in CEF format, added as a key-value pair with key `apprisk`.
`ad.cipher_suite`	`network.tls.cipher`	Value from the `ad.cipher_suite` field when the log is in CEF format.
`ad.countapp`	(not mapped)	Not mapped to the IDM object.
`ad.countweb`	(not mapped)	Not mapped to the IDM object.
`ad.dstcity`	`target.location.city`	Value from the `ad.dstcity` field when the log is in CEF format.
`ad.dstcountry`	`target.location.country_or_region`	Value from the `ad.dstcountry` field when the log is in CEF format.
`ad.dstintf`	`security_result.detection_fields`	Value from the `ad.dstintf` field when the log is in CEF format, added as a key-value pair with key `dstintf`.
`ad.dstintfrole`	`security_result.detection_fields`	Value from the `ad.dstintfrole` field when the log is in CEF format, added as a key-value pair with key `dstintfrole`.
`ad.dstregion`	`target.location.state`	Value from the `ad.dstregion` field when the log is in CEF format.
`ad.duration`	`network.session_duration.seconds`	Value from the `ad.duration` field when the log is in CEF format.
`ad.eventtime`	`metadata.event_timestamp`	Value from the `ad.eventtime` field when the log is in CEF format.
`ad.http_agent`	`network.http.parsed_user_agent`	Value from the `ad.http_agent` field when the log is in CEF format.
`ad.http_method`	`network.http.method`	Value from the `ad.http_method` field when the log is in CEF format.
`ad.http_refer`	`network.http.referral_url`	Value from the `ad.http_refer` field when the log is in CEF format.
`ad.http_request_bytes`	`network.sent_bytes`	Value from the `ad.http_request_bytes` field when the log is in CEF format.
`ad.http_response_bytes`	`network.received_bytes`	Value from the `ad.http_response_bytes` field when the log is in CEF format.
`ad.http_retcode`	(not mapped)	Not mapped to the IDM object.
`ad.http_url`	(not mapped)	Not mapped to the IDM object.
`ad.lanin`	(not mapped)	Not mapped to the IDM object.
`ad.lanout`	(not mapped)	Not mapped to the IDM object.
`ad.logid`	`metadata.product_log_id`	Value from the `ad.logid` field when the log is in CEF format.
`ad.mastersrcmac`	`principal.mac`	Value from the `ad.mastersrcmac` field when the log is in CEF format.
`ad.original_src`	(not mapped)	Not mapped to the IDM object.
`ad.original_srccountry`	(not mapped)	Not mapped to the IDM object.
`ad.poluuid`	(not mapped)	Not mapped to the IDM object.
`ad.policyid`	`security_result.rule_id`	Value from the `ad.policyid` field when the log is in CEF format.
`ad.policyname`	`security_result.rule_name`	Value from the `ad.policyname` field when the log is in CEF format.
`ad.policytype`	`security_result.rule_type`	Value from the `ad.policytype` field when the log is in CEF format.
`ad.profile`	`target.resource.name`	Value from the `ad.profile` field when the log is in CEF format. Also sets `target.resource.resource_type` to `ACCESS_POLICY`.
`ad.proto`	`network.ip_protocol`	Value from the `ad.proto` field when the log is in CEF format. Parsed using the `parse_ip_protocol.include` file.
`ad.qclass`	`network.dns.questions.class`	Value from the `ad.qclass` field when the log is in CEF format. Mapped using the `dns_query_class_mapping.include` file.
`ad.qname`	`network.dns.questions.name`	Value from the `ad.qname` field when the log is in CEF format.
`ad.qtype`	(not mapped)	Not mapped to the IDM object.
`ad.qtypeval`	`network.dns.questions.type`	Value from the `ad.qtypeval` field when the log is in CEF format.
`ad.rcvddelta`	(not mapped)	Not mapped to the IDM object.
`ad.rcvdpkt`	`additional.fields`	Value from the `ad.rcvdpkt` field when the log is in CEF format, added as a key-value pair with key `receivedPackets`.
`ad.sentdelta`	(not mapped)	Not mapped to the IDM object.
`ad.sentpkt`	`additional.fields`	Value from the `ad.sentpkt` field when the log is in CEF format, added as a key-value pair with key `sentPackets`.
`ad.server_pool_name`	(not mapped)	Not mapped to the IDM object.
`ad.sourceTranslatedAddress`	`principal.nat_ip`	Value from the `ad.sourceTranslatedAddress` field when the log is in CEF format.
`ad.sourceTranslatedPort`	`principal.nat_port`	Value from the `ad.sourceTranslatedPort` field when the log is in CEF format.
`ad.src`	`principal.ip`	Value from the `ad.src` field when the log is in CEF format.
`ad.srccountry`	`principal.location.country_or_region`	Value from the `ad.srccountry` field when the log is in CEF format.
`ad.srcintf`	`security_result.detection_fields`	Value from the `ad.srcintf` field when the log is in CEF format, added as a key-value pair with key `srcintf`.
`ad.srcintfrole`	`security_result.detection_fields`	Value from the `ad.srcintfrole` field when the log is in CEF format, added as a key-value pair with key `srcintfrole`.
`ad.srcmac`	`principal.mac`	Value from the `ad.srcmac` field when the log is in CEF format.
`ad.srcserver`	(not mapped)	Not mapped to the IDM object.
`ad.spt`	`principal.port`	Value from the `ad.spt` field when the log is in CEF format.
`ad.status`	`security_result.summary`	Value from the `ad.status` field when the log is in CEF format.
`ad.subtype`	`metadata.product_event_type`	Used with `ad.logid` to create the `metadata.product_event_type` when the log is in CEF format. Also used to derive `metadata.event_type` and to map specific fields for DNS and HTTP events.
`ad.trandisp`	(not mapped)	Not mapped to the IDM object.
`ad.tz`	(not mapped)	Not mapped to the IDM object.
`ad.utmaction`	`security_result.action`	Value from the `ad.utmaction` field when the log is in CEF format. Used to derive `security_result.action` and `security_result.description`.
`ad.user_name`	(not mapped)	Not mapped to the IDM object.
`ad.vd`	`principal.administrative_domain`	Value from the `ad.vd` field when the log is in CEF format.
`ad.vwlid`	(not mapped)	Not mapped to the IDM object.
`ad.wanin`	(not mapped)	Not mapped to the IDM object.
`ad.wanout`	(not mapped)	Not mapped to the IDM object.
`ad.xid`	(not mapped)	Not mapped to the IDM object.
`ad.x509_cert_subject`	(not mapped)	Not mapped to the IDM object.
`agent`	(not mapped)	Not mapped to the IDM object.
`appid`	`additional.fields`	Value from the `appid` field when the log is not in CEF format, added as a key-value pair with key `appid`.
`app`	`target.application`	Value from the `app` field when the log is not in CEF format. If the value is `HTTPS`, `HTTP`, `DNS`, `DHCP`, or `SMB`, it is mapped to `network.application_protocol`.
`appact`	`additional.fields`	Value from the `appact` field when the log is not in CEF format, added as a key-value pair with key `appact`.
`appcat`	`additional.fields`	Value from the `appcat` field when the log is not in CEF format, added as a key-value pair with key `appcat`.
`applist`	`additional.fields`	Value from the `applist` field when the log is not in CEF format, added as a key-value pair with key `applist`.
`apprisk`	`additional.fields`	Value from the `apprisk` field when the log is not in CEF format, added as a key-value pair with key `apprisk`.
`cat`	`security_result1.rule_id`	Value from the `cat` field when the log is not in CEF format.
`catdesc`	`security_result.description`	Value from the `catdesc` field when the log is not in CEF format. Only used if `catdesc` is not empty.
`centralnatid`	(not mapped)	Not mapped to the IDM object.
`cipher_suite`	`network.tls.cipher`	Value from the `cipher_suite` field when the log is not in CEF format.
`countssl`	(not mapped)	Not mapped to the IDM object.
`crlevel`	`security_result.severity`	Value from the `crlevel` field when the log is not in CEF format. Used to derive `security_result.severity`. If `CRITICAL`, sets `is_alert` and `is_significant` to true.
`craction`	`security_result.about.labels`	Value from the `craction` field when the log is not in CEF format, added as a key-value pair with key `craction`.
`create_time`	(not mapped)	Not mapped to the IDM object.
`data`	(not mapped)	The raw log data. Not directly mapped to UDM.
`date`	(not mapped)	Not mapped to the IDM object.
`devname`	`principal.hostname`, `principal.asset.hostname`	Value from the `devname` field when the log is not in CEF format.
`devid`	(not mapped)	Not mapped to the IDM object.
`devtype`	(not mapped)	Not mapped to the IDM object.
`direction`	`network.direction`	Value from the `direction` field when the log is not in CEF format. If `incoming` or `inbound`, then `INBOUND`. If `outgoing` or `outbound`, then `OUTBOUND`.
`dpt`	`target.port`	Value from the `dpt` field when the log is in CEF format.
`dstip`	`target.ip`, `target.asset.ip`	Value from the `dstip` field when the log is not in CEF format.
`dstintf`	`security_result.detection_fields`	Value from the `dstintf` field when the log is not in CEF format, added as a key-value pair with key `dstintf`.
`dstintfrole`	`security_result.detection_fields`	Value from the `dstintfrole` field when the log is not in CEF format, added as a key-value pair with key `dstintfrole`.
`dstport`	`target.port`	Value from the `dstport` field when the log is not in CEF format.
`dstregion`	`target.location.state`	Value from the `dstregion` field when the log is not in CEF format.
`dstuuid`	`target.user.product_object_id`	Value from the `dstuuid` field when the log is not in CEF format.
`duration`	`network.session_duration.seconds`	Value from the `duration` field when the log is not in CEF format.
`dstcity`	`target.location.city`	Value from the `dstcity` field when the log is not in CEF format.
`dstcountry`	`target.location.country_or_region`	Value from the `dstcountry` field when the log is not in CEF format.
`dstmac`	`target.mac`	Value from the `dstmac` field when the log is not in CEF format.
`eventtime`	`metadata.event_timestamp`	Value from the `eventtime` field when the log is not in CEF format. The value is reduced from microseconds to seconds.
`eventtype`	`security_result2.rule_type`	Value from the `eventtype` field when the log is not in CEF format.
`externalID`	(not mapped)	Not mapped to the IDM object.
`group`	`principal.user.group_identifiers`	Value from the `group` field when the log is not in CEF format.
`hostname`	`target.hostname`, `target.asset.hostname`	Value from the `hostname` field when the log is not in CEF format.
`http_agent`	`network.http.parsed_user_agent`	Value from the `http_agent` field when the log is not in CEF format. Converted to a parsed user agent object.
`http_method`	`network.http.method`	Value from the `http_method` field when the log is not in CEF format.
`http_refer`	`network.http.referral_url`	Value from the `http_refer` field when the log is not in CEF format.
`http_request_bytes`	`network.sent_bytes`	Value from the `http_request_bytes` field when the log is not in CEF format.
`http_response_bytes`	`network.received_bytes`	Value from the `http_response_bytes` field when the log is not in CEF format.
`httpmethod`	`network.http.method`	Value from the `httpmethod` field when the log is not in CEF format.
`in`	`network.received_bytes`	Value from the `in` field when the log is in CEF format.
`incidentserialno`	(not mapped)	Not mapped to the IDM object.
`lanin`	(not mapped)	Not mapped to the IDM object.
`lanout`	(not mapped)	Not mapped to the IDM object.
`level`	`security_result.severity`, `security_result.severity_details`	Value from the `level` field when the log is not in CEF format. Used to derive `security_result.severity`. If `error` or `warning`, then `HIGH`. If `notice`, then `MEDIUM`. If `information` or `info`, then `LOW`. Also sets `security_result.severity_details` to `level:` + `level`. If `crlevel` is `CRITICAL` or `level` is `alert`, sets `is_alert` and `is_significant` to true.
`locip`	`principal.ip`, `principal.asset.ip`	Value from the `locip` field when the log is not in CEF format.
`logdesc`	`metadata.description`	Value from the `logdesc` field when the log is not in CEF format.
`logid`	`metadata.product_log_id`	Value from the `logid` field when the log is not in CEF format.
`logver`	(not mapped)	Not mapped to the IDM object.
`mastersrcmac`	`principal.mac`	Value from the `mastersrcmac` field when the log is not in CEF format.
`method`	(not mapped)	Not mapped to the IDM object.
`msg`	`metadata.description`	Value from the `msg` field when the log is not in CEF format. Also used for `security_result.description` if `catdesc` is empty.
`out`	`network.sent_bytes`	Value from the `out` field when the log is in CEF format.
`outintf`	(not mapped)	Not mapped to the IDM object.
`policyid`	`security_result.rule_id`	Value from the `policyid` field when the log is not in CEF format.
`policyname`	`security_result.rule_name`	Value from the `policyname` field when the log is not in CEF format.
`policytype`	`security_result.rule_type`	Value from the `policytype` field when the log is not in CEF format.
`poluuid`	(not mapped)	Not mapped to the IDM object.
`profile`	`target.resource.name`	Value from the `profile` field when the log is not in CEF format. Also sets `target.resource.resource_type` to `ACCESS_POLICY`.
`proto`	`network.ip_protocol`	Value from the `proto` field when the log is not in CEF format. Parsed using the `parse_ip_protocol.include` file.
`qclass`	`network.dns.questions.class`	Value from the `qclass` field when the log is not in CEF format. Mapped using the `dns_query_class_mapping.include` file.
`qname`	`network.dns.questions.name`	Value from the `qname` field when the log is not in CEF format.
`reason`	`security_result.description`	Value from the `reason` field when the log is not in CEF format. Only used if `reason` is not `N/A` and not empty.
`rcvdbyte`	`network.received_bytes`	Value from the `rcvdbyte` field when the log is not in CEF format.
`rcvdpkt`	`additional.fields`	Value from the `rcvdpkt` field when the log is not in CEF format, added as a key-value pair with key `receivedPackets`.
`remip`	`target.ip`, `target.asset.ip`	Value from the `remip` field when the log is not in CEF format.
`remport`	(not mapped)	Not mapped to the IDM object.
`reqtype`	(not mapped)	Not mapped to the IDM object.
`sentbyte`	`network.sent_bytes`	Value from the `sentbyte` field when the log is not in CEF format.
`sentpkt`	`additional.fields`	Value from the `sentpkt` field when the log is not in CEF format, added as a key-value pair with key `sentPackets`.
`service`	`network.application_protocol`, `target.application`	Value from the `service` field when the log is not in CEF format. Parsed using the `parse_app_protocol.include` file. If the output of the parser is not empty, it is mapped to `network.application_protocol`. Otherwise, the original value is mapped to `target.application`.
`sessionid`	`network.session_id`	Value from the `sessionid` field when the log is not in CEF format.
`sn`	(not mapped)	Not mapped to the IDM object.
`sourceTranslatedAddress`	`principal.nat_ip`	Value from the `sourceTranslatedAddress` field when the log is in CEF format.
`sourceTranslatedPort`	`principal.nat_port`	Value from the `sourceTranslatedPort` field when the log is in CEF format.
`spt`	`principal.port`	Value from the `spt` field when the log is in CEF format.
`src`	`principal.ip`	Value from the `src` field when the log is in CEF format.
`srcip`	`principal.ip`, `principal.asset.ip`	Value from the `srcip` field when the log is not in CEF format.
`srcintf`	`security_result.detection_fields`	Value from the `srcintf` field when the log is not in CEF format, added as a key-value pair with key `srcintf`.
`srcintfrole`	`security_result.detection_fields`	Value from the `srcintfrole` field when the log is not in CEF format, added as a key-value pair with key `srcintfrole`.
`srcmac`	`principal.mac`	Value from the `srcmac` field when the log is not in CEF format. Hyphens are replaced with colons.
`srcport`	`principal.port`	Value from the `srcport` field when the log is not in CEF format.
`srccountry`	`principal.location.country_or_region`	Value from the `srccountry` field when the log is not in CEF format. Only mapped if not `Reserved` and not empty.
`srcuuid`	`principal.user.product_object_id`	Value from the `srcuuid` field when the log is not in CEF format.
`srcserver`	(not mapped)	Not mapped to the IDM object.
`start`	(not mapped)	Not mapped to the IDM object.
`status`	`security_result.summary`	Value from the `status` field when the log is not in CEF format.
`subtype`	`metadata.product_event_type`	Used with `type` to create the `metadata.product_event_type` when the log is not in CEF format. Also used to derive `metadata.event_type` and to map specific fields for DNS and HTTP events.
`time`	(not mapped)	Not mapped to the IDM object.
`timestamp`	`metadata.event_timestamp`	Value from the `timestamp` field.
`trandisp`	(not mapped)	Not mapped to the IDM object.
`transip`	(not mapped)	Not mapped to the IDM object.
`transport`	(not mapped)	Not mapped to the IDM object.
`type`	`metadata.product_event_type`	Used with `subtype` to create the `metadata.product_event_type` when the log is not in CEF format. Also used to derive `metadata.event_type`.
`tz`	(not mapped)	Not mapped to the IDM object.
`ui`	(not mapped)	Not mapped to the IDM object.
`url`	`target.url`	Value from the `url` field when the log is not in CEF format.
`user`	`principal.user.userid`	Value from the `user` field when the log is not in CEF format. Only mapped if not `N/A` and not empty.
`utmaction`	`security_result.action`, `security_result2.action_details`	Value from the `utmaction` field when the log is not in CEF format. Used to derive `security_result.action` and `security_result.description`.
`utmaction`	`security_result.action`	Derived. If `utmaction` is `accept`, `allow`, `passthrough`, `pass`, `permit`, or `detected`, then `ALLOW`. If `deny`, `dropped`, `blocked`, or `block`, then `BLOCK`. Otherwise, `UNKNOWN_ACTION`.
`utmaction`	`security_result.description`	Derived. Set to `UTMAction:` + derived `security_result.action` if `action1` is empty.
`utmevent`	(not mapped)	Not mapped to the IDM object.
`vd`	`principal.administrative_domain`	Value from the `vd` field when the log is not in CEF format.
`vpntunnel`	(not mapped)	Not mapped to the IDM object.
`wanin`	(not mapped)	Not mapped to the IDM object.
`wanout`	(not mapped)	Not mapped to the IDM object.
N/A (Parser Logic)	`about.asset.asset_id`	Derived. Set to `Fortinet.` + `product_name` + `:` + `deviceExternalId` when the log is in CEF format.
N/A (Parser Logic)	`about.hostname`	Derived. Set to `auth0` when the log is in CEF format.
N/A (Parser Logic)	`extensions.auth`	Derived. An empty object is created when `metadata.event_type` is `USER_LOGIN`.
N/A (Parser Logic)	`extensions.auth.type`	Derived. Set to `AUTHTYPE_UNSPECIFIED` when `metadata.event_type` is `USER_LOGIN`.
N/A (Parser Logic)	`is_alert`, `is_significant`	Derived. Set to true if `crlevel` is `CRITICAL` or `level` is `alert`.
N/A (Parser Logic)	`metadata.event_type`	Derived based on various log fields and logic within the parser. Can be `NETWORK_CONNECTION`, `STATUS_UPDATE`, `GENERIC_EVENT`, `NETWORK_DNS`, `NETWORK_HTTP`, `USER_LOGIN`, `USER_LOGOUT`, or `NETWORK_UNCATEGORIZED`.
N/A (Parser Logic)	`metadata.log_type`	Derived. Set to `FORTINET_FORTIANALYZER`.
N/A (Parser Logic)	`metadata.product_event_type`	Derived. Set to `type` + `-` + `subtype`.
N/A (Parser Logic)	`metadata.product_name`	Derived. Set to `Fortianalyzer` or extracted from the CEF message.
N/A (Parser Logic)	`metadata.product_version`	Extracted from the CEF message.
N/A (Parser Logic)	`metadata.vendor_name`	Derived. Set to `Fortinet`.
N/A (Parser Logic)	`network.application_protocol`	Derived from the `service` or `app` fields using the `parse_app_protocol.include` file, or set to `DNS` for DNS events. Also set based on `ad.app` if it's one of `HTTPS`, `HTTP`, `DNS`, `DHCP`, or `SMB`.
N/A (Parser Logic)	`network.dns.questions`	Derived. An array of question objects, each with `name`, `type`, and `class` fields, populated for DNS events.
N/A (Parser Logic)	`network.http.parsed_user_agent`	Derived from the `http_agent` field by converting it to a parsed user agent object.
N/A (Parser Logic)	`network.ip_protocol`	Derived from the `proto` field using the `parse_ip_protocol.include` file.
N/A (Parser Logic)	`principal.administrative_domain`	Value from the `vd` field.
N/A (Parser Logic)	`principal.asset.ip`	Copied from `principal.ip`.
N/A (Parser Logic)	`principal.asset.hostname`	Copied from `principal.hostname`.
N/A (Parser Logic)	`security_result.about.labels`	An array of key-value pairs, populated with `craction` if present.
N/A (Parser Logic)	`security_result.action`	Derived from `action` or `utmaction`.
N/A (Parser Logic)	`security_result.description`	Derived from `action`, `utmaction`, `msg`, `catdesc`, or `reason`, depending on the available fields and log format.
N/A (Parser Logic)	`security_result.severity`	Derived from `crlevel` or `level`.
N/A (Parser Logic)	`security_result.severity_details`	Derived. Set to `level:` + `level`.
N/A (Parser Logic)	`security_result.detection_fields`	An array of key-value pairs, populated with `srcintf`, `srcintfrole`, `dstintf`, and `dstintfrole` if present.
N/A (Parser Logic)	`target.asset.ip`	Copied from `target.ip`.
N/A (Parser Logic)	`target.asset.hostname`	Copied from `target.hostname`.
N/A (Parser Logic)	`target.resource.resource_type`	Derived. Set to `ACCESS_POLICY` when the `profile` field is present.

Changes

2025-01-31

Enhancement:

Mapped catdesc to security_result.rule_name.
Mapped crscore to security_result.detection_fields.
Mapped method to network.http.method.
Mapped cat to security_result.rule_id.

2025-01-02

Enhancement:

When action is login and status is success, then mapped ALLOW to security_result.action.
When action is login and status is failure, then mapped BLOCK to security_result.action.

2024-11-28

Enhancement:

Mapped filename to target.file.full_path.

2024-11-19

Enhancement:

Mapped dstuser to target.user.userid.

2024-11-13

Enhancement:

Mapped fsaverdict to additional.fields.

2024-10-28

Enhancement:

Changed srcinf, dstinf, srcintfrole, and dstintfrole mapping from security_result.detection_fields to additional.fields.

2024-10-16

Enhancement:

Mapped type, subtype, and level to metadata.ingestion_labels.

2024-10-01

Enhancement:

Mapped logdesc to metadata.description.

2024-10-01

Enhancement:

Mapped logdesc to metadata.description.

2024-09-23

Enhancement:

Modified mapping for devname to principal.resource.attribute.labels.
Mapped srcname to principal.hostname and principal.asset.hostname.

2024-09-12

Enhancement:

Added conditional checks to map the value BLOCK to the security_result.action UDM field when the reason value is sslvpn_login_permission_denied.

2024-07-22

Enhancement:

Added gusb to handle the unparsed logs.

2024-07-04

Enhancement:

When msg contains login, then set event_type to USER_LOGIN.

2024-04-25

Enhancement:

Mapped httpmethod to network.http.method.
When action is login, then map ALLOW to security_result.action.
When msg contains logged in successfully, then set event_type to USER_LOGIN.
When msg contains login failed, then set event_type to USER_LOGOUT.

2023-07-19

Bug fix:

Added gsub to remove \n to parse failing logs.

2023-05-05

Added support for logs with CEF format.

2022-09-19

Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.