From 543640c5739c74e3a2950f402e68a6886dc6b3b1 Mon Sep 17 00:00:00 2001 From: Sean Whalen <44679+seanthegeek@users.noreply.github.com> Date: Wed, 12 Apr 2023 11:46:20 -0400 Subject: [PATCH] 2.0.1-rev21 - Remove duplicate streams --- CHANGELOG.md | 4 + content_pack.json | 845 +++++++++++++++++----------------------------- 2 files changed, 321 insertions(+), 528 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 14454e2..5f06c53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 2.0.1-rev21 + +- Remove duplicate streams + ## 2.0.0-rev20 - Use `_exists_` instead of `*` diff --git a/content_pack.json b/content_pack.json index aa650cb..df7bc4b 100644 --- a/content_pack.json +++ b/content_pack.json 
@@ -1,7 +1,7 @@ { "v": "1", "id": "af84f707-7473-4258-bb2a-9d9617247bdd", - "rev": 20, + "rev": 21, "name": "Fortigate CEF Logs - Content Pack", "summary": " Stream and dashboards for Fortinet Fortigate CEF logs ", "description": "# Fortigate CEF Logs - Graylog Content Pack\n\nThis [Graylog][graylog] content pack includes a steam and dashboards for Fortinet Fortigate Common Event Format (CEF) logs.\n\n## Streams\n\n### Fortigate CEF Logs\n\nRoutes CEF logs from Fortigates to the `Fortigate CEF Logs` Graylog index set\n\n## Dashboards\n\n### Fortigate - Applications and Devices\n\nAnalysis of devices and application traffic\n\nIncludes IP addresses, MAC addresses, device manufacturers, and application layer network traffic\n\n### Fortigate - DNS Traffic\n\nDetails of DNS queries and responses\n\nIncludes details of the query, response, action, and category\n\n### Fortigate - IPS Alerts\n\nIntrusion Prevention System (IPS) alert details\n\nIncludes signature, action, severity, source, and destination information\n\n### Fortigate - Overview\n\nAn overview of incoming messages from Fortigates\n\nIncludes Fortigate hostnames, serial numbers, and full message details\n\n### Fortigate - SSL/TLS Interventions\n\nSSL/TLS actions taken by Fortigates\n\nProvides records of when Fortigates intervened (with or without decrypting) in SSL/TLS traffic\n\n### Fortigate - Web Traffic\n\nWeb traffic details\n\nIncludes category, action, and more\n\n## Searches\n\n### Fortigate CEF\n\nAll Fortigate CEF logs\n\n## Graylog Setup\n\nEdit the Graylog server configuration file at `/etc/graylog/server/server.conf`. Locate the `allow_leading_wildcard_searches` and `allow_highlighting` options, and set both to `true`. 
Restart the Graylog server by running `sudo systemctl restart graylog-server.service`.\n\nImport the Content Pack into Graylog by navigating to System> Content Packs, clicking on the upload button, and uploading the Content Pack JSON file.\n\nIn Graylog an Input accepts log traffic from a source an parses it. That data is sent to Streams, which filters and routes log traffic to Index Sets. Index Sets manage the Elasticsearch indexes that Graylog uses as a backend.\n\nThe Stream that comes with this content pack is configured to route the logs to a separate Index Set called `Fortigate CEF Logs`. It does not create the Index Set, so the Index Set needs to be created.\n\nNavigate to System> Indices, and create a new Index Set with a title of `Fortigate CEF Logs` and an index prefix of `fortigate_cef`. Then, click on Streams in the main navigation bar. Edit the `Fortigate CEF Logs` Stream and ensure it is configured to use the Index Set that you just created.\n\n**Important**: Leave `Remove matches from ‘All messages’ stream` box checked, or the data will be duplicated over two Index Sets.\n\nCreate a CEF UDP **or** a CEF TCP input by navigating to System> Inputs as a Graylog administrator, and clicking on Launch New Input.\n\nBefore creating a CEF TCP input:\n\nEnsure that your certificate and and key are readable by the user running Graylog, or Graylog will create it's own self-signed certificate (which Fortigates will not trust) without informing you in the web UI (this error can be found in `server.log`.)\n\nIt is recommended to use a commercial external Certificate Authority (CA). Documentation contributions for using internal CAs would be appreciated. 
Documentation for using Let's Encrypt Certificates is in progress.\n\nWhen creating a CEF TLS Input, be sure to check the `Accept encrypted connections` checkbox.\n\n## Fortigate setup\n\nConfigure your Fortigates to send data to Graylog in CEF format by using the FortiOS [Command Line Interface (CLI)][CLI].\n\nReplace the server address and port with the address and port of your input, of course.\n\n## Time zone\n\nTo simplify and unify log management, it is important that every firewall be configured to use the GMT timezone, which for logging purposes is equivalent UTC.\n\n```fortios\nconfig system global\n set timezone 80\nend\n```\n\n## Log filtering\n\nBy default, logs sent to the syslog server are not filtered. To ensure that the Graylog Input gets all logs, ensure all log filter options are at their default settings.\n\n```fortios\nconfig log syslogd filter\n unset severity\n unset forward-traffic\n unset local-traffic\n unset multicast-traffic\n unset sniffer-traffic\n unset anomaly\n unset voip\nend\n```\n\n### CEF UDP\n\n**Warning** : UDP traffic is unencrypted.\n\n```fortios\nconfig log syslogd setting\n set status enable\n set server \"graylog.example.com\"\n set port 5555\n set format cef\n set mode udp\nend\n```\n\n### CEF TCP\n\n**Warning**: When using CEF TCP, the 'server' setting **must** be set the Graylog server's fully-qualified hostname, **not** the IP address.\n\n```fortios\nconfig log syslogd setting\n set status enable\n set server \"graylog.example.com\"\n set port 5555\n set format cef\n set mode reliable\nend\n```\n\n[Graylog]: https://www.graylog.org/\n[CLI]: https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/445620/config-log-syslogd-setting\n", @@ -44,9 +44,7 @@ "type": "relative", "from": 300 }, - "streams": [ - "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" - ], + "streams": [], "series": [ { "type": "count", 
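Review bot: Replacing the deleted stream id with `"streams": []` leaves these search types unscoped rather than re-pointing them at the surviving stream; in Graylog an empty `streams` list on a search type means no stream filter, so as far as I can tell these widgets will now query every stream the viewing user can read instead of only the Fortigate CEF index set. The other dashboards in this patch were remapped instead, so the same treatment seems intended here: `"streams": ["48395b4b-1afa-436f-91fc-a43ebe5b6322"]`. The entity this hunk belongs to starts before the hunk, so I cannot see which dashboard it is; the same `[]` substitution is repeated in the later hunks at -362, -874, -1110 and -1612. The changelog entry "Remove duplicate streams" does not mention this scoping change, so it reads as unintended.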
@@ -362,9 +360,7 @@ "type": "relative", "from": 300 }, - "streams": [ - "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" - ], + "streams": [], "series": [ { "type": "count", @@ -874,9 +870,7 @@ "type": "relative", "from": 300 }, - "streams": [ - "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" - ], + "streams": [], "series": [ { "type": "count", @@ -1110,9 +1104,7 @@ "from": 300 }, "offset": 0, - "streams": [ - "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" - ], + "streams": [], "filter": null, "decorators": [], "type": "messages", @@ -1612,9 +1604,7 @@ "type": "relative", "from": 604800 }, - "streams": [ - "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" - ], + "streams": [], "series": [ { "type": "count", @@ -2187,7 +2177,7 @@ "name": "dashboard", "version": "2" }, - "id": "3448cb19-6fc9-431a-a405-0a19cc022e81", + "id": "1b42d211-7cfb-48a9-8440-edf84319902b", "data": { "summary": { "@type": "string", @@ -2219,7 +2209,7 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ @@ -2235,13 +2225,13 @@ { "type": "values", "fields": [ - "FTNTFGTsrchwvendor" + "FTNTFGTapp" ], "limit": 20 } ], "type": "pivot", - "id": "792b5a95-188f-4bb6-a6ca-92655ffc4996", + "id": "8fe17fed-6a9b-4d12-a74c-56eb7af882de", "filters": [], "column_groups": [], "sort": [] @@ -2258,7 +2248,7 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ 
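Review bot: The dashboard entity id changes from `3448cb19-6fc9-431a-a405-0a19cc022e81` to `1b42d211-7cfb-48a9-8440-edf84319902b` with no functional reason given in the commit message. Graylog identifies content-pack entities across revisions by id, so on an upgrade from rev20 this will most likely leave the old dashboard installed alongside a new copy rather than updating it in place; if the regeneration was accidental, keeping the previous id avoids that. I cannot verify the upgrade behaviour from this patch alone, so treat it as a point to confirm against a rev20 install.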
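Review bot: The new stream id `8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d` introduced here (and in many later search types and widgets of this dashboard) does not correspond to any stream entity visible in this patch; the only stream left after the -3839 hunk is the one renamed to `48395b4b-1afa-436f-91fc-a43ebe5b6322`, and sibling widgets in the same dashboard already use that id. If 8aadda2c is an id from the exporting Graylog instance rather than a pack entity, installing the pack will scope roughly half of the "Applications and Devices" widgets to a stream that does not exist on the target, and they will either return nothing or fall back to all streams. Unless there is a matching stream entity elsewhere in the file, every occurrence should become `"48395b4b-1afa-436f-91fc-a43ebe5b6322"`. A quick `jq` check that every id under `"streams"` appears as a `"type": {"name": "stream"}` entity would catch this before release.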
@@ -2274,17 +2264,38 @@ { "type": "values", "fields": [ - "FTNTFGTappcat" + "FTNTFGTdevtype" ], "limit": 20 } ], "type": "pivot", - "id": "b833e853-b097-47a8-bad9-02ae88f29b02", + "id": "e67bd74e-274c-44b5-8e66-f9f9476e2839", "filters": [], "column_groups": [], "sort": [] }, + { + "query": { + "type": "elasticsearch", + "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" + }, + "name": null, + "timerange": { + "from": 300, + "type": "relative" + }, + "offset": 0, + "streams": [ + "48395b4b-1afa-436f-91fc-a43ebe5b6322" + ], + "filter": null, + "decorators": [], + "type": "messages", + "id": "8d38862c-b759-4274-87c1-f4d8260ad0a1", + "limit": 150, + "filters": [] + }, { "query": { "type": "elasticsearch", @@ -2297,7 +2308,7 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ @@ -2313,13 +2324,52 @@ { "type": "values", "fields": [ - "FTNTFGTutmaction" + "FTNTFGTapprisk" + ], + "limit": 20 + } + ], + "type": "pivot", + "id": "023f660c-0af5-40a6-b5c0-d156a5941b3e", + "filters": [], + "column_groups": [], + "sort": [] + }, + { + "query": { + "type": "elasticsearch", + "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" + }, + "name": "chart", + "timerange": { + "from": 300, + "type": "relative" + }, + "column_limit": null, + "streams": [ + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" + ], + "row_limit": null, + "series": [ + { + "type": "count", + "id": "count()", + "field": null + } + ], + "filter": null, + "rollup": true, + "row_groups": [ + { + "type": "values", + "fields": [ + "FTNTFGTappcat" ], "limit": 20 } ], "type": "pivot", - "id": "c8e4f732-3b40-4b2f-b7e3-bc48293bd5e3", + "id": "94d26ba2-c867-4ec8-bde9-4f219f4bb657", "filters": [], "column_groups": [], "sort": [] 
@@ -2336,7 +2386,7 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ @@ -2365,7 +2415,7 @@ } ], "type": "pivot", - "id": "315292cd-9170-412b-8e28-fb5a02f8b4f0", + "id": "41f4ae76-bc90-49ed-8765-bd57df671eed", "filters": [], "column_groups": [], "sort": [] @@ -2382,7 +2432,7 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ @@ -2404,7 +2454,7 @@ } ], "type": "pivot", - "id": "f95c870f-0dc8-43a6-99a7-398da91adac2", + "id": "26c996fb-43bb-41cc-aa64-6090b81ec26d", "filters": [], "column_groups": [], "sort": [] @@ -2421,14 +2471,14 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ { "type": "count", - "id": "messages", - "field": "FTNTFGTapp" + "id": "count()", + "field": null } ], "filter": null, @@ -2437,13 +2487,13 @@ { "type": "values", "fields": [ - "FTNTFGTapp" + "FTNTFGTsrchwvendor" ], - "limit": 500 + "limit": 20 } ], "type": "pivot", - "id": "f8ae4b67-812b-4bda-bc6d-07fe2c7ecedb", + "id": "08c46380-bc73-48b7-ae97-7380f8df91e2", "filters": [], "column_groups": [], "sort": [] @@ -2460,7 +2510,7 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ @@ -2482,7 +2532,7 @@ } ], "type": "pivot", - "id": "0ae0b19e-4855-4c0f-9f49-032f65b405f0", + "id": "f804de66-5021-4c2a-9631-3537fcd8f50a", "filters": [], "column_groups": [], "sort": [] @@ -2499,14 +2549,14 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ { "type": "count", - "id": "count()", - "field": null + "id": "messages", + "field": "FTNTFGTapp" } ], "filter": null, 
@@ -2515,13 +2565,13 @@ { "type": "values", "fields": [ - "FTNTFGTapprisk" + "FTNTFGTapp" ], - "limit": 20 + "limit": 500 } ], "type": "pivot", - "id": "718ea932-9aaf-44c2-bcad-510de6be9d75", + "id": "986cd626-1343-4f2d-b049-c9734e56c6cd", "filters": [], "column_groups": [], "sort": [] @@ -2529,7 +2579,7 @@ { "query": { "type": "elasticsearch", - "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" + "query_string": "_exists_:FTNTFGTappcat AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { @@ -2538,7 +2588,7 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ @@ -2554,13 +2604,13 @@ { "type": "values", "fields": [ - "FTNTFGTapp" + "deviceOutboundInterface" ], "limit": 20 } ], "type": "pivot", - "id": "7b556e81-11c2-4ca2-a2ef-2cacb8a684b2", + "id": "78f5b7bf-eb7e-4880-aef1-e046bae2e3e6", "filters": [], "column_groups": [], "sort": [] @@ -2577,7 +2627,7 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ @@ -2641,7 +2691,7 @@ } ], "type": "pivot", - "id": "07db365e-7bac-4016-9401-af1c554800fc", + "id": "0ae7b2a5-e353-437d-ae40-084db739e484", "filters": [], "column_groups": [], "sort": [ 
@@ -2657,66 +2707,6 @@ "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, - "name": null, - "timerange": { - "from": 300, - "type": "relative" - }, - "offset": 0, - "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" - ], - "filter": null, - "decorators": [], - "type": "messages", - "id": "c08a89ef-642d-4481-924c-afa7746c1068", - "limit": 150, - "filters": [] - }, - { - "query": { - "type": "elasticsearch", - "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" - }, - "name": "chart", - "timerange": { - "from": 300, - "type": "relative" - }, - "column_limit": null, - "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" - ], - "row_limit": null, - "series": [ - { - "type": "count", - "id": "count()", - "field": null - } - ], - "filter": null, - "rollup": true, - "row_groups": [ - { - "type": "values", - "fields": [ - "FTNTFGTdevtype" - ], - "limit": 20 - } - ], - "type": "pivot", - "id": "75c4b31c-0771-4bca-a816-8c795f78cf4b", - "filters": [], - "column_groups": [], - "sort": [] - }, - { - "query": { - "type": "elasticsearch", - "query_string": "_exists_:FTNTFGTappcat AND _exists_:FTNTFGTutmaction" - }, "name": "chart", "timerange": { "from": 300, @@ -2724,7 +2714,7 @@ }, "column_limit": null, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ @@ -2740,13 +2730,13 @@ { "type": "values", "fields": [ - "deviceOutboundInterface" + "FTNTFGTutmaction" ], "limit": 20 } ], "type": "pivot", - "id": "181792f7-74bb-4281-89b8-f69f923ad091", + "id": "65603f89-d238-4f98-827d-2b1e3fb001bb", "filters": [], "column_groups": [], "sort": [] @@ -2757,7 +2747,7 @@ "parameters": [], "requires": {}, "owner": "sean", - "created_at": "2023-02-09T21:02:58.254Z" + "created_at": "2023-04-12T15:35:40.836Z" }, "created_at": "2021-08-20T14:52:35.012Z", "requires": {}, 
@@ -2797,7 +2787,7 @@ }, "widgets": [ { - "id": "9e5821e4-a2ad-4879-847c-58572c59656a", + "id": "c689f7d9-7603-4bbe-9270-0cd72d7d3813", "type": "aggregation", "filter": null, "filters": [], @@ -2810,30 +2800,30 @@ "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { - "visualization": "table", + "visualization": "pie", "column_limit": null, "event_annotation": false, - "row_limit": 500, + "row_limit": 20, "row_pivots": [ { "fields": [ - "FTNTFGTapp" + "FTNTFGTapprisk" ], "type": "values", "config": { - "limit": 500 + "limit": 20 } } ], "series": [ { "config": { - "name": "messages" + "name": null }, - "function": "count(FTNTFGTapp)" + "function": "count()" } ], "rollup": true, @@ -2844,7 +2834,7 @@ } }, { - "id": "c689f7d9-7603-4bbe-9270-0cd72d7d3813", + "id": "6429b279-f937-4d57-ac07-0f1ef6741b65", "type": "aggregation", "filter": null, "filters": [], @@ -2857,7 +2847,7 @@ "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", @@ -2867,7 +2857,7 @@ "row_pivots": [ { "fields": [ - "FTNTFGTapprisk" + "FTNTFGTappcat" ], "type": "values", "config": { @@ -2891,7 +2881,7 @@ } }, { - "id": "59ab0cbf-86ba-405e-9414-2f3c0f09ce3b", + "id": "6f858779-4e46-4496-9cda-a808081c0440", "type": "aggregation", "filter": null, "filters": [], @@ -2901,10 +2891,10 @@ }, "query": { "type": "elasticsearch", - "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" + "query_string": "_exists_:FTNTFGTappcat AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", @@ -2914,7 +2904,7 @@ "row_pivots": [ { "fields": [ - "FTNTFGTsrchwvendor" + "deviceOutboundInterface" ], "type": "values", "config": { 
@@ -2938,7 +2928,7 @@ } }, { - "id": "7d41b01e-835f-4a28-a004-3471a948ebb2", + "id": "dde894bd-8943-4dd9-8922-3bff6fe1b1a2", "type": "aggregation", "filter": null, "filters": [], @@ -2948,10 +2938,10 @@ }, "query": { "type": "elasticsearch", - "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" + "query_string": "FTNTFGTappcat:* AND FTNTFGTutmaction:*" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", @@ -2961,7 +2951,7 @@ "row_pivots": [ { "fields": [ - "FTNTFGTutmaction" + "FTNTFGTosname" ], "type": "values", "config": { @@ -2985,7 +2975,7 @@ } }, { - "id": "c2193b01-5433-4738-bf8a-5fd9c511c452", + "id": "14dfad00-67c4-4765-8050-d5bac9f4c1ac", "type": "aggregation", "filter": null, "filters": [], @@ -2998,52 +2988,41 @@ "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { - "visualization": "table", + "visualization": "pie", "column_limit": null, "event_annotation": false, - "row_limit": 500, + "row_limit": 20, "row_pivots": [ { "fields": [ - "dst" - ], - "type": "values", - "config": { - "limit": 500 - } - }, - { - "fields": [ - "dhost" + "deviceInboundInterface" ], "type": "values", "config": { - "limit": 15 + "limit": 20 } } ], "series": [ { "config": { - "name": "messages" + "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], - "visualization_config": { - "pinned_columns": [] - }, + "visualization_config": null, "formatting_settings": null, "sort": [] } }, { - "id": "11e26679-8f2a-4dab-8be7-724c5d2c3f1b", + "id": "9e5821e4-a2ad-4879-847c-58572c59656a", "type": "aggregation", "filter": null, "filters": [], 
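Review bot: Widget `dde894bd-8943-4dd9-8922-3bff6fe1b1a2` now carries `"query_string": "FTNTFGTappcat:* AND FTNTFGTutmaction:*"`, which reintroduces the `field:*` form that the 2.0.0-rev20 changelog entry says was replaced with `_exists_`; it looks like the widget bodies were shuffled and this string survived the move. The matching search type for the same field (`78f5b7bf…`, hunk at -2579) already uses the `_exists_` form, so the widget and its query should agree: `"query_string": "_exists_:FTNTFGTappcat AND _exists_:FTNTFGTutmaction"`. Keeping a wildcard query here is also the kind of thing that forces the `allow_leading_wildcard_searches` setting the README asks users to enable.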
@@ -3056,30 +3035,30 @@ "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { - "visualization": "pie", + "visualization": "table", "column_limit": null, "event_annotation": false, - "row_limit": 20, + "row_limit": 500, "row_pivots": [ { "fields": [ - "FTNTFGTdevtype" + "FTNTFGTapp" ], "type": "values", "config": { - "limit": 20 + "limit": 500 } } ], "series": [ { "config": { - "name": null + "name": "messages" }, - "function": "count()" + "function": "count(FTNTFGTapp)" } ], "rollup": true, @@ -3090,7 +3069,7 @@ } }, { - "id": "14dfad00-67c4-4765-8050-d5bac9f4c1ac", + "id": "11e26679-8f2a-4dab-8be7-724c5d2c3f1b", "type": "aggregation", "filter": null, "filters": [], @@ -3103,7 +3082,7 @@ "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", @@ -3113,7 +3092,7 @@ "row_pivots": [ { "fields": [ - "deviceInboundInterface" + "FTNTFGTdevtype" ], "type": "values", "config": { @@ -3137,7 +3116,7 @@ } }, { - "id": "dde894bd-8943-4dd9-8922-3bff6fe1b1a2", + "id": "c2193b01-5433-4738-bf8a-5fd9c511c452", "type": "aggregation", "filter": null, "filters": [], 
@@ -3147,44 +3126,94 @@ }, "query": { "type": "elasticsearch", - "query_string": "FTNTFGTappcat:* AND FTNTFGTutmaction:*" + "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { - "visualization": "pie", + "visualization": "table", "column_limit": null, "event_annotation": false, - "row_limit": 20, + "row_limit": 500, "row_pivots": [ { "fields": [ - "FTNTFGTosname" + "dst" ], "type": "values", "config": { - "limit": 20 + "limit": 500 + } + }, + { + "fields": [ + "dhost" + ], + "type": "values", + "config": { + "limit": 15 } } ], "series": [ { "config": { - "name": null + "name": "messages" }, "function": "count()" } ], "rollup": true, "column_pivots": [], - "visualization_config": null, + "visualization_config": { + "pinned_columns": [] + }, "formatting_settings": null, "sort": [] } }, { - "id": "12219289-70dd-4d40-8fea-b33b94f4b96d", + "id": "d6bbdb30-ded7-40b9-80fd-002ca662906d", + "type": "messages", + "filter": null, + "filters": [], + "timerange": { + "from": 300, + "type": "relative" + }, + "query": { + "type": "elasticsearch", + "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" + }, + "streams": [ + "48395b4b-1afa-436f-91fc-a43ebe5b6322" + ], + "config": { + "fields": [ + "timestamp", + "shost", + "src", + "dst", + "dpt", + "FTNTFGTapp", + "FTNTFGTappcat", + "FTNTFGTutmaction" + ], + "show_message_row": true, + "show_summary": null, + "decorators": [], + "sort": [ + { + "type": "pivot", + "field": "timestamp", + "direction": "Descending" + } + ] + } + }, + { + "id": "59ab0cbf-86ba-405e-9414-2f3c0f09ce3b", "type": "aggregation", "filter": null, "filters": [], @@ -3197,7 +3226,7 @@ "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", 
@@ -3207,7 +3236,7 @@ "row_pivots": [ { "fields": [ - "FTNTFGTapp" + "FTNTFGTsrchwvendor" ], "type": "values", "config": { @@ -3231,7 +3260,7 @@ } }, { - "id": "348c53bd-c803-4140-83f4-d5098ecf9673", + "id": "12219289-70dd-4d40-8fea-b33b94f4b96d", "type": "aggregation", "filter": null, "filters": [], 
@@ -3244,142 +3273,41 @@ "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { - "visualization": "table", + "visualization": "pie", "column_limit": null, "event_annotation": false, - "row_limit": 500, + "row_limit": 20, "row_pivots": [ { "fields": [ - "src" - ], - "type": "values", - "config": { - "limit": 500 - } - }, - { - "fields": [ - "FTNTFGTsrcmac" - ], - "type": "values", - "config": { - "limit": 500 - } - }, - { - "fields": [ - "shost" - ], - "type": "values", - "config": { - "limit": 500 - } - }, - { - "fields": [ - "FTNTFGTsrchwvendor" - ], - "type": "values", - "config": { - "limit": 500 - } - }, - { - "fields": [ - "FTNTFGTsrcfamily" - ], - "type": "values", - "config": { - "limit": 500 - } - }, - { - "fields": [ - "FTNTFGTosname" - ], - "type": "values", - "config": { - "limit": 500 - } - }, - { - "fields": [ - "FTNTFGTdevtype" + "FTNTFGTapp" ], "type": "values", "config": { - "limit": 500 + "limit": 20 } } ], "series": [ { "config": { - "name": "messages" + "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], - "visualization_config": { - "pinned_columns": [] - }, + "visualization_config": null, "formatting_settings": null, - "sort": [ - { - "type": "series", - "field": "count()", - "direction": "Descending" - } - ] - } - }, - { - "id": "d6bbdb30-ded7-40b9-80fd-002ca662906d", - "type": "messages", - "filter": null, - "filters": [], - "timerange": { - "from": 300, - "type": "relative" - }, - "query": { - "type": "elasticsearch", - "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" - }, - "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" - ], - "config": { - "fields": [ - "timestamp", - "shost", - "src", - "dst", - "dpt", - "FTNTFGTapp", - "FTNTFGTappcat", - "FTNTFGTutmaction" - ], - "show_message_row": true, - "show_summary": null, - "decorators": [], - "sort": [ - { - "type": 
"pivot", - "field": "timestamp", - "direction": "Descending" - } - ] + "sort": [] } }, { - "id": "6f858779-4e46-4496-9cda-a808081c0440", + "id": "7d41b01e-835f-4a28-a004-3471a948ebb2", "type": "aggregation", "filter": null, "filters": [], @@ -3389,10 +3317,10 @@ }, "query": { "type": "elasticsearch", - "query_string": "_exists_:FTNTFGTappcat AND _exists_:FTNTFGTutmaction" + "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { "visualization": "pie", @@ -3402,7 +3330,7 @@ "row_pivots": [ { "fields": [ - "deviceOutboundInterface" + "FTNTFGTutmaction" ], "type": "values", "config": { @@ -3426,7 +3354,7 @@ } }, { - "id": "6429b279-f937-4d57-ac07-0f1ef6741b65", + "id": "348c53bd-c803-4140-83f4-d5098ecf9673", "type": "aggregation", "filter": null, "filters": [], 
@@ -3439,157 +3367,219 @@ "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ - "50f730fc-e938-4f46-bcc6-60eb5422e2ba" + "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { - "visualization": "pie", + "visualization": "table", "column_limit": null, "event_annotation": false, - "row_limit": 20, + "row_limit": 500, "row_pivots": [ { "fields": [ - "FTNTFGTappcat" + "src" ], "type": "values", "config": { - "limit": 20 + "limit": 500 + } + }, + { + "fields": [ + "FTNTFGTsrcmac" + ], + "type": "values", + "config": { + "limit": 500 + } + }, + { + "fields": [ + "shost" + ], + "type": "values", + "config": { + "limit": 500 + } + }, + { + "fields": [ + "FTNTFGTsrchwvendor" + ], + "type": "values", + "config": { + "limit": 500 + } + }, + { + "fields": [ + "FTNTFGTsrcfamily" + ], + "type": "values", + "config": { + "limit": 500 + } + }, + { + "fields": [ + "FTNTFGTosname" + ], + "type": "values", + "config": { + "limit": 500 + } + }, + { + "fields": [ + "FTNTFGTdevtype" + ], + "type": "values", + "config": { + "limit": 500 } } ], "series": [ { "config": { - "name": null + "name": "messages" }, "function": "count()" } ], "rollup": true, "column_pivots": [], - "visualization_config": null, + "visualization_config": { + "pinned_columns": [] + }, "formatting_settings": null, - "sort": [] + "sort": [ + { + "type": "series", + "field": "count()", + "direction": "Descending" + } + ] } } ], "widget_mapping": { "59ab0cbf-86ba-405e-9414-2f3c0f09ce3b": [ - "792b5a95-188f-4bb6-a6ca-92655ffc4996" + "08c46380-bc73-48b7-ae97-7380f8df91e2" ], "c689f7d9-7603-4bbe-9270-0cd72d7d3813": [ - "718ea932-9aaf-44c2-bcad-510de6be9d75" + "023f660c-0af5-40a6-b5c0-d156a5941b3e" ], "7d41b01e-835f-4a28-a004-3471a948ebb2": [ - "c8e4f732-3b40-4b2f-b7e3-bc48293bd5e3" + "65603f89-d238-4f98-827d-2b1e3fb001bb" ], "348c53bd-c803-4140-83f4-d5098ecf9673": [ - "07db365e-7bac-4016-9401-af1c554800fc" + "0ae7b2a5-e353-437d-ae40-084db739e484" ], "c2193b01-5433-4738-bf8a-5fd9c511c452": [ 
- "315292cd-9170-412b-8e28-fb5a02f8b4f0" + "41f4ae76-bc90-49ed-8765-bd57df671eed" ], "14dfad00-67c4-4765-8050-d5bac9f4c1ac": [ - "f95c870f-0dc8-43a6-99a7-398da91adac2" + "26c996fb-43bb-41cc-aa64-6090b81ec26d" ], "6f858779-4e46-4496-9cda-a808081c0440": [ - "181792f7-74bb-4281-89b8-f69f923ad091" + "78f5b7bf-eb7e-4880-aef1-e046bae2e3e6" ], "9e5821e4-a2ad-4879-847c-58572c59656a": [ - "f8ae4b67-812b-4bda-bc6d-07fe2c7ecedb" + "986cd626-1343-4f2d-b049-c9734e56c6cd" ], "6429b279-f937-4d57-ac07-0f1ef6741b65": [ - "b833e853-b097-47a8-bad9-02ae88f29b02" + "94d26ba2-c867-4ec8-bde9-4f219f4bb657" ], "12219289-70dd-4d40-8fea-b33b94f4b96d": [ - "7b556e81-11c2-4ca2-a2ef-2cacb8a684b2" + "8fe17fed-6a9b-4d12-a74c-56eb7af882de" ], "11e26679-8f2a-4dab-8be7-724c5d2c3f1b": [ - "75c4b31c-0771-4bca-a816-8c795f78cf4b" + "e67bd74e-274c-44b5-8e66-f9f9476e2839" ], "d6bbdb30-ded7-40b9-80fd-002ca662906d": [ - "c08a89ef-642d-4481-924c-afa7746c1068" + "8d38862c-b759-4274-87c1-f4d8260ad0a1" ], "dde894bd-8943-4dd9-8922-3bff6fe1b1a2": [ - "0ae0b19e-4855-4c0f-9f49-032f65b405f0" + "f804de66-5021-4c2a-9631-3537fcd8f50a" ] }, "positions": { "59ab0cbf-86ba-405e-9414-2f3c0f09ce3b": { "col": 9, - "row": 31, + "row": 37, "height": 4, "width": 4 }, "c689f7d9-7603-4bbe-9270-0cd72d7d3813": { "col": 9, - "row": 27, + "row": 33, "height": 4, "width": 4 }, "7d41b01e-835f-4a28-a004-3471a948ebb2": { "col": 9, - "row": 4, + "row": 10, "height": 4, "width": 4 }, "348c53bd-c803-4140-83f4-d5098ecf9673": { "col": 1, - "row": 8, + "row": 14, "height": 4, "width": "Infinity" }, "c2193b01-5433-4738-bf8a-5fd9c511c452": { "col": 1, - "row": 12, + "row": 18, "height": 4, "width": 6 }, "14dfad00-67c4-4765-8050-d5bac9f4c1ac": { "col": 1, - "row": 27, + "row": 33, "height": 4, "width": 4 }, "6f858779-4e46-4496-9cda-a808081c0440": { "col": 5, - "row": 27, + "row": 33, "height": 4, "width": 4 }, "9e5821e4-a2ad-4879-847c-58572c59656a": { "col": 7, - "row": 12, + "row": 18, "height": 4, "width": 6 }, 
"6429b279-f937-4d57-ac07-0f1ef6741b65": { "col": 1, - "row": 23, + "row": 29, "height": 4, "width": "Infinity" }, "12219289-70dd-4d40-8fea-b33b94f4b96d": { "col": 1, - "row": 4, + "row": 10, "height": 4, "width": 8 }, "11e26679-8f2a-4dab-8be7-724c5d2c3f1b": { "col": 5, - "row": 31, + "row": 37, "height": 4, "width": 4 }, "d6bbdb30-ded7-40b9-80fd-002ca662906d": { "col": 1, - "row": 16, + "row": 22, "height": 7, "width": "Infinity" }, "dde894bd-8943-4dd9-8922-3bff6fe1b1a2": { "col": 1, - "row": 31, + "row": 37, "height": 4, "width": 4 } @@ -3617,7 +3607,7 @@ "constraints": [ { "type": "server-version", - "version": ">=5.0.3+a82acb2" + "version": ">=5.0.6+51f2df8" } ] }, 
@@ -3839,208 +3829,7 @@ "name": "stream", "version": "1" }, - "id": "b22cba7f-8ae4-4a70-b84f-c71c888b00f4", - "data": { - "alarm_callbacks": [], - "outputs": [], - "remove_matches": { - "@type": "boolean", - "@value": true - }, - "title": { - "@type": "string", - "@value": "Fortigate CEF Logs" - }, - "stream_rules": [ - { - "type": { - "@type": "string", - "@value": "EXACT" - }, - "field": { - "@type": "string", - "@value": "device_product" - }, - "value": { - "@type": "string", - "@value": "Fortigate" - }, - "inverted": { - "@type": "boolean", - "@value": false - }, - "description": { - "@type": "string", - "@value": "" - } - } - ], - "alert_conditions": [], - "matching_type": { - "@type": "string", - "@value": "AND" - }, - "disabled": { - "@type": "boolean", - "@value": false - }, - "description": { - "@type": "string", - "@value": "Common Event Format (CEF) loggs from Fortigate firewalls" - }, - "default_stream": { - "@type": "boolean", - "@value": false - } - }, - "constraints": [ - { - "type": "server-version", - "version": ">=4.3.4+aae97b4" - } - ] - }, - { - "v": "1", - "type": { - "name": "stream", - "version": "1" - }, - "id": "b8ec4424-0dfb-4e9d-a209-7e12aea2d143", - "data": { - "alarm_callbacks": [], - "outputs": [], - "remove_matches": { - "@type": "boolean", - "@value": true - }, - "title": { - "@type": "string", - "@value": "Fortigate CEF Logs" - }, - "stream_rules": [ - { - "type": { - "@type": "string", - "@value": "EXACT" - }, - "field": { - "@type": "string", - "@value": "device_product" - }, - "value": { - "@type": "string", - "@value": "Fortigate" - }, - "inverted": { - "@type": "boolean", - "@value": false - }, - "description": { - "@type": "string", - "@value": "" - } - } - ], - "alert_conditions": [], - "matching_type": { - "@type": "string", - "@value": "AND" - }, - "disabled": { - "@type": "boolean", - "@value": false - }, - "description": { - "@type": "string", - "@value": "Common Event Format (CEF) loggs from Fortigate firewalls" - }, - 
"default_stream": { - "@type": "boolean", - "@value": false - } - }, - "constraints": [ - { - "type": "server-version", - "version": ">=4.3.8+8c4705e" - } - ] - }, - { - "v": "1", - "type": { - "name": "stream", - "version": "1" - }, - "id": "46845000-a9d4-47b8-b74d-c848959f47ab", - "data": { - "alarm_callbacks": [], - "outputs": [], - "remove_matches": { - "@type": "boolean", - "@value": true - }, - "title": { - "@type": "string", - "@value": "Fortigate CEF Logs" - }, - "stream_rules": [ - { - "type": { - "@type": "string", - "@value": "EXACT" - }, - "field": { - "@type": "string", - "@value": "device_product" - }, - "value": { - "@type": "string", - "@value": "Fortigate" - }, - "inverted": { - "@type": "boolean", - "@value": false - }, - "description": { - "@type": "string", - "@value": "" - } - } - ], - "alert_conditions": [], - "matching_type": { - "@type": "string", - "@value": "AND" - }, - "disabled": { - "@type": "boolean", - "@value": false - }, - "description": { - "@type": "string", - "@value": "Common Event Format (CEF) loggs from Fortigate firewalls" - }, - "default_stream": { - "@type": "boolean", - "@value": false - } - }, - "constraints": [ - { - "type": "server-version", - "version": ">=5.0.2+59d96f8" - } - ] - }, - { - "v": "1", - "type": { - "name": "stream", - "version": "1" - }, - "id": "50f730fc-e938-4f46-bcc6-60eb5422e2ba", + "id": "48395b4b-1afa-436f-91fc-a43ebe5b6322", "data": { "alarm_callbacks": [], "outputs": [], @@ -4097,7 +3886,7 @@ "constraints": [ { "type": "server-version", - "version": ">=5.0.3+a82acb2" + "version": ">=5.0.6+51f2df8" } ] }
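Review bot: All three deleted streams routed on a single rule, `device_product` EXACT `Fortigate`; the surviving stream's rules lie outside this hunk, but if it uses the same rule (which "duplicate" suggests) it is worth noting that `device_product` is a value parsed from the CEF header the sender supplies, not anything Graylog verifies. Any host that can reach the CEF input — trivially so over the UDP input the pack's own description warns is unencrypted — can therefore inject messages into this stream and its dashboards simply by sending `device_product=Fortigate`. A second stream rule pinning the input (for example on `gl2_source_input` or `source`), or restricting the input to the firewalls' addresses at the network layer, would narrow that. This is a hardening caveat for the README rather than a defect introduced by this commit.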