Hi Folks,

The default parser in Google SecOps (Chronicle) does not parse the attributes inside cfgattr= (such as uuid, status, name, comments) from FortiGate firewall logs. In the statedump it extracts cfgattr, but I couldn't map these to UDM fields.

Using Grok Debugger, I created a pattern that correctly extracts these attributes and maps them to the appropriate UDM fields.

I would appreciate your support in troubleshooting this issue.

%{DATA}cfgattr="uuid\\[%{UUID:uuid}\\]status\\[%{WORD:status}->%{WORD:status_new}\\]name\\[%{DATA:name}\\]srcaddr\\[%{DATA:srcaddr_old}->%{DATA:srcaddr_new}\\]schedule\\[%{DATA:schedule_old}->%{DATA:schedule_new}\\]comments\\[%{DATA:comments_old}->%{DATA:comments_new}\\]"

<190>date=2025-02-07 time=10:55:36 devname="DEVICENAME" devid="FGVM123123123" eventtime=1738914936223542976 tz="+0300" logid="0101010101" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="username" ui="GUI(1.1.1.1)" action="Edit" cfgtid=123321 cfgpath="firewall.policy" cfgobj="50" cfgattr="uuid[c11fdabe-c321-34df-b918-ad6661291c10]status[disable->enable]name[->Ticket-121212]srcaddr[Group_Name_1 Group_Name_2->Group2_Test_10.10.10.10 Group2_Test_10.10.10.10]schedule[always->22feb]comments[ (Rulename)->Ticket-131313]" msg="Edit firewall.policy 50"
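The Grok pattern above hard-codes the order of the attributes (uuid, status, name, srcaddr, schedule, comments), so it only matches events that carry exactly that set in exactly that sequence. The following is an added example, not code from the original post or from the Chronicle parser: it first splits the FortiGate key=value body, then generalises the cfgattr handling to any number of `attr[old->new]` segments in any order, treating a segment without `->` (such as uuid[...]) as a single value and keeping an empty old value (name[->Ticket-121212]) as an empty string. The `cfgattr.<attr>.<old|new|value>` key names in `flatten_for_udm` are this example's own choice for what a custom parser would write into additional.fields; they are not the field names of Google's parser. The sample event is the one from the post.

```python
import re

# Sample FortiGate config-change event, copied from the post above (constructed test input).
SAMPLE_LOG = (
    '<190>date=2025-02-07 time=10:55:36 devname="DEVICENAME" devid="FGVM123123123" '
    'eventtime=1738914936223542976 tz="+0300" logid="0101010101" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="username" ui="GUI(1.1.1.1)" action="Edit" cfgtid=123321 cfgpath="firewall.policy" '
    'cfgobj="50" cfgattr="uuid[c11fdabe-c321-34df-b918-ad6661291c10]status[disable->enable]'
    'name[->Ticket-121212]srcaddr[Group_Name_1 Group_Name_2->Group2_Test_10.10.10.10 '
    'Group2_Test_10.10.10.10]schedule[always->22feb]comments[ (Rulename)->Ticket-131313]" '
    'msg="Edit firewall.policy 50"'
)

# key="quoted value" or key=bare_value. Quoted values may contain spaces and brackets,
# so the quoted alternative is tried first and consumes everything up to the closing quote.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# One attr[value] segment inside cfgattr. The value may be empty or contain spaces,
# but FortiGate does not nest brackets, so "anything but ]" is the right stop condition.
ATTR_RE = re.compile(r'(\w+)\[([^\]]*)\]')


def parse_kv(log_line: str) -> dict:
    """Split the FortiGate key=value body into a dict; the <PRI> syslog prefix is dropped."""
    body = re.sub(r'^<\d+>', '', log_line)
    fields = {}
    for m in KV_RE.finditer(body):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_cfgattr(cfgattr: str) -> dict:
    """Expand 'attr[old->new]' segments into {attr: {"old": ..., "new": ...}}.

    A segment without '->' (e.g. uuid[...]) becomes {attr: {"value": ...}}.
    Surrounding whitespace is stripped, so 'comments[ (Rulename)->X]' yields old='(Rulename)'.
    An empty old value ('name[->Ticket-121212]') is kept as '' rather than being dropped,
    because "attribute was previously unset" is itself useful change-tracking information.
    """
    parsed = {}
    for attr, value in ATTR_RE.findall(cfgattr):
        if '->' in value:
            old, new = value.split('->', 1)
            parsed[attr] = {"old": old.strip(), "new": new.strip()}
        else:
            parsed[attr] = {"value": value.strip()}
    return parsed


def flatten_for_udm(log_line: str) -> dict:
    """Flatten the parsed cfgattr into 'cfgattr.<attr>.<old|new|value>' keys.

    This naming is an assumption of this example (the shape a custom parser might write
    into additional.fields); it is not the naming used by the Chronicle parser.
    """
    fields = parse_kv(log_line)
    flat = {}
    for attr, parts in parse_cfgattr(fields.get("cfgattr", "")).items():
        for part, val in parts.items():
            flat[f"cfgattr.{attr}.{part}"] = val
    return flat


if __name__ == "__main__":
    for key, val in sorted(flatten_for_udm(SAMPLE_LOG).items()):
        print(f'{key}: "{val}"')
```

Run as a script it prints one line per extracted attribute, which is a convenient way to check a candidate pattern against a captured event before porting it to the parser configuration; the policy-change detail (which source addresses or schedule changed, and from what) is exactly what a change-review detection would key on.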

Hi @tnxtr,

We noticed something similar internally and the parser team released an update on 2025-01-20 to resolve. Please ensure you're using the latest version of the parser for FORTINET_FIREWALL. See https://cloud.google.com/chronicle/docs/ingestion/parser-list/fortinet-firewall-changelog for details.

If you're still seeing this issue, please file a support ticket.

Thanks!

Yeah, the updated parser worked, but it did not extract the values inside; it only extracted the entire block.

This is how it looks in UDM:

additional.fields["cfgattr"]: "uuid[c11fdabe-c321-34df-b918-ad6661291c10]status[disable->enable]name[->Ticket-121212]srcaddr[Group_Name_1 Group_Name_2->Group2_Test_10.10.10.10 Group2_Test_10.10.10.10]schedule[always->22feb]comments[ (Rulename)->Ticket-131313]"

But I need the attributes inside cfgattr.

I see! I passed your request to the parsing team for evaluation.

Thanks 🙂 I'll wait for the update