SIEM & UEBA


FortiSIEM NginxParser Update

  • 1.  FortiSIEM NginxParser Update

    Posted Mar 26, 2021 04:40 PM
    We have found an issue with the parsing of nginx logs. The built-in parser labeled NginxParser has a hard-coded parameter for the GMT time that only accepts a + value; in reality this will not parse half of the world's nginx logs, which may use a negative (-) value. A sample fix is below. For context, we are on version 6.1.1.

    Parser name : NginxParser
    BEFORE
    Section of focus
    <collectFieldsByRegex src="$_body"> <regex><![CDATA[^<srcIpAddr:gPatIpAddr>\s+-\s+-\s+\[<:gPatDay>/<:gPatMon>/<:gPatYear>:<:gPatTime>\s+\+\d+\]\s+"<httpMethod:gPatStr>\s+<uriStem:gPatStr>\s+HTTP/<httpVersion:patStrQuoted>"\s+<httpStatusCode:gPatStr>\s+<httpLimitRate:gPatStr>\s+"<httpReferrer:patStrQuoted>"\s+"<httpUserAgent:patStrQuoted>"\s*]]></regex> </collectFieldsByRegex>

    AFTER – adding (?:\+|\-) to parse the time zone in the GMT time format as either + or -; it seems like only + was hard-coded

    <collectFieldsByRegex src="$_body"> <regex><![CDATA[^<srcIpAddr:gPatIpAddr>\s+-\s+-\s+\[<:gPatDay>/<:gPatMon>/<:gPatYear>:<:gPatTime>\s+(?:\+|\-)\d+\]\s+"<httpMethod:gPatStr>\s+<uriStem:gPatStr>\s+HTTP/<httpVersion:patStrQuoted>"\s+<httpStatusCode:gPatStr>\s+<httpLimitRate:gPatStr>\s+"<httpReferrer:patStrQuoted>"\s+"<httpUserAgent:patStrQuoted>"\s*]]></regex> </collectFieldsByRegex>
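As an added illustration (not code from the original post or from FortiSIEM), the Python below approximates the parser's regex and runs the BEFORE and AFTER versions over two constructed log lines, one with a positive and one with a negative offset. The expansions of the gPat* tokens and the sample lines are assumptions, not taken from the product.

```python
import re

# Constructed nginx access-log lines (not from the original post): one with a
# positive and one with a negative UTC offset in the timestamp.
SAMPLE_LOGS = [
    '203.0.113.10 - - [26/Mar/2021:16:40:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [26/Mar/2021:11:40:01 -0500] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0"',
]


def build_pattern(tz_sign):
    """Assemble the parser regex with the given sub-pattern for the offset sign.

    The named groups are plain-regex stand-ins for FortiSIEM's gPat* tokens;
    their exact definitions are an assumption, not taken from the page.
    """
    return re.compile(
        r'^(?P<srcIpAddr>\d{1,3}(?:\.\d{1,3}){3})\s+-\s+-\s+'
        r'\[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):(?P<time>\d{2}:\d{2}:\d{2})\s+'
        + tz_sign +  # sign of the UTC offset: the only part the fix changes
        r'\d+\]\s+'
        r'"(?P<httpMethod>\S+)\s+(?P<uriStem>\S+)\s+HTTP/(?P<httpVersion>[^"]*)"\s+'
        r'(?P<httpStatusCode>\S+)\s+(?P<httpLimitRate>\S+)\s+'
        r'"(?P<httpReferrer>[^"]*)"\s+"(?P<httpUserAgent>[^"]*)"\s*'
    )


# BEFORE: the sign of the offset is hard-coded to '+', as in the shipped parser.
BEFORE = build_pattern(r'\+')
# AFTER: the post's fix, accepting either sign.
AFTER = build_pattern(r'(?:\+|\-)')


def parse(pattern, line):
    """Return the named fields as a dict, or None when the line does not match."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def compare(lines):
    """Parse each line with both patterns; returns (before_results, after_results)."""
    return [parse(BEFORE, l) for l in lines], [parse(AFTER, l) for l in lines]


if __name__ == "__main__":
    before, after = compare(SAMPLE_LOGS)
    for line, b, a in zip(SAMPLE_LOGS, before, after):
        status = lambda r: "ok" if r else "NO MATCH"
        print(f"{line[:45]}...  before: {status(b)}  after: {status(a)}")
```

Note that, as in the original parser, the offset is matched but not captured into a field, so the event time is still taken from the unnamed gPatTime portion alone.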


  • 2.  RE: FortiSIEM NginxParser Update

    GROUP ADMIN
    Posted Mar 29, 2021 03:24 AM
    Hi Alex,

    Thanks very much for pointing this out.

    Do you have a sample event, where this was an issue?

    I can use that as a test and then look to improve the built-in parser.

    Thanks

    Dan

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------



  • 3.  RE: FortiSIEM NginxParser Update

    Posted Mar 29, 2021 07:45 AM
    Hello Daniel,

    Thank you for your reply. I have opened a support ticket to share the logs in question and to discuss an update to the parser for the next release.

    Regards,
    Alex