
Comments (4)

enotspe avatar enotspe commented on July 2, 2024

you can copy the utmprofile value to namespace.

That is what is cool about all the code being open, you can tweak it to your case, which is very very specific. Normally I have seen the use of VDOMs for partitioning clients.

mutate { replace => { "[data_stream][namespace]" => "%{[fgt][profile]}" } }

from fortinet-2-elasticsearch.

JesseNordin avatar JesseNordin commented on July 2, 2024

Sorry, I'm not entirely sure that I follow.

Are you saying that we could apply this mutation at a per-"Space" level, specifying the space and the associated fgt profile?

Or would this be globally applied, so that ELK can pick up the fgt profiles within the data streams to allow for the option of granting access to specific fields, etc.?

from fortinet-2-elasticsearch.

enotspe avatar enotspe commented on July 2, 2024

I was digging a little bit more into alternatives to your request @JesseNordin .

Let me first clarify your setup: you have one firewall with one VDOM that receives traffic from many clients. I guess you have them split into several policies, and each policy applies a different UTM profile customized for each client.

So

Policy1 --> Client1
Policy2 --> Client1
Policy3 --> Client2
.
.
.

Am I right???

Well, if that is the case, I think the best solution would be to apply a custom field to every policy.

config log custom-field
    edit "1"
        set name "client"
        set value "client1"
    next
    edit "2"
        set name "client"
        set value "client2"
    next
end

and then apply these custom fields to the corresponding policies

config firewall policy
    edit <policyid-client1>
        set custom-log-fields "1"
    next
    edit <policyid-client2>
        set custom-log-fields "2"
    next
end

That way traffic logs, and hopefully UTM logs as well, will have a way to identify your final client.

Then simply copy that field to data_stream.namespace so you can segment your indices accordingly:

mutate { replace => { "[data_stream][namespace]" => "%{[fgt][client]}" } }

I have not tested any of this code, but I see no reason why it would not work.

Hope this is useful and please share your results.

from fortinet-2-elasticsearch.
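The routing step proposed in the comment above (a per-policy custom log field copied into data_stream.namespace), as an added example that is not code from this thread or from the fortinet-2-elasticsearch project. It is written in Python rather than as a Logstash filter so the checks are explicit; the sample log lines, the `policyid` values and the use of `client` as the custom field name are constructed for the example. What it adds is the failure mode the one-line mutate does not cover: Logstash leaves `%{[fgt][client]}` literally in place when the event has no such field, so any policy without a custom-log-field would land in a namespace literally named `%{[fgt][client]}` instead of being kept apart from tenant namespaces, and a tenant value containing characters Elasticsearch rejects in data stream names (space, `/`, `*`, `?`, `"`, `<`, `>`, `|`, `,`, `#`, `:`, `\`) would fail to index. The example falls back to a default namespace and sanitizes the value.

```python
"""Derive data_stream.namespace from a per-policy FortiGate custom log field.

Added example, not part of the fortinet-2-elasticsearch project.
"""
import re

# Constructed FortiGate-style key=value lines. The "client" key stands in for
# the custom log field configured per policy in the comment above.
SAMPLE_LOGS = [
    'date=2024-07-02 time=10:00:01 type="traffic" subtype="forward" policyid=1 srcip=10.0.1.5 client="client1"',
    'date=2024-07-02 time=10:00:02 type="traffic" subtype="forward" policyid=3 srcip=10.0.2.7 client="client2"',
    'date=2024-07-02 time=10:00:03 type="utm" subtype="webfilter" policyid=1 srcip=10.0.1.5 client="Client-1 Corp"',
    # Policy 9 has no custom-log-fields set: the tenant field is absent.
    'date=2024-07-02 time=10:00:04 type="traffic" subtype="forward" policyid=9 srcip=10.0.9.9',
]

DEFAULT_NAMESPACE = "default"
TENANT_KEY = "client"  # assumed custom field name, as in the comment above

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Characters Elasticsearch rejects in index / data stream names.
FORBIDDEN = set('\\/*?"<>|, #:')


def parse_fgt_line(line):
    """Parse a FortiGate key=value syslog line into a dict, stripping quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def sanitize_namespace(value):
    """Return a namespace acceptable to Elasticsearch, or None if nothing usable remains."""
    ns = value.strip().lower()
    ns = "".join("_" if c in FORBIDDEN else c for c in ns)
    ns = re.sub(r"_+", "_", ns).strip("_")
    if not ns or ns in (".", "..") or ns.startswith(("-", "+")):
        return None
    return ns


def route(fields, tenant_key=TENANT_KEY):
    """Equivalent of the mutate/replace step, with the missing-field case handled.

    Returns (namespace, reason). Events without the tenant field go to the
    default namespace rather than to a literal '%{[fgt][client]}' namespace.
    """
    value = fields.get(tenant_key)
    if value is None:
        return DEFAULT_NAMESPACE, "missing tenant field"
    ns = sanitize_namespace(value)
    if ns is None:
        return DEFAULT_NAMESPACE, "invalid tenant field"
    return ns, "ok"


def route_all(lines):
    """Route every sample line; returns (policyid, namespace, reason) per line."""
    out = []
    for line in lines:
        fields = parse_fgt_line(line)
        ns, reason = route(fields)
        out.append((fields.get("policyid"), ns, reason))
    return out


if __name__ == "__main__":
    for policyid, ns, reason in route_all(SAMPLE_LOGS):
        print(f"policyid={policyid:<3} namespace={ns:<16} ({reason})")
```

In a Logstash pipeline the same guard is an `if [fgt][client]` around the `mutate`, with an `else` branch that sets a fixed namespace; the events that end up in the default namespace are the ones to alert on, since they indicate a policy that logs tenant traffic without a tenant label.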
