Different log fields order

Author: LUQSON
2021/09/28 04:41:56


Hello, I found that there might be some differences in log field order between different FortiOS implementations. For example (using a log from the doc: https://docs.fortinet.com/document/fortigate/6.2.3/fortios-log-message-reference/357866/log-message-fields), if we have the log:
date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586
some fields may change their order. In the example above, you can see dstcountry before srccountry, but I've also seen implementations which sent logs with the srccountry field before dstcountry. Such reordering affects almost every field that may appear in the log, e.g. the field "service" might be earlier or later in the log. Does anyone know what causes the order of the log fields to change? The question is about parsing, but a different order of log fields makes this type of task much more difficult.
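The practical answer to the parsing problem is to stop depending on position at all: tokenize each line into key=value pairs and work with the resulting map. The following is an added example, not code from the thread or from Fortinet; it assumes only the key=value syntax visible in the post (bare values, or double-quoted values that may contain spaces). DOC_LINE is the line quoted above; REORDERED_LINE is constructed here to mimic the shuffled order the post describes. The parser rejects lines with stray text or repeated keys instead of silently dropping fields, and canonicalize re-emits a record in a fixed order so lines from different FortiOS versions can be compared or de-duplicated as strings.

```python
import re
from typing import Dict

# One key=value token as emitted by FortiOS / FortiAnalyzer.  Values are either
# double-quoted (may contain spaces; a backslash escapes the next character)
# or bare tokens with no whitespace.
_KV_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_\-]*)='
    r'(?P<val>"(?:[^"\\]|\\.)*"|[^\s"]*)'
)

# Fields emitted first by canonicalize() so output stays readable; everything
# else is emitted sorted.  This ordering is our own choice, not a Fortinet one.
_LEAD_FIELDS = ("date", "time", "logid", "type", "subtype", "level", "vd", "eventtime")

# Sample line copied from the post (Fortinet's 6.2.3 log message reference).
DOC_LINE = (
    'date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" '
    'srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 '
    'dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" '
    'poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" '
    'policyid=1 policytype="policy" policymode="learn" service="HTTPS" '
    'dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 '
    'transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" '
    'duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" '
    'countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" '
    'srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586'
)

# Constructed for this example: the same event with the field order shuffled the
# way the post describes (srccountry before dstcountry, service moved, etc.).
REORDERED_LINE = (
    'date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcport=40772 '
    'srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstport=443 '
    'dstintf="port11" dstintfrole="undefined" srccountry="Reserved" '
    'dstcountry="United States" sessionid=8058 proto=6 action="close" policyid=1 '
    'policytype="policy" policymode="learn" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" '
    'trandisp="snat" transip=172.16.200.2 transport=40772 duration=2 sentbyte=1850 '
    'rcvdbyte=39898 sentpkt=25 rcvdpkt=37 appid=40568 app="HTTPS.BROWSER" '
    'appcat="Web.Client" apprisk="medium" service="HTTPS" srcname="pc1" '
    'dstname="fortiguard.com" utmaction="allow" countapp=1 devtype="Linux PC" '
    'osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" '
    'srcserver=0 utmref=0-220586'
)


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, independent of field order.

    Raises ValueError on text that is not a key=value token (truncation,
    corruption) and on a repeated key, so malformed lines are not accepted
    silently with fields quietly dropped.
    """
    fields: Dict[str, str] = {}
    pos = 0
    for m in _KV_RE.finditer(line):
        # Only whitespace may separate consecutive tokens.
        gap = line[pos:m.start()]
        if gap.strip():
            raise ValueError(f"unparsable text at offset {pos}: {gap!r}")
        key, val = m.group("key"), m.group("val")
        if val.startswith('"'):
            # Drop the surrounding quotes and undo backslash escapes.
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = val
        pos = m.end()
    tail = line[pos:]
    if tail.strip():
        raise ValueError(f"unparsable trailing text: {tail!r}")
    if not fields:
        raise ValueError("no key=value fields found")
    return fields


def is_parsable(line: str) -> bool:
    """True when parse_fortios_log() accepts the line."""
    try:
        parse_fortios_log(line)
    except ValueError:
        return False
    return True


def canonicalize(fields: Dict[str, str]) -> str:
    """Re-emit a parsed record in a fixed field order.

    Two lines describing the same event compare equal as strings after this,
    whatever order the sending device used, and the output re-parses to the
    same dict.
    """
    ordered = [k for k in _LEAD_FIELDS if k in fields]
    ordered += sorted(k for k in fields if k not in _LEAD_FIELDS)
    parts = []
    for key in ordered:
        val = fields[key]
        # Quote anything that is not a plain token so the output stays parsable.
        if not re.fullmatch(r"[A-Za-z0-9.:_\-/+]+", val):
            val = '"' + val.replace("\\", "\\\\").replace('"', '\\"') + '"'
        parts.append(f"{key}={val}")
    return " ".join(parts)


def same_event(line_a: str, line_b: str) -> bool:
    """Compare two log lines field by field, ignoring field order."""
    return parse_fortios_log(line_a) == parse_fortios_log(line_b)


if __name__ == "__main__":
    print(same_event(DOC_LINE, REORDERED_LINE))  # True: identical once parsed
    print(canonicalize(parse_fortios_log(REORDERED_LINE)))
```

Because the parser never relies on position, the same code handles a line from any FortiOS build as long as the key=value syntax holds; the strict gap check is what turns a truncated or corrupted line into an error rather than a record with a few fields missing, which is the failure you do not want to discover later in a SIEM.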

3 Replies

    emnoc
    Re: Different log fields order 2021/09/28 07:19:39
    What OS version are you seeing reordering in? (FortiOS version)
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    LUQSON
    Re: Different log fields order 2021/09/28 23:19:44
    It was FortiAnalyzer-3000F v6.4.0 GA build2002,
    but I was getting logs from different versions, and for different FortiOS versions field reordering was seen.
    Is it somehow possible to make the field order universal/common?
    emnoc
    Re: Different log fields order 2021/09/29 00:09:43
    I never heard of that, but you still haven't answered the question: what FortiOS versions? If you're running something older, then I would upgrade. I checked our FortiOS 6.4 and 7.0 and do not see any fields out of order, FWIW.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  