add support for malformed quotes and log version field

haetamoudi · web-flow · commit 62cdd1a1db50 · 2025-10-29T16:13:25.000+01:00
diff --git a/packages/fortinet_fortiproxy/changelog.yml b/packages/fortinet_fortiproxy/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.3"
+  changes:
+    - description: add support for malformed quotes and log version field
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15766
 - version: "1.2.2"
   changes:
     - description: Generate processor tags and normalize error handler.
diff --git a/packages/fortinet_fortiproxy/data_stream/log/_dev/test/pipeline/test-example.log b/packages/fortinet_fortiproxy/data_stream/log/_dev/test/pipeline/test-example.log
@@ -28,3 +28,4 @@ date=2017-11-15 time=11:44:16 tz="+0200" logid="0000000013" type="traffic" subty
 <189>date=2024-05-09 time=06:20:04 devname="TEST-PXY01" devid="FPXTESTPXY01" eventtime=1715260803895122957 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.3 srcport=41460 srcintf="port2" srcintfrole="lan" dstcountry="United States" srccountry="Reserved" dstip=67.43.156.171 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1781818021 service="HTTPS" proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="27b09930-033d-51ef-0c72-6c1221a8d893" policyname="test-proxy" trandisp="snat" transip=10.0.128.2 transport=7242 clientip=10.0.0.3 duration=12536 wanin=3665 rcvdbyte=3665 wanout=667 lanin=755 sentbyte=755 lanout=3737 appcat="unscanned" utmaction="allow" countssl=1
 <189>date=2024-05-09 time=06:21:14 devname="TEST-PXY01" devid="FPXTESTPXY01" eventtime=1715260873739449705 tz="-0700" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=29 totalsession=38 disk=0 bandwidth="20/20" setuprate=1 disklograte=0 fazlograte=0 freediskstorage=0 sysuptime=166235 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory:  29, concurrent sessions:  38, setup-rate: 1"
 <189>date=2024-05-09 time=06:19:39 devname="TEST-PXY01" devid="FPXTESTPXY01" eventtime=1715260778798356673 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.3 srcport=47886 srcintf="port2" srcintfrole="lan" dstcountry="United States" srccountry="Reserved" dstip=67.43.156.10 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1781818019 service="HTTPS" proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="27b09930-033d-51ef-0c72-6c1221a8d893" policyname="test-proxy" trandisp="snat" transip=10.0.128.2 transport=53184 clientip=10.0.0.3 duration=8089 wanin=125800732 rcvdbyte=125800732 wanout=632 lanin=798 sentbyte=798 lanout=125824455 appcat="unscanned" utmaction="allow"
+<189>logver=704080649 timestamp=1760084266 devname="TEST-PXY01" devid="FPXTESTPXY01" vd="root" date=2025-10-10 time=08:17:46 eventtime=1760077067153677744 tz="+0200" logid="0000000010" type="event" subtype="user" level="notice" logdesc="Explicit proxy authentication failed" srcip=10.0.0.175 dstip=10.0.0.199 authid="999-WGS-AUTH-DEFAULT" user=""http" authproto="HTTP(10.0.0.175)" action="NTLM-auth" status="failure" url="http://10.0.0.199/" reason="Authentication failed" msg="User "http failed in authentication"
diff --git a/packages/fortinet_fortiproxy/data_stream/log/_dev/test/pipeline/test-example.log-expected.json b/packages/fortinet_fortiproxy/data_stream/log/_dev/test/pipeline/test-example.log-expected.json
@@ -2818,6 +2818,78 @@
                 },
                 "port": 47886
             }
+        },
+        {
+            "@timestamp": "2025-10-10T06:17:46.000Z",
+            "client": {
+                "ip": "10.0.0.175"
+            },
+            "destination": {
+                "ip": "10.0.0.199"
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "NTLM-auth",
+                "category": [
+                    "network"
+                ],
+                "code": "0000000010",
+                "kind": "event",
+                "original": "<189>logver=704080649 timestamp=1760084266 devname=\"TEST-PXY01\" devid=\"FPXTESTPXY01\" vd=\"root\" date=2025-10-10 time=08:17:46 eventtime=1760077067153677744 tz=\"+0200\" logid=\"0000000010\" type=\"event\" subtype=\"user\" level=\"notice\" logdesc=\"Explicit proxy authentication failed\" srcip=10.0.0.175 dstip=10.0.0.199 authid=\"999-WGS-AUTH-DEFAULT\" user=\"\"http\" authproto=\"HTTP(10.0.0.175)\" action=\"NTLM-auth\" status=\"failure\" url=\"http://10.0.0.199/\" reason=\"Authentication failed\" msg=\"User \"http failed in authentication\"",
+                "reason": "Authentication failed",
+                "start": "2025-10-10T06:17:47.153Z",
+                "timezone": "+0200"
+            },
+            "fortinet": {
+                "proxy": {
+                    "authid": "999-WGS-AUTH-DEFAULT",
+                    "authproto": "HTTP(10.0.0.175)",
+                    "logver": 704080649,
+                    "status": "failure",
+                    "subtype": "user",
+                    "type": "event",
+                    "url": "http://10.0.0.199/",
+                    "user": "\"http",
+                    "vd": "root"
+                }
+            },
+            "log": {
+                "level": "notice",
+                "syslog": {
+                    "facility": {
+                        "code": 23
+                    },
+                    "priority": 189,
+                    "severity": {
+                        "code": 5
+                    }
+                }
+            },
+            "message": "User \"http failed in authentication",
+            "observer": {
+                "name": "TEST-PXY01",
+                "product": "FortiProxy",
+                "serial_number": "FPXTESTPXY01",
+                "type": "proxy",
+                "vendor": "Fortinet"
+            },
+            "rule": {
+                "description": "Explicit proxy authentication failed"
+            },
+            "server": {
+                "ip": "10.0.0.199"
+            },
+            "source": {
+                "ip": "10.0.0.175"
+            },
+            "url": {
+                "domain": "10.0.0.199",
+                "original": "http://10.0.0.199/",
+                "path": "/",
+                "scheme": "http"
+            }
         }
     ]
 }
diff --git a/packages/fortinet_fortiproxy/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortiproxy/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -74,6 +74,9 @@ processors:
         for (int i = 0, n = ctx["message"].length(); i < n; ++i) {
           char c = ctx["message"].charAt(i);
           if (c == (char)'"') {
+            if (inQuote && i < n - 1 && ctx["message"].charAt(i + 1) != (char)' ') {
+              continue;
+            }
             inQuote = !inQuote;
           }
           if (inQuote) {
@@ -215,6 +218,11 @@ processors:
       field: _fields_.wanout
       type: long
       ignore_missing: true
+  - convert:
+      tag: convert_logver
+      field: _fields_.logver
+      type: long
+      ignore_missing: true
 
   # ------------------------------------------------------------------------------
   # Enrich fields.
@@ -582,6 +590,7 @@ processors:
         - _fields_.agent
         - _fields_.clientip
         - _fields_.duration
+        - _fields_.timestamp
       ignore_missing: true
   - rename:
       tag: rename__fields__to_fortinet_proxy_e471e0a7
diff --git a/packages/fortinet_fortiproxy/data_stream/log/fields/fields.yml b/packages/fortinet_fortiproxy/data_stream/log/fields/fields.yml
@@ -1201,6 +1201,10 @@
       type: keyword
       description: >-
         SSH login Name
+    - name: logver
+      type: long
+      description: >-
+        Log version
     - name: lowcount
       type: long
       description: >-
diff --git a/packages/fortinet_fortiproxy/docs/README.md b/packages/fortinet_fortiproxy/docs/README.md
@@ -546,6 +546,7 @@ An example event for `log` looks as following:
 | fortinet.proxy.locport | Local Port | long |
 | fortinet.proxy.log | Log Name for Log Rotation | keyword |
 | fortinet.proxy.login | SSH login Name | keyword |
+| fortinet.proxy.logver | Log version | long |
 | fortinet.proxy.lowcount | Security Rating result failed count for low severity | long |
 | fortinet.proxy.mac | MAC Address | keyword |
 | fortinet.proxy.masterdstmac | Destination master MAC address | keyword |
diff --git a/packages/fortinet_fortiproxy/manifest.yml b/packages/fortinet_fortiproxy/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.3
 name: fortinet_fortiproxy
 title: "Fortinet FortiProxy"
-version: "1.2.2"
+version: "1.2.3"
 description: "Collect logs from Fortinet FortiProxy with Elastic Agent."
 type: integration
 categories:
