I updated my FORTIDATE pattern. I am now getting tons of output into the Logstash.log file.
This is my input script:
Code: Select all
tcp {
type => 'FortiLog'
tags => 'FortiLog'
port => 5566
}
udp {
type => 'FortiLog'
tags => 'FortiLog'
port => 5566
}
By moving from "syslog" to "tcp/udp" it fixed one GROK error, but I am still getting _grokparsefailure in my output.
Here are the three messages I built patterns for:
Code: Select all
##Traffic Local Subtype##
<189>date=2017-08-06 time=19:08:42 devname=FWF60E1A12345678 devid=FWF60E1A12345678 logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" logtime=1502064365 srcip=10.0.0.165 srcport=59728 srcintf="lan" srcintfrole="lan" dstip=10.0.0.1 dstport=161 dstintf="root" dstintfrole="undefined" sessionid=2367579 proto=17 action="accept" policyid=0 policytype="local-in-policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="SNMP" duration=180 sentbyte=0 rcvdbyte=341 sentpkt=0 rcvdpkt=1 appcat="unscanned" devtype="Windows PC" mastersrcmac="00:AA:BB:CC:DD:EE" srcmac="00:AA:BB:CC:DD:EE" srcserver=0
Input Filter
FORTITRAFFIC devname=%{HOSTNAME:devname} devid=%{HOSTNAME:devid} logid=\"%{INT:logid}\" type=\"%{WORD:type}\" subtype=\"%{WORD:subtype}\" level=\"%{WORD:level}\" vd=\"%{WORD:vdom}\" logtime=%{INT:logtime} srcip=%{IPV4:srcip} srcport=%{HOST:srcport} srcintf=\"%{WORD:srcinf}\" srcintfrole=\"%{WORD:srcintfrole}\" dstip=%{IPV4:dstip} dstport=%{HOST:dstport} dstintf=\"%{DATA:dstintf}\" dstintfrole=\"%{WORD:dstinfrole}\" sessionid=%{INT:sessionid} proto=%{INT:proto} action=\"%{WORD:action}\" policyid=%{INT:policyid} policytype=\"%{DATA:policytype}\" service=\"%{WORD:service}\" dstcountry=\"%{WORD:dstcountry}\" srccountry=\"%{WORD:srccountry}\" trandisp=\"%{WORD:transdisp}\" app=\"%{WORD:app}\" duration=%{INT:duration} sentbyte=%{INT:sentbyte} rcvdbyte=%{INT:rcvbyte} sentpkt=%{INT:sentpkt} rcvdpkt=%{INT:rcvdpkt} appcat=\"%{WORD:appcat}\" devtype=\"%{DATA:devtype}\" mastersrcmac=\"%{MAC:masterscrmac}\" srcmac=\"%{MAC:srcmac}\" srcserver=%{INT:srcserver}
##Event Wireless Subtype##
<189>date=2017-08-06 time=19:08:42 devname=FWF60E1A12345678 devid=FWF60E1A12345678 logid="0104043594" type="event" subtype="wireless" level="notice" vd="root" logtime=1502064522 logdesc="Physical AP radio oper TX power" sn="FP221C3X12345678" ap="AP221a" ip="10.0.0.110" radioid=1 radioband="802.11n" bandwidth="20MHz" configcountry="US " opercountry="US " cfgtxpower=13 opertxpower=13 action="oper-txpower" msg="AP AP221a radio 1 oper txpower is changed to 13 dBm."
Input Filter
FORTIEVENT devname=%{HOSTNAME:devname} devid=%{HOSTNAME:devid} logid=\"%{INT:logid}\" type=\"%{WORD:type}\" subtype=\"%{WORD:subtype}\" level=\"%{WORD:level}\" vd=\"%{WORD:vdom}\" logtime=%{INT:logtime} logdesc=\"%{DATA:eventdescription}\" sn=\"%{WORD:serialnumber}\" ap=\"%{WORD:ap}\" ip=\"%{IPV4:ap_ip}\" radioid=%{INT:radioid} radioband=\"%{DATA:radioband}\" bandwidth=\"%{WORD:bandwidth}\" configcountry=\"%{DATA:configcountry}\" opercountry=\"%{DATA:opercountry}\" cfgtxpower=%{INT:cfgtxpower} opertxpower=%{INT:opertxpower} action=\"%{DATA:action}\" msg=\"%{DATA:msg}\"
##UTM/VIrus Subtype##
<189>date=2017-08-06 time=19:08:42 devname=FWF60E1A12345678 devid=FWF60E1A12345678 logid="0201009233" type="utm" subtype="virus" eventtype="analytics" level="information" vd="root" logtime=1502066231 msg="File submitted to Sandbox." action="analytics" service="HTTP" sessionid=2379438 srcip=10.0.0.165 dstip=172.217.9.132 srcport=4926 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" url="http://www.google.com/"; profile="default" agent="Mozilla/5.0" analyticscksum="260d4eb38d9aadb1d8cd3f556447d83c9032b96baa607758accbbb3c9dcdaa6f" analyticssubmit="true"
Input Filter Pattern
FORTIUTM devname=%{HOSTNAME:devname} devid=%{HOSTNAME:devid} logid=\"%{INT:logid}\" type=\"%{WORD:type}\" subtype=\"%{WORD:subtype}\" eventtype=\"%{WORD:eventtype}\" level=\"%{WORD:level}\" vd=\"%{WORD:vdom}\" logtime=%{INT:logtime} msg=\"%{DATA:msg}\" action=\"%{WORD:action}\" service=\"%{WORD:service}\" sessionid=%{INT:sessionid} srcip=%{IPV4:srcip} dstip=%{IPV4:dstip} srcport=%{HOST:srcport} dstport=%{HOST:dstport} srcintf=\"%{WORD:srcinf}\" srcintfrole=\"%{WORD:srcintfrole}\" dstintf=\"%{DATA:dstintf}\" dstintfrole=\"%{WORD:dstinfrole}\" policyid=%{INT:policyid} proto=%{INT:proto} direction=\"%{WORD:direction}\" url=%{DATA:url} profile=\"%{WORD:profile}\" agent=\"%{DATA:agent}\" analyticscksum=\"%{DATA:analyticscksum}\" analyticssubmit=\"%{WORD:analyticssubmit}\"
Here are the patterns. I worked on the "time" variable today.
Code: Select all
####################################
###Fortinet Syslog Pattern Types:###
####################################
###Date###
FORTIDATE date=%{YEAR}[-]%{MONTHNUM}[-]%{MONTHDAY} time=%{TIME}
####Traffic####
FORTITRAFFIC devname=%{HOSTNAME:devname} devid=%{HOSTNAME:devid} logid=\"%{INT:logid}\" type=\"%{WORD:type}\" subtype=\"%{WORD:subtype}\" level=\"%{WORD:level}\" vd=\"%{WORD:vdom}\" logtime=%{INT:logtime} srcip=%{IPV4:srcip} srcport=%{HOST:srcport} srcintf=\"%{WORD:srcinf}\" srcintfrole=\"%{WORD:srcintfrole}\" dstip=%{IPV4:dstip} dstport=%{HOST:dstport} dstintf=\"%{DATA:dstintf}\" dstintfrole=\"%{WORD:dstinfrole}\" sessionid=%{INT:sessionid} proto=%{INT:proto} action=\"%{WORD:action}\" policyid=%{INT:policyid} policytype=\"%{DATA:policytype}\" service=\"%{WORD:service}\" dstcountry=\"%{WORD:dstcountry}\" srccountry=\"%{WORD:srccountry}\" trandisp=\"%{WORD:transdisp}\" app=\"%{WORD:app}\" duration=%{INT:duration} sentbyte=%{INT:sentbyte} rcvdbyte=%{INT:rcvbyte} sentpkt=%{INT:sentpkt} rcvdpkt=%{INT:rcvdpkt} appcat=\"%{WORD:appcat}\" devtype=\"%{DATA:devtype}\" mastersrcmac=\"%{MAC:masterscrmac}\" srcmac=\"%{MAC:srcmac}\" srcserver=%{INT:srcserver}
###Event###
FORTIEVENT devname=%{HOSTNAME:devname} devid=%{HOSTNAME:devid} logid=\"%{INT:logid}\" type=\"%{WORD:type}\" subtype=\"%{WORD:subtype}\" level=\"%{WORD:level}\" vd=\"%{WORD:vdom}\" logtime=%{INT:logtime} logdesc=\"%{DATA:eventdescription}\" sn=\"%{WORD:serialnumber}\" ap=\"%{WORD:ap}\" ip=\"%{IPV4:ap_ip}\" radioid=%{INT:radioid} radioband=\"%{DATA:radioband}\" bandwidth=\"%{WORD:bandwidth}\" configcountry=\"%{DATA:configcountry}\" opercountry=\"%{DATA:opercountry}\" cfgtxpower=%{INT:cfgtxpower} opertxpower=%{INT:opertxpower} action=\"%{DATA:action}\" msg=\"%{DATA:msg}\"
###FORTIUTM###
FORTIUTM devname=%{HOSTNAME:devname} devid=%{HOSTNAME:devid} logid=\"%{INT:logid}\" type=\"%{WORD:type}\" subtype=\"%{WORD:subtype}\" eventtype=\"%{WORD:eventtype}\" level=\"%{WORD:level}\" vd=\"%{WORD:vdom}\" logtime=%{INT:logtime} msg=\"%{DATA:msg}\" action=\"%{WORD:action}\" service=\"%{WORD:service}\" sessionid=%{INT:sessionid} srcip=%{IPV4:srcip} dstip=%{IPV4:dstip} srcport=%{HOST:srcport} dstport=%{HOST:dstport} srcintf=\"%{WORD:srcinf}\" srcintfrole=\"%{WORD:srcintfrole}\" dstintf=\"%{DATA:dstintf}\" dstintfrole=\"%{WORD:dstinfrole}\" policyid=%{INT:policyid} proto=%{INT:proto} direction=\"%{WORD:direction}\" url=%{DATA:url} profile=\"%{WORD:profile}\" agent=\"%{DATA:agent}\" analyticscksum=\"%{DATA:analyticscksum}\" analyticssubmit=\"%{WORD:analyticssubmit}\"
Here is a couple screenshots of the NLS webGUI:
https://mega.nz/#!PtJA2KKY!mPiFHw9fGE_a ... d18We8kWuc
https://mega.nz/#!255mkCxY!40Jts1I3cmku ... jukfF9D0H4
Here is some output from the Logstash.log file:
Code: Select all
\"@version\"=>\"1\", \"@timestamp\"=>\"2017-08-07T20:10:42.653Z\", \"type\"=>[\"FortiLog\", \"event\"], \"tags\"=>[\"FortiLog\", \"_grokparsefailure\", \"FortiOS_Event\"], \"host\"=>\"10.50.50.1\", \"syslog5424_pri\"=>\"189\", \"devname\"=>\"FWF60E1A12345678\", \"devid\"=>\"FWF60E1A12345678\", \"logid\"=>\"0104043594\", \"subtype\"=>\"wireless\", \"level\"=>\"notice\", \"vdom\"=>\"root\", \"logtime\"=>\"1502136642\", \"eventdescription\"=>\"Physical AP radio oper TX power\", \"serialnumber\"=>\"FP221C3X12345678\", \"ap\"=>\"AP221U\", \"ap_ip\"=>\"10.50.50.111\", \"radioid\"=>\"1\", \"radioband\"=>\"802.11n\", \"bandwidth\"=>\"20MHz\", \"configcountry\"=>\"US \", \"opercountry\"=>\"US \", \"cfgtxpower\"=>\"8\", \"opertxpower\"=>\"8\", \"action\"=>\"oper-txpower\", \"msg\"=>\"AP AP221U radio 1 oper txpower is changed to 8 dBm.\"}, \"type\"], \"tags\"=>[{\"message\"=>\"<189>date=2017-08-07 time=15:10:42 devname=FWF60E1A12345678 devid=FWF60E1A12345678 logid=\\\"0104043594\\\" type=\\\"event\\\" subtype=\\\"wireless\\\" level=\\\"notice\\\" vd=\\\"root\\\" logtime=1502136642 logdesc=\\\"Physical AP radio oper TX power\\\" sn=\\\"FP221C3X12345678\\\" ap=\\\"AP221U\\\" ip=\\\"10.50.50.111\\\" radioid=1 radioband=\\\"802.11n\\\" bandwidth=\\\"20MHz\\\" configcountry=\\\"US \\\" opercountry=\\\"US \\\" cfgtxpower=8 opertxpower=8 action=\\\"oper-txpower\\\" msg=\\\"AP AP221U radio 1 oper txpower is changed to 8 dBm.\\\"\", \"@version\"=>\"1\", \"@timestamp\"=>\"2017-08-07T20:10:42.653Z\", \"type\"=>[\"FortiLog\", \"event\"], \"tags\"=>[\"FortiLog\", \"_grokparsefailure\", \"FortiOS_Event\"], \"host\"=>\"10.50.50.1\", \"syslog5424_pri\"=>\"189\", \"devname\"=>\"FWF60E1A12345678\", \"devid\"=>\"FWF60E1A12345678\", \"logid\"=>\"0104043594\", \"subtype\"=>\"wireless\", \"level\"=>\"notice\", \"vdom\"=>\"root\", \"logtime\"=>\"1502136642\", \"eventdescription\"=>\"Physical AP radio oper TX power\", \"serialnumber\"=>\"FP221C3X12345678\", \"ap\"=>\"AP221U\", \"ap_ip\"=>\"10.50.50.111\", \"radioid\"=>\"1\", \"radioband\"=>\"802.11n\", \"bandwidth\"=>\"20MHz\", \"configcountry\"=>\"US \", \"opercountry\"=>\"US \", \"cfgtxpower\"=>\"8\", \"opertxpower\"=>\"8\", \"action\"=>\"oper-txpower\", \"msg\"=>\"AP AP221U radio 1 oper txpower is changed to 8 dBm.\"}, \"tags\"], \"host\"=>[{\"message\"=>\"<189>date=2017-08-07 time=15:10:42 devname=FWF60E1A12345678 devid=FWF60E1A12345678 logid=\\\"0104043594\\\" type=\\\"event\\\" subtype=\\\"wireless\\\" level=\\\"notice\\\" vd=\\\"root\\\" logtime=1502136642 logdesc=\\\"Physical AP radio oper TX power\\\" sn=\\\"FP221C3X12345678\\\" ap=\\\"AP221U\\\" ip=\\\"10.50.50.111\\\" radioid=1 radioband=\\\"802.11n\\\" bandwidth=\\\"20MHz\\\" configcountry=\\\"US \\\" opercountry=\\\"US \\\" cfgtxpower=8 opertxpower=8 action=\\\"oper-txpower\\\" msg=\\\"AP AP221U radio 1 oper txpower is changed to 8 dBm.\\\"\", \"@version\"=>\"1\", \"@timestamp\"=>\"2017-08-07T20:10:42.653Z\", \"type\"=>[\"FortiLog\", \"event\"], \"tags\"=>[\"FortiLog\", \"_grokparsefailure\", \"FortiOS_Event\"], \"host\"=>\"10.50.50.1\", \"syslog5424_pri\"=>\"189\", \"devname\"=>\"FWF60E1A12345678\", \"devid\"=>\"FWF60E1A12345678\", \"logid\"=>\"0104043594\", \"subtype\"=>\"wireless\", \"level\"=>\"notice\", \"vdom\"=>\"root\", \"logtime\"=>\"1502136642\", \"eventdescription\"=>\"Physical AP radio oper TX power\", \"serialnumber\"=>\"FP221C3X12345678\", \"ap\"=>\"AP221U\", \"ap_ip\"=>\"10.50.50.111\", \"radioid\"=>\"1\", \"radioband\"=>\"802.11n\", \"bandwidth\"=>\"20MHz\", \"configcountry\"=>\"US \", \"opercountry\"=>\"US \", \"cfgtxpower\"=>\"8\", \"opertxpower\"=>\"8\", \"action\"=>\"oper-txpower\", \"msg\"=>\"AP AP221U radio 1 oper txpower is changed to 8 dBm.\"}, \"host\"], \"[program]\"=>[{\"message\"=>\"<189>date=2017-08-07 time=15:10:42 devname=FWF60E1A12345678 devid=FWF60E1A12345678 logid=\\\"0104043594\\\" type=\\\"event\\\" subtype=\\\"wireless\\\" level=\\\"notice\\\" vd=\\\"root\\\" logtime=1502136642 logdesc=\\\"Physical AP radio oper TX power\\\" sn=\\\"FP221C3X12345678\\\" ap=\\\"AP221U\\\" ip=\\\"10.50.50.111\\\" radioid=1 radioband=\\\"802.11n\\\" bandwidth=\\\"20MHz\\\" configcountry=\\\"US \\\" opercountry=\\\"US \\\" cfgtxpower=8 opertxpower=8 action=\\\"oper-txpower\\\" msg=\\\"AP AP221U radio 1 oper txpower is changed to 8 dBm.\\\"\", \"@version\"=>\"1\",
Here is output from the Elasticsearch log file:
Code: Select all
[2017-08-07 15:15:09,279][DEBUG][action.bulk ] [d7bb647d-ef7c-4ef0-905a-da117ba8b5e5] [logstash-2017.08.07][3] failed to execute bulk item (index) index {[logstash-2017.08.07][FortiLog,utm][AV2-Vj3cLQ6B3RquaXHj], source[{"message":"<190>date=2017-08-07 time=15:15:08 devname=FWF60E1A12345678 devid=FWF60E1A12345678 logid=\"0201009233\" type=\"utm\" subtype=\"virus\" eventtype=\"analytics\" level=\"information\" vd=\"root\" logtime=1502136908 msg=\"File submitted to Sandbox.\" action=\"analytics\" service=\"HTTP\" sessionid=2859933 srcip=10.50.50.165 dstip=172.217.1.228 srcport=43464 dstport=80 srcintf=\"lan\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" policyid=1 proto=6 direction=\"incoming\" url=\"http://www.google.com/\" profile=\"default\" agent=\"Mozilla/5.0\" analyticscksum=\"622681d954e52ac387405274f3dfaf699b58cd07a9f2434eed2384e007ef76e1\" analyticssubmit=\"true\"","@version":"1","@timestamp":"2017-08-07T20:15:09.062Z","type":["FortiLog","utm"],"tags":["FortiLog","_grokparsefailure","FortiOS_UTM"],"host":"10.50.50.1","syslog5424_pri":"190","devname":"FWF60E1A12345678","devid":"FWF60E1A12345678","logid":"0201009233","subtype":"virus","eventtype":"analytics","level":"information","vdom":"root","logtime":"1502136908","msg":"File submitted to Sandbox.","action":"analytics","service":"HTTP","sessionid":"2859933","srcip":"10.50.50.165","dstip":"172.217.1.228","srcport":"43464","dstport":"80","srcinf":"lan","srcintfrole":"lan","dstintf":"wan1","dstinfrole":"wan","policyid":"1","proto":"6","direction":"incoming","url":"\"http://www.google.com/\"","profile":"default","agent":"Mozilla/5.0","analyticscksum":"622681d954e52ac387405274f3dfaf699b58cd07a9f2434eed2384e007ef76e1","analyticssubmit":"true"}]}
org.elasticsearch.indices.InvalidTypeNameException: mapping type name [FortiLog,utm] should not include ',' in it
at org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:325)
at org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:307)
at org.elasticsearch.index.mapper.MapperService.documentMapperWithAutoCreate(MapperService.java:482)
at org.elasticsearch.index.shard.IndexShard.prepareCreate(IndexShard.java:464)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardIndexOperation(TransportShardBulkAction.java:418)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:148)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase.performOnPrimary(TransportShardReplicationOperationAction.java:574)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase$1.doRun(TransportShardReplicationOperationAction.java:440)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:36)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:748)
[root@lola elasticsearch]# tail -n 40 8f049eab-93dd-4609-9daf-d7e05f448a63.log
at org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:325)
at org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:307)
at org.elasticsearch.index.mapper.MapperService.documentMapperWithAutoCreate(MapperService.java:482)
at org.elasticsearch.index.shard.IndexShard.prepareCreate(IndexShard.java:464)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardIndexOperation(TransportShardBulkAction.java:418)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:148)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase.performOnPrimary(TransportShardReplicationOperationAction.java:574)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase$1.doRun(TransportShardReplicationOperationAction.java:440)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:36)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:748)
[2017-08-07 15:15:07,241][DEBUG][action.bulk ] [d7bb647d-ef7c-4ef0-905a-da117ba8b5e5] [logstash-2017.08.07][1] failed to execute bulk item (index) index {[logstash-2017.08.07][FortiLog,traffic][AV2-VjXlLQ6B3RquaXHV], source[{"message":"<189>date=2017-08-07 time=15:15:06 devname=FWF60E1A12345678 devid=FWF60E1A12345678 logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" logtime=1502136906 srcip=10.50.50.165 srcport=50562 srcintf=\"lan\" srcintfrole=\"lan\" dstip=10.50.50.1 dstport=161 dstintf=\"root\" dstintfrole=\"undefined\" sessionid=2857578 proto=17 action=\"accept\" policyid=0 policytype=\"local-in-policy\" service=\"SNMP\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" app=\"SNMP\" duration=334 sentbyte=3003 rcvdbyte=3525 sentpkt=11 rcvdpkt=12 appcat=\"unscanned\" devtype=\"Windows PC\" mastersrcmac=\"00:03:e1:91:03:63\" srcmac=\"00:03:e1:91:03:63\" srcserver=0","@version":"1","@timestamp":"2017-08-07T20:15:06.758Z","type":["FortiLog","traffic"],"tags":["FortiLog","FortiOS_Traffic"],"host":"10.50.50.1","syslog5424_pri":"189","devname":"FWF60E1A12345678","devid":"FWF60E1A12345678","logid":"0001000014","subtype":"local","level":"notice","vdom":"root","logtime":"1502136906","srcip":"10.50.50.165","srcport":"50562","srcinf":"lan","srcintfrole":"lan","dstip":"10.50.50.1","dstport":"161","dstintf":"root","dstinfrole":"undefined","sessionid":"2857578","proto":"17","action":"accept","policyid":"0","policytype":"local-in-policy","service":"SNMP","dstcountry":"Reserved","srccountry":"Reserved","transdisp":"noop","app":"SNMP","duration":"334","sentbyte":"3003","rcvbyte":"3525","sentpkt":"11","rcvdpkt":"12","appcat":"unscanned","devtype":"Windows PC","masterscrmac":"00:03:e1:91:03:63","srcmac":"00:03:e1:91:03:63","srcserver":"0"}]}
org.elasticsearch.indices.InvalidTypeNameException: mapping type name [FortiLog,traffic] should not include ',' in it
at org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:325)
at org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:307)
at org.elasticsearch.index.mapper.MapperService.documentMapperWithAutoCreate(MapperService.java:482)
at org.elasticsearch.index.shard.IndexShard.prepareCreate(IndexShard.java:464)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardIndexOperation(TransportShardBulkAction.java:418)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:148)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase.performOnPrimary(TransportShardReplicationOperationAction.java:574)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase$1.doRun(TransportShardReplicationOperationAction.java:440)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:36)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:748)
[2017-08-07 15:15:09,279][DEBUG][action.bulk ] [d7bb647d-ef7c-4ef0-905a-da117ba8b5e5] [logstash-2017.08.07][3] failed to execute bulk item (index) index {[logstash-2017.08.07][FortiLog,utm][AV2-Vj3cLQ6B3RquaXHj], source[{"message":"<190>date=2017-08-07 time=15:15:08 devname=FWF60E1A12345678 devid=FWF60E1A12345678 logid=\"0201009233\" type=\"utm\" subtype=\"virus\" eventtype=\"analytics\" level=\"information\" vd=\"root\" logtime=1502136908 msg=\"File submitted to Sandbox.\" action=\"analytics\" service=\"HTTP\" sessionid=2859933 srcip=10.50.50.165 dstip=172.217.1.228 srcport=43464 dstport=80 srcintf=\"lan\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" policyid=1 proto=6 direction=\"incoming\" url=\"http://www.google.com/\" profile=\"default\" agent=\"Mozilla/5.0\" analyticscksum=\"622681d954e52ac387405274f3dfaf699b58cd07a9f2434eed2384e007ef76e1\" analyticssubmit=\"true\"","@version":"1","@timestamp":"2017-08-07T20:15:09.062Z","type":["FortiLog","utm"],"tags":["FortiLog","_grokparsefailure","FortiOS_UTM"],"host":"10.50.50.1","syslog5424_pri":"190","devname":"FWF60E1A12345678","devid":"FWF60E1A12345678","logid":"0201009233","subtype":"virus","eventtype":"analytics","level":"information","vdom":"root","logtime":"1502136908","msg":"File submitted to Sandbox.","action":"analytics","service":"HTTP","sessionid":"2859933","srcip":"10.50.50.165","dstip":"172.217.1.228","srcport":"43464","dstport":"80","srcinf":"lan","srcintfrole":"lan","dstintf":"wan1","dstinfrole":"wan","policyid":"1","proto":"6","direction":"incoming","url":"\"http://www.google.com/\"","profile":"default","agent":"Mozilla/5.0","analyticscksum":"622681d954e52ac387405274f3dfaf699b58cd07a9f2434eed2384e007ef76e1","analyticssubmit":"true"}]}
org.elasticsearch.indices.InvalidTypeNameException: mapping type name [FortiLog,utm] should not include ',' in it
at org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:325)
at org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:307)
at org.elasticsearch.index.mapper.MapperService.documentMapperWithAutoCreate(MapperService.java:482)
at org.elasticsearch.index.shard.IndexShard.prepareCreate(IndexShard.java:464)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardIndexOperation(TransportShardBulkAction.java:418)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:148)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase.performOnPrimary(TransportShardReplicationOperationAction.java:574)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase$1.doRun(TransportShardReplicationOperationAction.java:440)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:36)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:748)
I agree the date/time might be part of the problem, but I can't determine where the problem resides.
However, I do not know what to do to resolve the date/time issue.
Please let me know what other information you might need.
Thank you.
Rodney.