Merge pull request #11480 from Azure/SyslogDataReplication

Syslog data replication project
Azure · Nov 28, 2024 · 7b0f4e2 · 7b0f4e2
2 parents b86039c + 6e666c9
commit 7b0f4e2
Show file tree

Hide file tree

Showing 23 changed files with 6,333 additions and 0 deletions.
diff --git a/Tools/Syslog-cef-data-replicator/Customizations/fortigate_customizations.json b/Tools/Syslog-cef-data-replicator/Customizations/fortigate_customizations.json
@@ -0,0 +1,39 @@
+{
+    "fullSchema":{},
+    "customizations":{
+        "version":{"data_type":"Integer", "values": [0]},
+        "deviceVendor": {"data_type":"String", "values": ["CISCO","JUNIPER","Fortinet","MSFT"]},
+        "deviceProduct": {"data_type":"String", "values": ["Cortex","Vertex","Fortigate", "WSF"]},
+        "deviceVersion": {"data_type":"String", "values": ["2","19","34"]},
+        "signatureId": {"data_type":"String", "values": ["3.6.0.3","3.4.0.6","5.6.7.8","1.6.1.3","9.6.1.7","1.9.0.2","1.89.12.3","14.61.0.31","19.6.01.36"]},
+        "name": {"data_type":"String", "values": ["Phishing","TROJAN_GIPPERS.DC","services-health","Monitoring"]},
+        "severity": {"data_type":"Integer", "values": [1,2,3,4,5,6,7,8,9]},
+        "deviceExternalId": {"data_type":"String", "values": ["FGVMEV9XTHSMYCCF","FGVMEV9XPDFRYYCCF","FGVMEV9XPEPFOCFR"]},
+        "FTNTFGTlogid": {"data_type":"String", "values": ["0100026001","010004554","01566fjj56"]},
+        "cat": {"data_type":"String", "values": ["event","alert","traffic"]},
+        "direction": {"data_type":"String", "values": ["egress","ingress","in"]},
+        "FTNTFGTsubtype": {"data_type":"String", "values": ["system"]},
+        "origisationname": {"data_type":"String", "values": ["Fortigate","CISCO"]},
+        "origin": {"data_type":"String", "values": ["NA","NULL",""]},
+        "logid": {"data_type":"String", "values": ["562ed3w","dfdf564s","3455frs"]},
+        "dst_country": {"data_type":"String", "values": ["US","Canada","Bhutan"]},
+        "dst": {"data_type":"String", "values": ["67.21.32.78","201.32.13.56","76.62.201.10"]},
+        "src": {"data_type":"String", "values": ["101.21.21.1","67.23.21.90","82.78.9.87"]},
+        "ifname": {"data_type":"String", "values": ["eth0","eth1"]},
+        "product": {"data_type":"String", "values": ["FortiWeb","Prisma","Fortigate", "WAF"]},
+        "dpt": {"data_type":"Integer", "values": [1233, 3456, 6738]},
+        "spt": {"data_type":"Integer", "values": [7837,8929,7832,8729]},
+        "start1": {"data_type":"datetime", "values": ["current"], "format":"%Y-%m-%d %H:%M:%S"},
+        "end1": {"data_type":"datetime", "values": ["current"], "format":"%Y-%m-%d %H:%M:%S"},
+        "ISOTimeStamp": {"data_type":"datetime", "values": ["current"], "format":"%Y-%m-%d %H:%M:%S"}    
+    },
+    "SyslogMessage":{
+        "headerTemplate": "DateTime HostName",
+        "syslog_message_template":{"values": "{hostName} {application} {pid} {messageId}: {structured_data} {message}"},
+        "syslog_header_fields": {"values": ["hostName", "application", "pid", "messageId"]},
+        "syslog_header_fields_dummy": {"values":"{\"priority\": \"139\", \"version\": \"1\",\"ISOTimeStamp\": \"2022-03-31 11:59:59\",\"hostName\": \"SYSLOG_Host\",\"application\": \"SYSLOG_App\", \"pid\": \"process\",\"messageId\": \"1234\"}"},
+        "KVDelimiter": {"values": "="},
+        "fieldDelimiter": {"values": " "},
+        "headerDelimiter": {"values": ":"}  
+    }
+}
diff --git a/Tools/Syslog-cef-data-replicator/Customizations/generic_customizations.json b/Tools/Syslog-cef-data-replicator/Customizations/generic_customizations.json
@@ -0,0 +1,39 @@
+{
+    "fullSchema":{},
+    "customizations":{
+        "version":{"data_type":"Integer", "values": [0]},
+        "deviceVendor": {"data_type":"String", "values": ["CISCO","JUNIPER","Fortinet","MSFT"]},
+        "deviceProduct": {"data_type":"String", "values": ["Cortex","Vertex","Fortigate", "WSF"]},
+        "deviceVersion": {"data_type":"String", "values": ["2","19","34"]},
+        "signatureId": {"data_type":"String", "values": ["3.6.0.3","3.4.0.6","5.6.7.8","1.6.1.3","9.6.1.7","1.9.0.2","1.89.12.3","14.61.0.31","19.6.01.36"]},
+        "name": {"data_type":"String", "values": ["Phishing","TROJAN_GIPPERS.DC","services-health","Monitoring"]},
+        "severity": {"data_type":"Integer", "values": [1,2,3,4,5,6,7,8,9]},
+        "deviceExternalId": {"data_type":"String", "values": ["FGVMEV9XTHSMYCCF","FGVMEV9XPDFRYYCCF","FGVMEV9XPEPFOCFR"]},
+        "FTNTFGTlogid": {"data_type":"String", "values": ["0100026001","010004554","01566fjj56"]},
+        "cat": {"data_type":"String", "values": ["event","alert","traffic"]},
+        "direction": {"data_type":"String", "values": ["egress","ingress","in"]},
+        "FTNTFGTsubtype": {"data_type":"String", "values": ["system"]},
+        "origisationname": {"data_type":"String", "values": ["Fortigate","CISCO"]},
+        "origin": {"data_type":"String", "values": ["NA","NULL",""]},
+        "logid": {"data_type":"String", "values": ["562ed3w","dfdf564s","3455frs"]},
+        "dst_country": {"data_type":"String", "values": ["US","Canada","Bhutan"]},
+        "dst": {"data_type":"String", "values": ["67.21.32.78","201.32.13.56","76.62.201.10"]},
+        "src": {"data_type":"String", "values": ["101.21.21.1","67.23.21.90","82.78.9.87"]},
+        "ifname": {"data_type":"String", "values": ["eth0","eth1"]},
+        "product": {"data_type":"String", "values": ["FortiWeb","Prisma","Fortigate", "WAF"]},
+        "dpt": {"data_type":"Integer", "values": [1233, 3456, 6738]},
+        "spt": {"data_type":"Integer", "values": [7837,8929,7832,8729]},
+        "start1": {"data_type":"datetime", "values": ["current"], "format":"%Y-%m-%d %H:%M:%S"},
+        "end1": {"data_type":"datetime", "values": ["current"], "format":"%Y-%m-%d %H:%M:%S"},
+        "ISOTimeStamp": {"data_type":"datetime", "values": ["current"], "format":"%Y-%m-%d %H:%M:%S"}    
+    },
+    "SyslogMessage":{
+        "headerTemplate": "DateTime HostName",
+        "syslog_message_template":{"values": "{hostName} {application} {pid} {messageId}: {structured_data} {message}"},
+        "syslog_header_fields": {"values": ["hostName", "application", "pid", "messageId"]},
+        "syslog_header_fields_dummy": {"values":"{\"priority\": \"139\", \"version\": \"1\",\"ISOTimeStamp\": \"2022-03-31 11:59:59\",\"hostName\": \"SYSLOG_Host\",\"application\": \"SYSLOG_App\", \"pid\": \"process\",\"messageId\": \"1234\"}"},
+        "KVDelimiter": {"values": "="},
+        "fieldDelimiter": {"values": " "},
+        "headerDelimiter": {"values": ":"}  
+    }
+}