Flex configuration examples

Article ID: 170920

Products

CASB Audit, CASB Gateway Advanced, Data Loss Prevention Cloud Package

Issue/Introduction

A user is creating a Flex configuration to parse their firewall logs and would like to see worked examples to help them understand how to build one.

Resolution

Examples:
Each of the following sections has an example log entry followed by the corresponding complete Flex configuration.

ScanSafe TSV

Flex Config:
{
  "logformat":"delimited",
  "delimiter":" ",
  "comments_startwith":"#",
  "trim_tokens":"true",
  "datetime_index":"1",
  "datetime_format":"yyyy-MM-ddHH:mm:ss",
  "src_index":"2",
  "user_index":"4",
  "url_index":"7",
  "ua_index":"11",
  "bytes_index":"14",
  "dst_index":"17",
  "referer_index":"25"
}

CheckPoint CSV

Flex Config:
{
  "logformat":"delimited",
  "delimiter":",",
  "comments_startwith":"#",
  "trim_tokens":"true",
  "date_index":"2",
  "date_format":"ddMMMyyyy",
  "time_index":"3",
  "time_format":"HH:mm:ss",
  "src_index":"15",
  "dst_index":"16",
  "bytes_index":"19",
  "url_index":"34"
}

WSA W3C

Flex Config:
{
  "logformat":"delimited",
  "delimiter":" ",
  "comments_startwith":"#",
  "null_indicated_as":"-",
  "trim_tokens":"true",
  "epoch_index":"1",
  "dur_index":"2",
  "src_index":"3",
  "action_index":"5",
  "rcvd_index":"6",
  "url_index":"8",
  "user_index":"9",
  "sent_index":"16",
  "bytes_index":"17",
  "action_blockedmatch":"403"
}

TMG

Flex Config:
{
  "logformat":"delimited",
  "delimiter":";",
  "comments_startwith":"#",
  "trim_tokens":"true",
  "user_index":"1",
  "datetime_index":"2",
  "datetime_format":"yyyy-MM-dd HH:mm:ss",
  "dst_index":"3",
  "src_index":"4",
  "sent_index":"6",
  "rcvd_index":"7",
  "url_index":"8"
}

Fortinet WELF

Flex Config:
{
  "logformat":"welf",
  "comments_startwith":"#",
  "trim_tokens":"true",
  "date_format":"yyyy-MM-dd",
  "time_format":"HH:mm:ss",
  "src_alias":"srcip",
  "dst_alias":"dstip",
  "sent_alias":"sentbyte",
  "rcvd_alias":"rcvdbyte"
}

Juniper SRX

Flex Config:
{
  "logformat":"rex",
  "comments_startwith":"#",
  "trim_tokens":"true",
  "datetime_rex":"(^\w{3}.*?\d{4})",
  "datetime_format":"MMM dd HH:mm:ss.SSS yyyy",
  "src_rex":"->.*\s(.*?)(?=\/\d)",
  "dst_rex":"->.*->(.*?)(?=\/\d)",
  "srcport_rex":"->.*\s.*?\/(.*?)->",
  "dstport_rex":"->.*->.*?\/(.*?)\s",
  "sent_rex":".*?\((.*?)\).*",
  "rcvd_rex":".*?\(.*?\((.*?)\)"
}

Juniper SRX 2nd example

Flex Config:
{
  "logformat":"rex",
  "date_rex":"^([0-9]{4}-[0-9]{2}-[0-9]{2})T",
  "date_format":"yyyy-MM-dd",
  "time_rex":"^.*?T([0-9]{2}:[0-9]{2}:[0-9]{2})",
  "time_format":"HH:mm:ss",
  "src_rex":"((?:[0-9]{1,3}[\\.]){3}[0-9]{1,3}).*?->",
  "dst_rex":"->((?:[0-9]{1,3}[\\.]){3}[0-9]{1,3}).*? ",
  "sent_rex":"[0-9]+\\((.*?)\\) ",
  "rcvd_rex":"[0-9]+\\(.*?\\) [0-9]+\\((.*?)\\) "
}

SIEM

<LOG SAMPLE IMAGE>

Flex Config:

{
  "logformat":"rex",
  "epoch_rex":"date=(.*?);",
  "comments_startwith":"#",
  "trim_tokens":"true",
  "src_rex":"src:.(.*?).;",
  "dst_rex":"dst:.(.*?).;",
  "bytes_rex":"bytes:.(.*?).;",
  "rcvd_rex":"client_inbound_bytes:.(.*?).;",
  "sent_rex":"client_outbound_bytes:.(.*?).;",
  "url_rex":"resource:.(.*?).;"
}
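
The script below is an added example and is not part of this article or of the CASB product. It is a small Python interpreter that approximates how the key families used in the configurations above pull fields out of a single log line: the *_index keys select a token of a delimited line, the *_alias keys name a WELF key=value pair, the *_rex keys capture group 1 of a regular expression, and the date/time/datetime/epoch keys are folded into one timestamp. It runs constructed sample lines (not real device output) through the TMG, Fortinet WELF, second Juniper SRX and SIEM configurations. Its defaulting of a missing alias to the field name, its treatment of zone-less timestamps as UTC and the sample lines themselves are assumptions, not documented product behaviour.

```python
"""Toy interpreter for the Flex configs above (an added example, not the CASB
Audit parser): *_index picks a 1-based token of a delimited line, *_alias names
a WELF key=value pair, *_rex captures group 1 of a regex, and the date/time/
datetime/epoch keys are folded into one timestamp."""
import json
import re
from datetime import datetime, timezone

FIELDS = ("datetime", "date", "time", "epoch", "src", "dst", "srcport", "dstport",
          "user", "url", "ua", "bytes", "sent", "rcvd", "dur", "action", "referer")
# Java-style pattern letters used on the page -> strftime (MMM before MM before mm)
_JAVA_TO_STRFTIME = (("yyyy", "%Y"), ("MMM", "%b"), ("MM", "%m"), ("dd", "%d"),
                     ("HH", "%H"), ("mm", "%M"), ("ss", "%S"), (".SSS", ".%f"))

def java_format_to_strftime(fmt):
    for java, py in _JAVA_TO_STRFTIME:
        fmt = fmt.replace(java, py)
    return fmt

def parse_line(config, line):
    """Apply one config to one line; None for a comment line. Assumptions: a
    missing *_alias defaults to the field name; zone-less timestamps are UTC."""
    if line.startswith(config.get("comments_startwith", "#")):
        return None
    fmt, out = config["logformat"], {}
    if fmt == "delimited":
        tokens = line.split(config["delimiter"])
        if config.get("trim_tokens") == "true":
            tokens = [t.strip() for t in tokens]
        for f in FIELDS:
            if f + "_index" in config:
                out[f] = tokens[int(config[f + "_index"]) - 1]
    elif fmt == "welf":
        pairs = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        for f in FIELDS:
            key = config.get(f + "_alias", f)
            if key in pairs:
                out[f] = pairs[key].strip('"')
    elif fmt == "rex":
        for f in FIELDS:
            if f + "_rex" in config:
                m = re.search(config[f + "_rex"], line)
                if m:
                    out[f] = m.group(1)
    else:
        raise ValueError("unknown logformat %r" % fmt)
    null = config.get("null_indicated_as")  # WSA: "-" means the field is absent
    if null is not None:
        out = {k: (None if v == null else v) for k, v in out.items()}
    if out.get("datetime"):
        ts = datetime.strptime(out["datetime"], java_format_to_strftime(config["datetime_format"]))
    elif out.get("date") and out.get("time"):
        ts = datetime.strptime(out["date"] + " " + out["time"],
                               java_format_to_strftime(config["date_format"] + " " + config["time_format"]))
    elif out.get("epoch"):
        ts = datetime.fromtimestamp(int(out["epoch"]), tz=timezone.utc)
    else:
        ts = None
    out["timestamp"] = ts.replace(tzinfo=timezone.utc) if ts is not None else None
    if "action_blockedmatch" in config:  # WSA: action "403" means the request was blocked
        out["blocked"] = out.get("action") == config["action_blockedmatch"]
    return out

# Constructed sample lines (not real device output), each paired with a config from
# the article. The SRX pair uses the second SRX example: its doubled backslashes are
# the form a strict JSON parser such as json.loads accepts.
SAMPLES = {
    "TMG": (
        '{"logformat":"delimited","delimiter":";","comments_startwith":"#","trim_tokens":"true",'
        '"user_index":"1","datetime_index":"2","datetime_format":"yyyy-MM-dd HH:mm:ss",'
        '"dst_index":"3","src_index":"4","sent_index":"6","rcvd_index":"7","url_index":"8"}',
        "CORP\\jdoe;2021-03-04 10:15:30;93.184.216.34;10.1.2.3;TCP;512;20480;http://example.com/a"),
    "Fortinet WELF": (
        '{"logformat":"welf","comments_startwith":"#","trim_tokens":"true","date_format":"yyyy-MM-dd",'
        '"time_format":"HH:mm:ss","src_alias":"srcip","dst_alias":"dstip","sent_alias":"sentbyte",'
        '"rcvd_alias":"rcvdbyte"}',
        'date=2021-03-04 time=10:15:30 devname="fw1" srcip=10.1.2.3 dstip=93.184.216.34 '
        'sentbyte=512 rcvdbyte=20480 action="accept"'),
    "Juniper SRX": (
        r'{"logformat":"rex","date_rex":"^([0-9]{4}-[0-9]{2}-[0-9]{2})T","date_format":"yyyy-MM-dd",'
        r'"time_rex":"^.*?T([0-9]{2}:[0-9]{2}:[0-9]{2})","time_format":"HH:mm:ss",'
        r'"src_rex":"((?:[0-9]{1,3}[\\.]){3}[0-9]{1,3}).*?->","dst_rex":"->((?:[0-9]{1,3}[\\.]){3}[0-9]{1,3}).*? ",'
        r'"sent_rex":"[0-9]+\\((.*?)\\) ","rcvd_rex":"[0-9]+\\(.*?\\) [0-9]+\\((.*?)\\) "}',
        "2021-03-04T10:15:30.123Z fw1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: "
        "10.1.2.3/51234->93.184.216.34/443 junos-https 10.1.2.3/51234->93.184.216.34/443 None None 6 "
        "trust-to-untrust trust untrust 1234 12(512) 15(20480) 30 UNKNOWN UNKNOWN N/A"),
    "SIEM": (
        '{"logformat":"rex","epoch_rex":"date=(.*?);","comments_startwith":"#","trim_tokens":"true",'
        '"src_rex":"src:.(.*?).;","dst_rex":"dst:.(.*?).;","bytes_rex":"bytes:.(.*?).;",'
        '"rcvd_rex":"client_inbound_bytes:.(.*?).;","sent_rex":"client_outbound_bytes:.(.*?).;",'
        '"url_rex":"resource:.(.*?).;"}',
        'date=1614852930;src:"10.1.2.3";dst:"93.184.216.34";bytes:"20992";'
        'client_inbound_bytes:"20480";client_outbound_bytes:"512";resource:"http://example.com/a";'),
}

def demo():
    """Run every sample line through its config; returns {name: fields}."""
    return {name: parse_line(json.loads(cfg), line) for name, (cfg, line) in SAMPLES.items()}

if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, {k: v for k, v in fields.items() if v is not None})
```

Running the script prints the fields each configuration extracts from its sample line; all four samples describe the same session, so they resolve to the same UTC timestamp whether it came from a datetime token, a separate date and time, or an epoch value. One caveat when testing configurations this way: json.loads rejects single-backslash escapes such as \w or \d, so only the second Juniper SRX example (which doubles its backslashes) loads with a strict JSON parser; this article does not state how strictly the product's own loader treats the first SRX example.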
