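#==============================================================================
#
# Module:  fortigate.pm
#
# Author:  Shinichi Motomura (motomura@tottori-u.ac.jp)
#
# Purpose: Converts native FortiGate logs (FortiOS Ver2.8) to FW1 log
#          export format.
#
# Version: 1.0.0
#
#==============================================================================
use strict;
use warnings;

# Supplied by the script that loads this module (as is the Linecount() sub):
# $verbose switches the per-record progress call on, %mon maps the two-digit
# month of a FortiGate "date=" field to the month name used in the FW1 date
# column.  Declared here only so this file compiles on its own under strict;
# this file does not define them.
our ($verbose, %mon);

# IP protocol number (the "proto=" field) -> FW1 protocol name.
my %PROTOCOL_NAME = (
    0  => 'ip',
    1  => 'icmp',
    6  => 'tcp',
    17 => 'udp',
);

# Fields a traffic record must carry before it can be exported, with the
# pattern each value has to match.  Free-form values exclude ';' because ';'
# is the column separator of the output: a value containing it would shift
# every following column (a log-injection vector when the record text can be
# influenced by the party being logged).  Records failing this are skipped.
my %REQUIRED = (
    date      => qr/\A[^\s;]+\z/,
    time      => qr/\A[^\s;]+\z/,
    device_id => qr/\A[^\s;]+\z/,
    policyid  => qr/\A\d+\z/,
    proto     => qr/\A\d+\z/,
    status    => qr/\A\w+\z/,
    src       => qr/\A[^\s;]+\z/,
    dst       => qr/\A[^\s;]+\z/,
    sent      => qr/\A\d+\z/,
    rcvd      => qr/\A\d+\z/,
);

# Split one FortiGate log line into a key => value hash reference.
# Tokens are whitespace-separated "key=value" pairs; anything else is
# ignored.  A key that occurs twice keeps its last value.  Linear in the line
# length, unlike a single regex chaining ten greedy ".*" groups.
sub _parse_fields {
    my ($line) = @_;
    my %field;
    for my $token (split ' ', $line) {
        next unless $token =~ /\A(\w+)=(.*)\z/s;
        $field{$1} = $2;
    }
    return \%field;
}

# Convert($input)
#
# Reads the FortiGate log file named by $input and prints it to STDOUT as an
# FW1 "logexport" table (semicolon-separated, header line first), one row per
# "type=traffic" record.  Records with a missing or malformed required field
# are reported on STDERR and skipped; they still consume a row number so the
# "num" column stays in step with the input.  Dies if $input cannot be
# opened.  Returns nothing.
sub Convert {
    my ($input) = @_;

    # Three-argument open with an explicit read mode.  The two-argument form
    # interprets the filename, so an $input such as "cmd |" or ">out" would
    # run a command or truncate a file instead of reading a log.
    open my $fh, '<', $input or die "Can not open $input $!\n";

    # FW1 logexport header (log account format).
    print "num;date;time;orig;type;action;i/f_name;i/f_dir;proto;src;dst;rule;service;s_port;icmp-type;icmp-code;bytes;\n";

    my $count = 0;
    while (my $line = <$fh>) {
        next unless $line =~ /type=traffic/;
        chomp $line;
        $count++;
        Linecount($count) if $verbose;

        my $f = _parse_fields($line);
        my @bad = grep { !defined $f->{$_} || $f->{$_} !~ $REQUIRED{$_} }
                  sort keys %REQUIRED;
        if (@bad) {
            warn "$input line $.: skipped, missing or malformed field(s): @bad\n";
            next;
        }

        my ($yyyy, $mm, $dd) = $f->{date} =~ /\A(\d+)-(\d+)-(\d+)\z/;
        unless (defined $dd) {
            warn "$input line $.: skipped, unparsable date '$f->{date}'\n";
            next;
        }

        # FW1 vocabulary: FortiGate "deny" becomes "drop"; any other status
        # ("accept" included) is passed through unchanged.
        my $action = $f->{status} eq 'deny' ? 'drop' : $f->{status};

        # A protocol number without a name is exported as the number rather
        # than as an empty column.
        my $proto = exists $PROTOCOL_NAME{ $f->{proto} }
                  ? $PROTOCOL_NAME{ $f->{proto} }
                  : $f->{proto};

        # Interface name and direction are not carried by FortiGate records.
        my $row = "$count;$dd$mon{$mm}$yyyy;$f->{time};$f->{device_id};account;"
                . "$action;n/a;n/a;$proto;$f->{src};$f->{dst};$f->{policyid};";

        # NOTE(review): the ICMP case is keyed on the substring "icmp"
        # appearing anywhere in the record, as in the original; "proto=1"
        # alone does not select it.
        if ($line =~ /icmp/) {
            # ICMP type/code are not present in this log format.
            print $row, ";;n/a;0;\n";
        }
        else {
            my $src_port = defined $f->{src_port} ? $f->{src_port} : '';
            my $dst_port = defined $f->{dst_port} ? $f->{dst_port} : '';
            # FW1 "service" is the destination port; "bytes" is the sum of
            # both directions.
            print $row, "$dst_port;$src_port;;;", $f->{sent} + $f->{rcvd}, "\n";
        }
    }
    close $fh;
    return;
}

1;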