[Fortinet FortiMail] Replace RSA2ELK with Syslog integration

[janvi-elastic]

What does this PR do?

• Updated data collection logic for the log data stream.
• Updated the ingest pipeline for the log data stream.
• Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
• Added dashboards and visualizations.
• Updated test for pipeline for the log data stream.
• Updated system test cases for the log data stream.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

• Change follows the contributing guidelines
• Supported versions of the monitoring target is documented
• Supported operating systems are documented (if applicable)
• Integration or System tests exist
• Documentation exists
• Fields follow ECS and naming conventions
• At least a manual test with ES / Kibana / Agent has been performed.
• Required Kibana version set to: ^8.3.0

New Package

• Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

• Dashboards exists
• Screenshots added or updated
• Datastream filters added to visualizations

Log dataset changes

• Pipeline tests exist (if applicable)
• Generated output for at least 1 log file exists
• Sample event (sample_event.json) exists

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/fortinet_fortimail directory.
• Run the following command to run tests.

elastic-package test

Related issues

• Closes Fortinet Fortimail #1198

Screenshots

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-03-16T13:30:46.051+0000

• Duration: 16 min 34 sec

Test stats 🧪

Test	Results
Failed	0
Passed	17
Skipped	0
Total	17

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (7/7)	💚
Classes	100.0% (7/7)	💚
Methods	97.727% (43/44)	❕
Lines	92.254% (917/994)	❕
Conditionals	100.0% (0/0)	💚

[efd6]

This grok can be replaced with a dissect/grok/convert

 - dissect: field: _tmp.event.original if: ctx._tmp?.event?.original != null && ctx._tmp.event.original != '' pattern: '<%{fortinet_fortimail.log.priority_number}>date=%{fortinet_fortimail.log.date},time=%{fortinet_fortimail.log.time},device_id=%{fortinet_fortimail.log.device_id},log_id=%{fortinet_fortimail.log.id},type=%{fortinet_fortimail.log.type},%{_tmp.message_suffix}' on_failure: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' - grok: field: _tmp.message_suffix if: ctx._tmp?.message_suffix != null && ctx._tmp.message_suffix != '' patterns: - '^%{PREFIX},%{GREEDYDATA:_tmp.message},subject=\"%{DATA:fortinet_fortimail.log.subject}\",%{GREEDYDATA:_tmp.extra_message},msg=\"%{GREEDYDATA:fortinet_fortimail.log.message}\"$' - '^%{PREFIX},%{GREEDYDATA:_tmp.message},subject=\"%{DATA:fortinet_fortimail.log.subject}\",msg=\"%{GREEDYDATA:fortinet_fortimail.log.message}\"$' - '^%{PREFIX},%{GREEDYDATA:_tmp.message},subject=\"%{DATA:fortinet_fortimail.log.subject}\",%{GREEDYDATA:_tmp.extra_message}$' - '^%{PREFIX},%{GREEDYDATA:_tmp.message},msg=\"%{GREEDYDATA:fortinet_fortimail.log.message}\"$' - '^%{PREFIX},msg=\"%{GREEDYDATA:fortinet_fortimail.log.message}\"$' - '^pri=%{DATA:fortinet_fortimail.log.priority},%{GREEDYDATA:_tmp.message}$' pattern_definitions: PREFIX: '(?:subtype=%{DATA:fortinet_fortimail.log.sub_type},)?pri=%{DATA:fortinet_fortimail.log.priority}' on_failure: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' - convert: field: fortinet_fortimail.log.priority_number type: long ignore_missing: true ignore_failure: true 

Unfortunately it cannot be further reduced, otherwise greediness beats the preference ordering you have here.

[efd6]

Either

Suggested change

	**Log** helps users to keep a record of many different email activities and traffic including system-related events, such as system restarts and HA activity, virus detections, spam filtering results, POP3, SMTP, IMAP, and webmail events. See more details [About FortiMail logging](https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/435158/about-fortimail-logging)
	**Log** helps users to keep a record of email activity and traffic including system-related events, such as system restarts and HA activity, virus detections, spam filtering results, POP3, SMTP, IMAP, and webmail events. See more details [About FortiMail logging](https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/435158/about-fortimail-logging)

or

Suggested change

	**Log** helps users to keep a record of many different email activities and traffic including system-related events, such as system restarts and HA activity, virus detections, spam filtering results, POP3, SMTP, IMAP, and webmail events. See more details [About FortiMail logging](https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/435158/about-fortimail-logging)
	**Log** helps users to keep a record of many different email activities and email traffic including system-related events, such as system restarts and HA activity, virus detections, spam filtering results, POP3, SMTP, IMAP, and webmail events. See more details [About FortiMail logging](https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/435158/about-fortimail-logging)

(Doesn't sound right to combine nouns with number and without in a noun phrase conjunction)

[efd6]

This will split within values if there is a comma in the value.

[efd6]

This will mutate values if there is a ,, within a (quoted) value.

[janvi-elastic]

Hey @efd6 ,
We are analyzing the pipeline and optimizing it with a better solution using the KV processor, soon will update you on this.

[efd6]

I don't think this is safe to do. You can remove quotes after the KV processor.

[efd6]

Suggested change

	- '^%{DATA}[U|u]ser %{NOTSPACE:_tmp.user} %{DATA}%{IP:fortinet_fortimail.log.ip}%{GREEDYDATA:_tmp.msg}$'
	- "^%{DATA}[U|u]ser %{NOTSPACE:_tmp.user} %{GREEDYDATA:_tmp.msg},%{SPACE}sent from:%{SPACE}\\'%{DATA:fortinet_fortimail.log.sent_from}\\',%{SPACE}subject:%{SPACE}\\'%{GREEDYDATA:_tmp.subject}\\'%{SPACE}%{GREEDYDATA:_tmp.msg2}$"
	- "^%{DATA}[U|u]ser %{NOTSPACE:_tmp.user} %{GREEDYDATA:_tmp.msg},%{SPACE}sent from:%{SPACE}\\'%{DATA:fortinet_fortimail.log.sent_from}\\',%{SPACE}subject:%{SPACE}\\'%{GREEDYDATA:_tmp.subject}\\'$"
	- '^%{DATA}[U|u]ser %{NOTSPACE:_tmp.user} %{GREEDYDATA:_tmp.msg}$'
	- '^%{DATA}[Uu]ser %{NOTSPACE:_tmp.user} %{DATA}%{IP:fortinet_fortimail.log.ip}%{GREEDYDATA:_tmp.msg}$'
	- "^%{DATA}[Uu]ser %{NOTSPACE:_tmp.user} %{GREEDYDATA:_tmp.msg},%{SPACE}sent from:%{SPACE}\\'%{DATA:fortinet_fortimail.log.sent_from}\\',%{SPACE}subject:%{SPACE}\\'%{GREEDYDATA:_tmp.subject}\\'(?:%{SPACE}%{GREEDYDATA:_tmp.msg2})?$"
	- '^%{DATA}[Uu]ser %{NOTSPACE:_tmp.user} %{GREEDYDATA:_tmp.msg}$'

(untested)
Could also consider using (?i) in place of [Uu] (not [U|u] which matches U, u and |), but this depends on the remainder of the expectations.

[efd6]

Suggested change

	- "^%{DATA}[U|u]ser %{NOTSPACE:_tmp.user} %{DATA}%{IP:fortinet_fortimail.log.ip}%{GREEDYDATA:_tmp.msg}$"
	- "^%{DATA}[L|l]ogin for \\'%{NOTSPACE:_tmp.user}\\' %{DATA}%{IP:fortinet_fortimail.log.ip}%{GREEDYDATA:_tmp.msg}$"
	- "^%{DATA}[U|u]ser %{NOTSPACE:_tmp.user} %{GREEDYDATA:_tmp.msg}$"
	- "^%{PREFIX} %{DATA}%{IP:fortinet_fortimail.log.ip}%{GREEDYDATA:_tmp.msg}$"
	- "^%{DATA}[Uu]ser %{NOTSPACE:_tmp.user} %{GREEDYDATA:_tmp.msg}$"
	pattern_definitions:
	PREFIX: "(?:%{DATA}[Uu]ser %{NOTSPACE:_tmp.user}|%{DATA}[Ll]ogin for \\'%{NOTSPACE:_tmp.user}\\')"

(untested)
Note also possibility of (?i).

[efd6]

Similar reductions and corrections.

Suggested change

	- '^%{DATA}[I|i]nterface %{NUMBER:fortinet_fortimail.log.port:long}%{DATA} [U|u]ser %{NOTSPACE:_tmp.user} %{DATA}%{IP:fortinet_fortimail.log.ip}%{GREEDYDATA:_tmp.msg}$'
	- '^%{DATA}[I|i]nterface %{NUMBER:fortinet_fortimail.log.port:long}%{DATA} [U|u]ser %{NOTSPACE:_tmp.user}%{GREEDYDATA:_tmp.msg}$'
	- '^%{DATA}[U|u]ser %{NOTSPACE:_tmp.user} %{DATA}%{IP:fortinet_fortimail.log.ip}%{GREEDYDATA:_tmp.msg}$'
	- '^%{DATA}[U|u]ser %{NOTSPACE:_tmp.user} %{GREEDYDATA:_tmp.msg}$'
	- '^%{PREFIX} %{DATA}%{IP:fortinet_fortimail.log.ip}%{GREEDYDATA:_tmp.msg}$'
	- '^%{PREFIX}%{GREEDYDATA:_tmp.msg}$'
	- '^%{DATA}%{USER} %{DATA}%{IP:fortinet_fortimail.log.ip}%{GREEDYDATA:_tmp.msg}$'
	- '^%{DATA}%{USER} %{GREEDYDATA:_tmp.msg}$'
	pattern_definitions:
	PREFIX: '%{DATA}[Ii]nterface %{NUMBER:fortinet_fortimail.log.port:long}%{DATA} %{USER}'
	USER: '[Uu]ser %{NOTSPACE:_tmp.user}'

(untested)

[efd6]

Suggested change

	PROTOCOL: SSH|telnet|ssh|http|HTTP
	PROTOCOL: '(?i)(?:telnet|ssh|http)'

[efd6]

Thanks. Very minor test additions.

[efd6]

Can we have a test with non-empty values as well?

[janvi-elastic]

Yes, will add test with non-empty values.

[efd6]

Add a test with a non-empty session_id.

[efd6]

Add a non-empty session_id.

[efd6]

Do we want this to include the terser fail-{{{_ingest.on_failure_processor_tag}}} value as well? (I don't have any strong opinion on this)

[janvi-elastic]

Hey @efd6 ,
Instead we have added the tag name with mentioned keyword "Failed" to error.message , So we don't think we should repeat it again. Sill if you feel so let us know will update the same.

[efd6]

We can add it later if needed. The reason I was thinking it would be useful is that it becomes an exact match search for finding how many times any particular processor has failed.

[janvi-elastic]

Sure, we will add in this if needed. Now onwards following same for all the up coming integration.

[elasticmachine]

Package fortinet_fortimail - 2.0.0 containing this change is available at https://epr.elastic.co/search?package=fortinet_fortimail