dux_fortinet.fortianalyzer_dev.faz_cli_system_logforward (1.4.0) — module

Log forwarding.

Added in version 1.0.0 of dux_fortinet.fortianalyzer_dev.

Authors: Xinwei Du (@dux-fortinet), Link Zheng (@chillancezen), Jie Xue (@JieX19), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)

preview | supported by community

Install collection

Install with ansible-galaxy collection install dux_fortinet.fortianalyzer_dev:==1.4.0


Add to requirements.yml

  collections:
    - name: dux_fortinet.fortianalyzer_dev
      version: 1.4.0

Description

This module is able to configure a FortiAnalyzer device.

The examples include all parameters and values; adjust them to your own data sources and environment before use.

Usage examples

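- name: Example playbook
  connection: httpapi
  hosts: fortianalyzers
  tasks:
    - name: Log forwarding.
      # Module FQCN must match the collection this page documents
      # (dux_fortinet.fortianalyzer_dev), not fortinet.fortianalyzer.
      dux_fortinet.fortianalyzer_dev.faz_cli_system_logforward:
        cli_system_logforward:
          id: 1
          server_name: "fooname"
          server_addr: "12.3.4.5"
          # server_device: ''
          # server_port: 514
          fwd_server_type: fortianalyzer
          mode: forwarding
          # server_ip: "23.231.1.1"
          log_filter_status: enable
          log_filter_logic: and
          log_field_exclusion_status: enable
          # NOTE(review): fwd_secure is documented as TLS for *reliable* logging, so
          # with fwd_reliable disabled the forwarded logs presumably leave the device
          # unencrypted. For production consider fwd_reliable: enable, fwd_secure: enable
          # and peer_cert_cn set to the receiving server's certificate CN - confirm
          # against the FortiAnalyzer CLI reference for your version.
          fwd_reliable: disable
          fwd_max_delay: 5min
          log_masking_status: enable
        state: present
  vars:
    ansible_httpapi_port: 443
    ansible_httpapi_use_ssl: true
    # Certificate validation protects the management session (and the credentials
    # or access token it carries) from interception. Keep it enabled and trust the
    # FortiAnalyzer certificate on the controller; only lower this to false for a
    # lab device with a self-signed certificate, never in production.
    ansible_httpapi_validate_certs: true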

Inputs

    
state:
    choices:
    - present
    - absent
    description: The directive to create, update or delete an object
    required: true
    type: str

log_path:
    default: /tmp/fortianalyzer.ansible.log
    description:
    - The path to save the log. Used only if enable_log is true.
    - Use an absolute path, not a relative one.
    - If log_path is unusable, the log falls back to /tmp/fortianalyzer.ansible.log.
    - Security note - /tmp is shared and commonly world-readable; if the task log may
      carry API request details, point log_path at a directory with restricted permissions.
    required: false
    type: str

rc_failed:
    description: The list of rc codes that overrides the default conditions for failure.
    elements: int
    required: false
    type: list

enable_log:
    default: false
    description: Enable/Disable logging for task
    required: false
    type: bool

access_token:
    description: The token used to access FortiAnalyzer without a username and password.
      Treat it as a secret - supply it from Ansible Vault or an environment variable
      rather than as a literal in the playbook.
    required: false
    type: str

rc_succeeded:
    description: The list of rc codes that overrides the default conditions for success.
    elements: int
    required: false
    type: list

proposed_method:
    choices:
    - set
    - update
    - add
    description: Overrides the method used for the underlying JSON-RPC request.
    required: false
    type: str

bypass_validation:
    default: false
    description: Only set to true when the module schema differs from the FortiAnalyzer
      API structure; the module then continues without validating parameters, so any
      malformed input is passed through unchecked.
    required: false
    type: bool

cli_system_logforward:
    description: The top level parameters set.
    required: false
    suboptions:
      agg-archive-types:
        choices:
        - Web_Archive
        - Secure_Web_Archive
        - Email_Archive
        - File_Transfer_Archive
        - IM_Archive
        - MMS_Archive
        - AV_Quarantine
        - IPS_Packets
        - CDR_Archive
        description: no description
        elements: str
        type: list
      agg-data-end-time:
        description: no description
        type: str
      agg-data-start-time:
        description: no description
        type: str
      agg-logtypes:
        choices:
        - none
        - app-ctrl
        - attack
        - content
        - dlp
        - emailfilter
        - event
        - generic
        - history
        - traffic
        - virus
        - webfilter
        - netscan
        - fct-event
        - fct-traffic
        - fct-netscan
        - waf
        - gtp
        - dns
        - ssh
        - ssl
        - file-filter
        - asset
        - protocol
        - siem
        - ztna
        - security
        description: no description
        elements: str
        type: list
      agg-password:
        description: Password for log aggregation access to the server (paired with
          agg-user). Treat it as a secret - store it in Ansible Vault, never in plaintext.
        type: str
      agg-schedule:
        choices:
        - daily
        - on-demand
        description:
        - Schedule log aggregation mode.
        - daily - Run daily log aggregation
        - on-demand - Run log aggregation on demand
        type: str
      agg-time:
        description: Daily at.
        type: int
      agg-user:
        description: Log aggregation access user name for server.
        type: str
      device-filter:
        description: no description
        elements: dict
        suboptions:
          action:
            choices:
            - include
            - exclude
            - include-like
            - exclude-like
            description:
            - Include or exclude the specified device.
            - include - Include specified device.
            - exclude - Exclude specified device.
            - include-like - Include specified device matching the given wildcard expression.
            - exclude-like - Exclude specified device matching the given wildcard expression.
            type: str
          adom:
            description: Adom name or (null) for all adoms, or a wildcard expression matching
              adom(s) if action is a like action.
            type: str
          device:
            description: Device ID of log client device, or a wildcard expression matching
              log client device(s) if action is a like action.
            type: str
          id:
            description: Device filter ID.
            type: int
        type: list
      fwd-archive-types:
        choices:
        - Web_Archive
        - Email_Archive
        - IM_Archive
        - File_Transfer_Archive
        - MMS_Archive
        - AV_Quarantine
        - IPS_Packets
        - EDISC_Archive
        - CDR_Archive
        description: no description
        elements: str
        type: list
      fwd-archives:
        choices:
        - disable
        - enable
        description:
        - Enable/disable forwarding archives.
        - disable - Disable forwarding archives.
        - enable - Enable forwarding archives.
        type: str
      fwd-compression:
        choices:
        - disable
        - enable
        description:
        - Enable/disable compression for better bandwidth efficiency.
        - disable - Disable compression of messages.
        - enable - Enable compression of messages.
        type: str
      fwd-facility:
        choices:
        - kernel
        - user
        - mail
        - daemon
        - auth
        - syslog
        - lpr
        - news
        - uucp
        - clock
        - authpriv
        - ftp
        - ntp
        - audit
        - alert
        - cron
        - local0
        - local1
        - local2
        - local3
        - local4
        - local5
        - local6
        - local7
        description:
        - Facility for remote syslog.
        - kernel - kernel messages
        - user - random user level messages
        - mail - Mail system.
        - daemon - System daemons.
        - auth - Security/authorization messages.
        - syslog - Messages generated internally by syslog daemon.
        - lpr - Line printer subsystem.
        - news - Network news subsystem.
        - uucp - UUCP subsystem.
        - clock - Clock daemon.
        - authpriv - Security/authorization messages (private).
        - ftp - FTP daemon.
        - ntp - NTP daemon.
        - audit - Log audit.
        - alert - Log alert.
        - cron - Clock daemon.
        - local0 - Reserved for local use.
        - local1 - Reserved for local use.
        - local2 - Reserved for local use.
        - local3 - Reserved for local use.
        - local4 - Reserved for local use.
        - local5 - Reserved for local use.
        - local6 - Reserved for local use.
        - local7 - Reserved for local use.
        type: str
      fwd-ha-bind-vip:
        choices:
        - disable
        - enable
        description:
        - When HA is enabled, always use vip as forwarding port
        - disable - Disable bind forwarding to vip interface.
        - enable - Enable bind forwarding to vip interface.
        type: str
      fwd-log-source-ip:
        choices:
        - local_ip
        - original_ip
        description:
        - Logs source IP address (no effect for reliable forwarding).
        - local_ip - Use FAZVM64 local ip.
        - original_ip - Use original source ip.
        type: str
      fwd-max-delay:
        choices:
        - realtime
        - 1min
        - 5min
        description:
        - Max delay for near realtime log forwarding.
        - realtime - Realtime forwarding, no delay.
        - 1min - Near realtime forwarding with up to one minute delay.
        - 5min - Near realtime forwarding with up to five minutes delay.
        type: str
      fwd-output-plugin-id:
        description: Name of the output plugin profile
        type: str
      fwd-reliable:
        choices:
        - disable
        - enable
        description:
        - Enable/disable reliable logging.
        - disable - Disable reliable logging.
        - enable - Enable reliable logging.
        type: str
      fwd-secure:
        choices:
        - disable
        - enable
        description:
        - Enable/disable TLS/SSL secured reliable logging. Applies only when fwd-reliable
          is enabled; when left disabled, forwarded logs are presumably sent unencrypted.
        - disable - Disable TLS/SSL secured reliable logging.
        - enable - Enable TLS/SSL secured reliable logging. Pair with peer-cert-cn so the
          receiving server's certificate can be checked (verify against your FortiAnalyzer version).
        type: str
      fwd-server-type:
        choices:
        - syslog
        - fortianalyzer
        - cef
        - syslog-pack
        - fwd-via-output-plugin
        - elite-service
        description:
        - Type of server that all logs are forwarded to.
        - syslog - Forward logs to generic syslog server.
        - fortianalyzer - Forward logs to FortiAnalyzer.
        - cef - Forward logs to a CEF (Common Event Format) server.
        - syslog-pack, fwd-via-output-plugin and elite-service are accepted values that
          this page does not describe; consult the FortiAnalyzer CLI reference.
        type: str
      fwd-syslog-format:
        choices:
        - fgt
        - rfc-5424
        description:
        - Forwarding format for syslog.
        - fgt - fgt syslog format
        - rfc-5424 - rfc-5424 syslog format
        type: str
      id:
        description: Log forwarding ID.
        type: int
      log-field-exclusion:
        description: no description
        elements: dict
        suboptions:
          dev-type:
            choices:
            - FortiGate
            - FortiManager
            - Syslog
            - FortiMail
            - FortiWeb
            - FortiCache
            - FortiAnalyzer
            - FortiSandbox
            - FortiDDoS
            - FortiNAC
            - FortiDeceptor
            - FortiFirewall
            - FortiADC
            - FortiClient
            - FortiAuthenticator
            - FortiProxy
            - FortiIsolator
            - FortiEDR
            - FortiPAM
            - FortiCASB
            - FortiToken
            description:
            - Device type.
            - FortiGate - FortiGate Device
            - FortiManager - FortiManager Device
            - Syslog - Syslog Device
            - FortiMail - FortiMail Device
            - FortiWeb - FortiWeb Device
            - FortiCache - FortiCache Device
            - FortiAnalyzer - FortiAnalyzer Device
            - FortiSandbox - FortiSandbox Device
            - FortiDDoS - FortiDDoS Device
            - FortiNAC - FortiNAC Device
            - FortiDeceptor - FortiDeceptor Device
            type: str
          field-list:
            description: List of fields to be excluded.
            type: str
          id:
            description: Log field exclusion ID.
            type: int
          log-type:
            choices:
            - app-ctrl
            - appevent
            - attack
            - content
            - dlp
            - emailfilter
            - event
            - generic
            - history
            - traffic
            - virus
            - voip
            - webfilter
            - netscan
            - waf
            - gtp
            - dns
            - ssh
            - ssl
            - file-filter
            - Asset
            - protocol
            - ANY-TYPE
            - fct-event
            - fct-traffic
            - fct-netscan
            - ztna
            - security
            description:
            - Log type.
            - app-ctrl - Application Control
            - appevent - APPEVENT
            - attack - Attack
            - content - DLP Archive
            - dlp - Data Leak Prevention
            - emailfilter - Email Filter
            - event - Event
            - generic - Generic
            - history - Mail Statistics
            - traffic - Traffic
            - virus - Virus
            - voip - VoIP
            - webfilter - Web Filter
            - netscan - Network Scan
            - waf - WAF
            - gtp - GTP
            - dns - Domain Name System
            - ssh - SSH
            - ssl - SSL
            - file-filter - FFLT
            - Asset - Asset
            - protocol - PROTOCOL
            - ANY-TYPE - Any log type
            type: str
        type: list
      log-field-exclusion-status:
        choices:
        - disable
        - enable
        description:
        - Enable or disable log field exclusion.
        - disable - Disable log field exclusion.
        - enable - Enable log field exclusion.
        type: str
      log-filter:
        description: no description
        elements: dict
        suboptions:
          field:
            choices:
            - type
            - logid
            - level
            - devid
            - vd
            - srcip
            - srcintf
            - dstip
            - dstintf
            - dstport
            - user
            - group
            - free-text
            description:
            - Field name.
            - type - Log type
            - logid - Log ID
            - level - Level
            - devid - Device ID
            - vd - Vdom ID
            - srcip - Source IP
            - srcintf - Source Interface
            - dstip - Destination IP
            - dstintf - Destination Interface
            - dstport - Destination Port
            - user - User
            - group - Group
            - free-text - General free-text filter
            type: str
          id:
            description: Log filter ID.
            type: int
          oper:
            choices:
            - '='
            - '!='
            - <
            - '>'
            - <=
            - '>='
            - contain
            - not-contain
            - match
            description:
            - Field filter operator.
            - '<= - Less than or equal to'
            - '>= - Greater than or equal to'
            - contain - Contain
            - not-contain - Not contain
            - match - Match (expression)
            type: str
          value:
            description: Field filter operand or free-text matching expression.
            type: str
        type: list
      log-filter-logic:
        choices:
        - and
        - or
        description:
        - Logic operator used to connect filters.
        - and - Conjunctive filters.
        - or - Disjunctive filters.
        type: str
      log-filter-status:
        choices:
        - disable
        - enable
        description:
        - Enable or disable log filtering.
        - disable - Disable log filtering.
        - enable - Enable log filtering.
        type: str
      log-masking-custom:
        description: no description
        elements: dict
        suboptions:
          field-name:
            description: Field name.
            type: str
          field-type:
            choices:
            - string
            - ip
            - mac
            - email
            - unknown
            description:
            - Field type.
            - string - String.
            - ip - IP.
            - mac - MAC address.
            - email - Email address.
            - unknown - Unknown.
            type: str
          id:
            description: Field masking id.
            type: int
        type: list
      log-masking-custom-priority:
        choices:
        - disable
        - ''
        - enable
        description:
        - Prioritize custom fields.
        - disable - Disable custom field search priority.
        - enable - Prioritize custom fields.
        type: str
      log-masking-fields:
        choices:
        - user
        - srcip
        - srcname
        - srcmac
        - dstip
        - dstname
        - email
        - message
        - domain
        description: no description
        elements: str
        type: list
      log-masking-key:
        description: Key presumably used for log field masking (confirm against the
          FortiAnalyzer CLI reference). Treat it as a secret - store it in Ansible Vault
          rather than in plaintext in the playbook.
        type: str
      log-masking-status:
        choices:
        - disable
        - enable
        description:
        - Enable or disable log field masking.
        - disable - Disable log field masking.
        - enable - Enable log field masking.
        type: str
      mode:
        choices:
        - forwarding
        - aggregation
        - disable
        description:
        - Log forwarding mode.
        - forwarding - Realtime or near realtime forwarding logs to servers.
        - aggregation - Aggregate logs and archives to Analyzer.
        - disable - Do not forward or aggregate logs.
        type: str
      pcapurl-domain-ip:
        description: The domain name or ip for forming a pcapurl. This pcapurl will be
          appended to applicable forwarded logs for downloading a pcap...
        type: str
      pcapurl-enrich:
        choices:
        - disable
        - enable
        description:
        - Enable/disable enriching pcapurl.
        - disable - Disable enriching pcapurl.
        - enable - Enable enriching pcapurl. It will append a pcapurl field to the forwarded
          syslogs.
        type: str
      peer-cert-cn:
        description: Certificate common name expected from the log-forward server,
          presumably checked when fwd-secure is enabled - confirm against the
          FortiAnalyzer CLI reference.
        type: str
      proxy-service:
        choices:
        - disable
        - enable
        description:
        - Enable/disable proxy service under collector mode.
        - disable - Disable proxy service.
        - enable - Enable proxy service.
        type: str
      proxy-service-priority:
        description: Proxy service priority from 1 (lowest) to 20 (highest).
        type: int
      server-addr:
        description: Remote server address.
        type: str
      server-device:
        description: Log forwarding server device ID.
        type: str
      server-ip:
        description: Remote server IP address.
        type: str
      server-name:
        description: Log forwarding server name.
        type: str
      server-port:
        description: Server listen port (1 - 65535).
        type: int
      signature:
        description: Aggregation cfg hash token.
        type: int
      sync-metadata:
        choices:
        - sf-topology
        - interface-role
        - device
        - endusr-avatar
        - fgt-policy
        - interface-info
        description: no description
        elements: str
        type: list
    type: dict

forticloud_access_token:
    description: Authenticate the Ansible client with a FortiCloud API access token.
      Treat it as a secret - supply it from Ansible Vault or an environment variable.
    required: false
    type: str

Outputs

meta:
  contains:
    request_url:
      description: The full url requested
      returned: always
      sample: /sys/login/user
      type: str
    response_code:
      description: The status of api request
      returned: always
      sample: 0
      type: int
    response_data:
      description: The api response
      returned: always
      type: list
    response_message:
      description: The descriptive message of the api response
      returned: always
      sample: OK.
      type: str
    system_information:
      description: The information of the target system.
      returned: always
      type: dict
  description: The result of the request.
  returned: always
  type: dict
rc:
  description: The status of the request.
  returned: always
  sample: 0
  type: int
version_check_warning:
  description: Warning if the parameters used in the playbook are not supported by
    the current fortianalyzer version.
  returned: complex
  type: list