Idea ID 2768531
The Fortinet Fortigate parser puts both quantities and IDs in the deviceCustomNumber fields, depending on the type of event. This keeps Fortigate events, which are high-volume, from being aggregated: if a number field holds a quantity, it needs to be in the list of Fields to Sum, and if it holds an ID, it needs to go into the Fields to Aggregate. Since all events have to be aggregated the same way, no single configuration fits both kinds of event, and the events do not get aggregated.
For most of the event types, the device custom numbers contain quantities that can be added across aggregated events. The main mappings show:
Device Custom Number 1: duration
Device Custom Number 2: One of (sentpkt, sent_pkt) (Packets Sent)
Device Custom Number 3: One of (rcvdpkt, rcvd_pkt) (Packets Received)
These can all be specified in the Fields to Sum.
In the Fortigate UTM section, though, ID numbers are put in custom numbers 2 and 3. These are not quantities, just identifiers, and they cannot be used in the Fields to Sum or the values will be lost in the addition. These and other similar fields should be moved to custom string or other non-numeric fields so that the events can be aggregated.
Device Custom Number 2: One of (sessionid, session_id) (Session ID)
Device Custom Number 3: policy_id (Policy ID)
So to summarize: if aggregation is done with the current mappings, you either lose the quantities in the events that have them or the IDs in the events that have those. The ID mappings should be moved to string fields.
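As an added illustration (not part of the idea post, and not code from the Fortinet parser or from ArcSight), the following Python toy aggregator applies one group-by list and one sum list to every event, the way a single aggregation rule would, and runs it over constructed traffic and UTM events laid out according to the mappings quoted above. It shows the three outcomes: summing cn2/cn3 turns UTM session and policy IDs into numbers that identify nothing, grouping on cn2/cn3 instead stops traffic events with different packet counts from merging, and moving the UTM IDs into string fields lets one rule handle both. The event values, the cs1/cs2 target fields and the aggregation semantics are assumptions made for the example.

```python
"""Toy aggregation to show why IDs and quantities cannot share deviceCustomNumber slots.

This is an added example, not parser or product code. Field names use ArcSight short
names (cn1..cn3 = deviceCustomNumber1..3, cs1/cs2 = deviceCustomString1/2); cs1/cs2
as the destination for the UTM IDs is an assumption, not the parser's mapping.
"""
from collections import defaultdict

# Constructed sample events (not real Fortigate output), already parsed. Traffic
# events carry quantities in cn1..cn3; UTM events carry a session ID in cn2 and a
# policy ID in cn3, as in the current mapping. Both UTM hits belong to one session.
TRAFFIC_EVENTS = [
    {"type": "traffic", "src": "10.0.0.5", "dst": "203.0.113.9", "cn1": 30, "cn2": 120, "cn3": 80},
    {"type": "traffic", "src": "10.0.0.5", "dst": "203.0.113.9", "cn1": 12, "cn2": 40, "cn3": 25},
]
UTM_EVENTS = [
    {"type": "utm", "src": "10.0.0.5", "dst": "203.0.113.9", "cn1": 0, "cn2": 70001, "cn3": 42},
    {"type": "utm", "src": "10.0.0.5", "dst": "203.0.113.9", "cn1": 0, "cn2": 70001, "cn3": 42},
]
ALL_EVENTS = TRAFFIC_EVENTS + UTM_EVENTS

KEYS = ("type", "src", "dst")        # "fields to aggregate" shared by every scenario
QUANTITIES = {"cn1", "cn2", "cn3"}   # "fields to sum" under the current mapping


def aggregate(events, group_by, sum_fields):
    """Group events on group_by and collapse each group into one record.

    Fields in sum_fields are added up; any other field survives only if it is
    identical across the group, otherwise it is set to None (value lost).
    """
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev.get(k) for k in group_by)].append(ev)
    result = []
    for members in groups.values():
        agg = {"count": len(members)}
        for field in set().union(*members):          # every field name seen in the group
            vals = [m.get(field) for m in members]
            if field in sum_fields:
                agg[field] = sum(v for v in vals if v is not None)
            elif len(set(vals)) == 1:
                agg[field] = vals[0]
            else:
                agg[field] = None
        result.append(agg)
    return result


def summarize(events, group_by, sum_fields):
    """Aggregate and index the resulting records by event type for inspection."""
    by_type = defaultdict(list)
    for rec in aggregate(events, group_by, sum_fields):
        by_type[rec["type"]].append(rec)
    return dict(by_type)


def remap_utm_ids(event):
    """Proposed fix: move the UTM identifiers out of the number slots into string slots."""
    ev = dict(event)
    if ev.get("type") == "utm":
        ev["cs1"] = str(ev.pop("cn2"))   # session ID, no longer summable
        ev["cs2"] = str(ev.pop("cn3"))   # policy ID
    return ev


def scenario_sum_all():
    """Current mapping, cn2/cn3 treated as quantities: UTM IDs get added together."""
    return summarize(ALL_EVENTS, KEYS, QUANTITIES)


def scenario_group_on_ids():
    """Current mapping, cn2/cn3 treated as IDs: traffic events stop aggregating."""
    return summarize(ALL_EVENTS, KEYS + ("cn2", "cn3"), {"cn1"})


def scenario_remapped():
    """IDs moved to cs1/cs2: one rule sums quantities and groups on IDs."""
    remapped = [remap_utm_ids(e) for e in ALL_EVENTS]
    return summarize(remapped, KEYS + ("cs1", "cs2"), QUANTITIES)


if __name__ == "__main__":
    for name, fn in (("sum cn1..cn3", scenario_sum_all),
                     ("group on cn2/cn3", scenario_group_on_ids),
                     ("IDs remapped to cs1/cs2", scenario_remapped)):
        print(f"== {name} ==")
        for evtype, recs in fn().items():
            for rec in recs:
                print(f"  {evtype}: {rec}")
```

In the first scenario the UTM record comes out with cn2 = 140002 and cn3 = 84, neither of which is a real session or policy ID; in the second the two traffic events stay as two separate records because their packet counts differ; only the remapped run gives one record per type with packet counts summed and the IDs intact as strings.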