diff --git a/packages/fortinet_fortiauthenticator/_dev/build/build.yml b/packages/fortinet_fortiauthenticator/_dev/build/build.yml
new file mode 100644
index 00000000000..10c829f8db7
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/_dev/build/build.yml
@@ -0,0 +1,4 @@
+dependencies:
+ ecs:
+ reference: "git@v8.17.0"
+ import_mappings: true
diff --git a/packages/fortinet_fortiauthenticator/_dev/build/docs/README.md b/packages/fortinet_fortiauthenticator/_dev/build/docs/README.md
new file mode 100644
index 00000000000..1db894f6fa4
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/_dev/build/docs/README.md
@@ -0,0 +1,171 @@
+# Fortinet FortiAuthenticator Logs Integration for Elastic
+
+## Overview
+
+The Fortinet FortiAuthenticator Logs integration for Elastic enables the collection of logs from Fortinet FortiAuthenticator. This allows for system and security monitoring. By ingesting FortiAuthenticator logs, users can gain visibility into radius, and tacacs+ activity.
+
+### Compatibility
+
+This integration has been tested against FortiAuthenticator version 8.0.2, this version has important bugfix for log messages. Version 7.x or any version below 8.0.2 may not work with this integration!
+
+This integration is compatible with Elastic Stack version 9.0.0 or higher.
+
+### How it works
+
+This integration collects logs from FortiAuthenticator by receiving syslog data via TCP/UDP or by reading directly from log files. An Elastic Agent is deployed on a host that is configured as a syslog receiver or has access to the log files. The agent forwards the logs to your Elastic deployment, where they can be monitored or analyzed.
+
+## What data does this integration collect?
+
+The Fortinet FortiAuthenticator Logs integration collects the following types of logs:
+* **System Event logs**: System-level events, license, firmware, high-availability (HA) events, and configuration changes.
+* **Authentication logs**: Records of radius, tacacs+, administrator, and user authentication events
+
+## What do I need to use this integration?
+
+- A FortiAuthenticator with version 8.0.2 or higher and administrative access to configure syslog settings.
+- Elastic Stack version 9.0.0 or higher.
+
+## How do I deploy this integration?
+
+### Agent-based deployment
+
+Elastic Agent must be installed on a host that will receive the syslog data or has access to the log files from the FortiAuthenticator. For detailed installation instructions, refer to the Elastic Agent [installation guide](docs-content://reference/fleet/install-elastic-agents.md). Only one Elastic Agent is needed per host.
+
+### Vendor set up steps
+
+#### Syslog Configuration
+
+You can configure FortiAuthenticator to send logs to the Elastic Agent using either the GUI or the CLI.
+
+**GUI Configuration:**
+
+1. Log in to the Fortinet FortiAuthenticator
+2. Navigate to **Logging -> Log Config -> Syslog Servers**.
+3. Create new syslog-server. In the IP address field, enter the IP address of the host where the Elastic Agent is installed.
+4. Navigate to **Logging -> Log COnfig -> Log Settings**.
+5. Enable **Send system logs to remote Syslog servers**.
+6. Select your newly created syslog-server and click the right arrow to move to list of "chosen syslog servers"
+7. Click **Save**.
+
+### Onboard / configure in Kibana
+
+1. In Kibana, navigate to **Management > Integrations**.
+2. Search for "Fortinet FortiAuthenticator" and select the integration.
+3. Click **Add Fortinet FortiAuthenticator Logs**.
+4. Configure the integration by selecting an input type and providing the necessary settings. This integration supports `TCP`, `UDP`, and `Log file` inputs.
+
+#### TCP Input Configuration
+
+This input collects logs over a TCP socket.
+
+| Setting | Description |
+|---|---|
+| **Listen Address** | The bind address for the TCP listener (e.g., `localhost`, `0.0.0.0`). |
+| **Listen Port** | The TCP port number to listen on (e.g., `9004`). |
+| **Preserve original event** | If checked, a raw copy of the original log is stored in the `event.original` field. |
+| **Preserve duplicate custom fields** | Check this to preserve fields that were copied to ECS fields. Default: false. |
+
+Under **Advanced Options**, you can configure the following optional parameters:
+
+| Setting | Description |
+|---|---|
+| **Internal/External interfaces** | Define your network interfaces to correctly map network direction. |
+| **Internal networks** | Specify your internal network ranges (defaults to private address spaces). Supports CIDR notation and named ranges like `private`. |
+| **SSL Configuration** | Configure SSL options for encrypted communication. See the [SSL documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. |
+| **Custom TCP Options** | `max_message_size`: The maximum size of a log message (e.g., `50KiB`).
`max_connections`: The maximum number of simultaneous connections. |
+| **Timezone** | Specify an IANA timezone or offset (e.g., `+0200`) for logs with no timezone information. |
+| **Timezone Map** | A mapping of timezone strings from logs to standard IANA timezone formats. |
+| **Processors** | Add custom processors to enhance or reduce event fields before parsing. |
+
+#### UDP Input Configuration
+
+This input collects logs over a UDP socket.
+
+| Setting | Description |
+|---|---|
+| **Listen Address** | The bind address for the UDP listener (e.g., `localhost`, `0.0.0.0`). |
+| **Listen Port** | The UDP port number to listen on (e.g., `9004`). |
+| **Preserve original event** | If checked, a raw copy of the original log is stored in the `event.original` field. |
+| **Preserve duplicate custom fields** | Check this to preserve fields that were copied to ECS fields. Default: false. |
+
+Under **Advanced Options**, you can configure the following optional parameters:
+
+| Setting | Description |
+|---|---|
+| **Internal/External interfaces** | Define your network interfaces to correctly map network direction. |
+| **Internal networks** | Specify your internal network ranges (defaults to private address spaces). |
+| **Custom UDP Options** | `read_buffer`: The size of the read buffer for the UDP socket (e.g., `100MiB`).
`max_message_size`: The maximum size of a log message (e.g., `50KiB`).
`timeout`: The read timeout for the UDP socket (e.g., `300s`). |
+| **Timezone** | Specify an IANA timezone or offset (e.g., `+0200`) for logs with no timezone information. |
+| **Timezone Map** | A mapping of timezone strings from logs to standard IANA timezone formats. |
+| **Processors** | Add custom processors to enhance or reduce event fields before parsing. |
+
+
+#### Log file Input Configuration
+
+This input collects logs directly from log files on the host where the Elastic Agent is running.
+
+| Setting | Description |
+|---|---|
+| **Paths** | A list of file paths to monitor (e.g., `/var/log/fortinet-fortiauthenticatgor.log`). |
+| **Preserve original event** | If checked, a raw copy of the original log is stored in the `event.original` field. |
+| **Preserve duplicate custom fields** | Check this to preserve fields that were copied to ECS fields. Default: false. |
+
+Under **Advanced Options**, you can configure the following optional parameters:
+
+| Setting | Description |
+|---|---|
+| **Internal/External interfaces** | Define your network interfaces to correctly map network direction. |
+| **Internal networks** | Specify your internal network ranges (defaults to private address spaces). |
+| **Timezone** | Specify an IANA timezone or offset (e.g., `+0200`) for logs with no timezone information. |
+| **Timezone Map** | A mapping of timezone strings from logs to standard IANA timezone formats. |
+| **Processors** | Add custom processors to enhance or reduce event fields before parsing. |
+
+After configuring the input, assign the integration to an agent policy and click **Save and continue**.
+
+### Validation
+
+1. First, verify on the FortiAuthenticator device that logs are being actively sent to the configured Elastic Agent host.
+2. In Kibana, navigate to **Discover**.
+3. In the search bar, enter `data_stream.dataset: "fortinet_fortiauthenticator.log"` and check for incoming documents.
+4. Verify that events are appearing with recent timestamps.
+5. Navigate to **Management > Dashboards** and search for "Fortinet FortiAuthenticator Overview" to see if the visualizations are populated with data.
+6. Generate some test traffic that would be logged by the FortiAuthenticator and confirm that the corresponding logs appear in Kibana.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+### Common Configuration Issues
+
+- **No data is being collected**:
+ * Verify network connectivity (e.g., using `ping` or `netcat`) between the FortiAuthenticator and the Elastic Agent host.
+ * Ensure there are no firewalls or network ACLs blocking the syslog port.
+ * Confirm that the syslog listening port configured in the Elastic integration matches the destination port configured on the FortiAuthenticator.
+
+### Vendor Resources
+
+- [Fortinet Fortiauthenticator - Log configuration](https://docs.fortinet.com/document/fortiauthenticator/8.0.2/administration-guide/964220/log-configuration)
+- [Fortinet Documentation Library](https://docs.fortinet.com/)
+- [Fortiauthenticator Guide](https://docs.fortinet.com/product/fortiauthenticator)
+
+## Performance and Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### log
+
+The `log` data stream collects all log types from the FortiAuthenticator.
+
+#### log fields
+
+{{ fields "log" }}
+
+#### log sample event
+
+{{ event "log" }}
+
+### Inputs used
+
+{{ inputDocs }}
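Review bot: the "Syslog Configuration" step says FortiAuthenticator can be configured "using either the GUI or the CLI", but only GUI steps follow; either add the CLI steps or drop the CLI mention. In the same hunk, "Log COnfig" in step 4 and the example path `/var/log/fortinet-fortiauthenticatgor.log` are typos, "radius" and "tacacs+" should be written RADIUS and TACACS+ since they are protocol names, and the compatibility sentence reads better as "This integration has been tested against FortiAuthenticator 8.0.2, which includes an important bug fix for log messages; 7.x and releases earlier than 8.0.2 may not work." The "Custom TCP Options" and "Custom UDP Options" table cells span several lines, which breaks Markdown table rendering; join them with `<br>` or give each option its own row. The validation step tells readers to look for a dashboard named "Fortinet FortiAuthenticator Overview" under Management > Dashboards, while the dashboard this PR defines is titled "[Logs FortiAuthenticator] Overview" and Kibana lists dashboards under Analytics; use the real title and path. The SSL link still uses the old beats guide URL while the rest of the README links to elastic.co/docs. Finally, the GUI steps produce plain syslog carrying usernames, source IPs and FortiToken serials; a sentence recommending the TCP input with the SSL options enabled where the path between FortiAuthenticator and the agent is not trusted would be a useful caveat here.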
diff --git a/packages/fortinet_fortiauthenticator/_dev/deploy/docker/docker-compose.yml b/packages/fortinet_fortiauthenticator/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..2838a379261
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,6 @@
+services:
+ fortinet_fortiauthenticator:
+ image: docker.elastic.co/observability/stream:v0.20.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/fortinet-fortiauthenticator.log
diff --git a/packages/fortinet_fortiauthenticator/_dev/deploy/docker/sample_logs/fortinet-fortiauthenticator.log b/packages/fortinet_fortiauthenticator/_dev/deploy/docker/sample_logs/fortinet-fortiauthenticator.log
new file mode 100644
index 00000000000..c3f6943be85
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/_dev/deploy/docker/sample_logs/fortinet-fortiauthenticator.log
@@ -0,0 +1,51 @@
+Apr 7 15:00:59 fortiauthenticator category="Event" subcategory="System" typeid=30908 level="information" user="admin" nas="" userip="" action="" status="" smtp mail: send to test01@corp.contoso.com via 192.168.1.10:25 ok
+Apr 7 15:00:59 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Assigning remote LDAP user test01 with FortiToken Mobile FTKMOBDEADBEEF, activation code DEADBEEF.
+Apr 7 15:00:59 fortiauthenticator category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="" nas="" userip="" action="Edit" status="" Edited Remote LDAP User: test01 (changed fields: enabled and FortiToken)
+Apr 7 15:00:59 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="test01" nas="" userip="" action="Add" status="" Successfully assigned token to test01 (rule: vpn_users) @ AD (corp.contoso.com) with FortiToken Mobile ("FTKMOBDEADBEEF") token-based authentication. User unlocked as previously locked due to FTM activation expired.
+Apr 7 15:03:01 fortiauthenticator category="Event" subcategory="System" typeid=31001 level="information" user="" nas="" userip="" action="" status="" SNMP Trap (HA status has changed) sent to configured recipients
+Apr 7 15:03:02 fortiauthenticator category="Event" subcategory="High Availability" typeid=40001 level="information" user="" nas="" userip="" action="" status="" FAC-VMDEADBEEF has joined the HA cluster
+Apr 7 15:03:35 fortiauthenticator category="Event" subcategory="High Availability" typeid=40004 level="information" user="" nas="" userip="" action="" status="" LB device failed to connect from 192.168.1.2
+Apr 7 15:07:37 fortiauthenticator category="Event" subcategory="High Availability" typeid=40004 level="information" user="" nas="" userip="" action="" status="" LB device failed to connect from 192.168.1.2
+Apr 7 15:07:46 fortiauthenticator category="Event" subcategory="System" typeid=30101 level="information" user="admin" nas="" userip="" action="" status="" RADIUS server running in full edition
+Apr 7 15:24:21 fortiauthenticator category="Event" subcategory="System" typeid=30350 level="information" user="admin" nas="" userip="" action="" status="" Joined Windows AD network: corp.contoso.com
+Apr 7 15:24:37 fortiauthenticator category="Event" subcategory="Authentication" typeid=20430 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 7 15:24:38 fortiauthenticator category="Event" subcategory="Authentication" typeid=20334 level="information" user="test01" nas="192.168.1.1" userip="192.0.2.100" action="" status="" Windows AD user authentication from 192.0.2.100 (mschap) with FortiToken failed: AD auth error: .The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
+Apr 7 15:25:08 fortiauthenticator category="Event" subcategory="Authentication" typeid=20430 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 7 15:25:08 fortiauthenticator category="Event" subcategory="Authentication" typeid=20300 level="information" user="test01" nas="192.168.1.1" userip="192.0.2.100" action="" status="" Windows AD user authentication(mschap) partially done, expecting FortiToken
+Apr 7 15:25:09 fortiauthenticator category="Event" subcategory="Authentication" typeid=20422 level="information" user="test01" nas="192.168.1.1" userip="" action="Authentication" status="Success" 802.1x authentication (EAP-MSCHAPv2) partially successful
+Apr 7 15:25:09 fortiauthenticator category="Event" subcategory="Authentication" typeid=20431 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Success" EAP-MSCHAPv2 login successful by test01 from 192.0.2.100
+Apr 7 15:25:09 fortiauthenticator category="Event" subcategory="Authentication" typeid=20430 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 7 15:25:26 fortiauthenticator category="Event" subcategory="Authentication" typeid=20002 level="information" user="test01" nas="192.168.1.1" userip="192.0.2.100" action="" status="" Windows AD user authentication from 192.0.2.100 with FortiToken successful
+Apr 7 15:25:26 fortiauthenticator category="Event" subcategory="Authentication" typeid=20004 level="notice" user="test01" nas="192.0.2.100" userip="" action="Login" status="Success" Successful FWVPN login from a new location.
+Apr 7 15:25:26 fortiauthenticator category="Event" subcategory="Authentication" typeid=20420 level="information" user="test01" nas="192.168.1.1" userip="" action="Authentication" status="Success" 802.1x authentication (EAP-GTC) successful
+Apr 7 15:25:26 fortiauthenticator category="Event" subcategory="Authentication" typeid=20431 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Success" EAP-GTC login successful by test01 from 192.0.2.100
+Apr 7 15:25:33 fortiauthenticator category="Event" subcategory="Authentication" typeid=20001 level="information" user="test02" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Success" Windows AD user authentication from 192.0.2.100 with no token successful
+Apr 7 15:30:37 fortiauthenticator category="Event" subcategory="Authentication" typeid=20334 level="information" user="test02" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Failed" Windows AD user authentication from 192.0.2.100 with no token failed: AD auth error: .{Access Denied} A process has requested access to an object but has not been granted those access rights. (0xc0000022)
+Apr 7 15:32:50 fortiauthenticator category="Event" subcategory="System" typeid=30011 level="information" user="" nas="" userip="" action="" status="" status=update msg="FortiAuthenticator scheduled update fcni=yes fdni=yes from 12.34.97.16:443"
+Apr 7 15:42:37 fortiauthenticator category="Event" subcategory="Authentication" typeid=20114 level="notice" user="test02" nas="192.0.2.100" userip="" action="Login" status="Failed" Failed 'FAC_TAC_PLUS' login attempt was not followed by a successful login
+Apr 7 16:05:54 fortiauthenticator category="Event" subcategory="Authentication" typeid=20334 level="information" user="test02" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Failed" Windows AD user authentication from 192.0.2.100 with no token failed: AD auth error: .When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)
+Apr 7 16:34:36 fortiauthenticator category="Event" subcategory="Authentication" typeid=20994 level="information" user="admin" nas="" userip="192.0.2.100" action="Login" status="Success" Local administrator authentication from 192.0.2.100 with no token successful
+Apr 7 16:34:36 fortiauthenticator category="Event" subcategory="Authentication" typeid=20994 level="information" user="admin" nas="" userip="" action="Login" status="Success" Administrator 'admin' logged in
+Apr 7 16:34:36 fortiauthenticator category="Event" subcategory="Authentication" typeid=20994 level="information" user="admin" nas="192.0.2.100" userip="" action="Login" status="Success" Web access granted to 'admin'
+Apr 7 16:35:09 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Performing remote LDAP user sync (rule: vpn_users) with AD (corp.contoso.com).
+Apr 7 16:35:09 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Retrieved 15 user(s) from the remote LDAP vpn_users "AD (corp.contoso.com)". (sync rule: vpn_users)
+Apr 7 16:35:10 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Found 0 modified FTC users for sync (rule: vpn_users) with AD (corp.contoso.com)
+Apr 7 16:35:10 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Successfully synced (rule: vpn_users) with AD on Tue Apr 7 16:35:10 2026.
+<14>1 2026-04-08T08:13:29+02:00 fortiauthenticator db 6260 - - category="Event" subcategory="Authentication" typeid=20101 level="information" user="test01" nas="192.168.10.1" userip="" action="Authentication" status="Failed" Windows AD user authentication from (null) with no token failed: invalid user.
+<14>1 2026-04-08T10:17:40+02:00 fortiauthenticator db 11356 - - category="Event" subcategory="Authentication" typeid=20994 level="information" user="admin" nas="192.0.2.100" userip="" action="Login" status="Failed" Web access denied to 'admin'
+Apr 15 00:37:04 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20001 level="information" user="test01" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Success" Windows AD user authentication from 192.0.2.100 with no token successful
+Apr 15 13:29:01 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20430 level="information" user="test02" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 15 13:29:02 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20300 level="information" user="test02" nas="192.168.1.1" userip="192.0.2.100" action="" status="" Windows AD user authentication(mschap) partially done, expecting FortiToken
+Apr 15 13:29:02 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20422 level="information" user="test02" nas="192.168.1.1" userip="" action="Authentication" status="Success" 802.1x authentication (EAP-MSCHAPv2) partially successful
+Apr 15 13:29:02 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20431 level="information" user="test02" nas="192.168.1.1" userip="" action="EAP Login" status="Success" EAP-MSCHAPv2 login successful by test02 from 192.0.2.100
+Apr 15 13:29:02 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20430 level="information" user="test02" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 15 14:26:41 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20101 level="information" user="test01" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Failed" Windows AD user authentication from 192.0.2.100 with no token failed: invalid user.
+Apr 16 10:56:30 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10001 level="information" user="admin" nas="" userip="" action="Add" status="" Added Local User: test03
+Apr 13 10:05:12 fortiauthenticator db[37558]: category="Event" subcategory="Admin Configuration" typeid=10001 level="information" user="" nas="" userip="" action="Add" status="" Added Remote LDAP User: test04
+Apr 14 09:10:35 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="admin" nas="" userip="" action="Edit" status="" Edited Remote LDAP User: test04 (changed fields: FortiToken)
+Apr 16 10:56:30 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="admin" nas="" userip="" action="Edit" status="" Edited Local User: test03 (changed fields: email address and password)
+Apr 16 09:13:53 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="" nas="" userip="" action="Edit" status="" Releasing FortiToken FTKMOBDEADBEEF from user
+Apr 16 09:14:08 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="" nas="" userip="" action="Edit" status="" Assigning FortiToken FTKMOBDEADBEEF to remote LDAP user test04
+Apr 16 10:56:12 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10003 level="information" user="admin" nas="" userip="" action="Delete" status="" Deleted Local User Profile: test03
+Apr 10 16:20:11 fortiauthenticator db[47243]: category="Event" subcategory="Admin Configuration" typeid=10003 level="information" user="" nas="" userip="" action="Delete" status="" Deleted Remote LDAP User: test04
+Apr 15 18:00:06 fortiauthenticator db[35504]: category="Event" subcategory="Admin Configuration" typeid=10500 level="notice" user="" nas="" userip="" action="" status="" System configuration backup has been uploaded successfully
\ No newline at end of file
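Review bot: two lines in this fixture are parser edge cases the pipeline tests should assert on explicitly. The typeid=30011 line carries a second, unquoted `status=update msg="..."` inside the message body after the header's `status=""`, so a KV or grok stage that matches `status=` anywhere in the line will produce a duplicate or overwritten key; and the typeid=20101 line reads "authentication from (null)", so whatever extracts the source address must not try to convert `(null)` to an IP. The file mixes three framings (BSD `Apr 7 15:00:59 fortiauthenticator category=...`, RFC 5424 `<14>1 2026-04-08T08:13:29+02:00 fortiauthenticator db 6260 - -`, and BSD with a `db[23948]:` tag), which is good coverage, but only the RFC 5424 lines carry a year and timezone; the rest depend on the Timezone setting the README documents, so the expected `@timestamp` values in the test should be checked with that in mind. Minor: add the missing trailing newline so the last event is framed like the others.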
diff --git a/packages/fortinet_fortiauthenticator/_dev/shared/kibana/fortinet_fortiauthenticator.yaml b/packages/fortinet_fortiauthenticator/_dev/shared/kibana/fortinet_fortiauthenticator.yaml
new file mode 100644
index 00000000000..8d00f75a733
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/_dev/shared/kibana/fortinet_fortiauthenticator.yaml
@@ -0,0 +1,738 @@
+dashboards:
+ # ── Overview (Hub) ────────────────────────────────────────────────────
+ - id: fortinet_fortiauthenticator-overview
+ name: "[Logs FortiAuthenticator] Overview"
+ description: >-
+ Hub dashboard for Fortinet FortiAuthenticator. Use the links below to
+ navigate to category-specific dashboards.
+ minimum_kibana_version: "8.14.0"
+
+ settings:
+ margins: true
+
+ filters:
+ - field: data_stream.dataset
+ equals: fortinet_fortiauthenticator.log
+
+ controls:
+ - type: options
+ label: Subcategory
+ data_view: logs-*
+ field: fortinet.fortiauthenticator.log.subcategory
+ - type: options
+ label: Log Level
+ data_view: logs-*
+ field: log.level
+ - type: options
+ label: User
+ data_view: logs-*
+ field: user.name
+ - type: options
+ label: Source IP
+ data_view: logs-*
+ field: source.ip
+
+ panels:
+ - size: {w: whole, h: 3}
+ links:
+ layout: horizontal
+ items:
+ - label: Overview
+ dashboard: fortinet_fortiauthenticator-overview
+ - label: Authentication
+ dashboard: fortinet_fortiauthenticator-authentication
+ - label: Admin Configuration Audit
+ dashboard: fortinet_fortiauthenticator-admin-audit
+ - label: System and HA
+ dashboard: fortinet_fortiauthenticator-system
+
+ # KPI row
+ - hide_title: true
+ size: {w: quarter, h: 4}
+ esql:
+ type: metric
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | STATS total = COUNT(*)
+ primary:
+ field: total
+ label: Total Events
+ format:
+ type: number
+ decimals: 0
+
+ - hide_title: true
+ size: {w: quarter, h: 4}
+ esql:
+ type: metric
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ AND user.name IS NOT NULL
+ | STATS users = COUNT_DISTINCT(user.name)
+ primary:
+ field: users
+ label: Unique Users
+ format:
+ type: number
+ decimals: 0
+
+ - hide_title: true
+ size: {w: quarter, h: 4}
+ esql:
+ type: metric
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ AND source.ip IS NOT NULL
+ | STATS ips = COUNT_DISTINCT(source.ip)
+ primary:
+ field: ips
+ label: Unique Source IPs
+ format:
+ type: number
+ decimals: 0
+
+ - hide_title: true
+ size: {w: quarter, h: 4}
+ esql:
+ type: metric
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ AND event.outcome IS NOT NULL
+ | STATS total = COUNT(*), failed = COUNT(CASE(event.outcome == "failure", 1))
+ | EVAL failure_rate = ROUND(failed * 100.0 / total, 1)
+ primary:
+ field: failure_rate
+ label: Failure Rate (%)
+ format:
+ type: number
+ decimals: 1
+
+ # Focal chart + category split
+ - title: Events Over Time
+ size: {w: 32, h: 10}
+ esql:
+ type: bar
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | STATS count = COUNT(*) BY time_bucket = BUCKET(@timestamp, 20, ?_tstart, ?_tend), subcategory = fortinet.fortiauthenticator.log.subcategory
+ | SORT time_bucket ASC
+ dimension:
+ field: time_bucket
+ data_type: date
+ metrics:
+ - field: count
+ breakdown:
+ field: subcategory
+ legend:
+ visible: show
+ position: right
+
+ - title: Distribution of Events by Subcategory
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | STATS count = COUNT(*) BY fortinet.fortiauthenticator.log.subcategory
+ | SORT count DESC
+ | LIMIT 7
+ metrics:
+ - field: count
+ label: Events
+ breakdowns:
+ - field: fortinet.fortiauthenticator.log.subcategory
+ appearance:
+ donut: small
+
+ - title: Log Stream
+ size: {w: whole, h: 15}
+ search:
+ saved_search_id: fortinet_fortiauthenticator-all-user-events
+
+ # ── Authentication ────────────────────────────────────────────────────
+ - id: fortinet_fortiauthenticator-authentication
+ name: "[Logs FortiAuthenticator] Authentication"
+ description: >-
+ Authentication events from FortiAuthenticator. Shows only final
+ RADIUS/TACACS+ authentication results — intermediate EAP handshake steps
+ are excluded for accurate logon counts.
+ minimum_kibana_version: "8.14.0"
+
+ settings:
+ margins: true
+
+ filters:
+ - field: data_stream.dataset
+ equals: fortinet_fortiauthenticator.log
+
+ controls:
+ - type: options
+ label: Protocol
+ data_view: logs-*
+ field: network.protocol
+ - type: options
+ label: Outcome
+ data_view: logs-*
+ field: event.outcome
+ - type: options
+ label: User
+ data_view: logs-*
+ field: user.name
+ - type: options
+ label: Source IP
+ data_view: logs-*
+ field: source.ip
+
+ panels:
+ - size: {w: whole, h: 3}
+ links:
+ layout: horizontal
+ items:
+ - label: Overview
+ dashboard: fortinet_fortiauthenticator-overview
+ - label: Authentication
+ dashboard: fortinet_fortiauthenticator-authentication
+ - label: Admin Configuration Audit
+ dashboard: fortinet_fortiauthenticator-admin-audit
+ - label: System and HA
+ dashboard: fortinet_fortiauthenticator-system
+
+ # Row 1: Distribution donuts
+ - title: Distribution of Events by Outcome
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | WHERE fortinet.fortiauthenticator.log.subcategory == "Authentication"
+ AND NOT event.action LIKE "*admin-gui*"
+ AND NOT event.code IN ("20430", "20431", "20300", "20299", "20422", "20005")
+ | STATS count = COUNT(*) BY event.outcome
+ | SORT count DESC
+ metrics:
+ - field: count
+ label: Events
+ breakdowns:
+ - field: event.outcome
+ appearance:
+ donut: small
+
+ - title: Distribution of Events by Protocol
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | WHERE fortinet.fortiauthenticator.log.subcategory == "Authentication"
+ AND NOT event.action LIKE "*admin-gui*"
+ AND NOT event.code IN ("20430", "20431", "20300", "20299", "20422", "20005")
+ AND network.protocol IS NOT NULL
+ | STATS count = COUNT(*) BY network.protocol
+ | SORT count DESC
+ | LIMIT 7
+ metrics:
+ - field: count
+ label: Events
+ breakdowns:
+ - field: network.protocol
+ appearance:
+ donut: small
+
+ - title: Distribution of Events by Log Level
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | WHERE fortinet.fortiauthenticator.log.subcategory == "Authentication"
+ AND NOT event.action LIKE "*admin-gui*"
+ AND NOT event.code IN ("20430", "20431", "20300", "20299", "20422", "20005")
+ | STATS count = COUNT(*) BY log.level
+ | SORT count DESC
+ metrics:
+ - field: count
+ label: Events
+ breakdowns:
+ - field: log.level
+ appearance:
+ donut: small
+
+ # Row 2: Top-N tables
+ - title: Top 10 Users
+ size: {w: third, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:Authentication
+ AND NOT event.action:*admin-gui*
+ AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005)
+ AND user.name:*
+ metrics:
+ - aggregation: count
+ label: Events
+ breakdowns:
+ - type: values
+ field: user.name
+ label: User
+ size: 10
+
+ - title: Top 10 Source IPs
+ size: {w: third, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:Authentication
+ AND NOT event.action:*admin-gui*
+ AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005)
+ AND source.ip:*
+ metrics:
+ - aggregation: count
+ label: Events
+ breakdowns:
+ - type: values
+ field: source.ip
+ label: Source IP
+ size: 10
+
+ - title: Top 10 NAS Devices
+ size: {w: third, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:Authentication
+ AND NOT event.action:*admin-gui*
+ AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005)
+ AND fortinet.fortiauthenticator.log.nas:*
+ metrics:
+ - aggregation: count
+ label: Events
+ breakdowns:
+ - type: values
+ field: fortinet.fortiauthenticator.log.nas
+ label: NAS
+ size: 10
+
+ # Row 3: Failure breakdown
+ - title: Top 10 Users by Failed Logons
+ size: {w: half, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:Authentication
+ AND NOT event.action:*admin-gui*
+ AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005)
+ AND event.outcome:failure
+ AND user.name:*
+ metrics:
+ - aggregation: count
+ label: Failures
+ breakdowns:
+ - type: values
+ field: user.name
+ label: User
+ size: 10
+
+ - title: Top 10 Source IPs by Failed Logons
+ size: {w: half, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:Authentication
+ AND NOT event.action:*admin-gui*
+ AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005)
+ AND event.outcome:failure
+ AND source.ip:*
+ metrics:
+ - aggregation: count
+ label: Failures
+ breakdowns:
+ - type: values
+ field: source.ip
+ label: Source IP
+ size: 10
+
+ # Log stream
+ - title: Log Stream
+ size: {w: whole, h: 15}
+ search:
+ saved_search_id: fortinet_fortiauthenticator-authentication-events
+
+ # ── Admin Configuration Audit ────────────────────────────────────────
+ - id: fortinet_fortiauthenticator-admin-audit
+ name: "[Logs FortiAuthenticator] Admin Configuration Audit"
+ description: >-
+ Administrative changes on FortiAuthenticator: user account creation,
+ modification, deletion, and token assignments.
+ minimum_kibana_version: "8.14.0"
+
+ settings:
+ margins: true
+
+ filters:
+ - field: data_stream.dataset
+ equals: fortinet_fortiauthenticator.log
+
+ controls:
+ - type: options
+ label: Event Action
+ data_view: logs-*
+ field: event.action
+ - type: options
+ label: Event Type
+ data_view: logs-*
+ field: event.type
+ - type: options
+ label: Admin
+ data_view: logs-*
+ field: user.name
+
+ panels:
+ - size: {w: whole, h: 3}
+ links:
+ layout: horizontal
+ items:
+ - label: Overview
+ dashboard: fortinet_fortiauthenticator-overview
+ - label: Authentication
+ dashboard: fortinet_fortiauthenticator-authentication
+ - label: Admin Configuration Audit
+ dashboard: fortinet_fortiauthenticator-admin-audit
+ - label: System and HA
+ dashboard: fortinet_fortiauthenticator-system
+
+ # Row 1: Distribution donuts
+ - title: Distribution of Events by Action
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | WHERE fortinet.fortiauthenticator.log.subcategory == "Admin Configuration"
+ AND fortinet.fortiauthenticator.log.action IS NOT NULL
+ AND fortinet.fortiauthenticator.log.action != ""
+ | STATS count = COUNT(*) BY fortinet.fortiauthenticator.log.action
+ | SORT count DESC
+ | LIMIT 7
+ metrics:
+ - field: count
+ label: Events
+ breakdowns:
+ - field: fortinet.fortiauthenticator.log.action
+ appearance:
+ donut: small
+
+ - title: Distribution of Events by Type
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | WHERE fortinet.fortiauthenticator.log.subcategory == "Admin Configuration"
+ | MV_EXPAND event.type
+ | STATS count = COUNT(*) BY event.type
+ | SORT count DESC
+ | LIMIT 7
+ metrics:
+ - field: count
+ label: Events
+ breakdowns:
+ - field: event.type
+ appearance:
+ donut: small
+
+ - title: Distribution of Changed Fields
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | WHERE fortinet.fortiauthenticator.log.subcategory == "Admin Configuration"
+ AND fortinet.fortiauthenticator.log.changes IS NOT NULL
+ | MV_EXPAND fortinet.fortiauthenticator.log.changes
+ | STATS count = COUNT(*) BY fortinet.fortiauthenticator.log.changes
+ | SORT count DESC
+ | LIMIT 7
+ metrics:
+ - field: count
+ label: Events
+ breakdowns:
+ - field: fortinet.fortiauthenticator.log.changes
+ appearance:
+ donut: small
+
+ # Row 2: Top-N tables
+ - title: Top 10 Admins Performing Changes
+ size: {w: half, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:"Admin Configuration"
+ AND user.name:*
+ metrics:
+ - aggregation: count
+ label: Changes
+ breakdowns:
+ - type: values
+ field: user.name
+ label: Admin
+ size: 10
+
+ - title: Top 10 Target Accounts
+ size: {w: half, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:"Admin Configuration"
+ AND user.target.name:*
+ metrics:
+ - aggregation: count
+ label: Changes
+ breakdowns:
+ - type: values
+ field: user.target.name
+ label: Target
+ size: 10
+
+ # Detail table + log stream
+ - title: Account Change Details
+ size: {w: whole, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:"Admin Configuration"
+ metrics:
+ - aggregation: count
+ label: Count
+ breakdowns:
+ - type: values
+ field: event.action
+ label: Event Action
+ size: 20
+ - type: values
+ field: user.name
+ label: Admin
+ size: 20
+ - type: values
+ field: user.target.name
+ label: Target Account
+ size: 20
+
+ - title: Log Stream
+ size: {w: whole, h: 15}
+ search:
+ saved_search_id: fortinet_fortiauthenticator-admin-config-events
+
+ # ── System and HA ──────────────────────────────────────────────────────
+ - id: fortinet_fortiauthenticator-system
+ name: "[Logs FortiAuthenticator] System and HA"
+ description: >-
+ System operations, admin GUI login activity, and high availability
+ cluster events from FortiAuthenticator.
+ minimum_kibana_version: "8.14.0"
+
+ settings:
+ margins: true
+
+ filters:
+ - field: data_stream.dataset
+ equals: fortinet_fortiauthenticator.log
+
+ controls:
+ - type: options
+ label: Subcategory
+ data_view: logs-*
+ field: fortinet.fortiauthenticator.log.subcategory
+ - type: options
+ label: Log Level
+ data_view: logs-*
+ field: log.level
+ - type: options
+ label: Event Action
+ data_view: logs-*
+ field: event.action
+
+ panels:
+ - size: {w: whole, h: 3}
+ links:
+ layout: horizontal
+ items:
+ - label: Overview
+ dashboard: fortinet_fortiauthenticator-overview
+ - label: Authentication
+ dashboard: fortinet_fortiauthenticator-authentication
+ - label: Admin Configuration Audit
+ dashboard: fortinet_fortiauthenticator-admin-audit
+ - label: System and HA
+ dashboard: fortinet_fortiauthenticator-system
+
+ # Row 1: Distribution donuts
+ - title: Distribution of Events by Subcategory
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | WHERE fortinet.fortiauthenticator.log.subcategory IN ("System", "High Availability")
+ OR event.action LIKE "*admin-gui*"
+ | EVAL area = CASE(
+ event.action LIKE "*admin-gui*", "Admin GUI",
+ fortinet.fortiauthenticator.log.subcategory
+ )
+ | STATS count = COUNT(*) BY area
+ | SORT count DESC
+ metrics:
+ - field: count
+ label: Events
+ breakdowns:
+ - field: area
+ appearance:
+ donut: small
+
+ - title: Distribution of Events by Log Level
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | WHERE fortinet.fortiauthenticator.log.subcategory IN ("System", "High Availability")
+ OR event.action LIKE "*admin-gui*"
+ | STATS count = COUNT(*) BY log.level
+ | SORT count DESC
+ metrics:
+ - field: count
+ label: Events
+ breakdowns:
+ - field: log.level
+ appearance:
+ donut: small
+
+ - title: Distribution of Admin GUI Login Outcomes
+ size: {w: third, h: 10}
+ esql:
+ type: pie
+ query: |
+ FROM logs-*
+ | WHERE data_stream.dataset == "fortinet_fortiauthenticator.log"
+ | WHERE event.action LIKE "*admin-gui*"
+ | STATS count = COUNT(*) BY event.outcome
+ | SORT count DESC
+ metrics:
+ - field: count
+ label: Logins
+ breakdowns:
+ - field: event.outcome
+ appearance:
+ donut: small
+
+ # Row 2: Top-N tables
+ - title: Top 10 Admin GUI Login Source IPs
+ size: {w: half, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND event.action:*admin-gui*
+ AND source.ip:*
+ metrics:
+ - aggregation: count
+ label: Logins
+ breakdowns:
+ - type: values
+ field: source.ip
+ label: Source IP
+ size: 10
+ - type: values
+ field: user.name
+ label: Admin
+ size: 10
+
+ - title: Top 10 System Event Actions
+ size: {w: half, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:(System OR "High Availability")
+ AND event.action:*
+ metrics:
+ - aggregation: count
+ label: Events
+ breakdowns:
+ - type: values
+ field: event.action
+ label: Event Action
+ size: 10
+
+ # Detail table + log stream
+ - title: System and HA Events
+ size: {w: whole, h: 12}
+ lens:
+ type: datatable
+ data_view: logs-*
+ query:
+ kql: >-
+ data_stream.dataset:fortinet_fortiauthenticator.log
+ AND fortinet.fortiauthenticator.log.subcategory:(System OR "High Availability")
+ metrics:
+ - aggregation: count
+ label: Count
+ breakdowns:
+ - type: values
+ field: event.action
+ label: Event Action
+ size: 30
+ - type: values
+ field: fortinet.fortiauthenticator.log.subcategory
+ label: Subcategory
+ size: 10
+ - type: values
+ field: log.level
+ label: Log Level
+ size: 5
+
+ - title: Log Stream
+ size: {w: whole, h: 15}
+ search:
+ saved_search_id: fortinet_fortiauthenticator-system-events
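Review bot: the exclusion list `NOT event.code IN ("20430", "20431", "20300", "20299", "20422", "20005")` is copy-pasted, in ESQL and KQL form, into every Authentication panel with no explanation of what those codes are, so a maintainer adding a panel or a new intermediate event type has nothing to go on. Add a short comment at the top of the Authentication dashboard stating the intent (judging by the sample log in this PR, 20430/20431/20300/20422 are EAP session-start and partial-authentication steps that would otherwise double-count each logon) and listing what 20299 and 20005 cover, since neither appears in the test data. Minor: "Top 10 Admin GUI Login Source IPs" breaks down by `source.ip` and then by `user.name`, each with `size: 10`, so the table can show up to 100 rows; either drop the second breakdown or rename the panel.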
diff --git a/packages/fortinet_fortiauthenticator/changelog.yml b/packages/fortinet_fortiauthenticator/changelog.yml
new file mode 100644
index 00000000000..12f5e95cd89
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial version of Fortinet FortiAuthenticator integration.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
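Review bot: `link: https://github.com/elastic/integrations/pull/1` is a placeholder, not this PR. Replace it with the URL of this pull request once the number is assigned, otherwise the changelog entry points at an unrelated change.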
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/pipeline/test-fortinet-fortiauthenticator.log b/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/pipeline/test-fortinet-fortiauthenticator.log
new file mode 100644
index 00000000000..c3f6943be85
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/pipeline/test-fortinet-fortiauthenticator.log
@@ -0,0 +1,51 @@
+Apr 7 15:00:59 fortiauthenticator category="Event" subcategory="System" typeid=30908 level="information" user="admin" nas="" userip="" action="" status="" smtp mail: send to test01@corp.contoso.com via 192.168.1.10:25 ok
+Apr 7 15:00:59 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Assigning remote LDAP user test01 with FortiToken Mobile FTKMOBDEADBEEF, activation code DEADBEEF.
+Apr 7 15:00:59 fortiauthenticator category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="" nas="" userip="" action="Edit" status="" Edited Remote LDAP User: test01 (changed fields: enabled and FortiToken)
+Apr 7 15:00:59 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="test01" nas="" userip="" action="Add" status="" Successfully assigned token to test01 (rule: vpn_users) @ AD (corp.contoso.com) with FortiToken Mobile ("FTKMOBDEADBEEF") token-based authentication. User unlocked as previously locked due to FTM activation expired.
+Apr 7 15:03:01 fortiauthenticator category="Event" subcategory="System" typeid=31001 level="information" user="" nas="" userip="" action="" status="" SNMP Trap (HA status has changed) sent to configured recipients
+Apr 7 15:03:02 fortiauthenticator category="Event" subcategory="High Availability" typeid=40001 level="information" user="" nas="" userip="" action="" status="" FAC-VMDEADBEEF has joined the HA cluster
+Apr 7 15:03:35 fortiauthenticator category="Event" subcategory="High Availability" typeid=40004 level="information" user="" nas="" userip="" action="" status="" LB device failed to connect from 192.168.1.2
+Apr 7 15:07:37 fortiauthenticator category="Event" subcategory="High Availability" typeid=40004 level="information" user="" nas="" userip="" action="" status="" LB device failed to connect from 192.168.1.2
+Apr 7 15:07:46 fortiauthenticator category="Event" subcategory="System" typeid=30101 level="information" user="admin" nas="" userip="" action="" status="" RADIUS server running in full edition
+Apr 7 15:24:21 fortiauthenticator category="Event" subcategory="System" typeid=30350 level="information" user="admin" nas="" userip="" action="" status="" Joined Windows AD network: corp.contoso.com
+Apr 7 15:24:37 fortiauthenticator category="Event" subcategory="Authentication" typeid=20430 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 7 15:24:38 fortiauthenticator category="Event" subcategory="Authentication" typeid=20334 level="information" user="test01" nas="192.168.1.1" userip="192.0.2.100" action="" status="" Windows AD user authentication from 192.0.2.100 (mschap) with FortiToken failed: AD auth error: .The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
+Apr 7 15:25:08 fortiauthenticator category="Event" subcategory="Authentication" typeid=20430 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 7 15:25:08 fortiauthenticator category="Event" subcategory="Authentication" typeid=20300 level="information" user="test01" nas="192.168.1.1" userip="192.0.2.100" action="" status="" Windows AD user authentication(mschap) partially done, expecting FortiToken
+Apr 7 15:25:09 fortiauthenticator category="Event" subcategory="Authentication" typeid=20422 level="information" user="test01" nas="192.168.1.1" userip="" action="Authentication" status="Success" 802.1x authentication (EAP-MSCHAPv2) partially successful
+Apr 7 15:25:09 fortiauthenticator category="Event" subcategory="Authentication" typeid=20431 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Success" EAP-MSCHAPv2 login successful by test01 from 192.0.2.100
+Apr 7 15:25:09 fortiauthenticator category="Event" subcategory="Authentication" typeid=20430 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 7 15:25:26 fortiauthenticator category="Event" subcategory="Authentication" typeid=20002 level="information" user="test01" nas="192.168.1.1" userip="192.0.2.100" action="" status="" Windows AD user authentication from 192.0.2.100 with FortiToken successful
+Apr 7 15:25:26 fortiauthenticator category="Event" subcategory="Authentication" typeid=20004 level="notice" user="test01" nas="192.0.2.100" userip="" action="Login" status="Success" Successful FWVPN login from a new location.
+Apr 7 15:25:26 fortiauthenticator category="Event" subcategory="Authentication" typeid=20420 level="information" user="test01" nas="192.168.1.1" userip="" action="Authentication" status="Success" 802.1x authentication (EAP-GTC) successful
+Apr 7 15:25:26 fortiauthenticator category="Event" subcategory="Authentication" typeid=20431 level="information" user="test01" nas="192.168.1.1" userip="" action="EAP Login" status="Success" EAP-GTC login successful by test01 from 192.0.2.100
+Apr 7 15:25:33 fortiauthenticator category="Event" subcategory="Authentication" typeid=20001 level="information" user="test02" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Success" Windows AD user authentication from 192.0.2.100 with no token successful
+Apr 7 15:30:37 fortiauthenticator category="Event" subcategory="Authentication" typeid=20334 level="information" user="test02" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Failed" Windows AD user authentication from 192.0.2.100 with no token failed: AD auth error: .{Access Denied} A process has requested access to an object but has not been granted those access rights. (0xc0000022)
+Apr 7 15:32:50 fortiauthenticator category="Event" subcategory="System" typeid=30011 level="information" user="" nas="" userip="" action="" status="" status=update msg="FortiAuthenticator scheduled update fcni=yes fdni=yes from 12.34.97.16:443"
+Apr 7 15:42:37 fortiauthenticator category="Event" subcategory="Authentication" typeid=20114 level="notice" user="test02" nas="192.0.2.100" userip="" action="Login" status="Failed" Failed 'FAC_TAC_PLUS' login attempt was not followed by a successful login
+Apr 7 16:05:54 fortiauthenticator category="Event" subcategory="Authentication" typeid=20334 level="information" user="test02" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Failed" Windows AD user authentication from 192.0.2.100 with no token failed: AD auth error: .When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)
+Apr 7 16:34:36 fortiauthenticator category="Event" subcategory="Authentication" typeid=20994 level="information" user="admin" nas="" userip="192.0.2.100" action="Login" status="Success" Local administrator authentication from 192.0.2.100 with no token successful
+Apr 7 16:34:36 fortiauthenticator category="Event" subcategory="Authentication" typeid=20994 level="information" user="admin" nas="" userip="" action="Login" status="Success" Administrator 'admin' logged in
+Apr 7 16:34:36 fortiauthenticator category="Event" subcategory="Authentication" typeid=20994 level="information" user="admin" nas="192.0.2.100" userip="" action="Login" status="Success" Web access granted to 'admin'
+Apr 7 16:35:09 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Performing remote LDAP user sync (rule: vpn_users) with AD (corp.contoso.com).
+Apr 7 16:35:09 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Retrieved 15 user(s) from the remote LDAP vpn_users "AD (corp.contoso.com)". (sync rule: vpn_users)
+Apr 7 16:35:10 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Found 0 modified FTC users for sync (rule: vpn_users) with AD (corp.contoso.com)
+Apr 7 16:35:10 fortiauthenticator category="Event" subcategory="System" typeid=30303 level="information" user="" nas="" userip="" action="" status="" Successfully synced (rule: vpn_users) with AD on Tue Apr 7 16:35:10 2026.
+<14>1 2026-04-08T08:13:29+02:00 fortiauthenticator db 6260 - - category="Event" subcategory="Authentication" typeid=20101 level="information" user="test01" nas="192.168.10.1" userip="" action="Authentication" status="Failed" Windows AD user authentication from (null) with no token failed: invalid user.
+<14>1 2026-04-08T10:17:40+02:00 fortiauthenticator db 11356 - - category="Event" subcategory="Authentication" typeid=20994 level="information" user="admin" nas="192.0.2.100" userip="" action="Login" status="Failed" Web access denied to 'admin'
+Apr 15 00:37:04 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20001 level="information" user="test01" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Success" Windows AD user authentication from 192.0.2.100 with no token successful
+Apr 15 13:29:01 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20430 level="information" user="test02" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 15 13:29:02 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20300 level="information" user="test02" nas="192.168.1.1" userip="192.0.2.100" action="" status="" Windows AD user authentication(mschap) partially done, expecting FortiToken
+Apr 15 13:29:02 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20422 level="information" user="test02" nas="192.168.1.1" userip="" action="Authentication" status="Success" 802.1x authentication (EAP-MSCHAPv2) partially successful
+Apr 15 13:29:02 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20431 level="information" user="test02" nas="192.168.1.1" userip="" action="EAP Login" status="Success" EAP-MSCHAPv2 login successful by test02 from 192.0.2.100
+Apr 15 13:29:02 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20430 level="information" user="test02" nas="192.168.1.1" userip="" action="EAP Login" status="Start" EAP session start from 192.0.2.100
+Apr 15 14:26:41 fortiauthenticator db[23948]: category="Event" subcategory="Authentication" typeid=20101 level="information" user="test01" nas="FAC_TAC_PLUS:192.168.2.1" userip="192.0.2.100" action="Authentication" status="Failed" Windows AD user authentication from 192.0.2.100 with no token failed: invalid user.
+Apr 16 10:56:30 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10001 level="information" user="admin" nas="" userip="" action="Add" status="" Added Local User: test03
+Apr 13 10:05:12 fortiauthenticator db[37558]: category="Event" subcategory="Admin Configuration" typeid=10001 level="information" user="" nas="" userip="" action="Add" status="" Added Remote LDAP User: test04
+Apr 14 09:10:35 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="admin" nas="" userip="" action="Edit" status="" Edited Remote LDAP User: test04 (changed fields: FortiToken)
+Apr 16 10:56:30 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="admin" nas="" userip="" action="Edit" status="" Edited Local User: test03 (changed fields: email address and password)
+Apr 16 09:13:53 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="" nas="" userip="" action="Edit" status="" Releasing FortiToken FTKMOBDEADBEEF from user
+Apr 16 09:14:08 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10002 level="information" user="" nas="" userip="" action="Edit" status="" Assigning FortiToken FTKMOBDEADBEEF to remote LDAP user test04
+Apr 16 10:56:12 fortiauthenticator db[11356]: category="Event" subcategory="Admin Configuration" typeid=10003 level="information" user="admin" nas="" userip="" action="Delete" status="" Deleted Local User Profile: test03
+Apr 10 16:20:11 fortiauthenticator db[47243]: category="Event" subcategory="Admin Configuration" typeid=10003 level="information" user="" nas="" userip="" action="Delete" status="" Deleted Remote LDAP User: test04
+Apr 15 18:00:06 fortiauthenticator db[35504]: category="Event" subcategory="Admin Configuration" typeid=10500 level="notice" user="" nas="" userip="" action="" status="" System configuration backup has been uploaded successfully
\ No newline at end of file
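Review bot: the scheduled-update line (`... from 12.34.97.16:443`) carries a public, routable address while every other line in the fixture uses RFC 5737 documentation ranges (192.0.2.x) or RFC 1918 space; swap it for a documentation address such as `203.0.113.16` so the test data never references a real host. Two smaller points: the file ends without a trailing newline (`\ No newline at end of file`), and the Admin Configuration lines are out of chronological order (Apr 16, then Apr 13, 14, 16, 10, 15), which makes the expected JSON harder to read against the input; sorting them and adding the newline costs nothing.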
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/pipeline/test-fortinet-fortiauthenticator.log-expected.json b/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/pipeline/test-fortinet-fortiauthenticator.log-expected.json
new file mode 100644
index 00000000000..319629bc652
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/pipeline/test-fortinet-fortiauthenticator.log-expected.json
@@ -0,0 +1,3131 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2026-04-07T15:00:59.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-smtp-send-mail-service",
+ "category": [
+ "host"
+ ],
+ "code": "30908",
+ "kind": "event",
+ "original": "Apr 7 15:00:59 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30908 level=\"information\" user=\"admin\" nas=\"\" userip=\"\" action=\"\" status=\"\" smtp mail: send to test01@corp.contoso.com via 192.168.1.10:25 ok",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 30908,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "smtp mail: send to test01@corp.contoso.com via 192.168.1.10:25 ok",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:00:59.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-ldap-user-sync",
+ "category": [
+ "iam"
+ ],
+ "code": "30303",
+ "kind": "event",
+ "original": "Apr 7 15:00:59 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30303 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" Assigning remote LDAP user test01 with FortiToken Mobile FTKMOBDEADBEEF, activation code DEADBEEF.",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 30303
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Assigning remote LDAP user test01 with FortiToken Mobile FTKMOBDEADBEEF, activation code DEADBEEF.",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-07T15:00:59.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-entry-change",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "10002",
+ "kind": "event",
+ "original": "Apr 7 15:00:59 fortiauthenticator category=\"Event\" subcategory=\"Admin Configuration\" typeid=10002 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"Edit\" status=\"\" Edited Remote LDAP User: test01 (changed fields: enabled and FortiToken)",
+ "type": [
+ "change"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Edit",
+ "category": "Event",
+ "changes": [
+ "enabled",
+ "FortiToken"
+ ],
+ "level": "information",
+ "subcategory": "Admin Configuration",
+ "typeid": 10002
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Edited Remote LDAP User: test01 (changed fields: enabled and FortiToken)",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "test01"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "target": {
+ "name": "test01"
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:00:59.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-ldap-user-sync",
+ "category": [
+ "iam"
+ ],
+ "code": "30303",
+ "kind": "event",
+ "original": "Apr 7 15:00:59 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30303 level=\"information\" user=\"test01\" nas=\"\" userip=\"\" action=\"Add\" status=\"\" Successfully assigned token to test01 (rule: vpn_users) @ AD (corp.contoso.com) with FortiToken Mobile (\"FTKMOBDEADBEEF\") token-based authentication. User unlocked as previously locked due to FTM activation expired.",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Add",
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 30303,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Successfully assigned token to test01 (rule: vpn_users) @ AD (corp.contoso.com) with FortiToken Mobile (\"FTKMOBDEADBEEF\") token-based authentication. User unlocked as previously locked due to FTM activation expired.",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:03:01.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-snmp-trap-sent",
+ "code": "31001",
+ "kind": "event",
+ "original": "Apr 7 15:03:01 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=31001 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" SNMP Trap (HA status has changed) sent to configured recipients",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 31001
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "SNMP Trap (HA status has changed) sent to configured recipients",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-07T15:03:02.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-ha-cluster-member-change",
+ "category": [
+ "host"
+ ],
+ "code": "40001",
+ "kind": "event",
+ "original": "Apr 7 15:03:02 fortiauthenticator category=\"Event\" subcategory=\"High Availability\" typeid=40001 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" FAC-VMDEADBEEF has joined the HA cluster",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "High Availability",
+ "typeid": 40001
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "FAC-VMDEADBEEF has joined the HA cluster",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-07T15:03:35.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-lb-connection-failure",
+ "category": [
+ "host"
+ ],
+ "code": "40004",
+ "kind": "event",
+ "original": "Apr 7 15:03:35 fortiauthenticator category=\"Event\" subcategory=\"High Availability\" typeid=40004 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" LB device failed to connect from 192.168.1.2",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "High Availability",
+ "typeid": 40004
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "LB device failed to connect from 192.168.1.2",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-07T15:07:37.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-lb-connection-failure",
+ "category": [
+ "host"
+ ],
+ "code": "40004",
+ "kind": "event",
+ "original": "Apr 7 15:07:37 fortiauthenticator category=\"Event\" subcategory=\"High Availability\" typeid=40004 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" LB device failed to connect from 192.168.1.2",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "High Availability",
+ "typeid": 40004
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "LB device failed to connect from 192.168.1.2",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-07T15:07:46.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-radius-server-running-mode",
+ "category": [
+ "process"
+ ],
+ "code": "30101",
+ "kind": "event",
+ "original": "Apr 7 15:07:46 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30101 level=\"information\" user=\"admin\" nas=\"\" userip=\"\" action=\"\" status=\"\" RADIUS server running in full edition",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 30101,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "RADIUS server running in full edition",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:24:21.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-windows-ad-domain-join",
+ "category": [
+ "configuration"
+ ],
+ "code": "30350",
+ "kind": "event",
+ "original": "Apr 7 15:24:21 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30350 level=\"information\" user=\"admin\" nas=\"\" userip=\"\" action=\"\" status=\"\" Joined Windows AD network: corp.contoso.com",
+ "type": [
+ "change",
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 30350,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Joined Windows AD network: corp.contoso.com",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:24:37.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-eap-authentication-start",
+ "category": [
+ "authentication"
+ ],
+ "code": "20430",
+ "kind": "event",
+ "original": "Apr 7 15:24:37 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20430 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"\" action=\"EAP Login\" status=\"Start\" EAP session start from 192.0.2.100",
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "EAP Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "status": "Start",
+ "subcategory": "Authentication",
+ "typeid": 20430,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "EAP session start from 192.0.2.100",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:24:38.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "error": {
+ "code": "0xc000006d"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-failed-user-ad-auth-error",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20334",
+ "kind": "event",
+ "original": "Apr 7 15:24:38 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20334 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"192.0.2.100\" action=\"\" status=\"\" Windows AD user authentication from 192.0.2.100 (mschap) with FortiToken failed: AD auth error: .The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)",
+ "outcome": "failure",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "FortiToken",
+ "nas": "192.168.1.1",
+ "reason": "AD auth error: .The attempted logon is invalid. This is either due to a bad username or authentication information.",
+ "subcategory": "Authentication",
+ "typeid": 20334,
+ "user": "test01",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows AD user authentication from 192.0.2.100 (mschap) with FortiToken failed: AD auth error: .The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)",
+ "network": {
+ "protocol": "mschap"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:08.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-eap-authentication-start",
+ "category": [
+ "authentication"
+ ],
+ "code": "20430",
+ "kind": "event",
+ "original": "Apr 7 15:25:08 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20430 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"\" action=\"EAP Login\" status=\"Start\" EAP session start from 192.0.2.100",
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "EAP Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "status": "Start",
+ "subcategory": "Authentication",
+ "typeid": 20430,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "EAP session start from 192.0.2.100",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:08.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-partially-ok",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20300",
+ "kind": "event",
+ "original": "Apr 7 15:25:08 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20300 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"192.0.2.100\" action=\"\" status=\"\" Windows AD user authentication(mschap) partially done, expecting FortiToken",
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "FortiToken",
+ "nas": "192.168.1.1",
+ "subcategory": "Authentication",
+ "typeid": 20300,
+ "user": "test01",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows AD user authentication(mschap) partially done, expecting FortiToken",
+ "network": {
+ "protocol": "mschap"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:09.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-802-1x-authentication-partial-ok",
+ "category": [
+ "authentication"
+ ],
+ "code": "20422",
+ "kind": "event",
+ "original": "Apr 7 15:25:09 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20422 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"\" action=\"Authentication\" status=\"Success\" 802.1x authentication (EAP-MSCHAPv2) partially successful",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Authentication",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20422,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "802.1x authentication (EAP-MSCHAPv2) partially successful",
+ "network": {
+ "protocol": "eap-mschapv2"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.168.1.1",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:09.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-eap-authentication-result",
+ "category": [
+ "authentication"
+ ],
+ "code": "20431",
+ "kind": "event",
+ "original": "Apr 7 15:25:09 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20431 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"\" action=\"EAP Login\" status=\"Success\" EAP-MSCHAPv2 login successful by test01 from 192.0.2.100",
+ "outcome": "success",
+ "type": [
+ "info",
+ "end"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "EAP Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "reason": "EAP-MSCHAPv2 login successful by test01 from 192.0.2.100",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20431,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "EAP-MSCHAPv2 login successful by test01 from 192.0.2.100",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.168.1.1",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:09.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-eap-authentication-start",
+ "category": [
+ "authentication"
+ ],
+ "code": "20430",
+ "kind": "event",
+ "original": "Apr 7 15:25:09 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20430 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"\" action=\"EAP Login\" status=\"Start\" EAP session start from 192.0.2.100",
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "EAP Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "status": "Start",
+ "subcategory": "Authentication",
+ "typeid": 20430,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "EAP session start from 192.0.2.100",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:26.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-ok-with-ftk",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20002",
+ "kind": "event",
+ "original": "Apr 7 15:25:26 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20002 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"192.0.2.100\" action=\"\" status=\"\" Windows AD user authentication from 192.0.2.100 with FortiToken successful",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "FortiToken",
+ "nas": "192.168.1.1",
+ "subcategory": "Authentication",
+ "typeid": 20002,
+ "user": "test01",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows AD user authentication from 192.0.2.100 with FortiToken successful",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:26.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-ok-from-new-location",
+ "category": [
+ "authentication"
+ ],
+ "code": "20004",
+ "kind": "event",
+ "original": "Apr 7 15:25:26 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20004 level=\"notice\" user=\"test01\" nas=\"192.0.2.100\" userip=\"\" action=\"Login\" status=\"Success\" Successful FWVPN login from a new location.",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Login",
+ "category": "Event",
+ "level": "notice",
+ "nas": "192.0.2.100",
+ "reason": "FWVPN login from a new location.",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20004,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "notice"
+ },
+ "message": "Successful FWVPN login from a new location.",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:26.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-802-1x-authentication-ok",
+ "category": [
+ "authentication"
+ ],
+ "code": "20420",
+ "kind": "event",
+ "original": "Apr 7 15:25:26 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20420 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"\" action=\"Authentication\" status=\"Success\" 802.1x authentication (EAP-GTC) successful",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Authentication",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20420,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "802.1x authentication (EAP-GTC) successful",
+ "network": {
+ "protocol": "eap-gtc"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.168.1.1",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:26.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-eap-authentication-result",
+ "category": [
+ "authentication"
+ ],
+ "code": "20431",
+ "kind": "event",
+ "original": "Apr 7 15:25:26 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20431 level=\"information\" user=\"test01\" nas=\"192.168.1.1\" userip=\"\" action=\"EAP Login\" status=\"Success\" EAP-GTC login successful by test01 from 192.0.2.100",
+ "outcome": "success",
+ "type": [
+ "info",
+ "end"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "EAP Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "reason": "EAP-GTC login successful by test01 from 192.0.2.100",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20431,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "EAP-GTC login successful by test01 from 192.0.2.100",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.168.1.1",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:25:33.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-ok-no-ftk",
+ "category": [
+ "authentication"
+ ],
+ "code": "20001",
+ "kind": "event",
+ "original": "Apr 7 15:25:33 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20001 level=\"information\" user=\"test02\" nas=\"FAC_TAC_PLUS:192.168.2.1\" userip=\"192.0.2.100\" action=\"Authentication\" status=\"Success\" Windows AD user authentication from 192.0.2.100 with no token successful",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Authentication",
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "no token",
+ "nas": "192.168.2.1",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20001,
+ "user": "test02",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows AD user authentication from 192.0.2.100 with no token successful",
+ "network": {
+ "protocol": "tacacs+"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.2.1"
+ ],
+ "user": [
+ "test02"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test02"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test02"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:30:37.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "error": {
+ "code": "0xc0000022"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-failed-user-ad-auth-error",
+ "category": [
+ "authentication"
+ ],
+ "code": "20334",
+ "kind": "event",
+ "original": "Apr 7 15:30:37 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20334 level=\"information\" user=\"test02\" nas=\"FAC_TAC_PLUS:192.168.2.1\" userip=\"192.0.2.100\" action=\"Authentication\" status=\"Failed\" Windows AD user authentication from 192.0.2.100 with no token failed: AD auth error: .{Access Denied} A process has requested access to an object but has not been granted those access rights. (0xc0000022)",
+ "outcome": "failure",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Authentication",
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "no token",
+ "nas": "192.168.2.1",
+ "reason": "AD auth error: .{Access Denied} A process has requested access to an object but has not been granted those access rights.",
+ "status": "Failed",
+ "subcategory": "Authentication",
+ "typeid": 20334,
+ "user": "test02",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows AD user authentication from 192.0.2.100 with no token failed: AD auth error: .{Access Denied} A process has requested access to an object but has not been granted those access rights. (0xc0000022)",
+ "network": {
+ "protocol": "tacacs+"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.2.1"
+ ],
+ "user": [
+ "test02"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test02"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test02"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T15:32:50.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-updated-operation-succeeded",
+ "code": "30011",
+ "kind": "event",
+ "original": "Apr 7 15:32:50 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30011 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" status=update msg=\"FortiAuthenticator scheduled update fcni=yes fdni=yes from 12.34.97.16:443\"",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "msg": "FortiAuthenticator scheduled update fcni=yes fdni=yes from 12.34.97.16:443",
+ "status": "update",
+ "subcategory": "System",
+ "typeid": 30011
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "FortiAuthenticator scheduled update fcni=yes fdni=yes from 12.34.97.16:443",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-07T15:42:37.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-failed-without-followup-login",
+ "category": [
+ "authentication"
+ ],
+ "code": "20114",
+ "kind": "event",
+ "original": "Apr 7 15:42:37 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20114 level=\"notice\" user=\"test02\" nas=\"192.0.2.100\" userip=\"\" action=\"Login\" status=\"Failed\" Failed 'FAC_TAC_PLUS' login attempt was not followed by a successful login",
+ "outcome": "failure",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Login",
+ "category": "Event",
+ "level": "notice",
+ "nas": "192.0.2.100",
+ "reason": "'FAC_TAC_PLUS' login attempt was not followed by a successful login",
+ "status": "Failed",
+ "subcategory": "Authentication",
+ "typeid": 20114,
+ "user": "test02"
+ }
+ }
+ },
+ "log": {
+ "level": "notice"
+ },
+ "message": "Failed 'FAC_TAC_PLUS' login attempt was not followed by a successful login",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100"
+ ],
+ "user": [
+ "test02"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test02"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test02"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T16:05:54.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "error": {
+ "code": "0xc000006a"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-failed-user-ad-auth-error",
+ "category": [
+ "authentication"
+ ],
+ "code": "20334",
+ "kind": "event",
+ "original": "Apr 7 16:05:54 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20334 level=\"information\" user=\"test02\" nas=\"FAC_TAC_PLUS:192.168.2.1\" userip=\"192.0.2.100\" action=\"Authentication\" status=\"Failed\" Windows AD user authentication from 192.0.2.100 with no token failed: AD auth error: .When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)",
+ "outcome": "failure",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Authentication",
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "no token",
+ "nas": "192.168.2.1",
+ "reason": "AD auth error: .When trying to update a password, this return status indicates that the value provided as the current password is not correct.",
+ "status": "Failed",
+ "subcategory": "Authentication",
+ "typeid": 20334,
+ "user": "test02",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows AD user authentication from 192.0.2.100 with no token failed: AD auth error: .When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)",
+ "network": {
+ "protocol": "tacacs+"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.2.1"
+ ],
+ "user": [
+ "test02"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test02"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test02"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T16:34:36.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-admin-gui-authentication",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20994",
+ "kind": "event",
+ "original": "Apr 7 16:34:36 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20994 level=\"information\" user=\"admin\" nas=\"\" userip=\"192.0.2.100\" action=\"Login\" status=\"Success\" Local administrator authentication from 192.0.2.100 with no token successful",
+ "outcome": "success",
+ "type": [
+ "admin",
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Login",
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "no token",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20994,
+ "user": "admin",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Local administrator authentication from 192.0.2.100 with no token successful",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100"
+ ],
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T16:34:36.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-admin-gui-login",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20994",
+ "kind": "event",
+ "original": "Apr 7 16:34:36 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20994 level=\"information\" user=\"admin\" nas=\"\" userip=\"\" action=\"Login\" status=\"Success\" Administrator 'admin' logged in",
+ "outcome": "success",
+ "type": [
+ "admin",
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Login",
+ "category": "Event",
+ "level": "information",
+ "reason": "Administrator 'admin' logged in",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20994,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Administrator 'admin' logged in",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T16:34:36.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-admin-gui-web-access-granted",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20994",
+ "kind": "event",
+ "original": "Apr 7 16:34:36 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20994 level=\"information\" user=\"admin\" nas=\"192.0.2.100\" userip=\"\" action=\"Login\" status=\"Success\" Web access granted to 'admin'",
+ "outcome": "success",
+ "type": [
+ "admin",
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.0.2.100",
+ "reason": "Web access granted to 'admin'",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20994,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Web access granted to 'admin'",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100"
+ ],
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin"
+ }
+ },
+ {
+ "@timestamp": "2026-04-07T16:35:09.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-ldap-user-sync",
+ "category": [
+ "iam"
+ ],
+ "code": "30303",
+ "kind": "event",
+ "original": "Apr 7 16:35:09 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30303 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" Performing remote LDAP user sync (rule: vpn_users) with AD (corp.contoso.com).",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 30303
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Performing remote LDAP user sync (rule: vpn_users) with AD (corp.contoso.com).",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-07T16:35:09.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-ldap-user-sync",
+ "category": [
+ "iam"
+ ],
+ "code": "30303",
+ "kind": "event",
+ "original": "Apr 7 16:35:09 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30303 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" Retrieved 15 user(s) from the remote LDAP vpn_users \"AD (corp.contoso.com)\". (sync rule: vpn_users)",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 30303
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Retrieved 15 user(s) from the remote LDAP vpn_users \"AD (corp.contoso.com)\". (sync rule: vpn_users)",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-07T16:35:10.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-ldap-user-sync",
+ "category": [
+ "iam"
+ ],
+ "code": "30303",
+ "kind": "event",
+ "original": "Apr 7 16:35:10 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30303 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" Found 0 modified FTC users for sync (rule: vpn_users) with AD (corp.contoso.com)",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 30303
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Found 0 modified FTC users for sync (rule: vpn_users) with AD (corp.contoso.com)",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-07T16:35:10.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-ldap-user-sync",
+ "category": [
+ "iam"
+ ],
+ "code": "30303",
+ "kind": "event",
+ "original": "Apr 7 16:35:10 fortiauthenticator category=\"Event\" subcategory=\"System\" typeid=30303 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" Successfully synced (rule: vpn_users) with AD on Tue Apr 7 16:35:10 2026.",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "subcategory": "System",
+ "typeid": 30303
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Successfully synced (rule: vpn_users) with AD on Tue Apr 7 16:35:10 2026.",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-08T06:13:29.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-failed-no-user",
+ "category": [
+ "authentication"
+ ],
+ "code": "20101",
+ "kind": "event",
+ "original": "<14>1 2026-04-08T08:13:29+02:00 fortiauthenticator db 6260 - - category=\"Event\" subcategory=\"Authentication\" typeid=20101 level=\"information\" user=\"test01\" nas=\"192.168.10.1\" userip=\"\" action=\"Authentication\" status=\"Failed\" Windows AD user authentication from (null) with no token failed: invalid user.",
+ "outcome": "failure",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Authentication",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.10.1",
+ "reason": "Windows AD user authentication from (null) with no token failed: invalid user.",
+ "status": "Failed",
+ "subcategory": "Authentication",
+ "typeid": 20101,
+ "user": "test01"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows AD user authentication from (null) with no token failed: invalid user.",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.168.10.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.168.10.1",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-08T08:17:40.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-admin-gui-web-access-denied",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20994",
+ "kind": "event",
+ "original": "<14>1 2026-04-08T10:17:40+02:00 fortiauthenticator db 11356 - - category=\"Event\" subcategory=\"Authentication\" typeid=20994 level=\"information\" user=\"admin\" nas=\"192.0.2.100\" userip=\"\" action=\"Login\" status=\"Failed\" Web access denied to 'admin'",
+ "outcome": "success",
+ "type": [
+ "admin",
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.0.2.100",
+ "reason": "Web access denied to 'admin'",
+ "status": "Failed",
+ "subcategory": "Authentication",
+ "typeid": 20994,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Web access denied to 'admin'",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100"
+ ],
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin"
+ }
+ },
+ {
+ "@timestamp": "2026-04-15T00:37:04.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-ok-no-ftk",
+ "category": [
+ "authentication"
+ ],
+ "code": "20001",
+ "kind": "event",
+ "original": "Apr 15 00:37:04 fortiauthenticator db[23948]: category=\"Event\" subcategory=\"Authentication\" typeid=20001 level=\"information\" user=\"test01\" nas=\"FAC_TAC_PLUS:192.168.2.1\" userip=\"192.0.2.100\" action=\"Authentication\" status=\"Success\" Windows AD user authentication from 192.0.2.100 with no token successful",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Authentication",
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "no token",
+ "nas": "192.168.2.1",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20001,
+ "user": "test01",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "23948"
+ }
+ },
+ "message": "Windows AD user authentication from 192.0.2.100 with no token successful",
+ "network": {
+ "protocol": "tacacs+"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.2.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-15T13:29:01.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-eap-authentication-start",
+ "category": [
+ "authentication"
+ ],
+ "code": "20430",
+ "kind": "event",
+ "original": "Apr 15 13:29:01 fortiauthenticator db[23948]: category=\"Event\" subcategory=\"Authentication\" typeid=20430 level=\"information\" user=\"test02\" nas=\"192.168.1.1\" userip=\"\" action=\"EAP Login\" status=\"Start\" EAP session start from 192.0.2.100",
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "EAP Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "status": "Start",
+ "subcategory": "Authentication",
+ "typeid": 20430,
+ "user": "test02"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "23948"
+ }
+ },
+ "message": "EAP session start from 192.0.2.100",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.1.1"
+ ],
+ "user": [
+ "test02"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test02"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test02"
+ }
+ },
+ {
+ "@timestamp": "2026-04-15T13:29:02.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-partially-ok",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20300",
+ "kind": "event",
+ "original": "Apr 15 13:29:02 fortiauthenticator db[23948]: category=\"Event\" subcategory=\"Authentication\" typeid=20300 level=\"information\" user=\"test02\" nas=\"192.168.1.1\" userip=\"192.0.2.100\" action=\"\" status=\"\" Windows AD user authentication(mschap) partially done, expecting FortiToken",
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "FortiToken",
+ "nas": "192.168.1.1",
+ "subcategory": "Authentication",
+ "typeid": 20300,
+ "user": "test02",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "23948"
+ }
+ },
+ "message": "Windows AD user authentication(mschap) partially done, expecting FortiToken",
+ "network": {
+ "protocol": "mschap"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.1.1"
+ ],
+ "user": [
+ "test02"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test02"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test02"
+ }
+ },
+ {
+ "@timestamp": "2026-04-15T13:29:02.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-802-1x-authentication-partial-ok",
+ "category": [
+ "authentication"
+ ],
+ "code": "20422",
+ "kind": "event",
+ "original": "Apr 15 13:29:02 fortiauthenticator db[23948]: category=\"Event\" subcategory=\"Authentication\" typeid=20422 level=\"information\" user=\"test02\" nas=\"192.168.1.1\" userip=\"\" action=\"Authentication\" status=\"Success\" 802.1x authentication (EAP-MSCHAPv2) partially successful",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Authentication",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20422,
+ "user": "test02"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "23948"
+ }
+ },
+ "message": "802.1x authentication (EAP-MSCHAPv2) partially successful",
+ "network": {
+ "protocol": "eap-mschapv2"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "test02"
+ ]
+ },
+ "source": {
+ "ip": "192.168.1.1",
+ "user": {
+ "name": "test02"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test02"
+ }
+ },
+ {
+ "@timestamp": "2026-04-15T13:29:02.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-eap-authentication-result",
+ "category": [
+ "authentication"
+ ],
+ "code": "20431",
+ "kind": "event",
+ "original": "Apr 15 13:29:02 fortiauthenticator db[23948]: category=\"Event\" subcategory=\"Authentication\" typeid=20431 level=\"information\" user=\"test02\" nas=\"192.168.1.1\" userip=\"\" action=\"EAP Login\" status=\"Success\" EAP-MSCHAPv2 login successful by test02 from 192.0.2.100",
+ "outcome": "success",
+ "type": [
+ "info",
+ "end"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "EAP Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "reason": "EAP-MSCHAPv2 login successful by test02 from 192.0.2.100",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20431,
+ "user": "test02"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "23948"
+ }
+ },
+ "message": "EAP-MSCHAPv2 login successful by test02 from 192.0.2.100",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "test02"
+ ]
+ },
+ "source": {
+ "ip": "192.168.1.1",
+ "user": {
+ "name": "test02"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test02"
+ }
+ },
+ {
+ "@timestamp": "2026-04-15T13:29:02.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-eap-authentication-start",
+ "category": [
+ "authentication"
+ ],
+ "code": "20430",
+ "kind": "event",
+ "original": "Apr 15 13:29:02 fortiauthenticator db[23948]: category=\"Event\" subcategory=\"Authentication\" typeid=20430 level=\"information\" user=\"test02\" nas=\"192.168.1.1\" userip=\"\" action=\"EAP Login\" status=\"Start\" EAP session start from 192.0.2.100",
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "EAP Login",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.1.1",
+ "status": "Start",
+ "subcategory": "Authentication",
+ "typeid": 20430,
+ "user": "test02"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "23948"
+ }
+ },
+ "message": "EAP session start from 192.0.2.100",
+ "network": {
+ "protocol": "radius"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.1.1"
+ ],
+ "user": [
+ "test02"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test02"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test02"
+ }
+ },
+ {
+ "@timestamp": "2026-04-15T14:26:41.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-authentication-failed-no-user",
+ "category": [
+ "authentication"
+ ],
+ "code": "20101",
+ "kind": "event",
+ "original": "Apr 15 14:26:41 fortiauthenticator db[23948]: category=\"Event\" subcategory=\"Authentication\" typeid=20101 level=\"information\" user=\"test01\" nas=\"FAC_TAC_PLUS:192.168.2.1\" userip=\"192.0.2.100\" action=\"Authentication\" status=\"Failed\" Windows AD user authentication from 192.0.2.100 with no token failed: invalid user.",
+ "outcome": "failure",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Authentication",
+ "category": "Event",
+ "level": "information",
+ "nas": "192.168.2.1",
+ "reason": "Windows AD user authentication from 192.0.2.100 with no token failed: invalid user.",
+ "status": "Failed",
+ "subcategory": "Authentication",
+ "typeid": 20101,
+ "user": "test01",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "23948"
+ }
+ },
+ "message": "Windows AD user authentication from 192.0.2.100 with no token failed: invalid user.",
+ "network": {
+ "protocol": "tacacs+"
+ },
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100",
+ "192.168.2.1"
+ ],
+ "user": [
+ "test01"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "test01"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "test01"
+ }
+ },
+ {
+ "@timestamp": "2026-04-16T10:56:30.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-entry-addition",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "10001",
+ "kind": "event",
+ "original": "Apr 16 10:56:30 fortiauthenticator db[11356]: category=\"Event\" subcategory=\"Admin Configuration\" typeid=10001 level=\"information\" user=\"admin\" nas=\"\" userip=\"\" action=\"Add\" status=\"\" Added Local User: test03",
+ "type": [
+ "creation"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Add",
+ "category": "Event",
+ "level": "information",
+ "subcategory": "Admin Configuration",
+ "typeid": 10001,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "11356"
+ }
+ },
+ "message": "Added Local User: test03",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "test03",
+ "admin"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin",
+ "target": {
+ "name": "test03"
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-13T10:05:12.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-entry-addition",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "10001",
+ "kind": "event",
+ "original": "Apr 13 10:05:12 fortiauthenticator db[37558]: category=\"Event\" subcategory=\"Admin Configuration\" typeid=10001 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"Add\" status=\"\" Added Remote LDAP User: test04",
+ "type": [
+ "creation"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Add",
+ "category": "Event",
+ "level": "information",
+ "subcategory": "Admin Configuration",
+ "typeid": 10001
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "37558"
+ }
+ },
+ "message": "Added Remote LDAP User: test04",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "test04"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "target": {
+ "name": "test04"
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-14T09:10:35.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-entry-change",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "10002",
+ "kind": "event",
+ "original": "Apr 14 09:10:35 fortiauthenticator db[11356]: category=\"Event\" subcategory=\"Admin Configuration\" typeid=10002 level=\"information\" user=\"admin\" nas=\"\" userip=\"\" action=\"Edit\" status=\"\" Edited Remote LDAP User: test04 (changed fields: FortiToken)",
+ "type": [
+ "change"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Edit",
+ "category": "Event",
+ "changes": [
+ "FortiToken"
+ ],
+ "level": "information",
+ "subcategory": "Admin Configuration",
+ "typeid": 10002,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "11356"
+ }
+ },
+ "message": "Edited Remote LDAP User: test04 (changed fields: FortiToken)",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "test04",
+ "admin"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin",
+ "target": {
+ "name": "test04"
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-16T10:56:30.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-entry-change",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "10002",
+ "kind": "event",
+ "original": "Apr 16 10:56:30 fortiauthenticator db[11356]: category=\"Event\" subcategory=\"Admin Configuration\" typeid=10002 level=\"information\" user=\"admin\" nas=\"\" userip=\"\" action=\"Edit\" status=\"\" Edited Local User: test03 (changed fields: email address and password)",
+ "type": [
+ "change"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Edit",
+ "category": "Event",
+ "changes": [
+ "email address",
+ "password"
+ ],
+ "level": "information",
+ "subcategory": "Admin Configuration",
+ "typeid": 10002,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "11356"
+ }
+ },
+ "message": "Edited Local User: test03 (changed fields: email address and password)",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "test03",
+ "admin"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin",
+ "target": {
+ "name": "test03"
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-16T09:13:53.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-entry-change",
+ "category": [
+ "configuration",
+ "iam"
+ ],
+ "code": "10002",
+ "kind": "event",
+ "original": "Apr 16 09:13:53 fortiauthenticator db[11356]: category=\"Event\" subcategory=\"Admin Configuration\" typeid=10002 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"Edit\" status=\"\" Releasing FortiToken FTKMOBDEADBEEF from user",
+ "type": [
+ "change"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Edit",
+ "category": "Event",
+ "level": "information",
+ "subcategory": "Admin Configuration",
+ "typeid": 10002
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "11356"
+ }
+ },
+ "message": "Releasing FortiToken FTKMOBDEADBEEF from user",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2026-04-16T09:14:08.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-entry-change",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "10002",
+ "kind": "event",
+ "original": "Apr 16 09:14:08 fortiauthenticator db[11356]: category=\"Event\" subcategory=\"Admin Configuration\" typeid=10002 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"Edit\" status=\"\" Assigning FortiToken FTKMOBDEADBEEF to remote LDAP user test04",
+ "type": [
+ "change"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Edit",
+ "category": "Event",
+ "level": "information",
+ "subcategory": "Admin Configuration",
+ "typeid": 10002
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "11356"
+ }
+ },
+ "message": "Assigning FortiToken FTKMOBDEADBEEF to remote LDAP user test04",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "test04"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "target": {
+ "name": "test04"
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-16T10:56:12.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-entry-deletion",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "10003",
+ "kind": "event",
+ "original": "Apr 16 10:56:12 fortiauthenticator db[11356]: category=\"Event\" subcategory=\"Admin Configuration\" typeid=10003 level=\"information\" user=\"admin\" nas=\"\" userip=\"\" action=\"Delete\" status=\"\" Deleted Local User Profile: test03",
+ "type": [
+ "deletion"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Delete",
+ "category": "Event",
+ "level": "information",
+ "subcategory": "Admin Configuration",
+ "typeid": 10003,
+ "user": "admin"
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "11356"
+ }
+ },
+ "message": "Deleted Local User Profile: test03",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "test03",
+ "admin"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin",
+ "target": {
+ "name": "test03"
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-10T16:20:11.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-entry-deletion",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "10003",
+ "kind": "event",
+ "original": "Apr 10 16:20:11 fortiauthenticator db[47243]: category=\"Event\" subcategory=\"Admin Configuration\" typeid=10003 level=\"information\" user=\"\" nas=\"\" userip=\"\" action=\"Delete\" status=\"\" Deleted Remote LDAP User: test04",
+ "type": [
+ "deletion"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Delete",
+ "category": "Event",
+ "level": "information",
+ "subcategory": "Admin Configuration",
+ "typeid": 10003
+ }
+ }
+ },
+ "log": {
+ "level": "information",
+ "syslog": {
+ "appname": "db",
+ "procid": "47243"
+ }
+ },
+ "message": "Deleted Remote LDAP User: test04",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "user": [
+ "test04"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "target": {
+ "name": "test04"
+ }
+ }
+ },
+ {
+ "@timestamp": "2026-04-15T18:00:06.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-data-backup",
+ "category": [
+ "configuration",
+ "database"
+ ],
+ "code": "10500",
+ "kind": "event",
+ "original": "Apr 15 18:00:06 fortiauthenticator db[35504]: category=\"Event\" subcategory=\"Admin Configuration\" typeid=10500 level=\"notice\" user=\"\" nas=\"\" userip=\"\" action=\"\" status=\"\" System configuration backup has been uploaded successfully",
+ "type": [
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "category": "Event",
+ "level": "notice",
+ "subcategory": "Admin Configuration",
+ "typeid": 10500
+ }
+ }
+ },
+ "log": {
+ "level": "notice",
+ "syslog": {
+ "appname": "db",
+ "procid": "35504"
+ }
+ },
+ "message": "System configuration backup has been uploaded successfully",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ }
+ ]
+}
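Review bot: the expected document for the `Web access denied to 'admin'` event (action `FortiAuthenticator-admin-gui-web-access-denied`, source line with `status="Failed"`) carries `"outcome": "success"`; the sibling `status="Failed"` document (`FortiAuthenticator-authentication-failed-no-user`) maps to `"outcome": "failure"`, so the denied case should as well, which suggests the pipeline derives outcome for typeid 20994 from the action name rather than from the `status` field. Two consistency points in the same expected file: `source.ip` is the client address `192.0.2.100` in the `EAP session start from 192.0.2.100` documents but the NAS address `192.168.1.1` in the `EAP-MSCHAPv2 login successful by test02 from 192.0.2.100` and `802.1x authentication (EAP-MSCHAPv2) partially successful` documents, and the RFC 5424 input (`<14>1 2026-04-08T08:13:29+02:00 fortiauthenticator db 6260 - -`) yields no `log.syslog.appname`/`log.syslog.procid` while the RFC 3164 `db[23948]:` inputs do. Also worth a second look: `network.protocol: radius` on the admin GUI documents (`Web access granted to 'admin'`, `Web access denied to 'admin'`), which are web logins rather than RADIUS transactions.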
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/system/test-udp-config.yml
new file mode 100644
index 00000000000..049adf21493
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -0,0 +1,8 @@
+service: fortinet_fortiauthenticator
+service_notify_signal: SIGHUP
+input: udp
+data_stream:
+ vars:
+ listen_address: 0.0.0.0
+ listen_port: 9514
+ preserve_original_event: true
\ No newline at end of file
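Review bot: style: the test config ends without a trailing newline (`\ No newline at end of file`); add one so the file matches the other YAML files in the package and does not produce noise in later diffs.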
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/agent/stream/filestream.yml.hbs b/packages/fortinet_fortiauthenticator/data_stream/log/agent/stream/filestream.yml.hbs
new file mode 100644
index 00000000000..876d024e581
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/agent/stream/filestream.yml.hbs
@@ -0,0 +1,28 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+exclude_files: ['\.gz$']
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
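Review bot: `exclude_files: ['\.gz$']` is hardcoded in the filestream template, so users cannot adjust the pattern and rotated files with any other compression suffix would be read as log input; consider exposing it as a stream variable with `\.gz$` as the default, in the same way `paths` and `tags` are exposed.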
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_fortiauthenticator/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..a55757b09e2
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,30 @@
+host: "{{listen_address}}:{{listen_port}}"
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortiauthenticator/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100644
index 00000000000..f56dcc2c0c6
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,27 @@
+host: "{{listen_address}}:{{listen_port}}"
+{{#if udp_options}}
+{{udp_options}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortiauthenticator/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..903a9cfbed2
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,614 @@
+---
+description: Pipeline for processing Fortinet FortiAuthenticator logs.
+processors:
+ - set:
+ tag: set_ecs_version
+ field: ecs.version
+ value: '8.17.0'
+ - set:
+ tag: set_observer_vendor
+ field: observer.vendor
+ value: Fortinet
+ - set:
+ tag: set_observer_product
+ field: observer.product
+ value: FortiAuthenticator
+ - set:
+ tag: set_observer_type
+ field: observer.type
+ value: authentication-server
+ - rename:
+ tag: rename_message_to_event_original
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - set:
+ tag: set_event_kind
+ field: event.kind
+ value: event
+ - set:
+ tag: set_event_timezone
+ field: event.timezone
+ copy_from: _conf.tz_offset
+ if: ctx._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'
+ ignore_empty_value: true
+ - grok:
+ tag: grok_syslog_header
+ field: event.original
+ patterns:
+ - '<%{NONNEGINT}>%{NONNEGINT}\s+%{TIMESTAMP_ISO8601:_tmp.timestamp}\s+%{HOSTNAME:_tmp.hostname}\s+%{NOTSPACE}\s+%{NOTSPACE}\s+%{NOTSPACE}\s+%{NOTSPACE}\s+%{GREEDYDATA:_tmp.body}'
+ - '^%{SYSLOGTIMESTAMP:_tmp.timestamp}\s+%{HOSTNAME:_tmp.hostname}\s+(?[^\s\[]+)\[(?[^\]]+)\]:\s*%{GREEDYDATA:_tmp.body}'
+ - '^%{SYSLOGTIMESTAMP:_tmp.timestamp}\s+%{HOSTNAME:_tmp.hostname}\s+%{GREEDYDATA:_tmp.body}'
+ - date:
+ tag: date_timestamp_iso8601
+ field: _tmp.timestamp
+ if: ctx._tmp?.timestamp != null && ctx._tmp.timestamp.length() > 15
+ formats:
+ - ISO8601
+ - date:
+ tag: date_timestamp_with_tz
+ field: _tmp.timestamp
+ timezone: '{{{event.timezone}}}'
+ if: ctx._tmp?.timestamp != null && ctx._tmp.timestamp.length() <= 15 && ctx.event?.timezone != null
+ formats:
+ - 'MMM d HH:mm:ss'
+ - 'MMM d HH:mm:ss'
+ - 'MMM dd HH:mm:ss'
+ - date:
+ tag: date_timestamp_no_tz
+ field: _tmp.timestamp
+ if: ctx._tmp?.timestamp != null && ctx._tmp.timestamp.length() <= 15 && ctx.event?.timezone == null
+ formats:
+ - 'MMM d HH:mm:ss'
+ - 'MMM d HH:mm:ss'
+ - 'MMM dd HH:mm:ss'
+ - set:
+ tag: set_observer_hostname
+ field: observer.hostname
+ copy_from: _tmp.hostname
+ ignore_empty_value: true
+ - gsub:
+ tag: gsub_strip_empty_quoted_pairs
+ field: _tmp.body
+ pattern: '\S+=""'
+ replacement: ''
+ ignore_missing: true
+ ignore_failure: true
+ - trim:
+ tag: trim_body_before_kv
+ field: _tmp.body
+ ignore_missing: true
+ - script:
+ tag: script_kv_parse
+ lang: painless
+ description: |
+ Splits syslog5424_msg KV list by space and then each by "=" taking into account quoted values.
+ source: |-
+ def splitOnceByToken(String input, String sep) {
+ def tokens = ["", ""];
+ def startPosition = 0;
+ def isInQuotes = false;
+ char quote = (char)"\"";
+ for (def currentPosition = 0; currentPosition < input.length(); currentPosition++) {
+ if (input.charAt(currentPosition) == quote) {
+ isInQuotes = !isInQuotes;
+ } else if (input.charAt(currentPosition) == (char)sep && !isInQuotes) {
+ def token = input.substring(startPosition, currentPosition).trim();
+ if (!token.equals("")) { tokens[0] = token; }
+ startPosition = currentPosition + 1;
+ break;
+ }
+ }
+ def lastToken = input.substring(startPosition);
+ if (!lastToken.equals(sep) && !lastToken.equals("")) { tokens[1] = lastToken.trim(); }
+ return tokens;
+ }
+ def splitUnquoted(String input, String sep) {
+ def tokens = [];
+ def cur = input;
+ while (cur.length() > 0) {
+ def res = splitOnceByToken(cur, sep);
+ def token = res[0].trim();
+ cur = res[1].trim();
+ if (token.length() > 0) { tokens.add(token); }
+ else { if (cur.length() > 0) { tokens.add(cur); } break; }
+ }
+ return tokens;
+ }
+ if (ctx._tmp?.body == null || ctx._tmp.body == '') return;
+ def arr = splitUnquoted(ctx._tmp.body, ' ');
+ Map kvMap = new HashMap();
+ Pattern pattern = /^\"|\"$/;
+ for (def i = 0; i < arr.size(); i++) {
+ def kv = splitOnceByToken(arr[i], '=');
+ if (kv[0].length() > 0 && kv[1].length() > 0) {
+ kvMap[kv[0]] = pattern.matcher(kv[1]).replaceAll('');
+ }
+ }
+ if (ctx.fortinet == null) {
+ ctx.fortinet = new HashMap();
+ }
+ if (ctx.fortinet.fortiauthenticator == null) {
+ ctx.fortinet.fortiauthenticator = new HashMap();
+ }
+ ctx.fortinet.fortiauthenticator['log'] = kvMap;
+ - set:
+ tag: set_network_protocol_tacacs
+ field: network.protocol
+ value: tacacs+
+ if: ctx.fortinet?.fortiauthenticator?.log?.nas != null && ctx.fortinet.fortiauthenticator.log.nas.startsWith('FAC_TAC_PLUS:')
+ override: false
+ - set:
+ tag: set_network_protocol_radius
+ field: network.protocol
+ value: radius
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'Authentication' &&
+ ctx.fortinet?.fortiauthenticator?.log?.nas != null &&
+ ctx.fortinet.fortiauthenticator.log.nas != '' &&
+ !ctx.fortinet.fortiauthenticator.log.nas.startsWith('FAC_TAC_PLUS:') &&
+ ctx.network?.protocol == null
+ override: false
+ - gsub:
+ tag: gsub_strip_nas_prefix
+ field: fortinet.fortiauthenticator.log.nas
+ pattern: '^\w+:'
+ replacement: ''
+ ignore_missing: true
+ ignore_failure: true
+ - gsub:
+ tag: gsub_strip_kv_from_body
+ field: _tmp.body
+ pattern: '(?:\S+="[^"]*"|\S+=\S+)'
+ replacement: ''
+ ignore_missing: true
+ ignore_failure: true
+ - trim:
+ tag: trim_body_after_kv
+ field: _tmp.body
+ ignore_missing: true
+ - set:
+ tag: set_message_from_body
+ field: message
+ copy_from: _tmp.body
+ if: ctx._tmp?.body != null && ctx._tmp.body != ''
+ ignore_empty_value: true
+ - set:
+ tag: set_message_from_msg_field
+ field: message
+ copy_from: fortinet.fortiauthenticator.log.msg
+ if: (ctx.message == null || ctx.message == '') && ctx.fortinet?.fortiauthenticator?.log?.msg != null
+ ignore_empty_value: true
+ - set:
+ tag: set_event_code
+ field: event.code
+ copy_from: fortinet.fortiauthenticator.log.typeid
+ ignore_empty_value: true
+ - convert:
+ tag: convert_typeid_to_integer
+ field: fortinet.fortiauthenticator.log.typeid
+ type: integer
+ ignore_missing: true
+ - pipeline:
+ tag: pipeline_logid_event_action
+ name: '{{ IngestPipeline "logid" }}'
+ if: ctx.event?.code != null && ctx.event?.action == null
+ - set:
+ tag: set_log_level
+ field: log.level
+ copy_from: fortinet.fortiauthenticator.log.level
+ ignore_empty_value: true
+ - set:
+ tag: set_user_name
+ field: user.name
+ copy_from: fortinet.fortiauthenticator.log.user
+ ignore_empty_value: true
+ - set:
+ tag: set_source_user_name
+ field: source.user.name
+ copy_from: fortinet.fortiauthenticator.log.user
+ ignore_empty_value: true
+ - set:
+ tag: set_source_ip_from_userip
+ field: source.ip
+ copy_from: fortinet.fortiauthenticator.log.userip
+ ignore_empty_value: true
+ - grok:
+ tag: grok_admin_config_user_management
+ field: message
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'Admin Configuration' &&
+ ctx.message != null &&
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [10001, 10002, 10003].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ patterns:
+ - '^(?:Added|Edited|Deleted) (?:Local User Profile|Local User|Remote LDAP User):?\s+%{USERNAME:user.target.name}(?:\s+\(changed fields:\s+%{DATA:fortinet.fortiauthenticator.log.changes}\))?'
+ - '^(?:Assigning|Releasing) FortiToken %{NOTSPACE}(?:\s+(?:to|from)\s+(?:remote LDAP )?user\s+%{USERNAME:user.target.name})?'
+ ignore_failure: true
+ - split:
+ tag: split_changes_field
+ field: fortinet.fortiauthenticator.log.changes
+ separator: '\s+and\s+'
+ if: ctx.fortinet?.fortiauthenticator?.log?.changes != null
+ ignore_failure: true
+ - foreach:
+ tag: foreach_trim_changes
+ field: fortinet.fortiauthenticator.log.changes
+ if: ctx.fortinet?.fortiauthenticator?.log?.changes instanceof List
+ ignore_failure: true
+ processor:
+ trim:
+ field: _ingest._value
+ ignore_failure: true
+ - append:
+ tag: append_related_user_target
+ field: related.user
+ allow_duplicates: false
+ value: '{{{user.target.name}}}'
+ if: ctx.user?.target?.name != null
+ ignore_failure: true
+ - append:
+ tag: append_category_iam_user_mgmt
+ field: event.category
+ allow_duplicates: false
+ value: iam
+ if: >-
+ ctx.user?.target?.name != null &&
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'Admin Configuration'
+ ignore_failure: true
+ - append:
+ tag: append_category_configuration
+ field: event.category
+ allow_duplicates: false
+ value: configuration
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'Admin Configuration' ||
+ (ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ ((ctx.fortinet.fortiauthenticator.log.typeid >= 10001 && ctx.fortinet.fortiauthenticator.log.typeid <= 10616) ||
+ [30200, 30201, 30202, 30203, 30350].contains(ctx.fortinet.fortiauthenticator.log.typeid)))
+ - append:
+ tag: append_category_authentication
+ field: event.category
+ allow_duplicates: false
+ value: authentication
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'Authentication' ||
+ (ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ ((ctx.fortinet.fortiauthenticator.log.typeid >= 20000 && ctx.fortinet.fortiauthenticator.log.typeid <= 20999) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 50000 && ctx.fortinet.fortiauthenticator.log.typeid <= 50008)))
+ - append:
+ tag: append_category_network
+ field: event.category
+ allow_duplicates: false
+ value: network
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'Accounting' ||
+ (ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ ctx.fortinet.fortiauthenticator.log.typeid >= 25000 &&
+ ctx.fortinet.fortiauthenticator.log.typeid <= 25002)
+ - append:
+ tag: append_category_web
+ field: event.category
+ allow_duplicates: false
+ value: web
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'Web Service' ||
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'User Portal' ||
+ (ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ ctx.fortinet.fortiauthenticator.log.typeid >= 50000 &&
+ ctx.fortinet.fortiauthenticator.log.typeid <= 50505)
+ - append:
+ tag: append_category_iam
+ field: event.category
+ allow_duplicates: false
+ value: iam
+ if: >-
+ (ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ ([30303, 30306, 50002, 50003].contains(ctx.fortinet.fortiauthenticator.log.typeid) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 20994 && ctx.fortinet.fortiauthenticator.log.typeid <= 20999) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 10201 && ctx.fortinet.fortiauthenticator.log.typeid <= 10209) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 10301 && ctx.fortinet.fortiauthenticator.log.typeid <= 10303))) ||
+ (ctx.message != null && (
+ ctx.message.contains('Remote LDAP User') ||
+ ctx.message.contains('FTM provision') ||
+ ctx.message.contains('FortiToken')))
+ ignore_failure: true
+ - append:
+ tag: append_category_database
+ field: event.category
+ allow_duplicates: false
+ value: database
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [10500, 10501, 10502].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - append:
+ tag: append_category_process
+ field: event.category
+ allow_duplicates: false
+ value: process
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [30000, 30001, 30002, 30003, 30100, 30101, 30150].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - append:
+ tag: append_category_host
+ field: event.category
+ allow_duplicates: false
+ value: host
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ ((ctx.fortinet.fortiauthenticator.log.typeid >= 30900 && ctx.fortinet.fortiauthenticator.log.typeid <= 30914) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 40000 && ctx.fortinet.fortiauthenticator.log.typeid <= 40007) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 60000 && ctx.fortinet.fortiauthenticator.log.typeid <= 60001))
+ ignore_failure: true
+ - append:
+ tag: append_type_creation
+ field: event.type
+ allow_duplicates: false
+ value: creation
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [10001, 10050, 10052, 10054, 10101, 10102, 10104, 10105,
+ 10127, 10131, 10139, 10203, 10204, 10209].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - append:
+ tag: append_type_change
+ field: event.type
+ allow_duplicates: false
+ value: change
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [10002, 10051, 10053, 10055, 10103, 10110, 10113, 10114, 10142, 10157,
+ 10201, 10205, 10208, 10250, 10501, 10503, 10504, 10505, 10506, 10507, 10508, 10610,
+ 30200, 30201, 30202, 30203, 30350,
+ 30900, 30903, 30905, 40000,
+ 50002, 50003, 60000].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - append:
+ tag: append_type_deletion
+ field: event.type
+ allow_duplicates: false
+ value: deletion
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [10003, 10056, 10057, 10058, 10109, 10126, 10132, 10141].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - append:
+ tag: append_type_admin
+ field: event.type
+ allow_duplicates: false
+ value: admin
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ ctx.fortinet.fortiauthenticator.log.typeid >= 20994 &&
+ ctx.fortinet.fortiauthenticator.log.typeid <= 20999
+ ignore_failure: true
+ - append:
+ tag: append_type_info
+ field: event.type
+ allow_duplicates: false
+ value: info
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'System' ||
+ ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'Authentication' ||
+ (ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [10106, 10107, 10108, 10111, 10112, 10121, 10122, 10123, 10124, 10125, 10128, 10129, 10130,
+ 10206, 10207, 10251, 10301, 10302, 10303, 10500, 10509,
+ 10611, 10612, 10613, 10614, 10615, 10616,
+ 40001, 40003, 40005, 40006,
+ 50000, 50004, 50005, 50006, 50007, 50500, 50503, 50505,
+ 60001].contains(ctx.fortinet.fortiauthenticator.log.typeid))
+ ignore_failure: true
+ - append:
+ tag: append_type_error
+ field: event.type
+ allow_duplicates: false
+ value: error
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [10502, 30400, 50504].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - append:
+ tag: append_type_start
+ field: event.type
+ allow_duplicates: false
+ value: start
+ if: >-
+ (ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [20299, 20300, 20430, 25000, 30000, 30001, 30002, 30003, 30100, 30150,
+ 50000, 50005, 50006, 50007].contains(ctx.fortinet.fortiauthenticator.log.typeid)) ||
+ ctx.fortinet?.fortiauthenticator?.log?.status == 'Start'
+ ignore_failure: true
+ - append:
+ tag: append_type_start
+ field: event.type
+ allow_duplicates: false
+ value: end
+ if: >-
+ (ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [20431, 25001, 50001, 50008].contains(ctx.fortinet.fortiauthenticator.log.typeid))
+ ignore_failure: true
+ - append:
+ tag: append_type_change_device
+ field: event.type
+ allow_duplicates: false
+ value: change
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [30900, 30901, 30902, 30903, 30905, 40000, 40006].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - append:
+ tag: append_type_info_device
+ field: event.type
+ allow_duplicates: false
+ value: info
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [40001, 40002, 40003, 40004].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - append:
+ tag: append_type_access
+ field: event.type
+ allow_duplicates: false
+ value: access
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [10154, 10155, 10156, 10158, 10202, 10509, 50501, 50502].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - append:
+ tag: append_type_user
+ field: event.type
+ allow_duplicates: false
+ value: user
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ [50002, 50003].contains(ctx.fortinet.fortiauthenticator.log.typeid)
+ ignore_failure: true
+ - set:
+ tag: set_outcome_success_typeid
+ field: event.outcome
+ value: success
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ ([20000, 20001, 20002, 20003, 20004, 20111,
+ 20400, 20420, 20500, 20502,
+ 20601, 20602, 20604, 20610, 20701,
+ 20994, 20995, 20998, 20999].contains(ctx.fortinet.fortiauthenticator.log.typeid) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 50000 && ctx.fortinet.fortiauthenticator.log.typeid <= 50008))
+ ignore_failure: true
+ - set:
+ tag: set_outcome_failure_typeid
+ field: event.outcome
+ value: failure
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.typeid != null &&
+ ([20151, 20112, 20113, 20114,
+ 20421, 20423, 20501, 20503,
+ 20603, 20605, 20611, 20702,
+ 20996, 20997].contains(ctx.fortinet.fortiauthenticator.log.typeid) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 20100 && ctx.fortinet.fortiauthenticator.log.typeid <= 20110) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 20301 && ctx.fortinet.fortiauthenticator.log.typeid <= 20371) ||
+ (ctx.fortinet.fortiauthenticator.log.typeid >= 20401 && ctx.fortinet.fortiauthenticator.log.typeid <= 20404))
+ ignore_failure: true
+ - set:
+ tag: set_outcome_success_from_status
+ field: event.outcome
+ value: success
+ if: ctx.event?.outcome == null && ctx.fortinet?.fortiauthenticator?.log?.status == 'Success'
+ ignore_failure: true
+ - set:
+ tag: set_outcome_failure_from_status
+ field: event.outcome
+ value: failure
+ if: ctx.event?.outcome == null && ctx.fortinet?.fortiauthenticator?.log?.status == 'Failed'
+ ignore_failure: true
+ - pipeline:
+ tag: pipeline_authentication
+ name: '{{ IngestPipeline "pipeline_authentication" }}'
+ if: ctx.fortinet?.fortiauthenticator?.log?.subcategory == 'Authentication'
+ ignore_failure: true
+ - set:
+ tag: set_source_ip_from_nas
+ field: source.ip
+ copy_from: fortinet.fortiauthenticator.log.nas
+ override: false
+ ignore_empty_value: true
+ if: >-
+ ctx.source?.ip == null &&
+ ctx.fortinet?.fortiauthenticator?.log?.nas != null &&
+ ctx.fortinet.fortiauthenticator.log.nas != ctx?.log?.source?.address
+ ignore_failure: true
+ - append:
+ tag: append_related_ip_source
+ field: related.ip
+ allow_duplicates: false
+ value: '{{{source.ip}}}'
+ if: ctx.source?.ip != null
+ ignore_failure: true
+ - append:
+ tag: append_related_ip_nas
+ field: related.ip
+ allow_duplicates: false
+ value: '{{{fortinet.fortiauthenticator.log.nas}}}'
+ if: >-
+ ctx.fortinet?.fortiauthenticator?.log?.nas != null &&
+ ctx.fortinet.fortiauthenticator.log.nas != ctx.source?.ip
+ ignore_failure: true
+ - append:
+ tag: append_related_user
+ field: related.user
+ allow_duplicates: false
+ value: '{{{user.name}}}'
+ if: ctx.user?.name != null
+ ignore_failure: true
+ - remove:
+ tag: remove_duplicate_custom_fields
+ field:
+ - fortinet.fortiauthenticator.log.user
+ - fortinet.fortiauthenticator.log.userip
+ - fortinet.fortiauthenticator.log.nas
+ - fortinet.fortiauthenticator.log.typeid
+ - fortinet.fortiauthenticator.log.level
+ - fortinet.fortiauthenticator.log.action
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - remove:
+ tag: remove_tmp_conf_fields
+ field:
+ - _tmp
+ - _conf
+ ignore_missing: true
+ - remove:
+ tag: remove_event_original
+ field: event.original
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ - script:
+ tag: script_drop_null_empty
+ lang: painless
+ description: Drops null/empty values recursively.
+ source: |-
+ boolean drop(Object o) {
+ if (o == null || o == '') {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - set:
+ tag: set_event_kind_pipeline_error
+ field: event.kind
+ value: pipeline_error
+ if: ctx.error?.message != null
+ - append:
+ tag: append_preserve_original_on_error
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - append:
+ tag: append_on_failure_error_message
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ tag: set_event_kind_pipeline_error
+ field: event.kind
+ value: pipeline_error
+ - append:
+ tag: append_tags_preserve_original_on_failure
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
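Review bot: the second pattern in grok_syslog_header, `'^%{SYSLOGTIMESTAMP:_tmp.timestamp}\s+%{HOSTNAME:_tmp.hostname}\s+(?[^\s\[]+)\[(?[^\]]+)\]:\s*%{GREEDYDATA:_tmp.body}'`, has two named capture groups with no names; Java's regex engine rejects `(?[` and `(?]`, so the pipeline will fail to load. Give both groups their target names, for example `(?<_tmp.appname>[^\s\[]+)\[(?<_tmp.procid>[^\]]+)\]:` (the field names are my suggestion; the expected test output in this PR records `appname` and `procid`, so use whatever fields the test expects). A few smaller points in the same hunk: date_timestamp_with_tz and date_timestamp_no_tz both list `'MMM d HH:mm:ss'` twice; if the second entry was meant to be the two-space single-digit-day form `'MMM  d HH:mm:ss'` the extra space has been lost, otherwise drop the duplicate. The append that sets `value: end` reuses `tag: append_type_start`; rename it `append_type_end` so on_failure messages identify the right processor. set_source_ip_from_nas and append_related_ip_nas copy `fortinet.fortiauthenticator.log.nas` into ip-typed fields, but nothing in the hunk checks that the stripped value is an address, and `ignore_failure: true` on a `set` does not help because the rejection happens at index time; run the value through a `convert` with `type: ip` and `ignore_failure: true` into a temporary field first, or add an IP check to the `if`. Finally, set_event_kind_pipeline_error and append_preserve_original_on_error run after remove_event_original, so when a sub-pipeline has already populated `error.message` the original event is removed before the preserve tag is added; move those two processors ahead of remove_event_original or extend its `if` with `ctx.error?.message == null`.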
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/elasticsearch/ingest_pipeline/logid.yml b/packages/fortinet_fortiauthenticator/data_stream/log/elasticsearch/ingest_pipeline/logid.yml
new file mode 100644
index 00000000000..ff6501c0039
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/elasticsearch/ingest_pipeline/logid.yml
@@ -0,0 +1,278 @@
+---
+description: Pipeline for FortiAuthenticator log type ID to event.action mapping
+processors:
+ - script:
+ tag: script_typeid_event_action
+ lang: painless
+ description: Map typeid to event.action
+ params:
+ "10001": "FortiAuthenticator-entry-addition"
+ "10002": "FortiAuthenticator-entry-change"
+ "10003": "FortiAuthenticator-entry-deletion"
+ "10050": "FortiAuthenticator-email-set"
+ "10051": "FortiAuthenticator-email-change"
+ "10052": "FortiAuthenticator-alternate-email-set"
+ "10053": "FortiAuthenticator-alternate-email-change"
+ "10054": "FortiAuthenticator-mobile-set"
+ "10055": "FortiAuthenticator-mobile-change"
+ "10056": "FortiAuthenticator-email-delete"
+ "10057": "FortiAuthenticator-alternate-email-delete"
+ "10058": "FortiAuthenticator-mobile-delete"
+ "10101": "FortiAuthenticator-fortitoken-seed-activation"
+ "10102": "FortiAuthenticator-fortitoken-import"
+ "10103": "FortiAuthenticator-fortitoken-status-change"
+ "10104": "FortiAuthenticator-fortitoken-mobile-activation"
+ "10105": "FortiAuthenticator-fortiidentity-cloud-activation"
+ "10106": "FortiAuthenticator-fortitoken-export"
+ "10107": "FortiAuthenticator-fortitoken-synchronization"
+ "10108": "FortiAuthenticator-fortitoken-request"
+ "10109": "FortiAuthenticator-fortitoken-revoke"
+ "10110": "FortiAuthenticator-fortitoken-transfer"
+ "10111": "FortiAuthenticator-fortiidentity-cloud-synchronization"
+ "10112": "FortiAuthenticator-fortiidentity-cloud-request"
+ "10113": "FortiAuthenticator-fortiidentity-cloud-revoke"
+ "10114": "FortiAuthenticator-fortiidentity-cloud-migration"
+ "10121": "FortiAuthenticator-certificate-import"
+ "10122": "FortiAuthenticator-certificate-private-key-download"
+ "10123": "FortiAuthenticator-certificate-revocation-list-import"
+ "10124": "FortiAuthenticator-pkcs12-certificate-export"
+ "10125": "FortiAuthenticator-certificate-signing"
+ "10126": "FortiAuthenticator-certificate-revocation"
+ "10127": "FortiAuthenticator-scep-certificate-enrollment"
+ "10128": "FortiAuthenticator-publish-certificate-revocation-list"
+ "10129": "FortiAuthenticator-certificate-expiration"
+ "10130": "FortiAuthenticator-acme-certificate-management"
+ "10131": "FortiAuthenticator-cmp-certificate-enrollment"
+ "10132": "FortiAuthenticator-certificate-deletion"
+ "10139": "FortiAuthenticator-fido-key-registration"
+ "10141": "FortiAuthenticator-fido-key-revocation"
+ "10142": "FortiAuthenticator-fido-key-reset-request"
+ "10154": "FortiAuthenticator-print-guest-user-credentials"
+ "10155": "FortiAuthenticator-view-guest-user-password"
+ "10156": "FortiAuthenticator-csv-export-guest-user-credentials"
+ "10157": "FortiAuthenticator-reset-guest-user-password"
+ "10158": "FortiAuthenticator-view-guest-user-info"
+ "10201": "FortiAuthenticator-ldap-root-dn-modification"
+ "10202": "FortiAuthenticator-ldap-browsing"
+ "10203": "FortiAuthenticator-ldap-user-import"
+ "10204": "FortiAuthenticator-ldap-group-import"
+ "10205": "FortiAuthenticator-sso-group-mapping"
+ "10206": "FortiAuthenticator-sso-services-refresh"
+ "10207": "FortiAuthenticator-sso-user-logoff"
+ "10208": "FortiAuthenticator-sso-user-update"
+ "10209": "FortiAuthenticator-saml-user-import"
+ "10250": "FortiAuthenticator-ha-setting"
+ "10251": "FortiAuthenticator-password-policy"
+ "10301": "FortiAuthenticator-user-registration"
+ "10302": "FortiAuthenticator-learned-user-migration"
+ "10303": "FortiAuthenticator-radius-user-migration"
+ "10500": "FortiAuthenticator-data-backup"
+ "10501": "FortiAuthenticator-data-restore"
+ "10502": "FortiAuthenticator-data-backup-failure"
+ "10503": "FortiAuthenticator-fortigate-objects-import"
+ "10504": "FortiAuthenticator-local-user-import-export"
+ "10505": "FortiAuthenticator-authentication-client-import"
+ "10506": "FortiAuthenticator-language-file-import"
+ "10507": "FortiAuthenticator-mac-devices-import"
+ "10508": "FortiAuthenticator-guest-user-export"
+ "10509": "FortiAuthenticator-mac-devices-export"
+ "10610": "FortiAuthenticator-license-import"
+ "10611": "FortiAuthenticator-license-expiration"
+ "10612": "FortiAuthenticator-license-status"
+ "10613": "FortiAuthenticator-ldap-user-import-export"
+ "10614": "FortiAuthenticator-radius-user-import-export"
+ "10615": "FortiAuthenticator-saml-user-import-export"
+ "10616": "FortiAuthenticator-fac-group-import-export"
+ "20000": "FortiAuthenticator-authentication-ok"
+ "20001": "FortiAuthenticator-authentication-ok-no-ftk"
+ "20002": "FortiAuthenticator-authentication-ok-with-ftk"
+ "20003": "FortiAuthenticator-authentication-ok-from-new-browser"
+ "20004": "FortiAuthenticator-authentication-ok-from-new-location"
+ "20005": "FortiAuthenticator-disable-temporary-email-sms-token"
+ "20100": "FortiAuthenticator-authentication-failed"
+ "20101": "FortiAuthenticator-authentication-failed-no-user"
+ "20102": "FortiAuthenticator-authentication-failed-bad-pass"
+ "20103": "FortiAuthenticator-authentication-failed-bad-token"
+ "20104": "FortiAuthenticator-authentication-failed-replay"
+ "20105": "FortiAuthenticator-authentication-failed-bad-param"
+ "20106": "FortiAuthenticator-authentication-failed-update-token-error"
+ "20107": "FortiAuthenticator-authentication-failed-token-out-of-sync-error"
+ "20108": "FortiAuthenticator-authentication-failed-need-followup"
+ "20109": "FortiAuthenticator-authentication-failed-no-password-specified"
+ "20110": "FortiAuthenticator-authentication-failed-all-fido-token-s-revoked"
+ "20111": "FortiAuthenticator-fido-preauthentication-ok"
+ "20112": "FortiAuthenticator-authentication-failed-revoked-fido-tokens-and-no-fallback"
+ "20113": "FortiAuthenticator-authentication-failed-push-notification-denied"
+ "20114": "FortiAuthenticator-authentication-failed-without-followup-login"
+ "20150": "FortiAuthenticator-password-expiration"
+ "20151": "FortiAuthenticator-password-change-required"
+ "20299": "FortiAuthenticator-authentication-pending-remote-radius-challenge"
+ "20300": "FortiAuthenticator-authentication-partially-ok"
+ "20301": "FortiAuthenticator-authentication-failed-token-timeout"
+ "20302": "FortiAuthenticator-authentication-failed-state-mismatch"
+ "20303": "FortiAuthenticator-authentication-failed-invalid-nas"
+ "20304": "FortiAuthenticator-authentication-failed-no-sql"
+ "20305": "FortiAuthenticator-authentication-failed-no-clear-token"
+ "20306": "FortiAuthenticator-authentication-failed-unknown-remote"
+ "20307": "FortiAuthenticator-authentication-failed-pap-only"
+ "20310": "FortiAuthenticator-authentication-failed-remote-ldap-search"
+ "20312": "FortiAuthenticator-authentication-failed-remote-connect"
+ "20320": "FortiAuthenticator-authentication-failed-user-not-found"
+ "20321": "FortiAuthenticator-authentication-failed-user-disabled"
+ "20322": "FortiAuthenticator-authentication-failed-not-radius-user"
+ "20323": "FortiAuthenticator-authentication-failed-user-locked"
+ "20324": "FortiAuthenticator-authentication-failed-user-not-filtered"
+ "20325": "FortiAuthenticator-authentication-failed-ftk-disabled"
+ "20326": "FortiAuthenticator-authentication-failed-ftk-only"
+ "20327": "FortiAuthenticator-authentication-failed-no-password"
+ "20328": "FortiAuthenticator-authentication-failed-no-partial-auth"
+ "20329": "FortiAuthenticator-authentication-failed-not-authorized"
+ "20330": "FortiAuthenticator-authentication-failed-user-expired"
+ "20331": "FortiAuthenticator-authentication-failed-lock-user"
+ "20332": "FortiAuthenticator-authentication-failed-user-ftk-unassigned"
+ "20333": "FortiAuthenticator-authentication-failed-user-ftm-pending"
+ "20334": "FortiAuthenticator-authentication-failed-user-ad-auth-error"
+ "20335": "FortiAuthenticator-authentication-failed-user-no-cfgd-tacacs-rule"
+ "20350": "FortiAuthenticator-authentication-failed-nas-not-allowed"
+ "20351": "FortiAuthenticator-authentication-failed-nas-password-only"
+ "20352": "FortiAuthenticator-authentication-failed-nas-need-password"
+ "20353": "FortiAuthenticator-authentication-failed-nas-ftk-only"
+ "20354": "FortiAuthenticator-authentication-failed-nas-need-token"
+ "20355": "FortiAuthenticator-authentication-failed-nas-no-user-realm"
+ "20356": "FortiAuthenticator-authentication-failed-nas-subprofile"
+ "20357": "FortiAuthenticator-authentication-failed-nas-fido-only"
+ "20360": "FortiAuthenticator-authentication-failed-remote-radius-reply-timeout"
+ "20361": "FortiAuthenticator-authentication-failed-remote-radius-reply-unknown"
+ "20362": "FortiAuthenticator-authentication-failed-remote-radius-wrong-secret"
+ "20363": "FortiAuthenticator-authentication-failed-remote-radius-timeout"
+ "20364": "FortiAuthenticator-authentication-failed-remote-radius-reject"
+ "20365": "FortiAuthenticator-authentication-failed-ip-locked"
+ "20366": "FortiAuthenticator-authentication-failed-lock-ip"
+ "20370": "FortiAuthenticator-authentication-failed-limited-edition"
+ "20371": "FortiAuthenticator-authentication-failed-queueing-timeout"
+ "20400": "FortiAuthenticator-mac-authentication-ok"
+ "20401": "FortiAuthenticator-mac-authentication-failed-no-mac-address"
+ "20402": "FortiAuthenticator-mac-authentication-failed-no-nas-permission"
+ "20403": "FortiAuthenticator-mac-authentication-failed-not-filtered"
+ "20404": "FortiAuthenticator-mac-authentication-failed-user-blocked"
+ "20420": "FortiAuthenticator-802-1x-authentication-ok"
+ "20421": "FortiAuthenticator-802-1x-authentication-failed"
+ "20422": "FortiAuthenticator-802-1x-authentication-partial-ok"
+ "20423": "FortiAuthenticator-eap-authentication-failed"
+ "20430": "FortiAuthenticator-eap-authentication-start"
+ "20431": "FortiAuthenticator-eap-authentication-result"
+ "20500": "FortiAuthenticator-saml-idp-authentication-ok"
+ "20501": "FortiAuthenticator-saml-idp-authentication-failed"
+ "20502": "FortiAuthenticator-saml-idp-sprequest-ok"
+ "20503": "FortiAuthenticator-saml-idp-sprequest-failed"
+ "20601": "FortiAuthenticator-guest-portal-user-credentials-authentication"
+ "20602": "FortiAuthenticator-guest-portal-mac-only-authentication"
+ "20603": "FortiAuthenticator-guest-portal-authentication-failed"
+ "20604": "FortiAuthenticator-guest-portal-authentication-ok"
+ "20605": "FortiAuthenticator-guest-portal-authorization-failed"
+ "20610": "FortiAuthenticator-guest-portal-smartconnect-ok"
+ "20611": "FortiAuthenticator-guest-portal-smartconnect-failed"
+ "20701": "FortiAuthenticator-oauth-portal-authentication-ok"
+ "20702": "FortiAuthenticator-oauth-portal-authentication-failed"
+ "20994": "FortiAuthenticator-admin-gui-login"
+ "20995": "FortiAuthenticator-admin-gui-logout"
+ "20996": "FortiAuthenticator-access-denied-to-admin-site"
+ "20997": "FortiAuthenticator-failed-admin-login-attempt"
+ "20998": "FortiAuthenticator-admin-cli-login"
+ "20999": "FortiAuthenticator-admin-cli-logout"
+ "25000": "FortiAuthenticator-radius-accounting-start"
+ "25001": "FortiAuthenticator-radius-accounting-stop"
+ "25002": "FortiAuthenticator-radius-accounting-usage"
+ "30000": "FortiAuthenticator-ldap-server-manual-restart"
+ "30001": "FortiAuthenticator-fsso-restart"
+ "30002": "FortiAuthenticator-web-server-restart"
+ "30003": "FortiAuthenticator-tacacs-server-restart"
+ "30011": "FortiAuthenticator-updated-operation-succeeded"
+ "30012": "FortiAuthenticator-updated-operation-failed"
+ "30013": "FortiAuthenticator-database-updated"
+ "30014": "FortiAuthenticator-database-signature-invalid"
+ "30015": "FortiAuthenticator-database-without-signature-installed"
+ "30020": "FortiAuthenticator-license-will-expire"
+ "30021": "FortiAuthenticator-license-status-change"
+ "30022": "FortiAuthenticator-license-failed-to-validate"
+ "30023": "FortiAuthenticator-license-invalid-duplicated"
+ "30050": "FortiAuthenticator-monthly-active-user-count-update"
+ "30100": "FortiAuthenticator-radius-server-manual-restart"
+ "30101": "FortiAuthenticator-radius-server-running-mode"
+ "30150": "FortiAuthenticator-radius-accounting-server-manual-restart"
+ "30200": "FortiAuthenticator-network-interface-configuration"
+ "30201": "FortiAuthenticator-dns-configuration"
+ "30202": "FortiAuthenticator-default-gateway-configuration"
+ "30203": "FortiAuthenticator-host-name-configuration"
+ "30204": "FortiAuthenticator-packet-capture-event"
+ "30300": "FortiAuthenticator-log-backup"
+ "30301": "FortiAuthenticator-log-autodeletion"
+ "30302": "FortiAuthenticator-user-account-maintenance"
+ "30303": "FortiAuthenticator-ldap-user-sync"
+ "30304": "FortiAuthenticator-scheduled-configuration-backup"
+ "30305": "FortiAuthenticator-configuration-backup"
+ "30306": "FortiAuthenticator-saml-user-sync"
+ "30307": "FortiAuthenticator-debug-report-backup"
+ "30350": "FortiAuthenticator-windows-ad-domain-join"
+ "30400": "FortiAuthenticator-database-table-limit-initialization-failure"
+ "30500": "FortiAuthenticator-remote-server-status"
+ "30900": "FortiAuthenticator-firmware-upgrade"
+ "30901": "FortiAuthenticator-system-reboot"
+ "30902": "FortiAuthenticator-system-shutdown"
+ "30903": "FortiAuthenticator-factory-reset"
+ "30904": "FortiAuthenticator-shell-debugging"
+ "30905": "FortiAuthenticator-time-change"
+ "30906": "FortiAuthenticator-fortiguard-messaging-service-registration-update"
+ "30907": "FortiAuthenticator-fortiguard-messaging-service-sms"
+ "30908": "FortiAuthenticator-smtp-send-mail-service"
+ "30909": "FortiAuthenticator-ftm-provisioning-service"
+ "30910": "FortiAuthenticator-ntp-server-is-unreachable"
+ "30911": "FortiAuthenticator-sms-service"
+ "30913": "FortiAuthenticator-local-user-secure-password-storage"
+ "30914": "FortiAuthenticator-expand-partition"
+ "31001": "FortiAuthenticator-snmp-trap-sent"
+ "40000": "FortiAuthenticator-ha-role-change"
+ "40001": "FortiAuthenticator-ha-cluster-member-change"
+ "40002": "FortiAuthenticator-ha-cluster-peering-failure"
+ "40003": "FortiAuthenticator-lb-connection-event"
+ "40004": "FortiAuthenticator-lb-connection-failure"
+ "40005": "FortiAuthenticator-clock-update-from-primary"
+ "40006": "FortiAuthenticator-ha-state-change"
+ "40007": "FortiAuthenticator-synchronized-sets-update-from-primary"
+ "50000": "FortiAuthenticator-user-portal-login"
+ "50001": "FortiAuthenticator-user-portal-logout"
+ "50002": "FortiAuthenticator-user-portal-password-change"
+ "50003": "FortiAuthenticator-user-portal-password-reset"
+ "50004": "FortiAuthenticator-device-certificate-selfenrollment"
+ "50005": "FortiAuthenticator-kerberos-portal-login"
+ "50006": "FortiAuthenticator-saml-portal-login"
+ "50007": "FortiAuthenticator-saml-idp-portal-login"
+ "50008": "FortiAuthenticator-saml-idp-portal-logout"
+ "50500": "FortiAuthenticator-email-api-secret-key"
+ "50501": "FortiAuthenticator-web-service-access"
+ "50502": "FortiAuthenticator-scep-request"
+ "50503": "FortiAuthenticator-aws-api-secret-key"
+ "50504": "FortiAuthenticator-aws-scim-server-api"
+ "50505": "FortiAuthenticator-scim-user-sync"
+ "60000": "FortiAuthenticator-power-supply-status-change"
+ "60001": "FortiAuthenticator-disk-capacity-warning"
+ source: |
+ def code = ctx.event?.code;
+ def action = params[code];
+ if (action != null) {
+ def message = ctx.message;
+ if (code == '20994' && message != null) {
+ if (message.startsWith('Local administrator authentication')) {
+ action = 'FortiAuthenticator-admin-gui-authentication';
+ } else if (message.startsWith('Web access granted')) {
+ action = 'FortiAuthenticator-admin-gui-web-access-granted';
+ } else if (message.startsWith('Web access denied')) {
+ action = 'FortiAuthenticator-admin-gui-web-access-denied';
+ }
+ }
+ def status = ctx.fortinet?.fortiauthenticator?.log?.status;
+ if (status == 'Failed' && ['20994', '20998'].contains(code) && !action.endsWith('-denied')) {
+ action = action + '-failed';
+ }
+ ctx.event.action = action;
+ }
\ No newline at end of file
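Review bot: the suffixing at `if (status == 'Failed' && ['20994', '20998'].contains(code) && !action.endsWith('-denied'))` yields values such as `FortiAuthenticator-admin-gui-authentication-failed` and `FortiAuthenticator-admin-cli-login-failed` that exist nowhere in the `params` map, so the effective set of `event.action` values is larger than the typeid table above suggests; please list the derived names in a comment above the script (or in the field description) so users know which values to search for. The file is also missing its trailing newline.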
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication.yml b/packages/fortinet_fortiauthenticator/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication.yml
new file mode 100644
index 00000000000..4cb4479ac87
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication.yml
@@ -0,0 +1,158 @@
+---
+description: Pipeline for parsing FortiAuthenticator authentication event messages.
+processors:
+ # Grok on the trailing plain-text message (set by main pipeline after KV stripping).
+ # Patterns ordered from most to least specific.
+ - grok:
+ tag: grok_auth_message
+ field: message
+ patterns:
+ # Windows AD / Local admin auth: "... from IP (proto) with method failed/successful: reason (0xHEX)"
+ - '^(?:Windows AD user|Local administrator) authentication from %{IP:_tmp.grok_source_ip}\s*(?:\(%{WORD:network.protocol}\))?\s+with\s+(?.+?)\s+(?<_tmp.auth_outcome>failed|successful)(?::\s+(?.+?)\s*\((?0x[0-9A-Fa-f]+)\))?$'
+ # Windows AD partially done: "... (proto) partially done, expecting method"
+ - '^Windows AD user authentication\(%{WORD:network.protocol}\)\s+partially done,?\s*expecting\s+%{GREEDYDATA:fortinet.fortiauthenticator.log.mfa_method}$'
+ # EAP-xxx login: "EAP-GTC login successful by user from IP"
+ - '^(?[A-Za-z0-9-]+)\s+login\s+(?<_tmp.auth_outcome>successful|failed)\s+by\s+%{USERNAME:_tmp.grok_user}\s+from\s+%{IP:_tmp.grok_source_ip}'
+ # EAP session: "EAP session start from IP"
+ - '^EAP session\s+(?<_tmp.eap_event>start|end|stopped|close)\s+from\s+%{IP:_tmp.grok_source_ip}$'
+ # 802.1x: "802.1x authentication (proto) partially successful/successful/failed"
+ - '^802\.1x authentication\s+\(%{DATA:network.protocol}\)\s+(?<_tmp.dot1x_outcome>partially successful|successful|failed)'
+ # Generic success/failure opener: "Successful ...", "Failed ..."
+ - '^(?<_tmp.generic_outcome>Successful|Failed)\b(?.*)'
+ # Fallback: capture entire message as reason
+ - '%{GREEDYDATA:fortinet.fortiauthenticator.log.reason}'
+ ignore_failure: true
+ - trim:
+ tag: trim_reason
+ field: fortinet.fortiauthenticator.log.reason
+ if: ctx.fortinet?.fortiauthenticator?.log?.reason != null
+ ignore_failure: true
+ ignore_missing: true
+ - set:
+ tag: set_source_ip_from_grok
+ field: source.ip
+ copy_from: _tmp.grok_source_ip
+ override: false
+ ignore_empty_value: true
+ if: ctx._tmp?.grok_source_ip != null
+ ignore_failure: true
+ - set:
+ tag: set_user_name_from_grok
+ field: user.name
+ copy_from: _tmp.grok_user
+ override: false
+ ignore_empty_value: true
+ if: ctx._tmp?.grok_user != null
+ ignore_failure: true
+ - lowercase:
+ tag: lowercase_network_protocol
+ field: network.protocol
+ if: ctx.network?.protocol != null
+ ignore_failure: true
+ - script:
+ tag: script_set_outcome_from_auth_outcome
+ lang: painless
+ description: "Sets event.outcome from parsed authentication outcome"
+ source: |-
+ def outcome = ctx._tmp?.auth_outcome;
+ if (outcome == null) return;
+ outcome = outcome.toLowerCase();
+ if (['successful', 'success', 'allowed'].contains(outcome)) {
+ if (ctx.event?.outcome == null) {
+ ctx.event.outcome = 'success';
+ }
+ } else if (['failed', 'denied'].contains(outcome)) {
+ if (ctx.event?.outcome == null) {
+ ctx.event.outcome = 'failure';
+ }
+ }
+ - script:
+ tag: script_set_outcome_from_generic
+ lang: painless
+ description: "Sets event.outcome from generic outcome word (Successful/Failed)"
+ source: |-
+ def outcome = ctx._tmp?.generic_outcome;
+ if (outcome == null) return;
+ outcome = outcome.toLowerCase();
+ if (outcome == 'successful') {
+ if (ctx.event?.outcome == null) { ctx.event.outcome = 'success'; }
+ } else if (outcome == 'failed') {
+ if (ctx.event?.outcome == null) { ctx.event.outcome = 'failure'; }
+ }
+ - script:
+ tag: script_set_outcome_from_error_code
+ lang: painless
+ description: "If error.code is set, outcome is failure"
+ source: |-
+ if (ctx.error?.code != null && ctx.error.code != '') {
+ ctx.event.outcome = 'failure';
+ }
+ ignore_failure: true
+ - append:
+ tag: append_type_start_eap_session
+ field: event.type
+ allow_duplicates: false
+ value: start
+ if: ctx._tmp?.eap_event == 'start'
+ ignore_failure: true
+ - append:
+ tag: append_type_end_eap_session
+ field: event.type
+ allow_duplicates: false
+ value: end
+ if: >-
+ ctx._tmp?.eap_event != null &&
+ ['end', 'stopped', 'close'].contains(ctx._tmp.eap_event)
+ ignore_failure: true
+ - set:
+ tag: set_outcome_dot1x_success
+ field: event.outcome
+ value: success
+ if: ctx._tmp?.dot1x_outcome == 'successful' && ctx.event?.outcome == null
+ ignore_failure: true
+ - set:
+ tag: set_outcome_dot1x_failure
+ field: event.outcome
+ value: failure
+ if: ctx._tmp?.dot1x_outcome == 'failed' && ctx.event?.outcome == null
+ ignore_failure: true
+ - append:
+ tag: append_related_ip_grok
+ field: related.ip
+ allow_duplicates: false
+ value: '{{{_tmp.grok_source_ip}}}'
+ if: ctx._tmp?.grok_source_ip != null
+ ignore_failure: true
+ - append:
+ tag: append_related_user_grok
+ field: related.user
+ allow_duplicates: false
+ value: '{{{_tmp.grok_user}}}'
+ if: ctx._tmp?.grok_user != null
+ ignore_failure: true
+ - remove:
+ tag: remove_auth_tmp_fields
+ field:
+ - _tmp.grok_source_ip
+ - _tmp.grok_user
+ - _tmp.auth_outcome
+ - _tmp.eap_event
+ - _tmp.dot1x_outcome
+ - _tmp.generic_outcome
+ ignore_missing: true
+ ignore_failure: true
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
+ failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
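Review bot: three of the `grok_auth_message` patterns contain capture groups with no name, written as `(?.+?)` and `(?0x[0-9A-Fa-f]+)` in the first pattern, `(?[A-Za-z0-9-]+)` in the third and `(?.*)` in the sixth; `(?` followed directly by the expression is not a valid named group, so unless the names were lost when the diff was rendered, this pipeline will not load. Please confirm the intended target field for each group (the comment on the first pattern suggests the authentication method, the reason text and the hex code). Separately, `script_set_outcome_from_error_code` assigns `ctx.event.outcome = 'failure'` unconditionally while the two scripts before it only fill `event.outcome` when it is null, so a populated `error.code` overrides an outcome set earlier; if that precedence is intended, state it in the processor's `description`.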
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/fields/base-fields.yml b/packages/fortinet_fortiauthenticator/data_stream/log/fields/base-fields.yml
new file mode 100644
index 00000000000..84b45118103
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,26 @@
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: fortinet_fortiauthenticator.log
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: fortinet_fortiauthenticator
+- name: event.action
+ type: keyword
+ description: The event action as described in FortiAuthenticator documentation. (e.g "FortiAuthenticator-admin-gui-login")
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was received.
\ No newline at end of file
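Review bot: the `event.action` description says the value is "as described in FortiAuthenticator documentation", but the ingest script in this PR also emits derived names (the `-failed` suffix and the `-web-access-granted` / `-web-access-denied` variants for typeid 20994) that are not vendor-documented; reword it along the lines of "Event action name derived from the FortiAuthenticator typeid, with suffixes added for admin login outcome". The file also lacks a trailing newline.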
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/fields/beats.yml b/packages/fortinet_fortiauthenticator/data_stream/log/fields/beats.yml
new file mode 100644
index 00000000000..02620450bd7
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/fields/beats.yml
@@ -0,0 +1,30 @@
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.offset
+ type: long
+ description: Log offset.
+- name: tags
+ type: keyword
+ description: User defined tags.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/fields/fields.yml b/packages/fortinet_fortiauthenticator/data_stream/log/fields/fields.yml
new file mode 100644
index 00000000000..67c6e164388
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/fields/fields.yml
@@ -0,0 +1,42 @@
+- name: fortinet.fortiauthenticator.log
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: Log category (e.g., "Event").
+ - name: subcategory
+ type: keyword
+ description: Log subcategory (e.g., "Authentication", "System", "Admin Configuration", "High Availability").
+ - name: typeid
+ type: integer
+ description: Numeric event type identifier.
+ - name: level
+ type: keyword
+ description: Log severity level (e.g., "information", "notice", "warning", "error").
+ - name: user
+ type: keyword
+ description: Username associated with the event.
+ - name: nas
+ type: keyword
+ description: Network Access Server (NAS) identifier or IP address.
+ - name: userip
+ type: ip
+ description: IP address of the end-user device.
+ - name: action
+ type: keyword
+ description: Action field from the log (e.g., "EAP Login", "Authentication", "Login").
+ - name: status
+ type: keyword
+ description: Status of the event (e.g., "Success", "Failed", "Start").
+ - name: mfa_method
+ type: keyword
+ description: MFA or authentication method used (e.g., "FortiToken", "no token").
+ - name: reason
+ type: keyword
+ description: Reason or detail message for the authentication outcome.
+ - name: changes
+ type: keyword
+ description: Fields that were modified in a user edit operation (e.g., "email address and password", "FortiToken", "enabled and FortiToken").
+ - name: msg
+ type: keyword
+ description: Additional message field present in some system log lines.
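Review bot: `userip` is mapped as `ip`, so any event in which FortiAuthenticator emits `userip=""` or a non-address value would be rejected at index time unless the pipeline drops empty values and validates the field before indexing (the sample event shows `nas=""` arriving empty, so empty values do occur); please confirm the main pipeline handles this for `userip`, or guard it with a `convert` to `ip` plus `ignore_failure` and an `on_failure` path. Also note that `level` duplicates `log.level` in the sample event; document whether it is removed when `preserve_duplicate_custom_fields` is false.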
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/manifest.yml b/packages/fortinet_fortiauthenticator/data_stream/log/manifest.yml
new file mode 100644
index 00000000000..bb206fed418
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/manifest.yml
@@ -0,0 +1,232 @@
+title: Fortinet FortiAuthenticator Logs
+type: logs
+streams:
+ - input: filestream
+ enabled: false
+ template_path: filestream.yml.hbs
+ title: Fortinet FortiAuthenticator logs (Filestream)
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ description: A list of glob-based paths that will be crawled and fetched.
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam") or an HH:mm differential (e.g. "-05:00").
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - fortinet_fortiauthenticator-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve fortinet.fortiauthenticator.log fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Fortinet FortiAuthenticator logs (tcp)
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9025
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #framing: rfc6587
+ #max_message_size: 50KiB
+ #max_connections: 1
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: false
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam") or an HH:mm differential (e.g. "-05:00").
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - fortinet_fortiauthenticator-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve fortinet.fortiauthenticator.log fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: udp
+ template_path: udp.yml.hbs
+ title: Fortinet FortiAuthenticator logs (udp)
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9025
+ - name: udp_options
+ type: yaml
+ title: Custom UDP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_message_size: 50KiB
+ #timeout: 300s
+ description: Specify custom configuration options for the UDP input.
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam") or an HH:mm differential (e.g. "-05:00").
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - fortinet_fortiauthenticator-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve fortinet.fortiauthenticator.log fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
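Review bot: the TCP and UDP `listen_port` defaults are `9025`, but the docs README in this same PR uses `9004` as the example port for both inputs; align one with the other. `tz_offset` is `show_user: true` for the filestream and udp streams but `show_user: false` for tcp, which looks accidental. The README's advanced-options tables also list Internal/External interfaces, Internal networks and Timezone Map settings that have no corresponding `vars` entries here, so either add those variables or drop them from the docs.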
diff --git a/packages/fortinet_fortiauthenticator/data_stream/log/sample_event.json b/packages/fortinet_fortiauthenticator/data_stream/log/sample_event.json
new file mode 100644
index 00000000000..79e8c8585e6
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/data_stream/log/sample_event.json
@@ -0,0 +1,67 @@
+{
+ "@timestamp": "2026-04-07T16:34:36.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-admin-gui-authentication",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20994",
+ "kind": "event",
+ "original": "Apr 7 16:34:36 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20994 level=\"information\" user=\"admin\" nas=\"\" userip=\"192.0.2.100\" action=\"Login\" status=\"Success\" Local administrator authentication from 192.0.2.100 with no token successful",
+ "outcome": "success",
+ "type": [
+ "admin",
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Login",
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "no token",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20994,
+ "user": "admin",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Local administrator authentication from 192.0.2.100 with no token successful",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100"
+ ],
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin"
+ }
+}
diff --git a/packages/fortinet_fortiauthenticator/docs/README.md b/packages/fortinet_fortiauthenticator/docs/README.md
new file mode 100644
index 00000000000..012d35be95f
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/docs/README.md
@@ -0,0 +1,352 @@
+# Fortinet FortiAuthenticator Logs Integration for Elastic
+
+## Overview
+
+The Fortinet FortiAuthenticator Logs integration for Elastic enables the collection of logs from Fortinet FortiAuthenticator. This allows for system and security monitoring. By ingesting FortiAuthenticator logs, users can gain visibility into radius, and tacacs+ activity.
+
+### Compatibility
+
+This integration has been tested against FortiAuthenticator version 8.0.2, this version has important bugfix for log messages. Version 7.x or any version below 8.0.2 may not work with this integration!
+
+This integration is compatible with Elastic Stack version 9.0.0 or higher.
+
+### How it works
+
+This integration collects logs from FortiAuthenticator by receiving syslog data via TCP/UDP or by reading directly from log files. An Elastic Agent is deployed on a host that is configured as a syslog receiver or has access to the log files. The agent forwards the logs to your Elastic deployment, where they can be monitored or analyzed.
+
+## What data does this integration collect?
+
+The Fortinet FortiAuthenticator Logs integration collects the following types of logs:
+* **System Event logs**: System-level events, license, firmware, high-availability (HA) events, and configuration changes.
+* **Authentication logs**: Records of radius, tacacs+, administrator, and user authentication events
+
+## What do I need to use this integration?
+
+- A FortiAuthenticator with version 8.0.2 or higher and administrative access to configure syslog settings.
+- Elastic Stack version 9.0.0 or higher.
+
+## How do I deploy this integration?
+
+### Agent-based deployment
+
+Elastic Agent must be installed on a host that will receive the syslog data or has access to the log files from the FortiAuthenticator. For detailed installation instructions, refer to the Elastic Agent [installation guide](docs-content://reference/fleet/install-elastic-agents.md). Only one Elastic Agent is needed per host.
+
+### Vendor set up steps
+
+#### Syslog Configuration
+
+You can configure FortiAuthenticator to send logs to the Elastic Agent using either the GUI or the CLI.
+
+**GUI Configuration:**
+
+1. Log in to the Fortinet FortiAuthenticator
+2. Navigate to **Logging -> Log Config -> Syslog Servers**.
+3. Create new syslog-server. In the IP address field, enter the IP address of the host where the Elastic Agent is installed.
+4. Navigate to **Logging -> Log COnfig -> Log Settings**.
+5. Enable **Send system logs to remote Syslog servers**.
+6. Select your newly created syslog-server and click the right arrow to move to list of "chosen syslog servers"
+7. Click **Save**.
+
+### Onboard / configure in Kibana
+
+1. In Kibana, navigate to **Management > Integrations**.
+2. Search for "Fortinet FortiAuthenticator" and select the integration.
+3. Click **Add Fortinet FortiAuthenticator Logs**.
+4. Configure the integration by selecting an input type and providing the necessary settings. This integration supports `TCP`, `UDP`, and `Log file` inputs.
+
+#### TCP Input Configuration
+
+This input collects logs over a TCP socket.
+
+| Setting | Description |
+|---|---|
+| **Listen Address** | The bind address for the TCP listener (e.g., `localhost`, `0.0.0.0`). |
+| **Listen Port** | The TCP port number to listen on (e.g., `9004`). |
+| **Preserve original event** | If checked, a raw copy of the original log is stored in the `event.original` field. |
+| **Preserve duplicate custom fields** | Check this to preserve fields that were copied to ECS fields. Default: false. |
+
+Under **Advanced Options**, you can configure the following optional parameters:
+
+| Setting | Description |
+|---|---|
+| **Internal/External interfaces** | Define your network interfaces to correctly map network direction. |
+| **Internal networks** | Specify your internal network ranges (defaults to private address spaces). Supports CIDR notation and named ranges like `private`. |
+| **SSL Configuration** | Configure SSL options for encrypted communication. See the [SSL documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. |
+| **Custom TCP Options** | `max_message_size`: The maximum size of a log message (e.g., `50KiB`).
`max_connections`: The maximum number of simultaneous connections. |
+| **Timezone** | Specify an IANA timezone or offset (e.g., `+0200`) for logs with no timezone information. |
+| **Timezone Map** | A mapping of timezone strings from logs to standard IANA timezone formats. |
+| **Processors** | Add custom processors to enhance or reduce event fields before parsing. |
+
+#### UDP Input Configuration
+
+This input collects logs over a UDP socket.
+
+| Setting | Description |
+|---|---|
+| **Listen Address** | The bind address for the UDP listener (e.g., `localhost`, `0.0.0.0`). |
+| **Listen Port** | The UDP port number to listen on (e.g., `9004`). |
+| **Preserve original event** | If checked, a raw copy of the original log is stored in the `event.original` field. |
+| **Preserve duplicate custom fields** | Check this to preserve fields that were copied to ECS fields. Default: false. |
+
+Under **Advanced Options**, you can configure the following optional parameters:
+
+| Setting | Description |
+|---|---|
+| **Internal/External interfaces** | Define your network interfaces to correctly map network direction. |
+| **Internal networks** | Specify your internal network ranges (defaults to private address spaces). |
+| **Custom UDP Options** | `read_buffer`: The size of the read buffer for the UDP socket (e.g., `100MiB`).
`max_message_size`: The maximum size of a log message (e.g., `50KiB`).
`timeout`: The read timeout for the UDP socket (e.g., `300s`). |
+| **Timezone** | Specify an IANA timezone or offset (e.g., `+0200`) for logs with no timezone information. |
+| **Timezone Map** | A mapping of timezone strings from logs to standard IANA timezone formats. |
+| **Processors** | Add custom processors to enhance or reduce event fields before parsing. |
+
+
+#### Log file Input Configuration
+
+This input collects logs directly from log files on the host where the Elastic Agent is running.
+
+| Setting | Description |
+|---|---|
+| **Paths** | A list of file paths to monitor (e.g., `/var/log/fortinet-fortiauthenticatgor.log`). |
+| **Preserve original event** | If checked, a raw copy of the original log is stored in the `event.original` field. |
+| **Preserve duplicate custom fields** | Check this to preserve fields that were copied to ECS fields. Default: false. |
+
+Under **Advanced Options**, you can configure the following optional parameters:
+
+| Setting | Description |
+|---|---|
+| **Internal/External interfaces** | Define your network interfaces to correctly map network direction. |
+| **Internal networks** | Specify your internal network ranges (defaults to private address spaces). |
+| **Timezone** | Specify an IANA timezone or offset (e.g., `+0200`) for logs with no timezone information. |
+| **Timezone Map** | A mapping of timezone strings from logs to standard IANA timezone formats. |
+| **Processors** | Add custom processors to enhance or reduce event fields before parsing. |
+
+After configuring the input, assign the integration to an agent policy and click **Save and continue**.
+
+### Validation
+
+1. First, verify on the FortiAuthenticator device that logs are being actively sent to the configured Elastic Agent host.
+2. In Kibana, navigate to **Discover**.
+3. In the search bar, enter `data_stream.dataset: "fortinet_fortiauthenticator.log"` and check for incoming documents.
+4. Verify that events are appearing with recent timestamps.
+5. Navigate to **Management > Dashboards** and search for "Fortinet FortiAuthenticator Overview" to see if the visualizations are populated with data.
+6. Generate some test traffic that would be logged by the FortiAuthenticator and confirm that the corresponding logs appear in Kibana.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+### Common Configuration Issues
+
+- **No data is being collected**:
+ * Verify network connectivity (e.g., using `ping` or `netcat`) between the FortiAuthenticator and the Elastic Agent host.
+ * Ensure there are no firewalls or network ACLs blocking the syslog port.
+ * Confirm that the syslog listening port configured in the Elastic integration matches the destination port configured on the FortiAuthenticator.
+
+### Vendor Resources
+
+- [Fortinet Fortiauthenticator - Log configuration](https://docs.fortinet.com/document/fortiauthenticator/8.0.2/administration-guide/964220/log-configuration)
+- [Fortinet Documentation Library](https://docs.fortinet.com/)
+- [Fortiauthenticator Guide](https://docs.fortinet.com/product/fortiauthenticator)
+
+## Performance and Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### log
+
+The `log` data stream collects all log types from the FortiAuthenticator.
+
+#### log fields
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| event.action | The event action as described in FortiAuthenticator documentation. (e.g "FortiAuthenticator-admin-gui-login") | keyword |
+| event.dataset | Event dataset. | constant_keyword |
+| event.module | Event module. | constant_keyword |
+| fortinet.fortiauthenticator.log.action | Action field from the log (e.g., "EAP Login", "Authentication", "Login"). | keyword |
+| fortinet.fortiauthenticator.log.category | Log category (e.g., "Event"). | keyword |
+| fortinet.fortiauthenticator.log.changes | Fields that were modified in a user edit operation (e.g., "email address and password", "FortiToken", "enabled and FortiToken"). | keyword |
+| fortinet.fortiauthenticator.log.level | Log severity level (e.g., "information", "notice", "warning", "error"). | keyword |
+| fortinet.fortiauthenticator.log.mfa_method | MFA or authentication method used (e.g., "FortiToken", "no token"). | keyword |
+| fortinet.fortiauthenticator.log.msg | Additional message field present in some system log lines. | keyword |
+| fortinet.fortiauthenticator.log.nas | Network Access Server (NAS) identifier or IP address. | keyword |
+| fortinet.fortiauthenticator.log.reason | Reason or detail message for the authentication outcome. | keyword |
+| fortinet.fortiauthenticator.log.status | Status of the event (e.g., "Success", "Failed", "Start"). | keyword |
+| fortinet.fortiauthenticator.log.subcategory | Log subcategory (e.g., "Authentication", "System", "Admin Configuration", "High Availability"). | keyword |
+| fortinet.fortiauthenticator.log.typeid | Numeric event type identifier. | integer |
+| fortinet.fortiauthenticator.log.user | Username associated with the event. | keyword |
+| fortinet.fortiauthenticator.log.userip | IP address of the end-user device. | ip |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
+| log.offset | Log offset. | long |
+| log.source.address | Source address from which the log event was received. | keyword |
+| tags | User defined tags. | keyword |
+
+
+#### log sample event
+
+An example event for `log` looks as following:
+
+```json
+{
+ "@timestamp": "2026-04-07T16:34:36.000Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "FortiAuthenticator-admin-gui-authentication",
+ "category": [
+ "authentication",
+ "iam"
+ ],
+ "code": "20994",
+ "kind": "event",
+ "original": "Apr 7 16:34:36 fortiauthenticator category=\"Event\" subcategory=\"Authentication\" typeid=20994 level=\"information\" user=\"admin\" nas=\"\" userip=\"192.0.2.100\" action=\"Login\" status=\"Success\" Local administrator authentication from 192.0.2.100 with no token successful",
+ "outcome": "success",
+ "type": [
+ "admin",
+ "info"
+ ]
+ },
+ "fortinet": {
+ "fortiauthenticator": {
+ "log": {
+ "action": "Login",
+ "category": "Event",
+ "level": "information",
+ "mfa_method": "no token",
+ "status": "Success",
+ "subcategory": "Authentication",
+ "typeid": 20994,
+ "user": "admin",
+ "userip": "192.0.2.100"
+ }
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Local administrator authentication from 192.0.2.100 with no token successful",
+ "observer": {
+ "hostname": "fortiauthenticator",
+ "product": "FortiAuthenticator",
+ "type": "authentication-server",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "192.0.2.100"
+ ],
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "ip": "192.0.2.100",
+ "user": {
+ "name": "admin"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "admin"
+ }
+}
+```
+
+### Inputs used
+
+These inputs can be used with this integration:
+
+filestream
+
+## Setup
+
+For more details about the Filestream input settings, check the [Filebeat documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-filestream).
+
+
+### Collecting logs from Filestream
+
+To collect logs via Filestream, select **Collect logs via Filestream** and configure the following parameters:
+
+- Filestream paths: The full path to the related log file.
+
+
+tcp
+
+## Setup
+
+For more details about the TCP input settings, check the [Filebeat documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-tcp).
+
+### Collecting logs from TCP
+
+To collect logs via TCP, select **Collect logs via TCP** and configure the following parameters:
+
+**Required Settings:**
+- Host
+- Port
+
+**Common Optional Settings:**
+- Max Message Size - Maximum size of incoming messages
+- Max Connections - Maximum number of concurrent connections
+- Timeout - How long to wait for data before closing idle connections
+- Line Delimiter - Character(s) that separate log messages
+
+## SSL/TLS Configuration
+
+To enable encrypted connections, configure the following SSL settings:
+
+**SSL Settings:**
+- Enable SSL - Toggle to enable SSL/TLS encryption
+- Certificate - Path to the SSL certificate file (`.crt` or `.pem`)
+- Certificate Key - Path to the private key file (`.key`)
+- Certificate Authorities - Path to CA certificate file for client certificate validation (optional)
+- Client Authentication - Require client certificates (`none`, `optional`, or `required`)
+- Supported Protocols - TLS versions to support (e.g., `TLSv1.2`, `TLSv1.3`)
+
+**Example SSL Configuration:**
+```yaml
+ssl.enabled: true
+ssl.certificate: "/path/to/server.crt"
+ssl.key: "/path/to/server.key"
+ssl.certificate_authorities: ["/path/to/ca.crt"]
+ssl.client_authentication: "optional"
+```
+
+
+udp
+
+## Setup
+
+For more details about the UDP input settings, check the [Filebeat documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-udp).
+
+### Collecting logs from UDP
+
+To collect logs via UDP, select **Collect logs via UDP** and configure the following parameters:
+
+**Required Settings:**
+- Host
+- Port
+
+**Common Optional Settings:**
+- Max Message Size - Maximum size of UDP packets to accept (default: 10KB, max: 64KB)
+- Read Buffer - UDP socket read buffer size for handling bursts of messages
+- Read Timeout - How long to wait for incoming packets before checking for shutdown
+
+
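Review bot: the multi-line cells in the "Custom TCP Options" and "Custom UDP Options" rows (`max_message_size`/`max_connections`, and `read_buffer`/`max_message_size`/`timeout`) break the Markdown tables, because a line break inside a GFM table cell ends the row; join each cell into one line with `<br>` separators or give each option its own row. Typos in the same hunk: "Log COnfig" in FortiAuthenticator step 4, the example path `/var/log/fortinet-fortiauthenticatgor.log` in the Log file "Paths" row, "e.g" without a period in the `event.action` field description, and "Fortinet Fortiauthenticator" under Vendor Resources, which should match the product spelling used elsewhere. In Validation step 5, dashboards are reached from **Analytics > Dashboards**, not **Management**. The "Inputs used" section introduces three bare lines (`filestream`, `tcp`, `udp`), each followed by an H2 `## Setup` that sits above the enclosing H3 `### Inputs used` and repeats settings already documented in the input tables; demote those headings to H4 and consider dropping the duplicated settings. Lastly, the example SSL configuration sets `ssl.client_authentication: "optional"`; since the list just above describes `required` as the value that enforces client certificates, it is worth stating that `required` is the choice for a mutually authenticated syslog receiver.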
diff --git a/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-admin-audit.png b/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-admin-audit.png
new file mode 100644
index 00000000000..3034c20804a
Binary files /dev/null and b/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-admin-audit.png differ
diff --git a/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-authentication.png b/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-authentication.png
new file mode 100644
index 00000000000..a970bf639cc
Binary files /dev/null and b/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-authentication.png differ
diff --git a/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-overview.png b/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-overview.png
new file mode 100644
index 00000000000..6689ff8a1d1
Binary files /dev/null and b/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-overview.png differ
diff --git a/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-system.png b/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-system.png
new file mode 100644
index 00000000000..3107b82bebe
Binary files /dev/null and b/packages/fortinet_fortiauthenticator/img/fortinet-fortiauthenticator-system.png differ
diff --git a/packages/fortinet_fortiauthenticator/img/fortinet-logo.svg b/packages/fortinet_fortiauthenticator/img/fortinet-logo.svg
new file mode 100644
index 00000000000..d6a8448f320
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/img/fortinet-logo.svg
@@ -0,0 +1,9 @@
+
diff --git a/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-admin-audit.json b/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-admin-audit.json
new file mode 100644
index 00000000000..2e48dcb3f5f
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-admin-audit.json
@@ -0,0 +1,1066 @@
+{
+ "attributes": {
+ "title": "[Logs FortiAuthenticator] Admin Configuration Audit",
+ "description": "Administrative changes on FortiAuthenticator: user account creation, modification, deletion, and token assignments.",
+ "panelsJSON": [
+ {
+ "panelIndex": "b901510e-4e89-757d-3ffc-2ddd1d265e5a",
+ "gridData": {
+ "x": 0,
+ "y": 0,
+ "w": 48,
+ "h": 3,
+ "i": "b901510e-4e89-757d-3ffc-2ddd1d265e5a"
+ },
+ "type": "links",
+ "embeddableConfig": {
+ "enhancements": {},
+ "attributes": {
+ "layout": "horizontal",
+ "links": [
+ {
+ "id": "3af4ba12-6f83-488a-bdc9-0c7216a22d73",
+ "order": 0,
+ "label": "Overview",
+ "type": "dashboardLink",
+ "destinationRefName": "link_3af4ba12-6f83-488a-bdc9-0c7216a22d73_dashboard"
+ },
+ {
+ "id": "85cbe962-a65c-5a52-ac29-31c83f2ee37e",
+ "order": 1,
+ "label": "Authentication",
+ "type": "dashboardLink",
+ "destinationRefName": "link_85cbe962-a65c-5a52-ac29-31c83f2ee37e_dashboard"
+ },
+ {
+ "id": "f8015227-17d1-b054-2b9c-b33d24cec76d",
+ "order": 2,
+ "label": "Admin Configuration Audit",
+ "type": "dashboardLink",
+ "destinationRefName": "link_f8015227-17d1-b054-2b9c-b33d24cec76d_dashboard"
+ },
+ {
+ "id": "72ea9ac7-2987-7cf7-6e6c-311078031348",
+ "order": 3,
+ "label": "System and HA",
+ "type": "dashboardLink",
+ "destinationRefName": "link_72ea9ac7-2987-7cf7-6e6c-311078031348_dashboard"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "panelIndex": "0e57b144-ac09-3b98-3db2-6c0dad9c387f",
+ "gridData": {
+ "x": 0,
+ "y": 3,
+ "w": 16,
+ "h": 10,
+ "i": "0e57b144-ac09-3b98-3db2-6c0dad9c387f"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Events by Action",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "4f2c021d-3af4-ce17-4e59-a14d4d9f6641",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "069a9c5c-3ec5-e96a-a89c-5b796baa7045"
+ ],
+ "metrics": [
+ "0cb3e3d7-c9da-1181-40f5-5b94be7f1201"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Admin Configuration\"\n AND fortinet.fortiauthenticator.log.action IS NOT NULL\n AND fortinet.fortiauthenticator.log.action != \"\"\n| STATS count = COUNT(*) BY fortinet.fortiauthenticator.log.action\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "4f2c021d-3af4-ce17-4e59-a14d4d9f6641": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Admin Configuration\"\n AND fortinet.fortiauthenticator.log.action IS NOT NULL\n AND fortinet.fortiauthenticator.log.action != \"\"\n| STATS count = COUNT(*) BY fortinet.fortiauthenticator.log.action\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "fortinet.fortiauthenticator.log.action",
+ "columnId": "069a9c5c-3ec5-e96a-a89c-5b796baa7045",
+ "label": "fortinet.fortiauthenticator.log.action",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "fortinet.fortiauthenticator.log.action",
+ "columnId": "069a9c5c-3ec5-e96a-a89c-5b796baa7045",
+ "label": "fortinet.fortiauthenticator.log.action",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "05441ad4-0192-717c-eefe-f459c20742e3",
+ "gridData": {
+ "x": 16,
+ "y": 3,
+ "w": 16,
+ "h": 10,
+ "i": "05441ad4-0192-717c-eefe-f459c20742e3"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Events by Type",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "5df28c4b-f03a-2514-97be-efe34516e918",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "5a76efd9-6cd6-fa27-8e54-cef9c4d4a012"
+ ],
+ "metrics": [
+ "0cb3e3d7-c9da-1181-40f5-5b94be7f1201"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Admin Configuration\"\n| MV_EXPAND event.type\n| STATS count = COUNT(*) BY event.type\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "5df28c4b-f03a-2514-97be-efe34516e918": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Admin Configuration\"\n| MV_EXPAND event.type\n| STATS count = COUNT(*) BY event.type\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "event.type",
+ "columnId": "5a76efd9-6cd6-fa27-8e54-cef9c4d4a012",
+ "label": "event.type",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "event.type",
+ "columnId": "5a76efd9-6cd6-fa27-8e54-cef9c4d4a012",
+ "label": "event.type",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "c4e63202-9dbe-df34-f1fd-92956abca1a8",
+ "gridData": {
+ "x": 32,
+ "y": 3,
+ "w": 16,
+ "h": 10,
+ "i": "c4e63202-9dbe-df34-f1fd-92956abca1a8"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Changed Fields",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "d1509284-17ec-7fe3-c519-ef22572508e7",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "019c078f-5312-49e4-ab66-0f1151f52ef3"
+ ],
+ "metrics": [
+ "0cb3e3d7-c9da-1181-40f5-5b94be7f1201"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Admin Configuration\"\n AND fortinet.fortiauthenticator.log.changes IS NOT NULL\n| MV_EXPAND fortinet.fortiauthenticator.log.changes\n| STATS count = COUNT(*) BY fortinet.fortiauthenticator.log.changes\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "d1509284-17ec-7fe3-c519-ef22572508e7": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Admin Configuration\"\n AND fortinet.fortiauthenticator.log.changes IS NOT NULL\n| MV_EXPAND fortinet.fortiauthenticator.log.changes\n| STATS count = COUNT(*) BY fortinet.fortiauthenticator.log.changes\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "fortinet.fortiauthenticator.log.changes",
+ "columnId": "019c078f-5312-49e4-ab66-0f1151f52ef3",
+ "label": "fortinet.fortiauthenticator.log.changes",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "fortinet.fortiauthenticator.log.changes",
+ "columnId": "019c078f-5312-49e4-ab66-0f1151f52ef3",
+ "label": "fortinet.fortiauthenticator.log.changes",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "fb04be40-3666-9d17-8ed5-6509ed79baae",
+ "gridData": {
+ "x": 0,
+ "y": 13,
+ "w": 24,
+ "h": 12,
+ "i": "fb04be40-3666-9d17-8ed5-6509ed79baae"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Top 10 Admins Performing Changes",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-97234203-1bdd-d1a4-3cf8-b6092bab081c"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "2643bd1b-75d2-6801-f9a0-6e856200de86",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "e64a3706-4ce0-bea2-823d-450c06a9d293",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "97234203-1bdd-d1a4-3cf8-b6092bab081c",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:\"Admin Configuration\" AND user.name:*",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "97234203-1bdd-d1a4-3cf8-b6092bab081c": {
+ "columns": {
+ "2643bd1b-75d2-6801-f9a0-6e856200de86": {
+ "label": "Admin",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "e64a3706-4ce0-bea2-823d-450c06a9d293"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "user.name"
+ },
+ "e64a3706-4ce0-bea2-823d-450c06a9d293": {
+ "label": "Changes",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "2643bd1b-75d2-6801-f9a0-6e856200de86",
+ "e64a3706-4ce0-bea2-823d-450c06a9d293"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "0efe5fda-5a02-e0e1-800e-60920186917f",
+ "gridData": {
+ "x": 24,
+ "y": 13,
+ "w": 24,
+ "h": 12,
+ "i": "0efe5fda-5a02-e0e1-800e-60920186917f"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Top 10 Target Accounts",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-8874c05f-8ca9-7d94-4cf6-d524f4806848"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "6263045d-7676-e1a4-12b0-54571255453d",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "e64a3706-4ce0-bea2-823d-450c06a9d293",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "8874c05f-8ca9-7d94-4cf6-d524f4806848",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:\"Admin Configuration\" AND user.target.name:*",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8874c05f-8ca9-7d94-4cf6-d524f4806848": {
+ "columns": {
+ "6263045d-7676-e1a4-12b0-54571255453d": {
+ "label": "Target",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "e64a3706-4ce0-bea2-823d-450c06a9d293"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "user.target.name"
+ },
+ "e64a3706-4ce0-bea2-823d-450c06a9d293": {
+ "label": "Changes",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "6263045d-7676-e1a4-12b0-54571255453d",
+ "e64a3706-4ce0-bea2-823d-450c06a9d293"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "a2e4be51-44ce-0063-4ba7-5d7b1bac43c7",
+ "gridData": {
+ "x": 0,
+ "y": 25,
+ "w": 48,
+ "h": 12,
+ "i": "a2e4be51-44ce-0063-4ba7-5d7b1bac43c7"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Account Change Details",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-456f9b89-bac9-901f-8c8b-a5a967c3cba5"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "31e44861-6c19-cf13-c780-c5bb26c57cce",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "0742c066-4ccc-2539-6baf-064879a8fdd3",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "1d4f0601-720e-be3a-2d5f-2f5bf1678d44",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "456f9b89-bac9-901f-8c8b-a5a967c3cba5",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:\"Admin Configuration\"",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "456f9b89-bac9-901f-8c8b-a5a967c3cba5": {
+ "columns": {
+ "31e44861-6c19-cf13-c780-c5bb26c57cce": {
+ "label": "Event Action",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 20,
+ "orderBy": {
+ "type": "column",
+ "columnId": "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "event.action"
+ },
+ "0742c066-4ccc-2539-6baf-064879a8fdd3": {
+ "label": "Admin",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 20,
+ "orderBy": {
+ "type": "column",
+ "columnId": "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "user.name"
+ },
+ "1d4f0601-720e-be3a-2d5f-2f5bf1678d44": {
+ "label": "Target Account",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 20,
+ "orderBy": {
+ "type": "column",
+ "columnId": "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "user.target.name"
+ },
+ "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e": {
+ "label": "Count",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "31e44861-6c19-cf13-c780-c5bb26c57cce",
+ "0742c066-4ccc-2539-6baf-064879a8fdd3",
+ "1d4f0601-720e-be3a-2d5f-2f5bf1678d44",
+ "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "a89869d9-659f-675d-3525-5f9de12f93aa",
+ "gridData": {
+ "x": 0,
+ "y": 37,
+ "w": 48,
+ "h": 15,
+ "i": "a89869d9-659f-675d-3525-5f9de12f93aa"
+ },
+ "type": "search",
+ "panelRefName": "a89869d9-659f-675d-3525-5f9de12f93aa:panel_a89869d9-659f-675d-3525-5f9de12f93aa",
+ "embeddableConfig": {
+ "title": "Log Stream",
+ "enhancements": {},
+ "savedObjectId": "fortinet_fortiauthenticator-admin-config-events"
+ }
+ }
+ ],
+ "optionsJSON": {
+ "useMargins": true,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "hidePanelTitles": false
+ },
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "disabled": false,
+ "negate": false,
+ "alias": null,
+ "type": "phrase",
+ "key": "data_stream.dataset",
+ "field": "data_stream.dataset",
+ "params": {
+ "query": "fortinet_fortiauthenticator.log"
+ }
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "fortinet_fortiauthenticator.log"
+ }
+ }
+ }
+ ],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ "timeRestore": false,
+ "version": 1,
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {
+ "0cdfdf58-1970-368e-3e5f-023bd0f92321": {
+ "grow": false,
+ "order": 0,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "0cdfdf58-1970-368e-3e5f-023bd0f92321",
+ "dataViewId": "logs-*",
+ "fieldName": "event.action",
+ "title": "Event Action",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "ba8d3c8e-a233-e1cc-d519-87e4a509fd0f": {
+ "grow": false,
+ "order": 1,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "ba8d3c8e-a233-e1cc-d519-87e4a509fd0f",
+ "dataViewId": "logs-*",
+ "fieldName": "event.type",
+ "title": "Event Type",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "3f34fc08-59e7-5414-75c4-7f4095b40df2": {
+ "grow": false,
+ "order": 2,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "3f34fc08-59e7-5414-75c4-7f4095b40df2",
+ "dataViewId": "logs-*",
+ "fieldName": "user.name",
+ "title": "Admin",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ }
+ },
+ "showApplySelections": false
+ }
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-10-01T00:00:00Z",
+ "created_by": "admin",
+ "id": "fortinet_fortiauthenticator-admin-audit",
+ "managed": false,
+ "references": [
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-overview",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_3af4ba12-6f83-488a-bdc9-0c7216a22d73_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-authentication",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_85cbe962-a65c-5a52-ac29-31c83f2ee37e_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-admin-audit",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_f8015227-17d1-b054-2b9c-b33d24cec76d_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-system",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_72ea9ac7-2987-7cf7-6e6c-311078031348_dashboard"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "fb04be40-3666-9d17-8ed5-6509ed79baae:indexpattern-datasource-layer-97234203-1bdd-d1a4-3cf8-b6092bab081c"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "0efe5fda-5a02-e0e1-800e-60920186917f:indexpattern-datasource-layer-8874c05f-8ca9-7d94-4cf6-d524f4806848"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "a2e4be51-44ce-0063-4ba7-5d7b1bac43c7:indexpattern-datasource-layer-456f9b89-bac9-901f-8c8b-a5a967c3cba5"
+ },
+ {
+ "type": "search",
+ "id": "fortinet_fortiauthenticator-admin-config-events",
+ "name": "a89869d9-659f-675d-3525-5f9de12f93aa:panel_a89869d9-659f-675d-3525-5f9de12f93aa"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_0cdfdf58-1970-368e-3e5f-023bd0f92321:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_ba8d3c8e-a233-e1cc-d519-87e4a509fd0f:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_3f34fc08-59e7-5414-75c4-7f4095b40df2:optionsListDataView"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_at": "2023-10-01T00:00:00Z",
+ "updated_by": "admin",
+ "version": "1"
+}
\ No newline at end of file
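Review bot: in the Admin Configuration Audit table (layer `456f9b89-bac9-901f-8c8b-a5a967c3cba5`), the `Target Account` terms column on `user.target.name` has `"missingBucket": false`, so an `Admin Configuration` event that carries no target account (a global settings change, for example) is dropped from the table rather than shown with an empty target column; set `"missingBucket": true` on that column so every event the panel's KQL query selects reaches the table, or narrow the query to account-management actions if the table is meant to show only those. Two smaller points in the same hunk: `"created_by": "admin"`, `"updated_by": "admin"` and the identical `created_at`/`updated_at` of `2023-10-01T00:00:00Z` read as placeholder metadata that Kibana sets itself on import, so they can be dropped rather than shipping a fabricated provenance; and the file ends without a trailing newline (`\ No newline at end of file`), unlike the other JSON assets.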
diff --git a/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-authentication.json b/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-authentication.json
new file mode 100644
index 00000000000..4e43ed0c241
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-authentication.json
@@ -0,0 +1,1281 @@
+{
+ "attributes": {
+ "title": "[Logs FortiAuthenticator] Authentication",
+ "description": "Authentication events from FortiAuthenticator. Shows only final RADIUS/TACACS+ authentication results — intermediate EAP handshake steps are excluded for accurate logon counts.",
+ "panelsJSON": [
+ {
+ "panelIndex": "b901510e-4e89-757d-3ffc-2ddd1d265e5a",
+ "gridData": {
+ "x": 0,
+ "y": 0,
+ "w": 48,
+ "h": 3,
+ "i": "b901510e-4e89-757d-3ffc-2ddd1d265e5a"
+ },
+ "type": "links",
+ "embeddableConfig": {
+ "enhancements": {},
+ "attributes": {
+ "layout": "horizontal",
+ "links": [
+ {
+ "id": "3af4ba12-6f83-488a-bdc9-0c7216a22d73",
+ "order": 0,
+ "label": "Overview",
+ "type": "dashboardLink",
+ "destinationRefName": "link_3af4ba12-6f83-488a-bdc9-0c7216a22d73_dashboard"
+ },
+ {
+ "id": "85cbe962-a65c-5a52-ac29-31c83f2ee37e",
+ "order": 1,
+ "label": "Authentication",
+ "type": "dashboardLink",
+ "destinationRefName": "link_85cbe962-a65c-5a52-ac29-31c83f2ee37e_dashboard"
+ },
+ {
+ "id": "f8015227-17d1-b054-2b9c-b33d24cec76d",
+ "order": 2,
+ "label": "Admin Configuration Audit",
+ "type": "dashboardLink",
+ "destinationRefName": "link_f8015227-17d1-b054-2b9c-b33d24cec76d_dashboard"
+ },
+ {
+ "id": "72ea9ac7-2987-7cf7-6e6c-311078031348",
+ "order": 3,
+ "label": "System and HA",
+ "type": "dashboardLink",
+ "destinationRefName": "link_72ea9ac7-2987-7cf7-6e6c-311078031348_dashboard"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "panelIndex": "1a925689-4375-0918-f3ee-2bcfe198237c",
+ "gridData": {
+ "x": 0,
+ "y": 3,
+ "w": 16,
+ "h": 10,
+ "i": "1a925689-4375-0918-f3ee-2bcfe198237c"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Events by Outcome",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "007d38be-2679-3233-9abf-3be678db50d0",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "6ebe5def-fb69-74b6-9df8-7ab4a0952f39"
+ ],
+ "metrics": [
+ "0cb3e3d7-c9da-1181-40f5-5b94be7f1201"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Authentication\"\n AND NOT event.action LIKE \"*admin-gui*\"\n AND NOT event.code IN (\"20430\", \"20431\", \"20300\", \"20299\", \"20422\", \"20005\")\n| STATS count = COUNT(*) BY event.outcome\n| SORT count DESC\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "007d38be-2679-3233-9abf-3be678db50d0": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Authentication\"\n AND NOT event.action LIKE \"*admin-gui*\"\n AND NOT event.code IN (\"20430\", \"20431\", \"20300\", \"20299\", \"20422\", \"20005\")\n| STATS count = COUNT(*) BY event.outcome\n| SORT count DESC\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "event.outcome",
+ "columnId": "6ebe5def-fb69-74b6-9df8-7ab4a0952f39",
+ "label": "event.outcome",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "event.outcome",
+ "columnId": "6ebe5def-fb69-74b6-9df8-7ab4a0952f39",
+ "label": "event.outcome",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "97034512-ce45-39e5-4b41-e1fd562226ce",
+ "gridData": {
+ "x": 16,
+ "y": 3,
+ "w": 16,
+ "h": 10,
+ "i": "97034512-ce45-39e5-4b41-e1fd562226ce"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Events by Protocol",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "20971052-26ba-721a-f002-9b7145ae04c8",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "64d853d1-fb9b-e887-ece4-8ac6a4030b4b"
+ ],
+ "metrics": [
+ "0cb3e3d7-c9da-1181-40f5-5b94be7f1201"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Authentication\"\n AND NOT event.action LIKE \"*admin-gui*\"\n AND NOT event.code IN (\"20430\", \"20431\", \"20300\", \"20299\", \"20422\", \"20005\")\n AND network.protocol IS NOT NULL\n| STATS count = COUNT(*) BY network.protocol\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "20971052-26ba-721a-f002-9b7145ae04c8": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Authentication\"\n AND NOT event.action LIKE \"*admin-gui*\"\n AND NOT event.code IN (\"20430\", \"20431\", \"20300\", \"20299\", \"20422\", \"20005\")\n AND network.protocol IS NOT NULL\n| STATS count = COUNT(*) BY network.protocol\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "network.protocol",
+ "columnId": "64d853d1-fb9b-e887-ece4-8ac6a4030b4b",
+ "label": "network.protocol",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "network.protocol",
+ "columnId": "64d853d1-fb9b-e887-ece4-8ac6a4030b4b",
+ "label": "network.protocol",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "1626e6a6-6864-1217-8ef0-a7a8393dbeac",
+ "gridData": {
+ "x": 32,
+ "y": 3,
+ "w": 16,
+ "h": 10,
+ "i": "1626e6a6-6864-1217-8ef0-a7a8393dbeac"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Events by Log Level",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "6091f957-e90c-c1ef-2859-cf0e6aa13417",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "963c7779-0642-ff95-05d1-7f32e63a6aad"
+ ],
+ "metrics": [
+ "0cb3e3d7-c9da-1181-40f5-5b94be7f1201"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Authentication\"\n AND NOT event.action LIKE \"*admin-gui*\"\n AND NOT event.code IN (\"20430\", \"20431\", \"20300\", \"20299\", \"20422\", \"20005\")\n| STATS count = COUNT(*) BY log.level\n| SORT count DESC\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "6091f957-e90c-c1ef-2859-cf0e6aa13417": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory == \"Authentication\"\n AND NOT event.action LIKE \"*admin-gui*\"\n AND NOT event.code IN (\"20430\", \"20431\", \"20300\", \"20299\", \"20422\", \"20005\")\n| STATS count = COUNT(*) BY log.level\n| SORT count DESC\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "log.level",
+ "columnId": "963c7779-0642-ff95-05d1-7f32e63a6aad",
+ "label": "log.level",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "log.level",
+ "columnId": "963c7779-0642-ff95-05d1-7f32e63a6aad",
+ "label": "log.level",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "2c4bf020-db9f-2b63-07c1-7733b9ef3835",
+ "gridData": {
+ "x": 0,
+ "y": 13,
+ "w": 16,
+ "h": 12,
+ "i": "2c4bf020-db9f-2b63-07c1-7733b9ef3835"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Top 10 Users",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-dab616a9-1fca-96b2-da78-4a5cf8f5c96d"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "2e2c6a1d-9d6f-5c34-54bb-0d0ae7b6a65c",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "78906381-9268-4fda-8e10-7b28774532d5",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "dab616a9-1fca-96b2-da78-4a5cf8f5c96d",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:Authentication AND NOT event.action:*admin-gui* AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005) AND user.name:*",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "dab616a9-1fca-96b2-da78-4a5cf8f5c96d": {
+ "columns": {
+ "2e2c6a1d-9d6f-5c34-54bb-0d0ae7b6a65c": {
+ "label": "User",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "78906381-9268-4fda-8e10-7b28774532d5"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "user.name"
+ },
+ "78906381-9268-4fda-8e10-7b28774532d5": {
+ "label": "Events",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "2e2c6a1d-9d6f-5c34-54bb-0d0ae7b6a65c",
+ "78906381-9268-4fda-8e10-7b28774532d5"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "909b38b6-80ed-d397-cd15-293a9e7dd5dc",
+ "gridData": {
+ "x": 16,
+ "y": 13,
+ "w": 16,
+ "h": 12,
+ "i": "909b38b6-80ed-d397-cd15-293a9e7dd5dc"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Top 10 Source IPs",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-3c8b597a-14f1-3423-d8d0-147bfd0b76ec"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "d6769a7f-38c3-232c-02f5-f529185ff287",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "78906381-9268-4fda-8e10-7b28774532d5",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "3c8b597a-14f1-3423-d8d0-147bfd0b76ec",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:Authentication AND NOT event.action:*admin-gui* AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005) AND source.ip:*",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "3c8b597a-14f1-3423-d8d0-147bfd0b76ec": {
+ "columns": {
+ "d6769a7f-38c3-232c-02f5-f529185ff287": {
+ "label": "Source IP",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "78906381-9268-4fda-8e10-7b28774532d5"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "source.ip"
+ },
+ "78906381-9268-4fda-8e10-7b28774532d5": {
+ "label": "Events",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "d6769a7f-38c3-232c-02f5-f529185ff287",
+ "78906381-9268-4fda-8e10-7b28774532d5"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "5aaa26b4-badd-9e23-0d80-fdfb5cc84f86",
+ "gridData": {
+ "x": 32,
+ "y": 13,
+ "w": 16,
+ "h": 12,
+ "i": "5aaa26b4-badd-9e23-0d80-fdfb5cc84f86"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Top 10 NAS Devices",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b459019f-403f-e9f6-2fe6-d14dcdb03dd9"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "8ec91d05-1239-f877-3774-f1929bb1c8da",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "78906381-9268-4fda-8e10-7b28774532d5",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "b459019f-403f-e9f6-2fe6-d14dcdb03dd9",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:Authentication AND NOT event.action:*admin-gui* AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005) AND fortinet.fortiauthenticator.log.nas:*",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b459019f-403f-e9f6-2fe6-d14dcdb03dd9": {
+ "columns": {
+ "8ec91d05-1239-f877-3774-f1929bb1c8da": {
+ "label": "NAS",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "78906381-9268-4fda-8e10-7b28774532d5"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "fortinet.fortiauthenticator.log.nas"
+ },
+ "78906381-9268-4fda-8e10-7b28774532d5": {
+ "label": "Events",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "8ec91d05-1239-f877-3774-f1929bb1c8da",
+ "78906381-9268-4fda-8e10-7b28774532d5"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "707c9fee-61b8-ec0b-e387-e28b8eaffba7",
+ "gridData": {
+ "x": 0,
+ "y": 25,
+ "w": 24,
+ "h": 12,
+ "i": "707c9fee-61b8-ec0b-e387-e28b8eaffba7"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Top 10 Users by Failed Logons",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-6d015b0a-7c2f-5269-f069-66b9c6a85b92"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "2e2c6a1d-9d6f-5c34-54bb-0d0ae7b6a65c",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "6f3d6ee6-6bf5-694a-c82d-72e50c75d623",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "6d015b0a-7c2f-5269-f069-66b9c6a85b92",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:Authentication AND NOT event.action:*admin-gui* AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005) AND event.outcome:failure AND user.name:*",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "6d015b0a-7c2f-5269-f069-66b9c6a85b92": {
+ "columns": {
+ "2e2c6a1d-9d6f-5c34-54bb-0d0ae7b6a65c": {
+ "label": "User",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "6f3d6ee6-6bf5-694a-c82d-72e50c75d623"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "user.name"
+ },
+ "6f3d6ee6-6bf5-694a-c82d-72e50c75d623": {
+ "label": "Failures",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "2e2c6a1d-9d6f-5c34-54bb-0d0ae7b6a65c",
+ "6f3d6ee6-6bf5-694a-c82d-72e50c75d623"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "7e97451e-e4b1-5e8f-b104-b649c7af62f1",
+ "gridData": {
+ "x": 24,
+ "y": 25,
+ "w": 24,
+ "h": 12,
+ "i": "7e97451e-e4b1-5e8f-b104-b649c7af62f1"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Top 10 Source IPs by Failed Logons",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-10ee748d-9590-93f5-a3fc-a0cac7053fce"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "d6769a7f-38c3-232c-02f5-f529185ff287",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "6f3d6ee6-6bf5-694a-c82d-72e50c75d623",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "10ee748d-9590-93f5-a3fc-a0cac7053fce",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:Authentication AND NOT event.action:*admin-gui* AND NOT event.code:(20430 OR 20431 OR 20300 OR 20299 OR 20422 OR 20005) AND event.outcome:failure AND source.ip:*",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "10ee748d-9590-93f5-a3fc-a0cac7053fce": {
+ "columns": {
+ "d6769a7f-38c3-232c-02f5-f529185ff287": {
+ "label": "Source IP",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "6f3d6ee6-6bf5-694a-c82d-72e50c75d623"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "source.ip"
+ },
+ "6f3d6ee6-6bf5-694a-c82d-72e50c75d623": {
+ "label": "Failures",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "d6769a7f-38c3-232c-02f5-f529185ff287",
+ "6f3d6ee6-6bf5-694a-c82d-72e50c75d623"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "a89869d9-659f-675d-3525-5f9de12f93aa",
+ "gridData": {
+ "x": 0,
+ "y": 37,
+ "w": 48,
+ "h": 15,
+ "i": "a89869d9-659f-675d-3525-5f9de12f93aa"
+ },
+ "type": "search",
+ "panelRefName": "a89869d9-659f-675d-3525-5f9de12f93aa:panel_a89869d9-659f-675d-3525-5f9de12f93aa",
+ "embeddableConfig": {
+ "title": "Log Stream",
+ "enhancements": {},
+ "savedObjectId": "fortinet_fortiauthenticator-authentication-events"
+ }
+ }
+ ],
+ "optionsJSON": {
+ "useMargins": true,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "hidePanelTitles": false
+ },
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "disabled": false,
+ "negate": false,
+ "alias": null,
+ "type": "phrase",
+ "key": "data_stream.dataset",
+ "field": "data_stream.dataset",
+ "params": {
+ "query": "fortinet_fortiauthenticator.log"
+ }
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "fortinet_fortiauthenticator.log"
+ }
+ }
+ }
+ ],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ "timeRestore": false,
+ "version": 1,
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {
+ "1cd17cd9-41c3-4490-6459-a2d8e28c6d8c": {
+ "grow": false,
+ "order": 0,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "1cd17cd9-41c3-4490-6459-a2d8e28c6d8c",
+ "dataViewId": "logs-*",
+ "fieldName": "network.protocol",
+ "title": "Protocol",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "0099e908-3406-7335-5422-c8ac020f5ffb": {
+ "grow": false,
+ "order": 1,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "0099e908-3406-7335-5422-c8ac020f5ffb",
+ "dataViewId": "logs-*",
+ "fieldName": "event.outcome",
+ "title": "Outcome",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "6b86aa1a-4c35-ac8e-63a1-038806c973f3": {
+ "grow": false,
+ "order": 2,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "6b86aa1a-4c35-ac8e-63a1-038806c973f3",
+ "dataViewId": "logs-*",
+ "fieldName": "user.name",
+ "title": "User",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "7a76f0ae-e475-6883-b5f4-be7f82e39ad0": {
+ "grow": false,
+ "order": 3,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "7a76f0ae-e475-6883-b5f4-be7f82e39ad0",
+ "dataViewId": "logs-*",
+ "fieldName": "source.ip",
+ "title": "Source IP",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ }
+ },
+ "showApplySelections": false
+ }
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-10-01T00:00:00Z",
+ "created_by": "admin",
+ "id": "fortinet_fortiauthenticator-authentication",
+ "managed": false,
+ "references": [
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-overview",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_3af4ba12-6f83-488a-bdc9-0c7216a22d73_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-authentication",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_85cbe962-a65c-5a52-ac29-31c83f2ee37e_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-admin-audit",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_f8015227-17d1-b054-2b9c-b33d24cec76d_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-system",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_72ea9ac7-2987-7cf7-6e6c-311078031348_dashboard"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "2c4bf020-db9f-2b63-07c1-7733b9ef3835:indexpattern-datasource-layer-dab616a9-1fca-96b2-da78-4a5cf8f5c96d"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "909b38b6-80ed-d397-cd15-293a9e7dd5dc:indexpattern-datasource-layer-3c8b597a-14f1-3423-d8d0-147bfd0b76ec"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "5aaa26b4-badd-9e23-0d80-fdfb5cc84f86:indexpattern-datasource-layer-b459019f-403f-e9f6-2fe6-d14dcdb03dd9"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "707c9fee-61b8-ec0b-e387-e28b8eaffba7:indexpattern-datasource-layer-6d015b0a-7c2f-5269-f069-66b9c6a85b92"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "7e97451e-e4b1-5e8f-b104-b649c7af62f1:indexpattern-datasource-layer-10ee748d-9590-93f5-a3fc-a0cac7053fce"
+ },
+ {
+ "type": "search",
+ "id": "fortinet_fortiauthenticator-authentication-events",
+ "name": "a89869d9-659f-675d-3525-5f9de12f93aa:panel_a89869d9-659f-675d-3525-5f9de12f93aa"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_1cd17cd9-41c3-4490-6459-a2d8e28c6d8c:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_0099e908-3406-7335-5422-c8ac020f5ffb:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_6b86aa1a-4c35-ac8e-63a1-038806c973f3:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_7a76f0ae-e475-6883-b5f4-be7f82e39ad0:optionsListDataView"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_at": "2023-10-01T00:00:00Z",
+ "updated_by": "admin",
+ "version": "1"
+}
\ No newline at end of file
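Review bot: the top-level `created_at`, `created_by`, `updated_at` and `updated_by` keys near the end of this file carry a hard-coded placeholder date (`2023-10-01T00:00:00Z`) and user (`admin`); these are server-side saved-object metadata that Kibana sets when the asset is imported, so the values shipped in the package are never meaningful and only give a false provenance to anyone auditing the asset. Suggest dropping those four keys (and `managed`, which is likewise set at install time) so the file contains only `attributes`, `id`, `references`, `type`, `coreMigrationVersion` and `typeMigrationVersion`. Minor: the file ends with `\ No newline at end of file`; add the trailing newline so later diffs against it stay clean.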
diff --git a/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-overview.json b/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-overview.json
new file mode 100644
index 00000000000..349e5e0b041
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-overview.json
@@ -0,0 +1,941 @@
+{
+ "attributes": {
+ "title": "[Logs FortiAuthenticator] Overview",
+ "description": "Hub dashboard for Fortinet FortiAuthenticator. Use the links below to navigate to category-specific dashboards.",
+ "panelsJSON": [
+ {
+ "panelIndex": "b901510e-4e89-757d-3ffc-2ddd1d265e5a",
+ "gridData": {
+ "x": 0,
+ "y": 0,
+ "w": 48,
+ "h": 3,
+ "i": "b901510e-4e89-757d-3ffc-2ddd1d265e5a"
+ },
+ "type": "links",
+ "embeddableConfig": {
+ "enhancements": {},
+ "attributes": {
+ "layout": "horizontal",
+ "links": [
+ {
+ "id": "3af4ba12-6f83-488a-bdc9-0c7216a22d73",
+ "order": 0,
+ "label": "Overview",
+ "type": "dashboardLink",
+ "destinationRefName": "link_3af4ba12-6f83-488a-bdc9-0c7216a22d73_dashboard"
+ },
+ {
+ "id": "85cbe962-a65c-5a52-ac29-31c83f2ee37e",
+ "order": 1,
+ "label": "Authentication",
+ "type": "dashboardLink",
+ "destinationRefName": "link_85cbe962-a65c-5a52-ac29-31c83f2ee37e_dashboard"
+ },
+ {
+ "id": "f8015227-17d1-b054-2b9c-b33d24cec76d",
+ "order": 2,
+ "label": "Admin Configuration Audit",
+ "type": "dashboardLink",
+ "destinationRefName": "link_f8015227-17d1-b054-2b9c-b33d24cec76d_dashboard"
+ },
+ {
+ "id": "72ea9ac7-2987-7cf7-6e6c-311078031348",
+ "order": 3,
+ "label": "System and HA",
+ "type": "dashboardLink",
+ "destinationRefName": "link_72ea9ac7-2987-7cf7-6e6c-311078031348_dashboard"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "panelIndex": "e0ea2565-b0ff-0669-342c-dba5354e42aa",
+ "gridData": {
+ "x": 0,
+ "y": 3,
+ "w": 12,
+ "h": 4,
+ "i": "e0ea2565-b0ff-0669-342c-dba5354e42aa"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "hidePanelTitles": true,
+ "attributes": {
+ "title": "",
+ "visualizationType": "lnsMetric",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layerId": "0ffd82c7-30b3-7318-36bf-b58b975c5480",
+ "layerType": "data",
+ "metricAccessor": "829c15ae-d330-7cac-8c26-b50f0d97db4c",
+ "showBar": false,
+ "applyColorTo": "background"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| STATS total = COUNT(*)\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "0ffd82c7-30b3-7318-36bf-b58b975c5480": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| STATS total = COUNT(*)\n"
+ },
+ "columns": [
+ {
+ "fieldName": "total",
+ "columnId": "829c15ae-d330-7cac-8c26-b50f0d97db4c",
+ "label": "Total Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true,
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ }
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "total",
+ "columnId": "829c15ae-d330-7cac-8c26-b50f0d97db4c",
+ "label": "Total Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true,
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ }
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "6c2482d4-1285-2676-b1ea-471622a3a12f",
+ "gridData": {
+ "x": 12,
+ "y": 3,
+ "w": 12,
+ "h": 4,
+ "i": "6c2482d4-1285-2676-b1ea-471622a3a12f"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "hidePanelTitles": true,
+ "attributes": {
+ "title": "",
+ "visualizationType": "lnsMetric",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layerId": "fe36cbbe-c6fe-ece6-6e21-e5aa3d01b5b2",
+ "layerType": "data",
+ "metricAccessor": "6fe63307-8235-fca2-b908-3092535d0ea0",
+ "showBar": false,
+ "applyColorTo": "background"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n AND user.name IS NOT NULL\n| STATS users = COUNT_DISTINCT(user.name)\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "fe36cbbe-c6fe-ece6-6e21-e5aa3d01b5b2": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n AND user.name IS NOT NULL\n| STATS users = COUNT_DISTINCT(user.name)\n"
+ },
+ "columns": [
+ {
+ "fieldName": "users",
+ "columnId": "6fe63307-8235-fca2-b908-3092535d0ea0",
+ "label": "Unique Users",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true,
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ }
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "users",
+ "columnId": "6fe63307-8235-fca2-b908-3092535d0ea0",
+ "label": "Unique Users",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true,
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ }
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "bd39548a-8b37-9dc7-f7b9-dbb64e0c744a",
+ "gridData": {
+ "x": 24,
+ "y": 3,
+ "w": 12,
+ "h": 4,
+ "i": "bd39548a-8b37-9dc7-f7b9-dbb64e0c744a"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "hidePanelTitles": true,
+ "attributes": {
+ "title": "",
+ "visualizationType": "lnsMetric",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layerId": "753d9881-e226-6b86-55c1-d42956b4e363",
+ "layerType": "data",
+ "metricAccessor": "cc70cf0a-7ac7-83a8-351f-50ee0b6cc9a6",
+ "showBar": false,
+ "applyColorTo": "background"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n AND source.ip IS NOT NULL\n| STATS ips = COUNT_DISTINCT(source.ip)\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "753d9881-e226-6b86-55c1-d42956b4e363": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n AND source.ip IS NOT NULL\n| STATS ips = COUNT_DISTINCT(source.ip)\n"
+ },
+ "columns": [
+ {
+ "fieldName": "ips",
+ "columnId": "cc70cf0a-7ac7-83a8-351f-50ee0b6cc9a6",
+ "label": "Unique Source IPs",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true,
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ }
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "ips",
+ "columnId": "cc70cf0a-7ac7-83a8-351f-50ee0b6cc9a6",
+ "label": "Unique Source IPs",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true,
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ }
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "6c047025-2e57-7e9f-e311-3fb0d80bacb2",
+ "gridData": {
+ "x": 36,
+ "y": 3,
+ "w": 12,
+ "h": 4,
+ "i": "6c047025-2e57-7e9f-e311-3fb0d80bacb2"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "hidePanelTitles": true,
+ "attributes": {
+ "title": "",
+ "visualizationType": "lnsMetric",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layerId": "32a738f1-0b73-91e6-4da4-510b1b5d505d",
+ "layerType": "data",
+ "metricAccessor": "9b795563-1844-680f-aef9-1c9e61f6b326",
+ "showBar": false,
+ "applyColorTo": "background"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n AND event.outcome IS NOT NULL\n| STATS total = COUNT(*), failed = COUNT(CASE(event.outcome == \"failure\", 1))\n| EVAL failure_rate = ROUND(failed * 100.0 / total, 1)\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "32a738f1-0b73-91e6-4da4-510b1b5d505d": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n AND event.outcome IS NOT NULL\n| STATS total = COUNT(*), failed = COUNT(CASE(event.outcome == \"failure\", 1))\n| EVAL failure_rate = ROUND(failed * 100.0 / total, 1)\n"
+ },
+ "columns": [
+ {
+ "fieldName": "failure_rate",
+ "columnId": "9b795563-1844-680f-aef9-1c9e61f6b326",
+ "label": "Failure Rate (%)",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true,
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1
+ }
+ }
+ }
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "failure_rate",
+ "columnId": "9b795563-1844-680f-aef9-1c9e61f6b326",
+ "label": "Failure Rate (%)",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true,
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1
+ }
+ }
+ }
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "fe0d97c6-3b75-2d22-4c2c-d1059bf569ea",
+ "gridData": {
+ "x": 0,
+ "y": 7,
+ "w": 32,
+ "h": 10,
+ "i": "fe0d97c6-3b75-2d22-4c2c-d1059bf569ea"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Events Over Time",
+ "visualizationType": "lnsXY",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "e59c9477-b198-8ff1-798f-85b9cef2d84b",
+ "accessors": [
+ "2800cdf4-94fb-1ee8-53aa-5ff10df538ee"
+ ],
+ "layerType": "data",
+ "seriesType": "bar_stacked",
+ "xAccessor": "42a876a0-15e3-395a-0a00-b1577942ad2f",
+ "position": "top",
+ "showGridlines": false,
+ "splitAccessor": "b7ba46ca-a5d9-e1da-99de-3cd4bf142397",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ }
+ }
+ ],
+ "preferredSeriesType": "bar_stacked",
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "valueLabels": "hide"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| STATS count = COUNT(*) BY time_bucket = BUCKET(@timestamp, 20, ?_tstart, ?_tend), subcategory = fortinet.fortiauthenticator.log.subcategory\n| SORT time_bucket ASC\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "e59c9477-b198-8ff1-798f-85b9cef2d84b": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| STATS count = COUNT(*) BY time_bucket = BUCKET(@timestamp, 20, ?_tstart, ?_tend), subcategory = fortinet.fortiauthenticator.log.subcategory\n| SORT time_bucket ASC\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "2800cdf4-94fb-1ee8-53aa-5ff10df538ee",
+ "label": "count",
+ "customLabel": false,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "time_bucket",
+ "columnId": "42a876a0-15e3-395a-0a00-b1577942ad2f",
+ "label": "time_bucket",
+ "customLabel": false,
+ "meta": {
+ "type": "date",
+ "esType": "date"
+ }
+ },
+ {
+ "fieldName": "subcategory",
+ "columnId": "b7ba46ca-a5d9-e1da-99de-3cd4bf142397",
+ "label": "subcategory",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "2800cdf4-94fb-1ee8-53aa-5ff10df538ee",
+ "label": "count",
+ "customLabel": false,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "time_bucket",
+ "columnId": "42a876a0-15e3-395a-0a00-b1577942ad2f",
+ "label": "time_bucket",
+ "customLabel": false,
+ "meta": {
+ "type": "date",
+ "esType": "date"
+ }
+ },
+ {
+ "fieldName": "subcategory",
+ "columnId": "b7ba46ca-a5d9-e1da-99de-3cd4bf142397",
+ "label": "subcategory",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "d6668ac1-02e9-5f1c-b618-87c5c6e717d9",
+ "gridData": {
+ "x": 32,
+ "y": 7,
+ "w": 16,
+ "h": 10,
+ "i": "d6668ac1-02e9-5f1c-b618-87c5c6e717d9"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Events by Subcategory",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "5ea6a7c4-530c-7f2b-f200-8638071a8d60",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "f7ad0898-e822-1f8c-8912-c4bca43a19bf"
+ ],
+ "metrics": [
+ "0cb3e3d7-c9da-1181-40f5-5b94be7f1201"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| STATS count = COUNT(*) BY fortinet.fortiauthenticator.log.subcategory\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "5ea6a7c4-530c-7f2b-f200-8638071a8d60": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| STATS count = COUNT(*) BY fortinet.fortiauthenticator.log.subcategory\n| SORT count DESC\n| LIMIT 7\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "fortinet.fortiauthenticator.log.subcategory",
+ "columnId": "f7ad0898-e822-1f8c-8912-c4bca43a19bf",
+ "label": "fortinet.fortiauthenticator.log.subcategory",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "fortinet.fortiauthenticator.log.subcategory",
+ "columnId": "f7ad0898-e822-1f8c-8912-c4bca43a19bf",
+ "label": "fortinet.fortiauthenticator.log.subcategory",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "7b4d234b-24d1-f154-5527-cbc3891698d5",
+ "gridData": {
+ "x": 0,
+ "y": 17,
+ "w": 48,
+ "h": 15,
+ "i": "7b4d234b-24d1-f154-5527-cbc3891698d5"
+ },
+ "type": "search",
+ "panelRefName": "7b4d234b-24d1-f154-5527-cbc3891698d5:panel_7b4d234b-24d1-f154-5527-cbc3891698d5",
+ "embeddableConfig": {
+ "title": "Log Stream",
+ "enhancements": {},
+ "savedObjectId": "fortinet_fortiauthenticator-all-user-events"
+ }
+ }
+ ],
+ "optionsJSON": {
+ "useMargins": true,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "hidePanelTitles": false
+ },
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "disabled": false,
+ "negate": false,
+ "alias": null,
+ "type": "phrase",
+ "key": "data_stream.dataset",
+ "field": "data_stream.dataset",
+ "params": {
+ "query": "fortinet_fortiauthenticator.log"
+ }
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "fortinet_fortiauthenticator.log"
+ }
+ }
+ }
+ ],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ "timeRestore": false,
+ "version": 1,
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {
+ "b54aeb5f-7271-c33f-2cce-9209b49cd246": {
+ "grow": false,
+ "order": 0,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "b54aeb5f-7271-c33f-2cce-9209b49cd246",
+ "dataViewId": "logs-*",
+ "fieldName": "fortinet.fortiauthenticator.log.subcategory",
+ "title": "Subcategory",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "061a5d5c-4fd1-2af9-c58b-e956b0295f84": {
+ "grow": false,
+ "order": 1,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "061a5d5c-4fd1-2af9-c58b-e956b0295f84",
+ "dataViewId": "logs-*",
+ "fieldName": "log.level",
+ "title": "Log Level",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "6b86aa1a-4c35-ac8e-63a1-038806c973f3": {
+ "grow": false,
+ "order": 2,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "6b86aa1a-4c35-ac8e-63a1-038806c973f3",
+ "dataViewId": "logs-*",
+ "fieldName": "user.name",
+ "title": "User",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "7a76f0ae-e475-6883-b5f4-be7f82e39ad0": {
+ "grow": false,
+ "order": 3,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "7a76f0ae-e475-6883-b5f4-be7f82e39ad0",
+ "dataViewId": "logs-*",
+ "fieldName": "source.ip",
+ "title": "Source IP",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ }
+ },
+ "showApplySelections": false
+ }
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-10-01T00:00:00Z",
+ "created_by": "admin",
+ "id": "fortinet_fortiauthenticator-overview",
+ "managed": false,
+ "references": [
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-overview",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_3af4ba12-6f83-488a-bdc9-0c7216a22d73_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-authentication",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_85cbe962-a65c-5a52-ac29-31c83f2ee37e_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-admin-audit",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_f8015227-17d1-b054-2b9c-b33d24cec76d_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-system",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_72ea9ac7-2987-7cf7-6e6c-311078031348_dashboard"
+ },
+ {
+ "type": "search",
+ "id": "fortinet_fortiauthenticator-all-user-events",
+ "name": "7b4d234b-24d1-f154-5527-cbc3891698d5:panel_7b4d234b-24d1-f154-5527-cbc3891698d5"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_b54aeb5f-7271-c33f-2cce-9209b49cd246:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_061a5d5c-4fd1-2af9-c58b-e956b0295f84:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_6b86aa1a-4c35-ac8e-63a1-038806c973f3:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_7a76f0ae-e475-6883-b5f4-be7f82e39ad0:optionsListDataView"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_at": "2023-10-01T00:00:00Z",
+ "updated_by": "admin",
+ "version": "1"
+}
\ No newline at end of file
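Review bot: the failure-rate metric's ES|QL (`| EVAL failure_rate = ROUND(failed * 100.0 / total, 1)`) divides by `total` with no guard, so when the selected time range contains no documents with `event.outcome` set, `STATS` still returns one row with `total = 0` and the division yields null, leaving the panel blank instead of showing 0. Suggest `| EVAL failure_rate = CASE(total > 0, ROUND(failed * 100.0 / total, 1), 0.0)` in both copies of the query (the `query.esql` and the layer `query.esql`). In the same panel the column's `"meta": { "type": "number", "esType": "long" }` does not match the double that `ROUND(..., 1)` produces; the `decimals: 1` format hides this, but `esType` should read `double`. As in the authentication dashboard, the trailing `created_at`/`created_by`/`updated_at`/`updated_by` placeholders (`2023-10-01T00:00:00Z`, `admin`) are runtime metadata and should be removed from the packaged asset, and the file is missing its final newline.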
diff --git a/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-system.json b/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-system.json
new file mode 100644
index 00000000000..1d3008eabc9
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/kibana/dashboard/fortinet_fortiauthenticator-system.json
@@ -0,0 +1,1098 @@
+{
+ "attributes": {
+ "title": "[Logs FortiAuthenticator] System and HA",
+ "description": "System operations, admin GUI login activity, and high availability cluster events from FortiAuthenticator.",
+ "panelsJSON": [
+ {
+ "panelIndex": "b901510e-4e89-757d-3ffc-2ddd1d265e5a",
+ "gridData": {
+ "x": 0,
+ "y": 0,
+ "w": 48,
+ "h": 3,
+ "i": "b901510e-4e89-757d-3ffc-2ddd1d265e5a"
+ },
+ "type": "links",
+ "embeddableConfig": {
+ "enhancements": {},
+ "attributes": {
+ "layout": "horizontal",
+ "links": [
+ {
+ "id": "3af4ba12-6f83-488a-bdc9-0c7216a22d73",
+ "order": 0,
+ "label": "Overview",
+ "type": "dashboardLink",
+ "destinationRefName": "link_3af4ba12-6f83-488a-bdc9-0c7216a22d73_dashboard"
+ },
+ {
+ "id": "85cbe962-a65c-5a52-ac29-31c83f2ee37e",
+ "order": 1,
+ "label": "Authentication",
+ "type": "dashboardLink",
+ "destinationRefName": "link_85cbe962-a65c-5a52-ac29-31c83f2ee37e_dashboard"
+ },
+ {
+ "id": "f8015227-17d1-b054-2b9c-b33d24cec76d",
+ "order": 2,
+ "label": "Admin Configuration Audit",
+ "type": "dashboardLink",
+ "destinationRefName": "link_f8015227-17d1-b054-2b9c-b33d24cec76d_dashboard"
+ },
+ {
+ "id": "72ea9ac7-2987-7cf7-6e6c-311078031348",
+ "order": 3,
+ "label": "System and HA",
+ "type": "dashboardLink",
+ "destinationRefName": "link_72ea9ac7-2987-7cf7-6e6c-311078031348_dashboard"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "panelIndex": "31c34a78-aa8e-1c17-b3f8-c69f0505c69e",
+ "gridData": {
+ "x": 0,
+ "y": 3,
+ "w": 16,
+ "h": 10,
+ "i": "31c34a78-aa8e-1c17-b3f8-c69f0505c69e"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Events by Subcategory",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "e611be52-e88c-4b96-b594-167b7c898dce",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "27a1a6b9-b42c-508d-6a0e-d5e68466543d"
+ ],
+ "metrics": [
+ "0cb3e3d7-c9da-1181-40f5-5b94be7f1201"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory IN (\"System\", \"High Availability\")\n OR event.action LIKE \"*admin-gui*\"\n| EVAL area = CASE(\n event.action LIKE \"*admin-gui*\", \"Admin GUI\",\n fortinet.fortiauthenticator.log.subcategory\n )\n| STATS count = COUNT(*) BY area\n| SORT count DESC\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "e611be52-e88c-4b96-b594-167b7c898dce": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory IN (\"System\", \"High Availability\")\n OR event.action LIKE \"*admin-gui*\"\n| EVAL area = CASE(\n event.action LIKE \"*admin-gui*\", \"Admin GUI\",\n fortinet.fortiauthenticator.log.subcategory\n )\n| STATS count = COUNT(*) BY area\n| SORT count DESC\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "area",
+ "columnId": "27a1a6b9-b42c-508d-6a0e-d5e68466543d",
+ "label": "area",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "area",
+ "columnId": "27a1a6b9-b42c-508d-6a0e-d5e68466543d",
+ "label": "area",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "f1e85087-e1b7-3e39-2732-fae38cf79a7c",
+ "gridData": {
+ "x": 16,
+ "y": 3,
+ "w": 16,
+ "h": 10,
+ "i": "f1e85087-e1b7-3e39-2732-fae38cf79a7c"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Events by Log Level",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "825fae43-f47c-f3ce-ae0c-96a9824bd7db",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "963c7779-0642-ff95-05d1-7f32e63a6aad"
+ ],
+ "metrics": [
+ "0cb3e3d7-c9da-1181-40f5-5b94be7f1201"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory IN (\"System\", \"High Availability\")\n OR event.action LIKE \"*admin-gui*\"\n| STATS count = COUNT(*) BY log.level\n| SORT count DESC\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "825fae43-f47c-f3ce-ae0c-96a9824bd7db": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE fortinet.fortiauthenticator.log.subcategory IN (\"System\", \"High Availability\")\n OR event.action LIKE \"*admin-gui*\"\n| STATS count = COUNT(*) BY log.level\n| SORT count DESC\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "log.level",
+ "columnId": "963c7779-0642-ff95-05d1-7f32e63a6aad",
+ "label": "log.level",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "0cb3e3d7-c9da-1181-40f5-5b94be7f1201",
+ "label": "Events",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "log.level",
+ "columnId": "963c7779-0642-ff95-05d1-7f32e63a6aad",
+ "label": "log.level",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "6f34782d-ac54-7d8f-767e-a263df64b47c",
+ "gridData": {
+ "x": 32,
+ "y": 3,
+ "w": 16,
+ "h": 10,
+ "i": "6f34782d-ac54-7d8f-767e-a263df64b47c"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Distribution of Admin GUI Login Outcomes",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [],
+ "state": {
+ "visualization": {
+ "layers": [
+ {
+ "layerId": "2a07eb47-1e9e-5075-bd9a-f1d7fd9a848e",
+ "layerType": "data",
+ "colorMapping": {
+ "assignments": [],
+ "specialAssignments": [
+ {
+ "rule": {
+ "type": "other"
+ },
+ "color": {
+ "type": "loop"
+ },
+ "touched": false
+ }
+ ],
+ "paletteId": "eui_amsterdam_color_blind",
+ "colorMode": {
+ "type": "categorical"
+ }
+ },
+ "primaryGroups": [
+ "6ebe5def-fb69-74b6-9df8-7ab4a0952f39"
+ ],
+ "metrics": [
+ "a116fd01-e663-c301-d202-57aef5ebc827"
+ ],
+ "numberDisplay": "percent",
+ "categoryDisplay": "default",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "nestedLegend": false,
+ "emptySizeRatio": 0.3
+ }
+ ],
+ "shape": "donut"
+ },
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE event.action LIKE \"*admin-gui*\"\n| STATS count = COUNT(*) BY event.outcome\n| SORT count DESC\n"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "2a07eb47-1e9e-5075-bd9a-f1d7fd9a848e": {
+ "query": {
+ "esql": "FROM logs-*\n| WHERE data_stream.dataset == \"fortinet_fortiauthenticator.log\"\n| WHERE event.action LIKE \"*admin-gui*\"\n| STATS count = COUNT(*) BY event.outcome\n| SORT count DESC\n"
+ },
+ "columns": [
+ {
+ "fieldName": "count",
+ "columnId": "a116fd01-e663-c301-d202-57aef5ebc827",
+ "label": "Logins",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "event.outcome",
+ "columnId": "6ebe5def-fb69-74b6-9df8-7ab4a0952f39",
+ "label": "event.outcome",
+ "customLabel": false
+ }
+ ],
+ "allColumns": [
+ {
+ "fieldName": "count",
+ "columnId": "a116fd01-e663-c301-d202-57aef5ebc827",
+ "label": "Logins",
+ "customLabel": true,
+ "meta": {
+ "type": "number",
+ "esType": "long"
+ },
+ "inMetricDimension": true
+ },
+ {
+ "fieldName": "event.outcome",
+ "columnId": "6ebe5def-fb69-74b6-9df8-7ab4a0952f39",
+ "label": "event.outcome",
+ "customLabel": false
+ }
+ ],
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "6188811c-b451-c4d9-6ea4-ac31ffe7bce2",
+ "gridData": {
+ "x": 0,
+ "y": 13,
+ "w": 24,
+ "h": 12,
+ "i": "6188811c-b451-c4d9-6ea4-ac31ffe7bce2"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Top 10 Admin GUI Login Source IPs",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-8ce8447c-a2ef-524e-ca99-a424d2980e75"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "d6769a7f-38c3-232c-02f5-f529185ff287",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "2643bd1b-75d2-6801-f9a0-6e856200de86",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "9689941a-1ce9-5e92-679e-4ca58b5299be",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "8ce8447c-a2ef-524e-ca99-a424d2980e75",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND event.action:*admin-gui* AND source.ip:*",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8ce8447c-a2ef-524e-ca99-a424d2980e75": {
+ "columns": {
+ "d6769a7f-38c3-232c-02f5-f529185ff287": {
+ "label": "Source IP",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "9689941a-1ce9-5e92-679e-4ca58b5299be"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "source.ip"
+ },
+ "2643bd1b-75d2-6801-f9a0-6e856200de86": {
+ "label": "Admin",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "9689941a-1ce9-5e92-679e-4ca58b5299be"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "user.name"
+ },
+ "9689941a-1ce9-5e92-679e-4ca58b5299be": {
+ "label": "Logins",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "d6769a7f-38c3-232c-02f5-f529185ff287",
+ "2643bd1b-75d2-6801-f9a0-6e856200de86",
+ "9689941a-1ce9-5e92-679e-4ca58b5299be"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "dc1b2288-1313-dc90-9c2f-7f30c0dbc83d",
+ "gridData": {
+ "x": 24,
+ "y": 13,
+ "w": 24,
+ "h": 12,
+ "i": "dc1b2288-1313-dc90-9c2f-7f30c0dbc83d"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "Top 10 System Event Actions",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-34b4bc7f-16bb-57c0-884d-8a56dff48c8b"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "33b1df72-cf0e-f95c-21c1-9447de46a9d0",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "78906381-9268-4fda-8e10-7b28774532d5",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "34b4bc7f-16bb-57c0-884d-8a56dff48c8b",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:(System OR \"High Availability\") AND event.action:*",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "34b4bc7f-16bb-57c0-884d-8a56dff48c8b": {
+ "columns": {
+ "33b1df72-cf0e-f95c-21c1-9447de46a9d0": {
+ "label": "Event Action",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "78906381-9268-4fda-8e10-7b28774532d5"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "event.action"
+ },
+ "78906381-9268-4fda-8e10-7b28774532d5": {
+ "label": "Events",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "33b1df72-cf0e-f95c-21c1-9447de46a9d0",
+ "78906381-9268-4fda-8e10-7b28774532d5"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "e9aa5c0e-991f-573b-9225-89527ea34020",
+ "gridData": {
+ "x": 0,
+ "y": 25,
+ "w": 48,
+ "h": 12,
+ "i": "e9aa5c0e-991f-573b-9225-89527ea34020"
+ },
+ "type": "lens",
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "attributes": {
+ "title": "System and HA Events",
+ "visualizationType": "lnsDatatable",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-1d3495d5-80eb-8d84-b9e2-5eb1e3f58e39"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "71ab2d01-359e-822f-7cf8-b86f095ff6c2",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "a4935eb6-3cb8-27b0-0cf3-c0a07b7dad3d",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "20de9c16-3529-2046-e3f7-015522dff4a0",
+ "isTransposed": false,
+ "isMetric": false
+ },
+ {
+ "columnId": "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e",
+ "isTransposed": false,
+ "isMetric": true
+ }
+ ],
+ "layerId": "1d3495d5-80eb-8d84-b9e2-5eb1e3f58e39",
+ "layerType": "data"
+ },
+ "query": {
+ "query": "data_stream.dataset:fortinet_fortiauthenticator.log AND fortinet.fortiauthenticator.log.subcategory:(System OR \"High Availability\")",
+ "language": "kuery"
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "1d3495d5-80eb-8d84-b9e2-5eb1e3f58e39": {
+ "columns": {
+ "71ab2d01-359e-822f-7cf8-b86f095ff6c2": {
+ "label": "Event Action",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 30,
+ "orderBy": {
+ "type": "column",
+ "columnId": "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "event.action"
+ },
+ "a4935eb6-3cb8-27b0-0cf3-c0a07b7dad3d": {
+ "label": "Subcategory",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 10,
+ "orderBy": {
+ "type": "column",
+ "columnId": "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "fortinet.fortiauthenticator.log.subcategory"
+ },
+ "20de9c16-3529-2046-e3f7-015522dff4a0": {
+ "label": "Log Level",
+ "dataType": "string",
+ "customLabel": true,
+ "operationType": "terms",
+ "isBucketed": true,
+ "scale": "ordinal",
+ "params": {
+ "size": 5,
+ "orderBy": {
+ "type": "column",
+ "columnId": "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "missingBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "include": [],
+ "exclude": [],
+ "includeIsRegex": false,
+ "excludeIsRegex": false
+ },
+ "sourceField": "log.level"
+ },
+ "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e": {
+ "label": "Count",
+ "dataType": "number",
+ "customLabel": true,
+ "operationType": "count",
+ "isBucketed": false,
+ "scale": "ratio",
+ "sourceField": "___records___",
+ "params": {
+ "emptyAsNull": true
+ }
+ }
+ },
+ "columnOrder": [
+ "71ab2d01-359e-822f-7cf8-b86f095ff6c2",
+ "a4935eb6-3cb8-27b0-0cf3-c0a07b7dad3d",
+ "20de9c16-3529-2046-e3f7-015522dff4a0",
+ "e293e1d8-19e0-ece8-e7f3-a0b190c5d64e"
+ ],
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "syncTooltips": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "filters": [],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ {
+ "panelIndex": "a89869d9-659f-675d-3525-5f9de12f93aa",
+ "gridData": {
+ "x": 0,
+ "y": 37,
+ "w": 48,
+ "h": 15,
+ "i": "a89869d9-659f-675d-3525-5f9de12f93aa"
+ },
+ "type": "search",
+ "panelRefName": "a89869d9-659f-675d-3525-5f9de12f93aa:panel_a89869d9-659f-675d-3525-5f9de12f93aa",
+ "embeddableConfig": {
+ "title": "Log Stream",
+ "enhancements": {},
+ "savedObjectId": "fortinet_fortiauthenticator-system-events"
+ }
+ }
+ ],
+ "optionsJSON": {
+ "useMargins": true,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "hidePanelTitles": false
+ },
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "disabled": false,
+ "negate": false,
+ "alias": null,
+ "type": "phrase",
+ "key": "data_stream.dataset",
+ "field": "data_stream.dataset",
+ "params": {
+ "query": "fortinet_fortiauthenticator.log"
+ }
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "fortinet_fortiauthenticator.log"
+ }
+ }
+ }
+ ],
+ "query": {
+ "query": "",
+ "language": "kuery"
+ }
+ }
+ },
+ "timeRestore": false,
+ "version": 1,
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {
+ "b54aeb5f-7271-c33f-2cce-9209b49cd246": {
+ "grow": false,
+ "order": 0,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "b54aeb5f-7271-c33f-2cce-9209b49cd246",
+ "dataViewId": "logs-*",
+ "fieldName": "fortinet.fortiauthenticator.log.subcategory",
+ "title": "Subcategory",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "061a5d5c-4fd1-2af9-c58b-e956b0295f84": {
+ "grow": false,
+ "order": 1,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "061a5d5c-4fd1-2af9-c58b-e956b0295f84",
+ "dataViewId": "logs-*",
+ "fieldName": "log.level",
+ "title": "Log Level",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ },
+ "0cdfdf58-1970-368e-3e5f-023bd0f92321": {
+ "grow": false,
+ "order": 2,
+ "width": "medium",
+ "type": "optionsListControl",
+ "explicitInput": {
+ "id": "0cdfdf58-1970-368e-3e5f-023bd0f92321",
+ "dataViewId": "logs-*",
+ "fieldName": "event.action",
+ "title": "Event Action",
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ }
+ }
+ }
+ },
+ "showApplySelections": false
+ }
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-10-01T00:00:00Z",
+ "created_by": "admin",
+ "id": "fortinet_fortiauthenticator-system",
+ "managed": false,
+ "references": [
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-overview",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_3af4ba12-6f83-488a-bdc9-0c7216a22d73_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-authentication",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_85cbe962-a65c-5a52-ac29-31c83f2ee37e_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-admin-audit",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_f8015227-17d1-b054-2b9c-b33d24cec76d_dashboard"
+ },
+ {
+ "type": "dashboard",
+ "id": "fortinet_fortiauthenticator-system",
+ "name": "b901510e-4e89-757d-3ffc-2ddd1d265e5a:link_72ea9ac7-2987-7cf7-6e6c-311078031348_dashboard"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "6188811c-b451-c4d9-6ea4-ac31ffe7bce2:indexpattern-datasource-layer-8ce8447c-a2ef-524e-ca99-a424d2980e75"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "dc1b2288-1313-dc90-9c2f-7f30c0dbc83d:indexpattern-datasource-layer-34b4bc7f-16bb-57c0-884d-8a56dff48c8b"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "e9aa5c0e-991f-573b-9225-89527ea34020:indexpattern-datasource-layer-1d3495d5-80eb-8d84-b9e2-5eb1e3f58e39"
+ },
+ {
+ "type": "search",
+ "id": "fortinet_fortiauthenticator-system-events",
+ "name": "a89869d9-659f-675d-3525-5f9de12f93aa:panel_a89869d9-659f-675d-3525-5f9de12f93aa"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_b54aeb5f-7271-c33f-2cce-9209b49cd246:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_061a5d5c-4fd1-2af9-c58b-e956b0295f84:optionsListDataView"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "controlGroup_0cdfdf58-1970-368e-3e5f-023bd0f92321:optionsListDataView"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_at": "2023-10-01T00:00:00Z",
+ "updated_by": "admin",
+ "version": "1"
+}
\ No newline at end of file
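Review bot: the "Top 10 Admin GUI Login Source IPs" table (KQL `data_stream.dataset:fortinet_fortiauthenticator.log AND event.action:*admin-gui* AND source.ip:*`) counts every admin GUI event regardless of `event.outcome`, so its "Logins" column lumps failed and successful attempts together and a source hammering the login page is indistinguishable from a busy legitimate admin. Add an `event.outcome` terms column beside Source IP and Admin (the neighbouring pie panel already splits on that field) or provide separate success/failure tables. Separately, `"created_at": "2023-10-01T00:00:00Z"`, `"updated_at"` with the same value and `"created_by": "admin"` look hand-filled rather than exported; re-exporting the dashboard with `elastic-package export dashboards` would give the canonical saved-object form.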
diff --git a/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-admin-config-events.json b/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-admin-config-events.json
new file mode 100644
index 00000000000..adcd1a40d56
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-admin-config-events.json
@@ -0,0 +1,98 @@
+{
+ "attributes": {
+ "columns": [
+ "event.action",
+ "user.name",
+ "user.target.name",
+ "fortinet.fortiauthenticator.log.changes",
+ "message"
+ ],
+ "description": "Administrative configuration changes from FortiAuthenticator.",
+ "grid": {},
+ "hideChart": true,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "fortinet_fortiauthenticator.log"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "fortinet_fortiauthenticator.log"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "fortinet.fortiauthenticator.log.subcategory",
+ "negate": false,
+ "params": {
+ "query": "Admin Configuration"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "fortinet.fortiauthenticator.log.subcategory": "Admin Configuration"
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "[Logs FortiAuthenticator] Admin Configuration Events"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "id": "fortinet_fortiauthenticator-admin-config-events",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
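Review bot: the `columns` list (`event.action`, `user.name`, `user.target.name`, `fortinet.fortiauthenticator.log.changes`, `message`) omits `source.ip`, which the other three saved searches in this change all display. For an admin configuration audit, where a change was made from matters as much as who made it, so add `"source.ip"` after `"user.name"`.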
diff --git a/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-all-user-events.json b/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-all-user-events.json
new file mode 100644
index 00000000000..8687851f348
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-all-user-events.json
@@ -0,0 +1,73 @@
+{
+ "attributes": {
+ "columns": [
+ "event.action",
+ "event.outcome",
+ "user.name",
+ "source.ip",
+ "fortinet.fortiauthenticator.log.subcategory",
+ "message"
+ ],
+ "description": "All FortiAuthenticator events sorted by timestamp. Use dashboard controls to filter by user.",
+ "grid": {},
+ "hideChart": true,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "fortinet_fortiauthenticator.log"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "fortinet_fortiauthenticator.log"
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "[Logs FortiAuthenticator] All Events"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "id": "fortinet_fortiauthenticator-all-user-events",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
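Review bot: this file ends without a trailing newline (`\ No newline at end of file`) while the sibling saved searches added in this change end with one; add it for consistency. Also, the id `fortinet_fortiauthenticator-all-user-events` and the description ("Use dashboard controls to filter by user.") describe a per-user view, but the title is the generic "[Logs FortiAuthenticator] All Events"; align the title with the intent (for example "All User Events") or rename the id to match the title.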
diff --git a/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-authentication-events.json b/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-authentication-events.json
new file mode 100644
index 00000000000..36c7f2d824c
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-authentication-events.json
@@ -0,0 +1,99 @@
+{
+ "attributes": {
+ "columns": [
+ "event.action",
+ "event.outcome",
+ "network.protocol",
+ "user.name",
+ "source.ip",
+ "message"
+ ],
+ "description": "Authentication events from FortiAuthenticator.",
+ "grid": {},
+ "hideChart": true,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "fortinet_fortiauthenticator.log"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "fortinet_fortiauthenticator.log"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "fortinet.fortiauthenticator.log.subcategory",
+ "negate": false,
+ "params": {
+ "query": "Authentication"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "fortinet.fortiauthenticator.log.subcategory": "Authentication"
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "[Logs FortiAuthenticator] Authentication Events"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "id": "fortinet_fortiauthenticator-authentication-events",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
diff --git a/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-system-events.json b/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-system-events.json
new file mode 100644
index 00000000000..a1e016d0b95
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/kibana/search/fortinet_fortiauthenticator-system-events.json
@@ -0,0 +1,73 @@
+{
+ "attributes": {
+ "columns": [
+ "event.action",
+ "fortinet.fortiauthenticator.log.subcategory",
+ "log.level",
+ "user.name",
+ "source.ip",
+ "message"
+ ],
+ "description": "System, High Availability, and admin GUI login events from FortiAuthenticator.",
+ "grid": {},
+ "hideChart": true,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "fortinet_fortiauthenticator.log"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "fortinet_fortiauthenticator.log"
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "fortinet.fortiauthenticator.log.subcategory:(System OR \"High Availability\") OR event.action:*admin-gui*"
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "[Logs FortiAuthenticator] System and HA Events"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "id": "fortinet_fortiauthenticator-system-events",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
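Review bot: the KQL in `"query": "fortinet.fortiauthenticator.log.subcategory:(System OR \"High Availability\") OR event.action:*admin-gui*"` relies on a leading-wildcard match, which Elasticsearch runs as a wildcard query over every term of `event.action` and which only works while the Kibana `query:allowLeadingWildcards` advanced setting stays enabled. If the ingest pipeline emits a known set of admin GUI action values, match them exactly, or at least drop the leading `*`; the same `*admin-gui*` pattern is used in the system dashboard panels above. The title "System and HA Events" also understates what the description says is included (admin GUI logins), which is worth reflecting in the title since this search backs the dashboard's "Log Stream" panel.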
diff --git a/packages/fortinet_fortiauthenticator/kibana/tags.yml b/packages/fortinet_fortiauthenticator/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/fortinet_fortiauthenticator/manifest.yml b/packages/fortinet_fortiauthenticator/manifest.yml
new file mode 100644
index 00000000000..ffa8338d9e4
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/manifest.yml
@@ -0,0 +1,51 @@
+name: fortinet_fortiauthenticator
+title: Fortinet FortiAuthenticator Logs
+version: "0.1.0"
+description: Collect logs from Fortinet FortiAuthenticator instances.
+type: integration
+format_version: "3.0.3"
+categories: ["security", "iam"]
+conditions:
+ kibana:
+ version: "^9.0.0"
+ elastic:
+ subscription: basic
+icons:
+ - src: /img/fortinet-logo.svg
+ title: Fortinet
+ size: 216x216
+ type: image/svg+xml
+screenshots:
+ - src: /img/fortinet-fortiauthenticator-overview.png
+ title: Fortinet FortiAuthenticator overview dashboard
+ size: 2782x1665
+ type: image/png
+ - src: /img/fortinet-fortiauthenticator-authentication.png
+ title: Fortinet FortiAuthenticator authentication events dashboard
+ size: 2785x1961
+ type: image/png
+ - src: /img/fortinet-fortiauthenticator-admin-audit.png
+ title: Fortinet FortiAuthenticator admin configuration audit dashboard
+ size: 2785x1961
+ type: image/png
+ - src: /img/fortinet-fortiauthenticator-system.png
+ title: Fortinet FortiAuthenticator system and HA dashboard
+ size: 2786x1961
+ type: image/png
+policy_templates:
+ - name: fortinet_fortiauthenticator
+ title: Fortinet FortiAuthenticator logs
+ description: Collect logs from Fortinet FortiAuthenticator instances.
+ inputs:
+ - type: filestream
+ title: Collect Fortinet FortiAuthenticator logs via Filestream
+ description: Collect Fortinet FortiAuthenticator logs from files.
+ - type: tcp
+ title: Collect Fortinet FortiAuthenticator logs via TCP
+ description: Collect Fortinet FortiAuthenticator logs over TCP.
+ - type: udp
+ title: Collect Fortinet FortiAuthenticator logs via UDP
+ description: Collect Fortinet FortiAuthenticator logs over UDP.
+owner:
+ github: elastic/integration-experience
+ type: elastic
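Review bot: the `tcp` and `udp` input titles and descriptions ("Collect Fortinet FortiAuthenticator logs over TCP", "... over UDP") do not mention syslog, although the README in this change says the device sends syslog over TCP/UDP; naming the format ("syslog via TCP") helps users pick the right input in the policy editor and distinguishes it from the `filestream` input.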
diff --git a/packages/fortinet_fortiauthenticator/validation.yml b/packages/fortinet_fortiauthenticator/validation.yml
new file mode 100644
index 00000000000..4ed4947e035
--- /dev/null
+++ b/packages/fortinet_fortiauthenticator/validation.yml
@@ -0,0 +1,7 @@
+errors:
+ exclude_checks:
+ - SVR00004 # References in dashboards.
+ - SVR00005 # Kibana version for saved tags.
+docs_structure_enforced:
+ enabled: true
+ version: 1
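Review bot: the comments on the two `exclude_checks` entries (`# References in dashboards.`, `# Kibana version for saved tags.`) only restate the check names and not why the package needs to skip them; record which asset triggers each (for instance the dashboard `references` entries or `tags.yml`) so the exclusions can be revisited once the underlying issue is fixed rather than being carried forward indefinitely.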