Hi There,
I'm trying to set up my FortiGate device to send logs to my ELK cluster. I am running ELK inside a Docker container. Here is what my FortiGate config looks like:
# Second syslog destination (syslogd2) on the FortiGate, pointed at the Logstash host.
config log syslogd2 setting
set status enable
set server "my-elk-docker-host's-IP"
# "reliable" = syslog over TCP; this is the side that pairs with the tcp {} input in Logstash
# (the udp {} input in that pipeline is not used by this setting).
set mode reliable
# 6514 is the IANA port for syslog over TLS, but enc-algorithm below is disabled, so this
# session is plaintext TCP; choosing 6514 does not add any encryption by itself.
set port 6514
set facility local7
# Empty source-ip: presumably the FortiGate picks the egress interface address — confirm.
set source-ip ''
set format default
# No TLS: every log line (the srcip/dstip/devname fields the pipeline extracts, and the rest)
# crosses the network in cleartext and can be read or altered in transit. Turning encryption
# on here (enc-algorithm high) only works once the Logstash tcp input is also configured for TLS.
set enc-algorithm disable
end
I used this as a reference for my Logstash config (see the full config below).
I guess what I am looking for is how to troubleshoot when something doesn't work. I went ahead and tried to create a new index pattern in Kibana, but it said I don't have any data in ES yet. I ran a sniffer on my FortiGate device and was able to see the TCP handshake complete successfully, so the logs must be reaching Logstash, right? Where do I look to see what's happening under the hood?
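# Logstash pipeline for FortiGate syslog.
# Listens on 6514/tcp and 6514/udp, groks the FortiGate header, splits the remaining
# key=value payload, tags the event by log type and routes it to a per-type Elasticsearch
# index.
#
# Where to look when nothing shows up in Elasticsearch:
#   1. Logstash's own log (e.g. `docker logs <logstash-container>`): if FORTIDATE is not
#      defined in patterns_dir (the directory must exist inside the container), the pipeline
#      does not load at all.
#   2. The stdout fallbacks in the output section: an event whose grok match fails never gets
#      the "FortiGate" tag (it gets "_grokparsefailure" instead) and used to match no output.
#   3. hosts => "127.0.0.1:9200" is resolved from inside the Logstash container; if
#      Elasticsearch runs in a different container, that address is not Elasticsearch.
input {
  # The FortiGate config sends in "reliable" (TCP) mode with enc-algorithm disabled, so this
  # is plaintext syslog even though 6514 is the IANA port for syslog over TLS. To encrypt,
  # set ssl_enable => true with ssl_cert/ssl_key here and enable enc-algorithm on the FortiGate.
  tcp {
    port => 6514
    tags => "syslog"
  }
  # Not used by the FortiGate config shown (reliable/TCP mode); kept for a UDP sender.
  udp {
    port => 6514
    tags => "syslog"
  }
  stdin {}
}

filter {
  if "syslog" in [tags] {
    # FORTIDATE is a custom pattern and must be defined under patterns_dir, otherwise the
    # pipeline fails to start (visible in the Logstash log, not in Kibana).
    # The "FortiGate" tag is only added when the match succeeds; on failure Logstash adds
    # "_grokparsefailure" and none of the blocks below run.
    grok {
      patterns_dir => [ "/etc/logstash/patterns.d" ]
      match => {
        "message" => [ "%{SYSLOG5424PRI:syslog_index}date=%{FORTIDATE:date} time=%{TIME:time} devname=\"%{HOSTNAME:devname}\" devid=\"%{HOSTNAME:devid}\" logid=\"%{NUMBER:logid}\" type=\"%{DATA:type}\" subtype=\"%{DATA:subtype}\" %{GREEDYDATA:fortigate}" ]
      }
      add_tag => [ "FortiGate" ]
    }

    if "FortiGate" in [tags] {
      # Build the event timestamp from the FortiGate date/time fields (device-local time).
      mutate {
        add_field => { "FORTIDATETIME" => "%{date} %{time}" }
      }
      date {
        match => [ "FORTIDATETIME", "YYYY-MM-dd HH:mm:ss" ]
        timezone => "Asia/Tokyo"
        locale => en
        target => "@timestamp"
      }

      # Everything after the grok header is key=value pairs separated by whitespace.
      kv {
        source => "fortigate"
        field_split => "\s"
        value_split => "="
      }

      # Drop the scaffolding fields once they have been consumed ("year"/"month"/"day" are
      # never created by this pipeline; listing them is harmless).
      mutate {
        remove_field => [ "syslog_index", "year", "month", "day", "fortigate", "date", "time", "FORTIDATETIME", "message" ]
      }

      # Tag by log type. `in` on a string field is a substring test, so e.g. "dns" also
      # matches a type value that merely contains "dns".
      if "event" in [type] {
        mutate {
          add_tag => [ "Event" ]
        }
      }
      if "traffic" in [type] {
        mutate {
          add_tag => [ "Traffic" ]
        }
      }
      if "utm" in [type] {
        mutate {
          add_tag => [ "UTM" ]
        }
      }
      if "dns" in [type] {
        mutate {
          add_tag => [ "DNS" ]
        }
      }
      if "anomaly" in [type] {
        mutate {
          add_tag => [ "Anomaly" ]
        }
      }

      # GeoIP only for non-private addresses; the regex covers loopback, link-local and the
      # RFC 1918 ranges.
      if "Traffic" in [tags] or "UTM" in [tags] or "Anomaly" in [tags] {
        if [srcip] !~ "(^127\.)|(^169\.254\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)" {
          geoip {
            source => "srcip"
            target => "src_geoip"
          }
        }
        if [dstip] !~ "(^127\.)|(^169\.254\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)" {
          geoip {
            source => "dstip"
            target => "dst_geoip"
          }
        }
      }
    }
  }
}

output {
  if "FortiGate" in [tags] {
    # NOTE: 127.0.0.1 is evaluated inside the Logstash container; if Elasticsearch is a
    # separate container, use its service name / host address here instead — confirm.
    if "Event" in [tags] {
      elasticsearch {
        hosts => [ "127.0.0.1:9200" ]
        index => "fortigate_event-%{+YYYY.MM.dd}.log"
      }
    }
    if "Traffic" in [tags] {
      elasticsearch {
        hosts => [ "127.0.0.1:9200" ]
        index => "fortigate_traffic-%{+YYYY.MM.dd}.log"
      }
    }
    if "UTM" in [tags] {
      elasticsearch {
        hosts => [ "127.0.0.1:9200" ]
        index => "fortigate_utm-%{+YYYY.MM.dd}.log"
      }
    }
    if "DNS" in [tags] {
      elasticsearch {
        hosts => [ "127.0.0.1:9200" ]
        index => "fortigate_dns-%{+YYYY.MM.dd}.log"
      }
    }
    if "Anomaly" in [tags] {
      elasticsearch {
        hosts => [ "127.0.0.1:9200" ]
        index => "fortigate_anomaly-%{+YYYY.MM.dd}.log"
      }
    }
    # FIX: a parsed FortiGate event whose type matched none of the five tags above used to
    # match no output and disappear silently; show it so the gap is visible.
    if !("Event" in [tags] or "Traffic" in [tags] or "UTM" in [tags] or "DNS" in [tags] or "Anomaly" in [tags]) {
      stdout { codec => rubydebug }
    }
  } else {
    # FIX: events without the "FortiGate" tag — grok failures ("_grokparsefailure") or input
    # that is not syslog — used to match no output and were dropped without a trace. Printing
    # them is the first place to look when Elasticsearch stays empty.
    stdout { codec => rubydebug }
  }
}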