Can't see logs from Fortigate device

Hi There,

I'm trying to set up my FortiGate device to send logs to my ELK cluster. I am running ELK inside a Docker container. Here is what my FortiGate config looks like:

    config log syslogd2 setting
        # Second remote syslog destination. "reliable" selects TCP delivery (the
        # TCP handshake seen in the sniffer is consistent with that), so the
        # collector must listen on a TCP socket. Whether messages are framed with a
        # leading octet count or by newline depends on the FortiOS version -- confirm
        # in a packet capture if Logstash shows nothing.
        set status enable
        set server "my-elk-docker-host's-IP"
        set mode reliable
        # 6514 is the IANA port for syslog over TLS (RFC 5425), but enc-algorithm is
        # disabled below, so this is plain TCP: log content crosses the network in
        # cleartext and the collector cannot authenticate the sender. The Logstash
        # tcp input must therefore NOT enable SSL, or the handshake would fail.
        set port 6514
        set facility local7
        set source-ip ''
        set format default
        set enc-algorithm disable
    end

I used this as the basis for my Logstash config. (See full config below.)

I guess what I am really looking for is how to troubleshoot when something doesn't work. I went ahead and tried to create a new index pattern in Kibana, but it said I don't have any data in ES yet. I ran a sniffer on my FortiGate device and was able to see the TCP handshake completing successfully. So the logs must be reaching Logstash, right? Where do I look to see what's happening under the hood?

    input {
      # Plain (non-TLS) TCP listener. This matches the FortiGate side, which has
      # enc-algorithm disabled even though it uses the syslog-over-TLS port 6514.
      # Nothing here authenticates or restricts the sender, so any host that can
      # reach this port can feed events into the filter and indices below --
      # restrict reachability at the host/container network level, and consider
      # ssl_enable with client verification once the device side can do TLS.
      # The default codec is line-oriented; if the device frames TCP syslog with a
      # leading octet count (RFC 6587), confirm that messages still split per line.
      tcp {
        port => 6514
        tags => "syslog"
      }
      # Second, unauthenticated listener on UDP. Not used by the FortiGate config
      # above (mode reliable), so it can be dropped if only TCP is needed.
      udp {
        port => 6514
        tags => "syslog"
      }
      # stdin: inside a container without an attached stdin this reaches EOF at
      # once; presumably harmless here since the TCP port is reachable, but verify
      # it does not stop the pipeline in your Logstash version.
      stdin {}
    }

    filter {
      if "syslog" in [tags] {
        # FORTIDATE is a custom pattern that must exist under patterns_dir; that
        # directory has to be mounted into the Logstash container. On a grok miss
        # the event gets "_grokparsefailure" and NOT the "FortiGate" tag, so none
        # of the processing below runs for it -- check [tags] on events when
        # nothing shows up in ES.
        grok {
          patterns_dir => [ "/etc/logstash/patterns.d" ]
          match => {
            "message" => [ "%{SYSLOG5424PRI:syslog_index}date=%{FORTIDATE:date} time=%{TIME:time} devname=\"%{HOSTNAME:devname}\" devid=\"%{HOSTNAME:devid}\" logid=\"%{NUMBER:logid}\" type=\"%{DATA:type}\" subtype=\"%{DATA:subtype}\" %{GREEDYDATA:fortigate}" ]
          }
          add_tag => [ "FortiGate" ]
        }
        if "FortiGate" in [tags] {
          # Build "YYYY-MM-dd HH:mm:ss" from the device's date/time fields.
          mutate {
            add_field => { "FORTIDATETIME" => "%{date} %{time}" }
          }
          # Timezone is hard-coded; it must match the device's clock setting or
          # @timestamp will be offset from the real event time.
          date {
            match => [ "FORTIDATETIME", "YYYY-MM-dd HH:mm:ss" ]
            timezone => "Asia/Tokyo"
            locale => en
            target => "@timestamp"
          }
          # Splits the remaining key=value pairs into individual fields. Field
          # names come straight from the received text, and the input is
          # unauthenticated, so unexpected keys can appear and grow the index
          # mapping; consider allow-listing keys (include_keys) or a mapping
          # limit on the index.
          kv {
            source => "fortigate"
            field_split => "\s"
            value_split => "="
          }
          # Drop the raw message and intermediate fields once parsed. Note that
          # removing "message" means a kv problem cannot be diagnosed from ES.
          mutate {
            remove_field => [ "syslog_index", "year", "month", "day", "fortigate", "date", "time", "FORTIDATETIME", "message" ]
          }
          # Per-type tags drive the index choice in the output section. These are
          # substring matches on [type]; an event whose type matches none of them
          # gets no tag here.
          if "event" in [type] {
            mutate {
              add_tag => [ "Event" ]
            }
          }
          if "traffic" in [type] {
            mutate {
              add_tag => [ "Traffic" ]
            }
          }
          if "utm" in [type] {
            mutate {
              add_tag => [ "UTM" ]
            }
          }
          if "dns" in [type] {
            mutate {
              add_tag => [ "DNS" ]
            }
          }
          if "anomaly" in [type] {
            mutate {
              add_tag => [ "Anomaly" ]
            }
          }
          # GeoIP only for addresses outside loopback, link-local and RFC 1918.
          # Other non-routable ranges are not excluded by the regex; presumably
          # they just produce a geoip lookup-failure tag -- confirm if they show up.
          if "Traffic" in [tags] or "UTM" in [tags] or "Anomaly" in [tags] {
            if [srcip] !~ "(^127\.)|(^169\.254\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)" {
              geoip {
                source => "srcip"
                target => "src_geoip"
              }
            }
            if [dstip] !~ "(^127\.)|(^169\.254\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)" {
              geoip {
                source => "dstip"
                target => "dst_geoip"
              }
            }
          }
        }
      }
    }

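    output {
      # Every elasticsearch branch below is gated on a tag, so an event that fails
      # grok (no "FortiGate" tag, "_grokparsefailure" added) or that carries a
      # FortiGate type with no matching branch would otherwise be discarded
      # silently -- which is exactly what "no data in ES yet" looks like. The two
      # catch-all branches route such events to their own indices so they can be
      # inspected in Kibana instead of vanishing.
      # All hosts point at 127.0.0.1: that only works if Logstash and
      # Elasticsearch share a network namespace; with separate containers use the
      # ES container's name/IP instead.
      if "FortiGate" in [tags] {
        if "Event" in [tags] {
          elasticsearch {
            hosts => [ "127.0.0.1:9200" ]
            index => "fortigate_event-%{+YYYY.MM.dd}.log"
          }
        }
        if "Traffic" in [tags] {
          elasticsearch {
            hosts => [ "127.0.0.1:9200" ]
            index => "fortigate_traffic-%{+YYYY.MM.dd}.log"
          }
        }
        if "UTM" in [tags] {
          elasticsearch {
            hosts => [ "127.0.0.1:9200" ]
            index => "fortigate_utm-%{+YYYY.MM.dd}.log"
          }
        }
        if "DNS" in [tags] {
          elasticsearch {
            hosts => [ "127.0.0.1:9200" ]
            index => "fortigate_dns-%{+YYYY.MM.dd}.log"
          }
        }
        if "Anomaly" in [tags] {
          elasticsearch {
            hosts => [ "127.0.0.1:9200" ]
            index => "fortigate_anomaly-%{+YYYY.MM.dd}.log"
          }
        }
        # Parsed FortiGate event whose type matched none of the per-type tags.
        if !("Event" in [tags] or "Traffic" in [tags] or "UTM" in [tags] or "DNS" in [tags] or "Anomaly" in [tags]) {
          elasticsearch {
            hosts => [ "127.0.0.1:9200" ]
            index => "fortigate_other-%{+YYYY.MM.dd}.log"
          }
        }
      } else {
        # Anything the grok stage did not recognise (including "_grokparsefailure"
        # events); the raw "message" field is still present on these.
        elasticsearch {
          hosts => [ "127.0.0.1:9200" ]
          index => "logstash_unparsed-%{+YYYY.MM.dd}.log"
        }
      }
      # Uncomment while troubleshooting to print every event as Logstash emits it
      # (docker logs <container>); remove again once the pipeline works.
    #  stdout { codec => rubydebug }
    }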
