Configuration fortigate with filebeat

Hello, I have a project that works with FortiGate and Filebeat.
I want to collect sys_log from FortiGate into Filebeat.
My configuration:

fortigate

config log syslogd setting
set status enable
set server filebeat_server
set mode reliable
next
end

filebeat

  - type: syslog
    enabled: true
    host: ":"
    protocol.udp:
    max_message_size: 10MiB

But it looks like it does not work as well as

Which FB version are you using?
Have you enabled the fortinet module?
filebeat modules enable fortinet

If you still want pure syslog:

filebeat.inputs:
- type: syslog
  enabled: true
  format: auto
  protocol.udp:
    host: "0.0.0.0:514"

For test purposes, until data is received, you can set the console output:

output.console:
  pretty: true

Make sure that your data is coming to the FB host.
netstat -ulpn | grep ':<portnum>'

My Filebeat is using version 8.10.3.

That is relatively new; there shouldn't be issues.

Set the correct filebeat.yml and make sure that the traffic is coming to the FB host.

I want to confirm with you again.
My FortiGate config is

config log syslogd setting
set status enable
set server filebeat_server
set mode reliable
next
end

and filebeat.yml

filebeat.inputs:
- type: syslog
  enabled: true
  format: auto
  protocol.udp:
    host: "0.0.0.0:514"

output.console:
  pretty: true

And for me, I make sure that the traffic sent from FortiGate must be listened to by Filebeat, right?

Thank you in advance!!

This means it will send over TCP.

Change in filebeat.yml:

filebeat.inputs:
- type: syslog
  enabled: true
  format: auto
  protocol.tcp:
    host: "0.0.0.0:514"
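
A small check for the transport mismatch this thread turned on, as an added example that is not part of the original posts: it listens on both TCP and UDP on one port and reports which transport the sender's first message arrives on, plus whether a TCP payload starts with an RFC 6587 octet count. The function names and defaults are assumptions for illustration.

```python
"""Report which transport (and TCP framing) a syslog sender actually uses."""
import re
import selectors
import socket

OCTET_COUNT = re.compile(rb"^\d+ <\d{1,3}>")  # RFC 6587 octet-counting prefix


def open_listeners(host="0.0.0.0", port=514):
    """Bind TCP and UDP on the same port; port=0 lets the OS pick a free one."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    tcp.bind((host, port))
    tcp.listen(5)
    port = tcp.getsockname()[1]
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, port))
    return tcp, udp, port


def first_message(tcp, udp, timeout=30.0):
    """Return (transport, framing, sender_ip, payload), or None on timeout."""
    sel = selectors.DefaultSelector()
    sel.register(tcp, selectors.EVENT_READ, "tcp")
    sel.register(udp, selectors.EVENT_READ, "udp")
    try:
        events = sel.select(timeout)
        if not events:
            return None
        if events[0][0].data == "udp":
            data, addr = udp.recvfrom(65535)
            return "udp", "datagram", addr[0], data
        conn, addr = tcp.accept()
        with conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(65535)
            except socket.timeout:
                data = b""  # sender connected but sent nothing in time
        framing = "octet-counted" if OCTET_COUNT.match(data) else "delimiter"
        return "tcp", framing, addr[0], data
    finally:
        sel.close()


if __name__ == "__main__":
    # Stop Filebeat first so port 514 is free; binding below 1024 needs root.
    tcp, udp, port = open_listeners()
    print(f"listening on tcp+udp/{port}")
    print(first_message(tcp, udp) or "nothing received: check routing and firewall rules")
```

If it reports `tcp`, Filebeat needs the `protocol.tcp` input from the answer above; for an octet-counted payload, Filebeat's TCP options also include `framing: rfc6587`.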
