I have two machines: 1. a Fortigate appliance and 2. an ELK machine.
In my ELK machine I have the following services:
filebeat with the following input and output:
filebeat.inputs:           # the key is "inputs" (plural); "filebeat.input" is not read by Filebeat
- type: udp
  host: "172.16.57.222:5044" ## this is FG machine
  # note: the UDP input binds to a local interface of the ELK host, so this must be an
  # address the ELK machine owns, and the FortiGate must send its syslog to it
  max_message_size: 10KiB   # underscores, not hyphens
  enabled: true
output.logstash:
  hosts: ["localhost:5044"] # TCP; the Beats protocol takes host:port, no http:// scheme
In the Logstash configuration I have:
input {
  beats {
    port => 5044
  }
}
output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["localhost:9200"]
      user => "elastic"
      password => "changeme"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      user => "elastic"
      password => "changeme"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
Elasticsearch configuration:
network.host: localhost
http.port: 9200
Notes: 1. I can see the logs via tcpdump, so the logs arrive. 2. When I use filestream instead of udp in filebeat, I can see the system logs. 3. The fortinet module is enabled and it's okay.
But I can't send data from filebeat to kibana, i.e.:
filebeat->logstash->elastic->kibana
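A hop-by-hop check of the chain described in this post, as an added example that is not part of the original question and not an Elastic or Fortinet tool. It takes the addresses and credentials from the post (the UDP listener at 172.16.57.222:5044, Logstash on TCP localhost:5044, Elasticsearch at http://localhost:9200 with elastic/changeme) as assumptions, sends a constructed FortiGate-style key=value event into the Filebeat UDP input, confirms Logstash is actually listening on the Beats TCP port, and then asks Elasticsearch how many documents the filebeat-* indices hold. The log line is constructed for the example; the device id in it is a placeholder.

```python
import base64
import json
import re
import socket
import urllib.request

# Constructed sample in FortiGate's key=value log format (not a real device record).
SAMPLE_FORTIGATE_LOG = (
    'date=2024-01-01 time=12:00:00 devname="fgt-lab" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 dstip=10.0.0.9 action="accept" msg="test event with spaces"'
)

# key=value pairs; values are either a double-quoted string (spaces allowed) or a bare token
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_kv(line: str) -> dict:
    """Split a FortiGate key=value line into a dict, stripping quotes from quoted values."""
    out = {}
    for key, raw in _KV_RE.findall(line):
        out[key] = raw[1:-1] if raw.startswith('"') else raw
    return out


def build_syslog(message: str, facility: int = 16, severity: int = 6) -> bytes:
    """Prefix a message with an RFC 3164 <PRI> header (local0.info by default),
    which is the shape a syslog receiver such as the Filebeat udp input expects."""
    pri = facility * 8 + severity
    return f"<{pri}>{message}".encode()


def send_udp(host: str, port: int, payload: bytes) -> int:
    """Fire one datagram at the Filebeat UDP input; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if something accepts TCP connections on host:port (Logstash beats input)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def es_count(base_url: str, index_pattern: str, user: str, password: str,
             timeout: float = 5.0) -> int:
    """Document count for an index pattern via the _count API with HTTP basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/{index_pattern}/_count",
        headers={"Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["count"]


if __name__ == "__main__":
    # Addresses as given in the post; adjust if the ELK host's IP differs (assumption).
    UDP_LISTENER = ("172.16.57.222", 5044)
    LOGSTASH_BEATS = ("localhost", 5044)
    ES_URL, ES_USER, ES_PASS = "http://localhost:9200", "elastic", "changeme"

    before = es_count(ES_URL, "filebeat-*", ES_USER, ES_PASS)
    sent = send_udp(*UDP_LISTENER, build_syslog(SAMPLE_FORTIGATE_LOG))
    print(f"sent {sent} bytes to filebeat udp input {UDP_LISTENER}")
    print(f"logstash beats port open: {tcp_open(*LOGSTASH_BEATS)}")
    print(f"filebeat-* docs before: {before}, "
          f"after: {es_count(ES_URL, 'filebeat-*', ES_USER, ES_PASS)}")
```

If the datagram is sent but the Logstash port check is False, Filebeat has nowhere to ship to; if the port is open but the document count never moves, the break is between Filebeat and Logstash (the output block) or in the Logstash to Elasticsearch leg, and `filebeat test output` together with the Logstash log is the next place to look.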