Hello, I've installed the Fleet Server, Elastic Agent, and the Fortinet integration with the TCP input (I'm using a FortiAnalyzer that forwards the logs of all my FortiGates) on the Fleet Server machine. At first the logs from the FortiGates arrived in Elastic on time, but after a day I found that only 3 FortiGates were still sending in real time while the others were delayed by 3 hours, and after another day all FortiGate logs were arriving 7 hours late. I looked at the logs via Observability -> Logs -> Stream and Analytics -> Discover. I've tried adjusting bulk_max_size and worker. The timezone in Elastic, Kibana, and FortiGate is correct, but that doesn't help. Is there something wrong? Thank you.
Elastic Stack Version 8.18
This is an example of a JSON document I received in my Elastic SIEM when the time was 11:50 on 23/07/2025:
{
"_index": ".ds-logs-fortinet_fortigate.log-default-YYYY.MM.DD-000001",
"_id": "SAMPLE_DOC_ID",
"_version": 1,
"_source": {
"agent": {
"name": "example-agent",
"id": "AGENT_ID_SAMPLE",
"ephemeral_id": "EPHEMERAL_ID_SAMPLE",
"type": "filebeat",
"version": "8.18.3"
},
"log": {
"level": "notice",
"source": {
"address": "192.0.2.1:55000"
},
"syslog": {
"severity": { "code": 5 },
"priority": 189,
"facility": { "code": 23 }
}
},
"elastic_agent": {
"id": "AGENT_ID_SAMPLE",
"version": "8.18.3",
"snapshot": false
},
"destination": {
"port": 53,
"bytes": 268,
"ip": "10.0.0.2",
"packets": 2
},
"rule": {
"ruleset": "policy",
"id": "37",
"category": "Network-Service",
"uuid": "RULE_UUID_SAMPLE"
},
"source": {
"port": 60242,
"bytes": 120,
"ip": "10.0.0.1",
"mac": "AA-BB-CC-DD-EE-FF",
"packets": 2
},
"tags": [
"preserve_original_event",
"fortinet-fortigate",
"fortinet-firewall",
"forwarded"
],
"network": {
"protocol": "dns",
"application": "DNS",
"bytes": 388,
"transport": "udp",
"iana_number": "17",
"packets": 4,
"direction": "internal"
},
"input": { "type": "tcp" },
"observer": {
"ingress": { "interface": { "name": "lan1" } },
"product": "Fortigate",
"vendor": "Fortinet",
"name": "FGT_SAMPLE",
"serial_number": "SERIAL_SAMPLE",
"type": "firewall",
"egress": { "interface": { "name": "Tunnel1" } }
},
"@timestamp": "2025-07-22T23:52:41.000+01:00",
"ecs": { "version": "8.17.0" },
"related": { "ip": ["10.0.0.1", "10.0.0.2"] },
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "fortinet_fortigate.log"
},
"fortinet": {
"firewall": {
"vwlname": "to_site",
"applist": "default",
"sessionid": "12345678",
"type": "traffic",
"srccountry": "Reserved",
"vwlid": "2",
"mastersrcmac": "aa:bb:cc:dd:ee:ff",
"action": "accept",
"trandisp": "noop",
"osname": "Ubuntu",
"srcserver": "0",
"vpntype": "ipsecvpn",
"vwlquality": "Seq_num(93 Tunnel1), alive, sla(0x1)",
"vd": "root",
"devtype": "Computer",
"dstcountry": "Reserved",
"srcintfrole": "lan",
"logver": "702111740",
"apprisk": "elevated",
"subtype": "forward",
"timestamp": "1753228361",
"dstintfrole": "wan",
"appid": "16195"
}
},
"event": {
"original": "<189>logver=702111740 timestamp=1753228361 devname=\"FGT_SAMPLE\" devid=\"FGT_SAMPLE\" vd=\"root\" date=2025-07-22 time=23:52:41 eventtime=1753224761778859740 tz=\"+0100\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=10.0.0.1 srcport=60242 srcintf=\"lan1\" srcintfrole=\"lan\" dstip=10.0.0.2 dstport=53 dstintf=\"Tunnel1\" dstintfrole=\"wan\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=12345678 proto=17 action=\"accept\" policyid=37 policytype=\"policy\" poluuid=\"RULE_UUID_SAMPLE\" service=\"DNS\" trandisp=\"noop\" appid=16195 app=\"DNS\" appcat=\"Network.Service\" apprisk=\"elevated\" applist=\"default\" duration=180 sentbyte=120 rcvdbyte=268 sentpkt=2 rcvdpkt=2 vpntype=\"ipsecvpn\" vwlid=2 vwlquality=\"Seq_num(93 Tunnel1), alive, sla(0x1)\" vwlname=\"to_site\" devtype=\"Computer\" osname=\"Ubuntu\" mastersrcmac=\"aa:bb:cc:dd:ee:ff\" srcmac=\"aa:bb:cc:dd:ee:ff\" srcserver=0",
"code": "0000000013",
"timezone": "+0100",
"kind": "event",
"start": "2025-07-22T23:52:41.778+01:00",
"type": ["connection", "end", "protocol", "allowed"],
"duration": 180000000000,
"agent_id_status": "verified",
"ingested": "2025-07-23T10:46:01Z",
"action": "accept",
"category": ["network"],
"dataset": "fortinet_fortigate.log",
"outcome": "success"
}
}
}