Hi @P1llus,
I saw you're the person who gives the most comments on the Filebeat Fortinet module, so I'm asking you directly for help.
I just send my Fortinet logs to my rsyslog server and save them to a file, then I enabled the Fortinet module in Filebeat. I already followed all the procedures to enable the module in this URL .
I have error.message as follows:
"message": "Dec 10 17:59:54 192.100.254.68 date=2020-12-10 time=17:59:54 devname=\"FW_VPN_Jasindo_DRC\" devid=\"FG3H1E5819900316\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1607597994 srcip=192.168.32.38 srcname=\"VCENTER-DRC-BSD\" srcport=46418 srcintf=\"port2\" srcintfrole=\"lan\" dstip=192.168.203.6 dstport=445 dstintf=\"port1\" dstintfrole=\"wan\" poluuid=\"b67b21c8-9185-51e9-efbb-a32dfe6a402c\" sessionid=2387369696 proto=6 action=\"server-rst\" policyid=3 policytype=\"policy\" service=\"SMB\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=1 sentbyte=104 rcvdbyte=80 sentpkt=2 rcvdpkt=2 appcat=\"unscanned\" devtype=\"Windows PC\" devcategory=\"Windows Device\" osname=\"Windows 7 / 2008 R2\" unauthuser=\"vcenter-drc-bsd$\" unauthusersource=\"kerberos\" mastersrcmac=\"00:50:56:ae:1a:90\" srcmac=\"00:50:56:ae:1a:90\" srcserver=1",
"error": {
"message": "Provided Grok expressions do not match field value: [Dec 10 17:59:54 192.100.254.68 date=2020-12-10 time=17:59:54 devname=\\\"FW_VPN_Jasindo_DRC\\\" devid=\\\"FG3H1E5819900316\\\" logid=\\\"0000000013\\\" type=\\\"traffic\\\" subtype=\\\"forward\\\" level=\\\"notice\\\" vd=\\\"root\\\" eventtime=1607597994 srcip=192.168.32.38 srcname=\\\"VCENTER-DRC-BSD\\\" srcport=46418 srcintf=\\\"port2\\\" srcintfrole=\\\"lan\\\" dstip=192.168.203.6 dstport=445 dstintf=\\\"port1\\\" dstintfrole=\\\"wan\\\" poluuid=\\\"b67b21c8-9185-51e9-efbb-a32dfe6a402c\\\" sessionid=2387369696 proto=6 action=\\\"server-rst\\\" policyid=3 policytype=\\\"policy\\\" service=\\\"SMB\\\" dstcountry=\\\"Reserved\\\" srccountry=\\\"Reserved\\\" trandisp=\\\"noop\\\" duration=1 sentbyte=104 rcvdbyte=80 sentpkt=2 rcvdpkt=2 appcat=\\\"unscanned\\\" devtype=\\\"Windows PC\\\" devcategory=\\\"Windows Device\\\" osname=\\\"Windows 7 / 2008 R2\\\" unauthuser=\\\"vcenter-drc-bsd$\\\" unauthusersource=\\\"kerberos\\\" mastersrcmac=\\\"00:50:56:ae:1a:90\\\" srcmac=\\\"00:50:56:ae:1a:90\\\" srcserver=1]"
}
Just to check the Grok in the Fortinet pipeline:
{
  "grok": {
    "patterns": [
      "%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$"
    ],
    "field": "message"
  }
}
The Fortinet config is as follows:
config log syslogd setting
    set status enable
    set server "rsyslog"
    set mode legacy-reliable
    set port 5514
    set facility local7
    set source-ip ''
    set format default
end
Also, this is my fortinet.yml:
# Module: fortinet
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-fortinet.html
- module: fortinet
  firewall:
    enabled: true
    # Set which input to use between tcp, udp (default) or file.
    var.input: file
    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: 0.0.0.0
    # The port to listen for syslog traffic. Defaults to 9004.
    #var.syslog_port: 9004
    # Set paths for the log files when file input is used.
    var.paths: ["/datalog/192.100.254.68/*.log"]
    # Toggle output of non-ECS fields (default true).
    var.rsa_fields: false
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    var.tz_offset: +07:00
  clientendpoint:
    enabled: false
    # Set which input to use between udp (default), tcp or file.
    var.input: file
    # var.syslog_host: localhost
    # var.syslog_port: 9510
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: +07:00
  fortimail:
    enabled: false
    # Set which input to use between udp (default), tcp or file.
    var.input: file
    # var.syslog_host: localhost
    # var.syslog_port: 9529
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: +07:00
  fortimanager:
    enabled: false
    # Set which input to use between udp (default), tcp or file.
    #var.input: file
    # var.syslog_host: localhost
    # var.syslog_port: 9530
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: +07:00
Is there any workaround to make the Fortinet index work?
BTW, I just enabled panw.yml and it works flawlessly.
Appreciate your help.
[Edit]
Elasticsearch: 7.10.0
Filebeat: 7.10.0
Regards,
Fadjar340
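The grok failure quoted in the post can be reproduced offline. The pipeline pattern `%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$` requires the line to begin with a syslog priority header such as `<189>`, while the line rsyslog wrote to the file begins with a timestamp and the relay host (`Dec 10 17:59:54 192.100.254.68 ...`) and carries no `<PRI>` at all, so the first pattern element never matches. The following is an added example, not code from the post, from Elastic or from the Fortinet module: it translates the grok pattern into a plain regex (assuming the standard grok definition `SYSLOG5424PRI` = `<%{NONNEGINT}>`), shows the file line failing and a PRI-prefixed line succeeding, and parses the FortiGate `key=value` body, including quoted values that contain spaces such as `osname="Windows 7 / 2008 R2"`. The sample lines are shortened, constructed copies of the one in the post, and the PRI value 189 is my own computation from the posted config (facility local7 = 23, level notice = 5, 23 * 8 + 5).

```python
import re

# Regex equivalent of the module's grok pattern
# "%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$"
# (assumption: standard grok library, SYSLOG5424PRI = <%{NONNEGINT}>).
FORTINET_GROK = re.compile(r"^<(?P<pri>\d+)>(?P<syslog5424_sd>.*)$", re.DOTALL)

# Constructed sample: the line as rsyslog stored it (timestamp and relay host
# prepended, no <PRI>), trimmed to a few of the fields shown in the post.
RSYSLOG_LINE = (
    'Dec 10 17:59:54 192.100.254.68 date=2020-12-10 time=17:59:54 '
    'devname="FW_VPN_Jasindo_DRC" type="traffic" devtype="Windows PC" '
    'osname="Windows 7 / 2008 R2" srcip=192.168.32.38 srcserver=1'
)

# Constructed sample of the shape the grok pattern expects: the syslog PRI
# directly in front of the FortiGate key=value body (189 = local7*8 + notice).
RAW_LINE = (
    '<189>date=2020-12-10 time=17:59:54 '
    'devname="FW_VPN_Jasindo_DRC" type="traffic" devtype="Windows PC" '
    'osname="Windows 7 / 2008 R2" srcip=192.168.32.38 srcserver=1'
)

# Matches the "Mon DD HH:MM:SS host " prefix rsyslog's default file format adds.
RSYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")

# key=value tokens; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def grok_matches(line: str) -> bool:
    """True if the module's grok pattern would accept this line."""
    return FORTINET_GROK.match(line) is not None


def parse_fortinet_kv(body: str) -> dict:
    """Split a FortiGate key=value body into a dict (quoted or bare values)."""
    fields = {}
    for m in KV_RE.finditer(body):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def grok_and_parse(line: str):
    """Run the grok step, then the kv step; None when grok fails as in the post."""
    m = FORTINET_GROK.match(line)
    if m is None:
        return None
    return int(m.group("pri")), parse_fortinet_kv(m.group("syslog5424_sd"))


def strip_rsyslog_prefix(line: str) -> str:
    """Remove the timestamp/host header rsyslog prepended when writing the file."""
    return RSYSLOG_PREFIX.sub("", line, count=1)


def rebuild_with_pri(line: str, pri: int) -> str:
    """Constructed illustration only: restore the <PRI> header the grok needs."""
    return f"<{pri}>" + strip_rsyslog_prefix(line)


if __name__ == "__main__":
    print("file line matches grok:", grok_matches(RSYSLOG_LINE))
    print("PRI-prefixed line matches grok:", grok_matches(RAW_LINE))
    print(grok_and_parse(RAW_LINE))
```

Running it shows the stored line is rejected at the grok step while the same body with the `<PRI>` header in front parses cleanly, which is why the post's fields never reach the kv stage. `rebuild_with_pri` is there only to make the mismatch visible; in a real pipeline the priority is preserved on the rsyslog side by writing it into the output template (rsyslog exposes it as the `%PRI%` property) rather than patched back in afterwards.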