Filebeat Fortinet module can't run

Elastic Stack Beats
,
#1

Hi, I'm trying to ship Fortigate300E Log to my Elasticstack with topo: Fortigate syslog port 514 -> Filebeat (fortinet module) -> Elasticsearch -> Kibana. I have 2 question:

First, is it possible?

And when I run filebeat filebeat setup -e with config (below comment) , then it error Exiting: 1 error: error loading config file: invalid config: yaml: line 21: did not find expected key I have check and not find the cause. Hope to get help. Thanks

    [root@localhost ~]# filebeat setup -e
   
    2020-12-14T13:01:33.488+0700    INFO    [index-management]      idxmgmt/std.go:2                                                                                                                                                             61      Auto ILM enable success.
    2020-12-14T13:01:33.489+0700    INFO    [index-management.ilm]  ilm/std.go:139 d                                                                                                                                                             o not generate ilm policy: exists=true, overwrite=false
    2020-12-14T13:01:33.489+0700    INFO    [index-management]      idxmgmt/std.go:2                                                                                                                                                             74      ILM policy successfully loaded.
    2020-12-14T13:01:33.489+0700    INFO    [index-management]      idxmgmt/std.go:4                                                                                                                                                             07      Set setup.template.name to '{filebeat-7.10.1 {now/d}-000001}' as ILM is                                                                                                                                                              enabled.
    2020-12-14T13:01:33.489+0700    INFO    [index-management]      idxmgmt/std.go:4                                                                                                                                                             12      Set setup.template.pattern to 'filebeat-7.10.1-*' as ILM is enabled.
    2020-12-14T13:01:33.489+0700    INFO    [index-management]      idxmgmt/std.go:4                                                                                                                                                             46      Set settings.index.lifecycle.rollover_alias in template to {filebeat-7.1                                                                                                                                                             0.1 {now/d}-000001} as ILM is enabled.
    2020-12-14T13:01:33.489+0700    INFO    [index-management]      idxmgmt/std.go:4                                                                                                                                                             50      Set settings.index.lifecycle.name in template to {filebeat {"policy":{"p                                                                                                                                                             hases":{"hot":{"actions":{"rollover":{"max_age":"30d","max_size":"50gb"}}}}}}} a                                                                                                                                                             s ILM is enabled.
    2020-12-14T13:01:33.490+0700    INFO    template/load.go:183    Existing templat                                                                                                                                                             e will be overwritten, as overwrite is enabled.
    2020-12-14T13:01:34.900+0700    INFO    template/load.go:117    Try loading temp                                                                                                                                                             late filebeat-7.10.1 to Elasticsearch
    2020-12-14T13:01:35.153+0700    INFO    template/load.go:109    template with na                                                                                                                                                             me 'filebeat-7.10.1' loaded.
    2020-12-14T13:01:35.153+0700    INFO    [index-management]      idxmgmt/std.go:2                                                                                                                                                             98      Loaded index template.
    2020-12-14T13:01:35.155+0700    INFO    [index-management]      idxmgmt/std.go:3                                                                                                                                                             09      Write alias successfully generated.
    Index setup finished.
    Loading dashboards (Kibana must be running and reachable)
    2020-12-14T13:01:35.155+0700    INFO    kibana/client.go:119    Kibana url: http                                                                                                                                                             ://localhost:5601
    2020-12-14T13:01:36.463+0700    INFO    [add_cloud_metadata]    add_cloud_metadata/add_cloud_metadata.go:89     add_cloud_metadata: hosting provider type not detected.
    2020-12-14T13:01:36.947+0700    INFO    kibana/client.go:119    Kibana url: http://localhost:5601
    2020-12-14T13:02:45.821+0700    INFO    instance/beat.go:815    Kibana dashboards successfully loaded.
    Loaded dashboards
    2020-12-14T13:02:45.821+0700    WARN    [cfgwarn]       instance/beat.go:556    DEPRECATED: Setting up ML using Filebeat is going to be removed. Please use the ML app to setup jobs. Will be removed in version: 8.0.0
    Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
    See more: https://www.elastic.co/guide/en/machine-learning/current/index.html
    2020-12-14T13:02:45.822+0700    INFO    eslegclient/connection.go:99    elasticsearch url: http://localhost:9200
    2020-12-14T13:02:45.823+0700    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.0
    2020-12-14T13:02:45.824+0700    INFO    kibana/client.go:119    Kibana url: http://localhost:5601
    2020-12-14T13:02:45.860+0700    WARN    fileset/modules.go:421  X-Pack Machine Learning is not enabled
    2020-12-14T13:02:45.862+0700    ERROR   instance/beat.go:956    Exiting: 1 error: error loading config file: invalid config: yaml: line 21: did not find expected key
    Exiting: 1 error: error loading config file: invalid config: yaml: line 21: did not find expected key
#2

filebeat.yml

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

  ### Multiline options

  # Multiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  #multiline.pattern: ^\[

  # Defines if the pattern set under pattern should be negated or not. Default is false.
  #multiline.negate: false

  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
  #multiline.match: after

# filestream is an experimental input. It is going to replace log input in the future.
- type: filestream

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "my_password"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the filebeat.
#instrumentation:
    # Set to true to enable instrumentation of filebeat.
    #enabled: false

    # Environment in which filebeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

fortinet.yml

# Module: fortinet
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-fortinet.html

- module: fortinet
  firewall:
    enabled: true

    # Set which input to use between tcp, udp (default) or file.
    var.input: udp

    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 0.0.0.0

    # The port to listen for syslog traffic. Defaults to 9004.
    var.syslog_port: 514

  clientendpoint:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
     var.input: udp
     var.syslog_host: 0.0.0.0
     var.syslog_port: 514

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  fortimail:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9529

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  fortimanager:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
     var.input: udp
     var.syslog_host: 0.0.0.0
     var.syslog_port: 514

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
#3

I can't see anything immediately wrong with your config myself. Do you have any other modules enabled?
What if you run that again with filebeat -e -d "*" to enable debug?

#4

Hi warkolm,

I have try debug by that command but it's still return: Exiting: 1 error: error loading config file: invalid config: yaml: line 21: did not find

[root@localhost ~]# filebeat modules list
Enabled:
fortinet

This is my full report ( Can't upload here cause limit characters)

1 Like
#5

Thanks, hopefully someone else will pop in and take another look.

1 Like
#6

Try to comment the filebeat.yml like below:

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  #- add_kubernetes_metadata: ~
#7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.