How can I get the message field split up? When I set up the module, I followed all the steps mentioned in the documentation. The module is listed as enabled and is sending logs to logstash. I also disabled and enabled the module. It didn't help.
Same here. I can't visualize anything because the message field isn't being parsed. I can see all the data being logged, can't visualize anything at all. Been driving me nuts. Any ideas?
Hi there. I found the reason for my problem: the ingest pipeline is not loaded into ES.
Check this website: https://www.elastic.co/guide/en/logstash/current/use-ingest-pipelines.html
When you execute the command 'filebeat setup --pipelines --modules fortinet' you need to be connected to ES, so the output section in your filebeat.yml must be configured.
In my case it was set to logstash, so that was the issue.
But I still couldn't fix everything yet because now I can't establish a connection to ES. It says connection refused.
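Added illustration, not from any poster in this thread: the Filebeat fortinet ingest pipeline's job is to split the key=value pairs that FortiGate emits with "set format default" out of the raw message field. The small parser below does the same split on a constructed sample line, so you can see which fields should appear once the pipeline is actually loaded in Elasticsearch; the sample values, the regex and the expected-field list are assumptions, not Filebeat's own code.

```python
import re
from typing import Dict, List

# Constructed sample of a FortiGate "format default" syslog line, as it sits
# in Filebeat's message field when no ingest pipeline has processed it.
SAMPLE_MESSAGE = (
    'date=2023-05-04 time=10:15:02 devname="FGT-EDGE-01" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.100.11.23 srcport=51234 dstip=203.0.113.10 dstport=443 '
    'action="accept" policyid=7 msg="Connection allowed by policy \\"Web out\\""'
)

# key=value where the value is either a double-quoted string (with backslash
# escapes, as Fortinet uses inside msg=) or a bare token such as an IP or port.
_KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S*)')

# Fields a practitioner would expect on every traffic log; assumed list.
EXPECTED_FIELDS = ("devname", "type", "subtype", "action", "srcip", "dstip")


def parse_fortinet_kv(message: str) -> Dict[str, str]:
    """Split a Fortinet key=value syslog payload into a flat dict of strings."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(message):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            # Undo Fortinet's backslash escaping inside quoted values.
            value = quoted.replace('\\"', '"').replace('\\\\', '\\')
        else:
            value = raw
        fields[key] = value
    return fields


def missing_expected(fields: Dict[str, str]) -> List[str]:
    """Return the expected fields that did not come out of the split.

    An empty list means the message was parsed; a full list means the
    document still only carries the raw message (pipeline not applied).
    """
    return [name for name in EXPECTED_FIELDS if name not in fields]


if __name__ == "__main__":
    parsed = parse_fortinet_kv(SAMPLE_MESSAGE)
    for k, v in parsed.items():
        print(f"{k}: {v}")
    print("missing:", missing_expected(parsed))
```

If a document in Kibana shows only the raw message and none of these keys, the pipeline was not applied on ingest; reloading it with filebeat setup and reindexing is needed, since ingest pipelines do not rewrite documents already stored.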
Uh ok, now I get what you mean. Did you update your index pattern? Sometimes that can cause trouble.
There might also be something wrong with the mapping and sometimes you have to adjust the fields you want to use manually. But I'm not really familiar with those things.
Redownloaded everything, and recreated it all from scratch again. Same issue.
Here are my Fortinet configs - not sure if I'm missing something?
config log syslogd2 setting
    set status enable
    set server "10.100.11.50"
    set mode reliable
    set port 5513
    set facility local7
    set source-ip ''
    set format default
    set priority default
    set max-log-rate 0
    set enc-algorithm disable
    set interface-select-method auto
end
config log syslogd2 filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter ''
    set filter-type include
end
Filebeat.yml default elasticsearch output:
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
Fortinet.yml from module.d:
- module: fortinet
  firewall:
    enabled: true
    # Set which input to use between tcp, udp (default) or file.
    var.input: tcp
    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 0.0.0.0
    # The port to listen for syslog traffic. Defaults to 9004.
    var.syslog_port: 5513
  clientendpoint:
    enabled: true
I can't find any issue in your configs but I'm also new to the topic.
Maybe go to Stack Management -> Kibana -> Index Patterns -> your index pattern filebeat-* and refresh your index pattern. In my case, those other fields were added then.