Filebeat Fortinet module doesn't parse message field

Hi everyone, I'm facing issues with the Fortinet module in Filebeat. It stores the whole log in the message field instead of separate fields.

This is an example of my log (I removed some info such as IPs): https://pastebin.com/5Te8SiHX

How can I get the message field split up? When I set up the module, I followed all the steps mentioned in the documentation. The module is listed as enabled and is sending logs to logstash. I also disabled and enabled the module. It didn't help.

This is what my fortinet.yml looks like: https://pastebin.com/WPkmMQS6

I know I could add a filter to logstash but that would make the module redundant.

Has anyone faced a similar issue before? Any help is appreciated!


Same here. I can't visualize anything because the message field isn't being parsed. I can see all the data being logged, but I can't visualize anything at all. Been driving me nuts. Any ideas?

Hi there. I found the reason for my problem: the ingest pipeline is not loaded into ES.
Check this website: https://www.elastic.co/guide/en/logstash/current/use-ingest-pipelines.html
When you execute the command 'filebeat setup --pipelines --modules fortinet' you need to be connected to ES, so the output section in your filebeat.yml must be configured.

In my case it was set to logstash, so that was the issue.
But I still couldn't fix everything yet because now I can't establish a connection to ES. It says connection refused.
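The loading step described in the reply above, as an added shell example that is not part of the thread and not the poster's own commands. It assumes Filebeat is installed, that Elasticsearch is reachable at ES_URL (default http://localhost:9200, no authentication), and that the module's pipeline IDs follow Filebeat's filebeat-<version>-fortinet-<fileset>-pipeline naming. The -E overrides point `filebeat setup` at Elasticsearch for that one invocation, so the Logstash output in filebeat.yml stays as it is; the check functions then confirm that the pipeline for the running Filebeat version actually exists in the cluster, since Elasticsearch, not Logstash, applies ingest pipelines.

```shell
#!/bin/sh
# Added example for this thread (not the poster's commands). Assumes Filebeat is
# installed, Elasticsearch is reachable at ES_URL without credentials, and the
# module's pipeline IDs follow filebeat-<version>-fortinet-<fileset>-pipeline.
ES_URL="${ES_URL:-http://localhost:9200}"

# Load the Fortinet module's ingest pipelines into Elasticsearch while leaving
# the running Logstash output untouched. The -E flags override settings for
# this one invocation only; nothing in filebeat.yml changes.
load_pipelines() {
  filebeat setup --pipelines --modules fortinet \
    -E output.logstash.enabled=false \
    -E output.elasticsearch.enabled=true \
    -E "output.elasticsearch.hosts=[\"$ES_URL\"]"
}

# Build the pipeline ID Filebeat expects for a version and fileset (default:
# firewall). Events carry this ID in [@metadata][pipeline]; if no pipeline of
# that name exists in the cluster, the document is indexed as-is and the whole
# syslog line stays in the message field.
pipeline_id() {
  printf 'filebeat-%s-fortinet-%s-pipeline\n' "$1" "${2:-firewall}"
}

# Read a `GET _ingest/pipeline` JSON response from stdin and print the unique
# Fortinet pipeline IDs it contains, one per line, sorted.
fortinet_pipelines() {
  grep -o '"filebeat-[0-9][^"]*-fortinet-[^"]*"' | tr -d '"' | sort -u
}

# Exit 0 when the pipeline for Filebeat version $1 (fileset $2, default
# firewall) is present in the JSON on stdin, 1 otherwise. A version mismatch
# between the loaded pipeline and the running Filebeat is a common cause of
# "the pipeline is listed in Kibana but events are still unparsed".
pipeline_present() {
  fortinet_pipelines | grep -qx "$(pipeline_id "$1" "${2:-firewall}")"
}

# Query the cluster and run the check against the installed Filebeat version
# ("filebeat version 7.10.0 (amd64), ..." -> third field).
check_cluster() {
  ver=$(filebeat version | awk '{print $3}')
  curl -s "$ES_URL/_ingest/pipeline/filebeat-*-fortinet-*" | pipeline_present "$ver"
}

# Only touch the network when explicitly asked (FORTINET_RUN=1), so the file
# can be sourced for its functions without side effects.
if [ "${FORTINET_RUN:-0}" = "1" ]; then
  load_pipelines && check_cluster && echo "fortinet firewall pipeline is loaded"
fi
```

Run it as `FORTINET_RUN=1 ES_URL=http://es-host:9200 sh fortinet-pipelines.sh`. Loading the pipeline is only half of the Logstash path: per the Logstash page linked above, the Logstash elasticsearch output must also pass the pipeline name through, i.e. `pipeline => "%{[@metadata][pipeline]}"` in its elasticsearch output block, otherwise events reach Elasticsearch without being routed through the Fortinet pipeline even though it is loaded.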

Weird. I had done that already. I see them in the Ingest Node Pipelines section. Still only 17 'available' fields when creating visualizations

Uh ok, now I get what you mean. Did you update your index pattern? Sometimes that can cause trouble.
There might also be something wrong with the mapping and sometimes you have to adjust the fields you want to use manually. But I'm not really familiar with those things.

Redownloaded everything, and recreated it all from scratch again. Same issue.

Here are my Fortinet configs - not sure if I'm missing something?

config log syslogd2 setting
    set status enable
    set server "10.100.11.50"
    set mode reliable
    set port 5513
    set facility local7
    set source-ip ''
    set format default
    set priority default
    set max-log-rate 0
    set enc-algorithm disable
    set interface-select-method auto
end

config log syslogd2 filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter ''
    set filter-type include
end

Filebeat.yml default elasticsearch output:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

Fortinet.yml from module.d:

- module: fortinet
  firewall:
    enabled: true

    # Set which input to use between tcp, udp (default) or file.
    var.input: tcp

    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 0.0.0.0

    # The port to listen for syslog traffic. Defaults to 9004.
    var.syslog_port: 5513

  clientendpoint:
    enabled: true 

I can't find any issue in your configs but I'm also new to the topic.

Maybe go to Stack Management -> Kibana -> Index Patterns -> your index pattern filebeat-* and refresh your index pattern. In my case, those other fields were added then.
