Filebeat Fortinet Module + Kibana SIEM

Hi there,

I have an installation of Kibana and Elasticsearch. I have tried the Fortinet Filebeat module, and even the Elastic Agent integration, sending the logs via syslogd. I understand that I should be able to see the FortiGate information in the SIEM part of Kibana, but I don't see anything there at all. The logs are coming through fine, as I can view them inside Kibana under Analytics. Any idea what it could be?

Regards and thanks!

Can you share the logs you are getting in Kibana?

The module and the Elastic Agent integration expect the logs to arrive in a specific format; if the format is different they will not be parsed, and you may not be able to see them in the SIEM application.

Where are the logs coming from: Filebeat (FB) or Elastic Agent? Can you see data in the index?

Yes,

{
    "@timestamp":[
        "2022-10-31T07:35:52.000Z"
    ],
    "agent.ephemeral_id":[
        "7e188737-6d0d-4fad-a905-25854b7ac05f"
    ],
    "agent.hostname":[
        "ip-host-name"
    ],
    "agent.id":[
        "79b41c4a-a45f-457e-a3ab-3325cc4d11ae"
    ],
    "agent.name":[
        "ip-host-name"
    ],
    "agent.type":[
        "filebeat"
    ],
    "agent.version":[
        "8.3.3"
    ],
    "cloud.account.id":[
        "777******"
    ],
    "cloud.availability_zone":[
        "eu-west-3a"
    ],
    "cloud.image.id":[
        "ami-0D********"
    ],
    "cloud.instance.id":[
        "i-040404******"
    ],
    "cloud.machine.type":[
        "t3.medium"
    ],
    "cloud.provider":[
        "aws"
    ],
    "cloud.region":[
        "eu-west-1"
    ],
    "cloud.service.name":[
        "EC2"
    ],
    "destination.ip":[
        "192.168.60.1"
    ],
    "destination.port":[
        53
    ],
    "dns.id":[
        "38357"
    ],
    "dns.question.class":[
        "IN"
    ],
    "dns.question.name":[
        "ipinfo.io"
    ],
    "dns.question.type":[
        "A"
    ],
    "ecs.version":[
        "1.12.0"
    ],
    "event.category":[
        "network"
    ],
    "event.code":[
        "1500054000"
    ],
    "event.dataset":[
        "fortinet.firewall"
    ],
    "event.ingested":[
        "2022-10-31T07:35:52.312Z"
    ],
    "event.kind":[
        "event"
    ],
    "event.module":[
        "fortinet"
    ],
    "event.start":[
        "2022-10-31T07:35:52.209Z"
    ],
    "event.timezone":[
        "+0100"
    ],
    "event.type":[
        "info"
    ],
    "fileset.name":[
        "firewall"
    ],
    "fortinet.firewall.eventtype":[
        "dns-query"
    ],
    "fortinet.firewall.qtypeval":[
        1
    ],
    "fortinet.firewall.sessionid":[
        47186159
    ],
    "fortinet.firewall.srcintfrole":[
        "lan"
    ],
    "fortinet.firewall.subtype":[
        "dns"
    ],
    "fortinet.firewall.type":[
        "utm"
    ],
    "fortinet.firewall.vd":[
        "root"
    ],
    "input.type":[
        "udp"
    ],
    "log.level":[
        "information"
    ],
    "log.source.address":[
        "192.168.10.10:22051"
    ],
    "network.community_id":[
        "1:B/Ajexvt2aTkNRh33qL6beWwym8="
    ],
    "network.direction":[
        "unknown"
    ],
    "network.iana_number":[
        "17"
    ],
    "network.transport":[
        "udp"
    ],
    "network.type":[
        "ipv4"
    ],
    "observer.egress.interface.name":[
        "root"
    ],
    "observer.ingress.interface.name":[
        "ssl.root"
    ],
    "observer.name":[
        "OFFICE"
    ],
    "observer.product":[
        "Fortigate"
    ],
    "observer.serial_number":[
        "FGT40*******"
    ],
    "observer.type":[
        "firewall"
    ],
    "observer.vendor":[
        "Fortinet"
    ],
    "related.hosts":[
        "ipinfo.io"
    ],
    "related.ip":[
        "10.10.10.10",
        "192.160.60.10"
    ],
    "related.user":[
        "test_user"
    ],
    "rule.id":[
        "3"
    ],
    "rule.ruleset":[
        "test-aws"
    ],
    "service.type":[
        "fortinet"
    ],
    "source.ip":[
        "11.111.111.100"
    ],
    "source.port":[
        55847
    ],
    "source.user.name":[
        "test_user"
    ],
    "source.user.name.text":[
        "test_user"
    ],
    "tags":[
        "fortinet-firewall",
        "forwarded",
        "_geoip_database_unavailable_GeoLite2-City.mmdb",
        "_geoip_database_unavailable_GeoLite2-City.mmdb",
        "_geoip_database_unavailable_GeoLite2-ASN.mmdb",
        "_geoip_database_unavailable_GeoLite2-ASN.mmdb",
        "_geoip_database_unavailable_GeoLite2-City.mmdb",
        "_geoip_database_unavailable_GeoLite2-City.mmdb",
        "_geoip_database_unavailable_GeoLite2-ASN.mmdb",
        "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
    ],
    "_id":"Sjn3LIQBkzt5sq6x3FX8",
    "_index":".ds-filebeat-8.3.3-2022.10.27-000001",
    "_score":null
}

Have you imported the dashboards into Kibana?
Is your timezone correct?
"@timestamp": "2022-10-31T07:35:52.000Z"

I have a dashboard in kibana that came along with the integration, but I am not able to visualize anything here.

Regarding the timezone, it seems it is not correct; would it be a problem that the logs appear with a one-hour offset?

Change the time filter in the top-right corner to 24h and check whether you see data.
You can import the dashboards with `./filebeat setup --dashboards`.

Thanks @Rios, I can now see the dashboards, but still not the security info in SIEM.
