Filebeat Fortinet Module + Kibana SIEM

Elastic Stack Beats
1

Hi there,

I have an installation of kibana and Elasticsearch, I have tried to use the fortinet filebeat module, even the elastic agent, and send the logs by syslogd, I understand that I should be able to see the fortigate information in the SIEM part of Kibana, but I don't see anything at all. The logs are coming through fine as I can view them inside Kibana in Analytics, any idea what it could be?

Regards and thanks!

2

Can you share the logs you are getting in Kibana?

The module and the elastic agent integration expects the logs to come in a specific format, if the format is different they will not be parsed and you may not be able to see them in the SIEM application.

3

Where logs are coming? FB or Elastic? Can you see data in index?

4

Yes,

{
    "@timestamp":[
        "2022-10-31T07:35:52.000Z"
    ],
    "agent.ephemeral_id":[
        "7e188737-6d0d-4fad-a905-25854b7ac05f"
    ],
    "agent.hostname":[
        "ip-host-name"
    ],
    "agent.id":[
        "79b41c4a-a45f-457e-a3ab-3325cc4d11ae"
    ],
    "agent.name":[
        "ip-host-name"
    ],
    "agent.type":[
        "filebeat"
    ],
    "agent.version":[
        "8.3.3"
    ],
    "cloud.account.id":[
        "777******"
    ],
    "cloud.availability_zone":[
        "eu-west-3a"
    ],
    "cloud.image.id":[
        "ami-0D********"
    ],
    "cloud.instance.id":[
        "i-040404******"
    ],
    "cloud.machine.type":[
        "t3.medium"
    ],
    "cloud.provider":[
        "aws"
    ],
    "cloud.region":[
        "eu-west-1"
    ],
    "cloud.service.name":[
        "EC2"
    ],
    "destination.ip":[
        "192.168.60.1"
    ],
    "destination.port":[
        53
    ],
    "dns.id":[
        "38357"
    ],
    "dns.question.class":[
        "IN"
    ],
    "dns.question.name":[
        "ipinfo.io"
    ],
    "dns.question.type":[
        "A"
    ],
    "ecs.version":[
        "1.12.0"
    ],
    "event.category":[
        "network"
    ],
    "event.code":[
        "1500054000"
    ],
    "event.dataset":[
        "fortinet.firewall"
    ],
    "event.ingested":[
        "2022-10-31T07:35:52.312Z"
    ],
    "event.kind":[
        "event"
    ],
    "event.module":[
        "fortinet"
    ],
    "event.start":[
        "2022-10-31T07:35:52.209Z"
    ],
    "event.timezone":[
        "+0100"
    ],
    "event.type":[
        "info"
    ],
    "fileset.name":[
        "firewall"
    ],
    "fortinet.firewall.eventtype":[
        "dns-query"
    ],
    "fortinet.firewall.qtypeval":[
        1
    ],
    "fortinet.firewall.sessionid":[
        47186159
    ],
    "fortinet.firewall.srcintfrole":[
        "lan"
    ],
    "fortinet.firewall.subtype":[
        "dns"
    ],
    "fortinet.firewall.type":[
        "utm"
    ],
    "fortinet.firewall.vd":[
        "root"
    ],
    "input.type":[
        "udp"
    ],
    "log.level":[
        "information"
    ],
    "log.source.address":[
        "192.168.10.10:22051"
    ],
    "network.community_id":[
        "1:B/Ajexvt2aTkNRh33qL6beWwym8="
    ],
    "network.direction":[
        "unknown"
    ],
    "network.iana_number":[
        "17"
    ],
    "network.transport":[
        "udp"
    ],
    "network.type":[
        "ipv4"
    ],
    "observer.egress.interface.name":[
        "root"
    ],
    "observer.ingress.interface.name":[
        "ssl.root"
    ],
    "observer.name":[
        "OFFICE"
    ],
    "observer.product":[
        "Fortigate"
    ],
    "observer.serial_number":[
        "FGT40*******"
    ],
    "observer.type":[
        "firewall"
    ],
    "observer.vendor":[
        "Fortinet"
    ],
    "related.hosts":[
        "ipinfo.io"
    ],
    "related.ip":[
        "10.10.10.10",
        "192.160.60.10"
    ],
    "related.user":[
        "test_user"
    ],
    "rule.id":[
        "3"
    ],
    "rule.ruleset":[
        "test-aws"
    ],
    "service.type":[
        "fortinet"
    ],
    "source.ip":[
        "11.111.111.100"
    ],
    "source.port":[
        55847
    ],
    "source.user.name":[
        "test_user"
    ],
    "source.user.name.text":[
        "test_user"
    ],
    "tags":[
        "fortinet-firewall",
        "forwarded",
        "_geoip_database_unavailable_GeoLite2-City.mmdb",
        "_geoip_database_unavailable_GeoLite2-City.mmdb",
        "_geoip_database_unavailable_GeoLite2-ASN.mmdb",
        "_geoip_database_unavailable_GeoLite2-ASN.mmdb",
        "_geoip_database_unavailable_GeoLite2-City.mmdb",
        "_geoip_database_unavailable_GeoLite2-City.mmdb",
        "_geoip_database_unavailable_GeoLite2-ASN.mmdb",
        "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
    ],
    "_id":"Sjn3LIQBkzt5sq6x3FX8",
    "_index":".ds-filebeat-8.3.3-2022.10.27-000001",
    "_score":null
}
5

Have you import dashboards in Kibana?
Is your timezone correct?
"@timestamp": "2022-10-31T07:35:52.000Z"

6

I have a dashboard in kibana that came along with the integration, but I am not able to visualize anything here.

Regarding the timezone it seems that it is not ok, but would it be a problem that in the logs it appears with an hour delay?

7

Change a time filter in top right corner to 24h and check will you see data.
You can import dashboard from ./filebeat setup --dashboards

8

Thanks @Rios i can see now the dashboards, but not the security info in SIEM

9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.