Filebeat Fortinet Module: Mismatch between event.action and event.type in Fortigate Logs

Hello Elastic Community,

We have set up Filebeat to use the Fortinet module for parsing logs from local files that are sent via Syslog to a Syslog server. We are currently running ELK Kibana and Filebeat version 8.7. As we are trying to find a common field for different types of firewalls, we've noticed some inconsistencies in the logs from Fortigate.

Specifically, when the field event.action or fortinet.firewall.action contains the value "close," the field event.type consistently shows the value [denied, connection, end]. The term "denied" in this context seems problematic. Interestingly, when event.action shows "deny," the event.type also shows the same values [denied, connection, end].

Our configuration does not include a final pipeline; everything is handled through the ELK stack tools. We've checked the Filebeat documentation, and there doesn't appear to be any mention of how the event.type field is populated for these logs.


Where does the event.type field originate from in these logs? It's not mentioned in the Filebeat documentation.
Why does the "close" action, which implies that a flow has been successfully terminated, result in an event.type value that includes "denied"?
Any insights would be greatly appreciated. Thank you in advance for your help!

Best regards

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.