Just to confirm, when you mention that it did work with UDP, do you mean that you sent data directly from the FortiGate to the filebeat UDP input, or that the FortiGate is sending to rsyslog first?
Is there any reason why the data needs to enter rsyslog first? For example, do you want to send it to a second location for backup purposes?
Most likely, once the data is received by rsyslog and it writes it to a file, it modifies the format slightly. Would you be able to provide a sample log line from the file?
Previously, I sent logs from the FortiGate to UDP port 9004 and to syslog.
I have to send the logs with TLS, so I configured the Forti syslog like this:
```
config log syslogd setting
    set status enable
    set server "xxxxx"
    set mode reliable
    set port 6514
    set facility local0
    set enc-algorithm high-medium
    set ssl-min-proto-version TLSv1-2
    set certificate "syslog"
    set source-ip "xxxx"
end
```
I'd like to send the logs over TCP with TLS directly to filebeat, but it seems that the fortinet filebeat module does not include TLS communication.
Here's a sample of the logs from syslog.
The format from syslog is modified, as you said.
Soooo, I understand why I've got this issue with grok. Is it possible to send Forti logs to the Forti filebeat module with TLS? (seems not)
The aim, in the end, is to have the beautiful graphs from this project.
I have read all those scripts and I can choose the syslog input for logstash. Is it possible to send Forti logs to the logstash syslog input with TLS? (seems not, again)
So if you use the 7.12 version, set the input type to tcp and configure the TLS settings, it should work just fine.
Something like this in the fortinet.yml under the firewall module, together with the rest of your settings, though remove things like client auth if it's not used:
```yaml
ssl:
  enabled: true
  certificate: "foo.crt"
  key: "foo.key"
  # Valid values are none, optional or required (not a boolean).
  client_authentication: required
  # full verifies the client certificate chain and hostname; use none if it shouldn't check the cert.
  verification_mode: full
```
I have updated filebeat and made the configuration, but in the logs:
```
Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: fileset fortinet/ssl is configured but doesn't exist
```
The documentation seems not to be updated for the fortinet filebeat module.
```yaml
# Module: fortinet
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-fortinet.html

- module: fortinet
  firewall:
    enabled: true

    # Set which input to use between tcp, udp (default) or file.
    var.input: tcp

    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 0.0.0.0

    # The port to listen for syslog traffic. Defaults to 9004.
    var.syslog_port: 9004

  ssl:
    enabled: true
    certificate: "/etc/filebeat/xxx.pem"
    key: "/etc/filebeat/xxx.key"
    client_authentication: true
    verification_mode: none # or none if it shouldn't check the hostname of the cert

  clientendpoint:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9510

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  fortimail:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9529

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  fortimanager:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9530

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
```
```yaml
# Module: fortinet
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-fortinet.html

- module: fortinet
  firewall:
    enabled: true

    # Set which input to use between tcp, udp (default) or file.
    var.input: tcp

    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 0.0.0.0

    # The port to listen for syslog traffic. Defaults to 9004.
    var.syslog_port: 9004

    var.ssl:
      enabled: true
      certificate: "/etc/filebeat/xxx.pem"
      key: "/etc/filebeat/xxx.key"
      client_authentication: true
      verification_mode: none # or none if it shouldn't check the hostname of the cert
```
I added the `var.` prefix to `ssl` and changed the indentation so that it's under the firewall line, instead of on the same indentation as it.
```
Provided Grok expressions do not match field value: [\u0016\u0003\u0001\u0001�\u0001\u0000\u0001�\u0003\u0003��\u0004�#\u0006�^\u0006Jn�M�j\u001A\u0002M\r��\t���ҏ���)C \u0000{\u001F�h7\r���9�-H;���]
```
Is there an option to add CA certificate like logstash or winlogbeat?
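The leading bytes in the grok error above (`\u0016\u0003\u0001`, i.e. 0x16 0x03 0x01) are not syslog text: 0x16 is the TLS handshake record type and 0x03 0x01 the record-layer version, followed by a ClientHello (handshake type 0x01) advertising TLS 1.2 (0x03 0x03). That is what a plaintext TCP input sees when the sender speaks TLS to it, so the error means the listener is not terminating TLS. As an added example (not code from the thread or from Filebeat), here is a small Python checker that tells a raw TLS record apart from a syslog line; the sample inputs are constructed.

```python
import re
from typing import Optional

# Constructed samples (not from the thread): a FortiGate-style syslog line and the
# first bytes of a TLS 1.2 ClientHello as a plaintext listener would receive them.
SYSLOG_LINE = b'<189>date=2021-01-01 time=00:00:00 devname="fw1" type="traffic"'
TLS_CLIENT_HELLO = bytes.fromhex("160301012a010001260303") + b"\x00" * 20

# TLS record-layer content types (RFC 5246 section 6.2.1) and handshake types.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}

# RFC 5424/3164 lines start with a <PRI> field such as <189>.
SYSLOG_PRI = re.compile(rb"^<\d{1,3}>")


def tls_record_info(payload: bytes) -> Optional[dict]:
    """Parse a TLS record header; return its fields, or None if it is not TLS."""
    if len(payload) < 5:
        return None
    ctype, major, minor = payload[0], payload[1], payload[2]
    # Record version is always 3.x (SSL 3.0 .. TLS 1.3 use 3.0 .. 3.4 on the wire).
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    info = {
        "content_type": TLS_CONTENT_TYPES[ctype],
        "record_version": (major, minor),
        "record_length": int.from_bytes(payload[3:5], "big"),
    }
    if ctype == 22 and len(payload) >= 11:
        htype = payload[5]  # handshake type, then 3-byte length, then client version
        info["handshake_type"] = HANDSHAKE_TYPES.get(htype, f"type_{htype}")
        if htype == 1:
            info["client_version"] = (payload[9], payload[10])
    return info


def classify_payload(payload: bytes) -> str:
    """Label what a syslog-over-TCP listener actually received."""
    if tls_record_info(payload):
        return "tls"  # sender is speaking TLS; the listener must terminate it
    if SYSLOG_PRI.match(payload):
        return "syslog"
    return "unknown"


if __name__ == "__main__":
    for sample in (SYSLOG_LINE, TLS_CLIENT_HELLO):
        print(classify_payload(sample), tls_record_info(sample))
```

Feeding it the first bytes captured on the listener port tells you whether the FortiGate is sending TLS (as its `set mode reliable` plus certificate settings intend) and therefore whether the input side's `var.ssl` block is actually in effect.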