FILEBEAT module Fortinet : Provided Grok expressions do not match field value

Marius_Iversen · April 14, 2021, 11:11am

Ah so that explains it. The TLS and TCP actually uses a totally different way to communicate when it comes from fortinet, support for tcp and tls was added in 7.12 here: [Filebeat] rfc6587 framing for fortinet firewall by leehinman · Pull Request #23837 · elastic/beats · GitHub

So if you use the 7.12 version, and set the input type to tcp and configure the TLS settings it should work just fine

Something like this in the fortinet.yml under the firewall module, together with the rest of your settings, though remove things like client auth if its not used:

ssl:
  enabled: true
  certificate: "foo.crt"
  key: "foo.key"
  client_authentication: true
  verification_mode: true # or none if it shouldn't check the hostname of the cert

Topic		Replies	Views
Filebeat Fortinet have error message Beats filebeat	8	1191	January 19, 2021
Provided Grok expressions do not match field value: Fortinet 7.12.1 Beats filebeat	9	3536	May 27, 2021
Filebeat: Fortinet Module not processing data as it should Beats filebeat	15	2106	June 3, 2021
Provided expression do not match field value filebeat 8.15.0 fortinet module Beats beats-module , filebeat	1	59	August 29, 2024
Filebeats: Fortinet Module not processing data as it should Beats beats-module , filebeat	5	3218	October 9, 2020

FILEBEAT module Fortinet : Provided Grok expressions do not match field value

Related topics