Hi all,
I am having trouble integrating Fortigate firewall logs into Elastic using Filebeat. I have set everything up correctly, but Filebeat is unable to capture the logs. I am certain the Fortigate firewall is sending the logs because I can capture them using tcpdump. Here is my configuration:
- Set up Filebeat using the DNF package (on Rocky Linux distribution).
- Set up and enable the Fortinet Filebeat module.
PS: FortiGate version 7.2.5
My filebeat.yml config:
filebeat.inputs:
# filestream is an input for collecting log messages from files.
- type: filestream
  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id
  # Change to true to enable this input configuration.
  enabled: false
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  #path: /etc/filebeat/modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: true

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

setup.kibana:
  host: "https://10.1.10.112:5601"
  ssl.verification_mode: "none"

output.elasticsearch:
  hosts: ["https://10.30.100.90:9200"]
  # bulk_max_size: 3200
  #worker: 16
  # compression_level: 9
  ssl.verification_mode: "none"
  preset: balanced
  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.certificate_authorities: ["/root/http_ca.crt"]
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "*********"
  ssl.ca_trusted_fingerprint: "450687644d3ec832924d472963329c9ee883dd22f3b5878e3bcdb45bcf64f662"
My fortinet.yml config:
- module: fortinet
  firewall:
    enabled: true
    # Set which input to use between tcp, udp (default) or file.
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514
    ######### added by Abderrahmane #########################
    #
    #var.tz_offset: +01:00
    #
    ###################################################
    # Set internal interfaces. Used to override parsed network.direction
    # based on a tagged interface. Both internal and external interfaces must be
    # set to leverage this functionality.
    #var.internal_interfaces: [ "192.168.122.210" ]
    # Set external interfaces. Used to override parsed network.direction
    # based on a tagged interface. Both internal and external interfaces must be
    # set to leverage this functionality.
    #var.external_interfaces: [ "10.30.100.93" ]
For debugging purposes, I am outputting to the console using this configuration (I have commented out the output to Elasticsearch).
output.console:
  pretty: true
On the FortiGate, here is the forwarding config:
BKH-CGNAT-Node0 (override-setting) # get
status : enable
server : 192.168.122.210
mode : udp
port : 514
facility : user
source-ip :
format : rfc5424
priority : default
max-log-rate : 0
interface-select-method: auto
When I start Filebeat using the -e option, I can't see any logs being captured. Meanwhile, I am sure that the logs are being forwarded because I can capture them via tcpdump.
Thanks in advance.
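An added diagnostic for the listener side of this setup (example code, not part of the original post or of Filebeat): it checks whether the address in var.syslog_host/var.syslog_port can actually be bound by the current user, then sends a constructed RFC 5424-framed FortiGate log (facility user, as on the device) through a local UDP round trip and parses the key=value body. The device name, timestamp and log fields are made-up sample values; the assumption that FortiGate sends "-" for the nil RFC 5424 header fields is labelled in the code.

```python
import errno
import re
import socket
# Constructed sample FortiGate traffic-log body; not a line captured from the poster's device.
SAMPLE_BODY = ('date=2024-01-15 time=10:20:30 devname="BKH-CGNAT-Node0" '
               'type="traffic" subtype="forward" level="notice" '
               'srcip=192.168.122.50 dstip=10.30.100.93 action="accept"')

def check_udp_bind(host, port):
    """Try to bind the address var.syslog_host/var.syslog_port point at.
    'permission': ports below 1024 need root or CAP_NET_BIND_SERVICE;
    'in-use': another daemon (e.g. a local syslog) already owns the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "ok"
    except PermissionError:
        return "permission"
    except OSError as exc:
        return "in-use" if exc.errno == errno.EADDRINUSE else f"error:{exc.errno}"
    finally:
        sock.close()

def rfc5424_frame(body, hostname="BKH-CGNAT-Node0", facility=1, severity=5):
    """Wrap the body in an RFC 5424 header; facility 1 = user, as configured
    on the device. Timestamp is constructed; nil fields assumed to be '-'."""
    pri = facility * 8 + severity
    return f"<{pri}>1 2024-01-15T10:20:30Z {hostname} - - - - {body}".encode()

def udp_roundtrip(frame, host="127.0.0.1"):
    """Send one datagram to a throwaway listener on an ephemeral port and
    return what arrived: the bytes a Filebeat udp input would see."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))
    listener.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(frame, listener.getsockname())
        data, _ = listener.recvfrom(65535)
        return data.decode()
    finally:
        sender.close()
        listener.close()

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate(line):
    """Split off the RFC 5424 header and parse key=value pairs (quotes stripped)."""
    header, _, body = line.partition(" - - - - ")
    pri = int(header[1:header.index(">")])
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    fields["_facility"], fields["_severity"] = divmod(pri, 8)
    return fields
```

Running check_udp_bind("0.0.0.0", 514) as the same user Filebeat runs as tells you whether the configured listener can be opened at all, and pointing udp_roundtrip's frame at the real host:port (with Filebeat's console output enabled) shows whether a well-formed message reaches the module.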