Filebeat not capturing Fortigate CGNAT logs

Hi all,

I am having trouble integrating Fortigate firewall logs into Elastic using Filebeat. I have set everything up correctly, but Filebeat is unable to capture the logs. I am certain the Fortigate firewall is sending the logs because I can capture them using tcpdump. Here is my configuration:

  1. Set up Filebeat using the DNF package (on a Rocky Linux distribution).
  2. Set up and enable the Fortinet Filebeat module.

PS: Fortigate version 7.2.5

My filebeat.yml config:

filebeat.inputs:

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  #path: /etc/filebeat/modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: true

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

setup.kibana:

  host: "https://10.1.10.112:5601"
  ssl.verification_mode: "none"

output.elasticsearch:
  hosts: ["https://10.30.100.90:9200"]

  #bulk_max_size: 3200
  #worker: 16
  #compression_level: 9

  ssl.verification_mode: "none"
  preset: balanced

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.certificate_authorities: ["/root/http_ca.crt"]
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "*********"
  ssl.ca_trusted_fingerprint: "450687644d3ec832924d472963329c9ee883dd22f3b5878e3bcdb45bcf64f662"

My fortinet.yml config:

- module: fortinet
  firewall:
    enabled: true

    # Set which input to use between tcp, udp (default) or file.
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514

    ######### added by Abderrahmane#########################
    #
    #var.tz_offset: +01:00
    #
    ###################################################
    # Set internal interfaces. used to override parsed network.direction
    # based on a tagged interface. Both internal and external interfaces must be
    # set to leverage this functionality.
    #var.internal_interfaces: [ "192.168.122.210" ]

    # Set external interfaces. used to override parsed network.direction
    # based on a tagged interface. Both internal and external interfaces must be
    # set to leverage this functionality.
    #var.external_interfaces: [ "10.30.100.93" ]

For debugging purposes, I am outputting to the console using this configuration (I have commented out the output to Elasticsearch).

output.console:
  pretty: true

On the Fortigate, here is the forwarding config:

BKH-CGNAT-Node0 (override-setting) # get
status              : enable
server              : 192.168.122.210
mode                : udp
port                : 514
facility            : user
source-ip           :
format              : rfc5424
priority            : default
max-log-rate        : 0
interface-select-method: auto

When I start Filebeat using the -e option, I can't see any logs being captured. Meanwhile, I am sure that the logs are being forwarded because I can capture them via tcpdump.

Thanks in advance.

Hi @abounhidja, please check this information:

  1. When running the command netstat -nlupt | grep 514 can you see the socket created to receive the data?
  2. Have you checked the status of the filebeat service and whether the module is active?
    systemctl status filebeat
    filebeat modules enable fortinet
  3. Have you tested Filebeat communication with Elasticsearch?
    filebeat test config
    filebeat test output

Hi @wsouza, thanks for your reply:
1. When running the command netstat -nlupt | grep 514 can you see the socket created to receive the data?

  • Yes, here is the output:
# netstat -nlupt | grep 514
udp6       0      0 :::514                  :::*                                2705456/filebeat

2. Have you checked the status of the filebeat service and whether the module is active?
systemctl status filebeat

  • No, but I am starting Filebeat manually (filebeat -e) for testing purposes.

3. Have you tested filebeat communication with elasticsearch?

  • Yes, I tested it and it works. What I did was start Filebeat and then manually telnet to port 514 and paste data; Filebeat did capture the data that I pasted, but not the traffic coming from the Fortigate.
nc -u 192.168.122.210 514

Results when I paste something, successfully captured at the Filebeat level:

{
  "@timestamp": "2024-06-04T07:29:38.651Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "8.11.4",
    "truncated": false
  },
  "host": {
    "ip": [
      "10.30.100.93",
      "fe80::20c:29ff:fe28:51a2",
      "192.168.122.210",
      "fe80::99b1:4946:ce97:266c"
    ],
    "mac": [
      "00-0C-29-28-51-A2",
      "00-0C-29-28-51-AC"
    ],
    "hostname": "syslog-bkh.wataniya-algerie.com",
    "name": "syslog-bkh.wataniya-algerie.com",
    "architecture": "x86_64",
    "os": {
      "type": "linux",
      "platform": "rocky",
      "version": "9.3 (Blue Onyx)",
      "family": "redhat",
      "name": "Rocky Linux",
      "kernel": "5.14.0-362.13.1.el9_3.x86_64",
      "codename": "Blue Onyx"
    },
    "id": "248b7b734dbe4766b389761276258ab4",
    "containerized": false
  },
  "log": {
    "source": {
      "address": "192.168.122.210:57757"
    }
  },
  "message": "trassadza\n",
  "input": {
    "type": "udp"
  },
  "agent": {
    "ephemeral_id": "77125b90-34b8-4318-8af7-bdc8cbb5500f",
    "id": "6e521d88-a325-4ddb-8bdd-534e205e5f49",
    "name": "syslog-bkh.wataniya-algerie.com",
    "type": "filebeat",
    "version": "8.11.4"
  },
  "ecs": {
    "version": "8.0.0"
  }
}

PS: for testing and troubleshooting I disabled the fortinet module and edited the Filebeat config as below to capture all UDP traffic:

filebeat.inputs:
#############Add by Abderrahmane###############
#
- type: udp
  #max_message_size: 500MiB
  host: "0.0.0.0:514"
  syslog_mode: rfc5424

output.console:
  pretty: true
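Two things in this thread deserve a closer look, and the script below (an added example, not code from either poster) makes both concrete. First, the nc test: the captured event's log.source.address is 192.168.122.210, which is one of the collector's own addresses in host.ip, so that datagram travelled over the loopback interface. tcpdump captures packets before netfilter's INPUT chain drops them, and firewalld (enabled by default on Rocky Linux) accepts loopback traffic while filtering datagrams arriving on real interfaces by zone, so a positive tcpdump plus a positive same-host nc test still leave the host firewall untested. is_local_destination() shows which path a given target takes, and send_datagram() is the nc -u equivalent to run from a machine on the Fortigate's side of the network. Second, the message format: the Fortigate is set to format rfc5424, and parse_syslog() parses an RFC 5424 line whose MSG part is Fortigate-style key=value pairs, falling back to plain <PRI> plus key=value when no RFC 5424 header is present. The SAMPLE line, the device name and the field values in it are constructed for this example and are not a captured log.

```python
"""Added diagnostics for the Fortigate -> Filebeat UDP syslog path.

Helpers:
  is_local_destination(dst, port): would a UDP datagram to dst stay on this
      host (loopback) or leave through a real interface?
  parse_syslog(line): parse an RFC 5424 line whose MSG part is Fortigate-style
      key=value pairs; a line with only <PRI> and key=value pairs is handled too.
  send_datagram(dst, port, payload): nc -u equivalent, to be run from a host
      on the Fortigate's side of the network rather than from the collector.

SAMPLE is constructed for this example; it is not a captured Fortigate log.
"""
import re
import socket
from typing import Optional

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Optional <PRI>, optional RFC 5424 HEADER + STRUCTURED-DATA, then the MSG body.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) )?"
    r"(?P<body>.*)$"
)
# key=value or key="value with spaces", as the Fortigate log body is written
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: facility user (1) * 8 + severity info (6) = PRI 14,
# which matches the "facility: user" setting shown in the thread.
SAMPLE = (
    '<14>1 2024-06-04T07:29:38+01:00 BKH-CGNAT-Node0 - - - - '
    'date=2024-06-04 time=08:29:38 devname="BKH-CGNAT-Node0" '
    'logid="0000000013" type="traffic" subtype="forward" level="information" '
    'vd="root" srcip=10.20.30.40 srcport=51234 dstip=198.51.100.10 dstport=443 '
    'proto=6 action="accept" policyid=1 sentbyte=1200 rcvdbyte=4800'
)


def parse_syslog(line: str) -> dict:
    """Return facility/severity, the RFC 5424 header (None if absent) and the key=value fields."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    rec = {"facility": None, "severity": None, "header": None, "fields": {}}
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        if pri > 191:                      # 23 facilities * 8 + 7 is the maximum PRI
            raise ValueError(f"PRI out of range: {pri}")
        rec["facility"] = FACILITIES[pri >> 3]
        rec["severity"] = SEVERITIES[pri & 7]
    if m.group("version") is not None:
        rec["header"] = {k: m.group(k) for k in
                         ("version", "timestamp", "hostname", "appname", "procid", "msgid", "sd")}
    # findall yields (key, quoted, bare); exactly one of quoted/bare is non-empty
    rec["fields"] = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(m.group("body"))}
    return rec


def is_local_destination(dst: str, port: int = 514) -> Optional[bool]:
    """True if UDP datagrams to dst stay on this host, False if they leave through an
    interface, None if there is no route. UDP connect() only selects the route and the
    source address; it sends nothing, so this is safe to run against a live collector."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dst, port))
        src = s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()
    # A datagram addressed to one of our own addresses is sourced from that same
    # address and delivered over lo, which firewalld accepts by default; packets
    # arriving on a real interface are subject to the zone's rules instead.
    return src == dst


def send_datagram(dst: str, port: int, payload: str) -> int:
    """nc -u equivalent; returns the number of bytes handed to the kernel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload.encode(), (dst, port))


if __name__ == "__main__":
    rec = parse_syslog(SAMPLE)
    print(rec["facility"], rec["severity"], rec["header"]["hostname"], rec["fields"]["srcip"])
    for target in ("127.0.0.1", "192.168.122.210"):
        verdict = is_local_destination(target)
        print(target, "loopback path" if verdict else "leaves the host or has no route")
```

Run send_datagram() (or nc -u) from a host that reaches the collector through the same interface the Fortigate uses; if tcpdump on the collector sees that datagram but Filebeat does not print it, check the host firewall with firewall-cmd --list-all and open the port with firewall-cmd --add-port=514/udp --permanent followed by firewall-cmd --reload. The parser is only a reference for what an rfc5424-formatted line looks like on the wire; it does not reproduce the Fortinet module's ingest pipeline.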