Filebeat not sending logs to elastic from fortinet module

mn0o7 · November 2, 2020, 9:24am

Hi Everyone,

I have enabled the fortinet/firewall module all looks great i see traffic being received at in the filebeat logs but never forwarded to elastic, can someone please point me in the right direction ?

filebeat.yml config:

logging.to_stder: true
logging.level: debug
setup.template.name: "logs_k8s"
setup.template.pattern: "logs_*"

filebeat.modules:

module: fortinet
firewall:
enabled: true
var.input: tcp
var.syslog_host: "0.0.0.0"
var.syslog_port: 9004
setup.ilm.enabled: false
ilm.enabled: false
logging.metrics.enabled: false
output.elasticsearch:
enabled: true
index: "logs_forti"
hosts: ['localhost:9200']

fortinet.yml

filebeat.modules:

module: fortinet
firewall:
enabled: true
var.input: tcp
var.syslog_host: "0.0.0.0"
var.syslog_port: 9004

2020-11-02T09:05:40.204Z 2020-11-02T09:05:40.204Z 2020-11-02T09:05:40.204Z 2020-11-02T09:05:40.204Z 2020-11-02T09:05:40.204Z 2020-11-02T09:05:40.205Z 2020-11-02T09:05:40.205Z 2020-11-02T09:05:40.206Z 2020-11-02T09:05:40.206Z 2020-11-02T09:05:40.207Z 2020-11-02T09:05:40.207Z 2020-11-02T09:05:40.207Z 2020-11-02T09:05:40.207Z 2020-11-02T09:05:40.208Z 2020-11-02T09:05:40.208Z 2020-11-02T09:05:40.213Z 2020-11-02T09:05:40.214Z 2020-11-02T09:05:40.214Z 2020-11-02T09:05:40.214Z 2020-11-02T09:05:40.214Z 2020-11-02T09:05:40.214Z 2020-11-02T09:05:40.214Z 2020-11-02T09:05:40.215Z 2020-11-02T09:05:40.215Z 2020-11-02T09:05:40.215Z 2020-11-02T09:05:40.215Z 2020-11-02T09:05:40.215Z 2020-11-02T09:05:40.215Z 2020-11-02T09:05:40.215Z 2020-11-02T09:05:40.216Z 2020-11-02T09:05:40.216Z 2020-11-02T09:05:40.220Z 2020-11-02T09:05:44.190Z 2020-11-02T09:05:50.220Z 2020-11-02T09:06:00.221Z 2020-11-02T09:06:10.221Z INFO instance/beat.go:647 Home path: [/usr/share/filebeat] Config path: [//filebeat/logs]
DEBUG [beat] instance/beat.go:699 Beat metadata path: /usr/share/filebeat/
INFO instance/beat.go:655 Beat ID: 76a6ab0b-7cbb-4948-8881-bbd9ce0f4d3e
DEBUG [seccomp] seccomp/seccomp.go:117 Loading syscall filter {"seccom","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","chmod","chown","clock_gettime","c"epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchmodat","fchown","fchownat","fcntl","fdatasyetdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname"1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","mread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat"","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","nk","unlinkat","wait4","waitid","write","writev"],"action":"allow"}]}}}
INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully inst
INFO [beat] instance/beat.go:983 Beat info {"system_info": {"beat":"home": "/usr/share/filebeat", "logs": "/usr/share/filebeat/logs"}, "type": "filebeat", "uuid": "76a6ab0b-7cbb-4
INFO [beat] instance/beat.go:992 Build info {"system_info": {"build"me": "2020-07-21T15:12:45.000Z", "version": "7.8.1"}}}
INFO [beat] instance/beat.go:995 Go runtime info {"system_info": {"go": {
INFO [beat] instance/beat.go:999 Host info {"system_info": {"host":e,"name":"21df9483e813","ip":["127.0.0.1/8","172.17.0.2/16"],"kernel_version":"5.3.0-1032-aws","mac":["02:42:ac:rsion":"7 (Core)","major":7,"minor":8,"patch":2003,"codename":"Core"},"timezone":"UTC","timezone_offset_sec":0,"
INFO [beat] instance/beat.go:1028 Process info {"system_info": {"procesill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"percap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_overri_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill",udit_write","setfcap"],"ambient":null}, "cwd": "/usr/share/filebeat", "exe": "/usr/share/filebeat/filebeat", "na:true}, "start_time": "2020-11-02T09:05:38.860Z"}}}
INFO instance/beat.go:310 Setup Beat: filebeat; Version: 7.8.1
DEBUG [beat] instance/beat.go:336 Initializing output plugins
INFO eslegclient/connection.go:99 elasticsearch url: http://localhost:9200
DEBUG [publisher] pipeline/consumer.go:137 start pipeline event con
INFO [publisher] pipeline/module.go:113 Beat name: 21df9483e813
INFO beater/filebeat.go:96 Enabled modules/filesets: fortinet (firewall),
INFO instance/beat.go:463 filebeat start running.
DEBUG [test] registrar/migrate.go:159 isFile(/usr/share/filebeat/data/
DEBUG [test] registrar/migrate.go:159 isFile() -> false
DEBUG [test] registrar/migrate.go:152 isDir(/usr/share/filebeat/data/r
DEBUG [test] registrar/migrate.go:159 isFile(/usr/share/filebeat/data/
DEBUG [registrar] registrar/migrate.go:51 Registry type '0' found
DEBUG [registrar] registrar/registrar.go:125 Registry file set to: /u
INFO registrar/registrar.go:145 Loading registrar data from /usr/share/f
INFO registrar/registrar.go:152 States Loaded from registrar: 0
INFO [crawler] beater/crawler.go:71 Loading Inputs: 1
DEBUG [registrar] registrar/registrar.go:278 Starting Registrar
DEBUG [processors] processors/processor.go:101 Generated new processors
INFO [crawler] beater/crawler.go:141 Starting input (ID: 155424624740
INFO [crawler] beater/crawler.go:108 Loading and starting Inputs comp
INFO [input.tcp] tcp/input.go:110 Starting TCP input {"addres
INFO [tcp] common/listener.go:89 Started listening for TCP connection
DEBUG [tcp] common/listener.go:132 New client {"address": "0.0.0.0:900
DEBUG [input] input/input.go:141 Run input
DEBUG [input] input/input.go:141 Run input
DEBUG [input] input/input.go:141 Run input

mn0o7 · November 3, 2020, 8:15am

Never mind the forti was faking sending the syslog messages

system · December 1, 2020, 10:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.