Hello i’m having problems dropping logs from filebeat to elastic using the fortinet module. This is the yml i have in filebeat but i does not seem to be dropping any logs since I still see traffic and notice and information logs.
filebeat.modules:
- module: fortinet
firewall:
enabled: true
var.input: udp
var.syslog_port: 514
# ============================== Filebeat modules ==============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
# ======================= Elasticsearch template setting =======================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
# ================================== General ===================================
name: *********
tags: ["*********SecurityEvents", "Fortinet", "forwarded"]
# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: true
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
# =================================== Kibana ===================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
#setup.kibana:
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
hosts: ["*********"]
protocol: "https"
username: "*********"
password: *********
# ================================= Processors =================================
processors:
- drop_event:
when:
or:
- equals:
log.level: "notice"
- equals:
log.level: "information"
- equals:
fortinet.firewall.type: "traffic"
# ================================== Logging ===================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]
# ============================= X-Pack Monitoring ==============================
monitoring.enabled: true