Fortigate 30E not sending any logs to ubuntu/logstash

Hi!

I have a problem that I need help with. I am using a Fortigate 30e firewall and a log server on a virtual machine with ELK stack and Logstash installed. The goal is to send logs from the Fortigate 30e to the log server's Logstash, and from there to Elasticsearch and then visualize them in Kibana.

I have configured the port 5144/udp and the log server's IP (Logstash's IP) from the Fortigate management panel. On the Ubuntu side, traffic has been allowed through the firewall. The port has been checked and is free to use.

The problem is that no logs are coming through to the log server or appearing in the log files /var/log/logstash-plain.log or /var/log/syslog. I have connected the WAN network from the internet cable > to the firewall > from the firewall to the switch > from the switch to a laptop that contains VMware and the log server virtual machine.

Ask if you need more information and thanks for the help.

Can you share your Logstash configuration?

This seems like a network issue, if Logstash is listening on the correct port and IP and you still do not get any logs, you need to check if everything is ok in the network, there is not much else to do in Logstash side.

Logstash conf:

input {
  udp {
    host => "192.168.138.140"
    port => 5145
  }
}

filter {}

output {
  stdout {}
}

i forgot to mention that i have also another virtual machine that goes through logstash to kibana. It uses different logstash conf and haves input { beat etc

Oops i forgot to replace port 5145 to 5144 in that message. Thats not causing the problem

Yeah, as mentioned, there is not much else to do on Logstash side.

Is logstash running without any issue? Can you see that it is listening on the port using a netstat?

If Logstash is running and listening on the port, then you need to troubleshoot your network.

root@ubuntulokipalvelin2:/etc# netstat -an | grep 5144
udp 0 0 192.168.138.140:5144 0.0.0.0:*

Do i need to make changes in rsyslog.conf file or do i need rsyslog at all. I used execute ping 192.168.138.140(logserver ip) in fortigate CLI-console and it has 100% packet loss.

There is no relation between Rsyslog and Logstash, if you want to send logs directly to Logstash you do not need Rsyslog.

This could mean basically two things:

  • ICMP is blockec
  • Your firewall cannot connect to the Logstash machine

Not sure if you have a telnet inthe fortigate console, but if you have try to telnet into the logstash server and port to see if it can connect to it.

This looks like a network issue, something is not correctly configured.

Ok. I also have NAT enabled in VMware, can this cause the problem? Do i have to use "Bridged".

I'm not sure, you will need to troubleshoot it, Network issues aren't the scope of this forum.

I'm not able to help with network issues since I do not do much networking anymore, but I would recommend that you check every step to find what is missing.

Ok thanks for your time!

You will need to enable port forwarding via the network editor (I think that's what it's called) otherwise the NAT translation will not forward the incoming packets to the VM. NAT allows many devices to share the same egress IP and so the port forwarding rule helps the NAT determine which inside host should receive the traffic.

Have you enabled port forwarding?

You may also find that, depending on the NAT implementation, and due to the NAT translation, that the source address on the messages is incorrect after translation.

HI!


Do you mean to add the fortigates ip address here? Can you specify.

Yes,

You need to add a port forward for a specific host port (5144) to get forwarded to your virtual machines NAT internal IP address which I think is 192.168.138.140

image
Does this looks fine?

Have you considered using the Fortinet module for filebeat? Specifically, the firewall fileset? Check it out here

No need to parse the syslogs yourself, the module handles all of that, and you have ECS-compliant logs in Elastic.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.