I have a problem that I need help with. I am using a Fortigate 30e firewall and a log server on a virtual machine with ELK stack and Logstash installed. The goal is to send logs from the Fortigate 30e to the log server's Logstash, and from there to Elasticsearch and then visualize them in Kibana.
I have configured the port 5144/udp and the log server's IP (Logstash's IP) from the Fortigate management panel. On the Ubuntu side, traffic has been allowed through the firewall. The port has been checked and is free to use.
The problem is that no logs are coming through to the log server or appearing in the log files /var/log/logstash-plain.log or /var/log/syslog. I have connected the WAN network from the internet cable > to the firewall > from the firewall to the switch > from the switch to a laptop that contains VMware and the log server virtual machine.
Ask if you need more information and thanks for the help.
This seems like a network issue. If Logstash is listening on the correct port and IP and you still do not get any logs, you need to check that everything is OK in the network; there is not much else to do on the Logstash side.
I forgot to mention that I also have another virtual machine that goes through Logstash to Kibana. It uses a different Logstash conf and has `input { beat` etc.
Do I need to make changes in the rsyslog.conf file, or do I need rsyslog at all? I used `execute ping 192.168.138.140` (logserver IP) in the Fortigate CLI console and it has 100% packet loss.
I'm not sure; you will need to troubleshoot it. Network issues aren't in the scope of this forum.
I'm not able to help with network issues since I do not do much networking anymore, but I would recommend that you check every step to find what is missing.
You will need to enable port forwarding via the network editor (I think that's what it's called) otherwise the NAT translation will not forward the incoming packets to the VM. NAT allows many devices to share the same egress IP and so the port forwarding rule helps the NAT determine which inside host should receive the traffic.
Have you enabled port forwarding?
You may also find, depending on the NAT implementation and due to the NAT translation, that the source address on the messages is incorrect after translation.
You need to add a port forward for a specific host port (5144) to get forwarded to your virtual machine's NAT internal IP address, which I think is 192.168.138.140.