Fortigate Firewall Logs to Elasticsearch

Hi Team,
I am trying to get the Fortigate firewall logs to Elasticsearch via Logstash but am not able to get the data into Elasticsearch, but I can see the data coming in via tcpdump on UDP port 514.

and my Logstash config is as below:

# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
    stdin {}
    beats {
        port => 514
    }
}

output {
    elasticsearch {
        hosts => ["http://192.168.0.60:9204"]
        manage_template => false
        index => "%{[@metadata][fortigate]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        #user => "elastic"
        #password => "changeme"
    }
    stdout { codec => rubydebug }
}

Presently I am not filtering the data. Is it possible to get the output to a CSV file?
Using versions Elasticsearch 7.14, Kibana 7.14, Logstash 7.14, Filebeat 7.14.

Thanks

You have two issues. One is that the beats input is to be used with the Beats agents (Filebeat, Metricbeat etc.); if you send anything that is not using the Beats protocol to a beats input, it will be dropped in the input and it will log an error or warning.

So you need to change the beats input to the udp input; this way your Logstash will be able to receive data using UDP.

Just use:

input {
    udp {
        port => 514
    }
}

The second issue is that you are using port 514 in the input, so you are probably running Logstash as root, right? This is not recommended for security reasons.

I would suggest that you change the port to a higher port, something like 5514, and reconfigure your firewall device to ship logs using this port.

@leandrojmp Thanks! I have changed the input and the port, and now I am able to get the data into Elasticsearch.
How do I filter the log and get the log output to a .csv or .log file, and is it possible to write the data to both Elasticsearch and a .csv or .log file?

Thanks
Yogi
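A pipeline that covers both points raised in the thread (the unprivileged UDP input from the answer above, plus filtering and writing the same events to both Elasticsearch and a CSV file), written here as an added example rather than config taken from the thread. It assumes the firewall ships its default key=value syslog format (with `date` and `time` fields) to UDP/5514, reuses the Elasticsearch host from the original post, and uses placeholder values for the index name and the CSV path.

```logstash
# Added example pipeline (not from the thread). Assumes the Fortigate sends its
# default key=value syslog format to UDP port 5514.
input {
  udp {
    port => 5514            # unprivileged port, so Logstash does not need root
    type => "fortigate"
  }
}

filter {
  # The Fortigate payload is a series of key=value pairs; values containing
  # spaces are double-quoted, which the kv filter handles by default.
  kv {
    source      => "message"
    value_split => "="
    field_split => " "
    target      => "fgt"     # keep parsed fields under one object (avoids clashes with 'type')
  }
  # Build @timestamp from the device's own date/time fields (assumed names: date, time).
  if [fgt][date] and [fgt][time] {
    mutate { add_field => { "fgt_ts" => "%{[fgt][date]} %{[fgt][time]}" } }
    date {
      match        => [ "fgt_ts", "yyyy-MM-dd HH:mm:ss" ]
      target       => "@timestamp"
      remove_field => [ "fgt_ts" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://192.168.0.60:9204"]   # host and port from the original post
    index => "fortigate-%{+YYYY.MM.dd}"      # placeholder index name
  }
  # The same events are also appended to a daily CSV file (placeholder path).
  csv {
    path   => "/var/log/logstash/fortigate-%{+YYYY-MM-dd}.csv"
    fields => [ "@timestamp", "[fgt][srcip]", "[fgt][dstip]", "[fgt][dstport]", "[fgt][action]", "[fgt][policyid]" ]
  }
}
```

Parsing into the `fgt` object rather than the event root matters because Fortigate emits fields such as `type` that would otherwise overwrite the Logstash `type` set on the input. Check the syntax before starting the service with `bin/logstash -f fortigate.conf --config.test_and_exit`, and make sure the user Logstash runs as can write to the CSV directory; if the csv output plugin is not bundled with your build, it can be added with `bin/logstash-plugin install logstash-output-csv`.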
