Hi Team,
I am trying to get the Fortigate firewall logs to Elasticsearch via Logstash, but I am not able to get the data into Elasticsearch. I can see the data coming in via tcpdump on UDP port 514.
Presently I am not filtering the data. Is it possible to get the output to a CSV file?
Using versions Elasticsearch 7.14, Kibana 7.14, Logstash 7.14, Filebeat 7.14.
You have two issues. One is that the beats input is meant to be used with the Beats agents (Filebeat, Metricbeat, etc.); if you send anything that does not use the Beats protocol to a beats input, it will be dropped in the input and Logstash will log an error or warning.
So you need to change the beats input to the udp input; this way your Logstash will be able to receive data using UDP.
Just use:
input {
  udp {
    port => 514
  }
}
The second issue is that you are using port 514 in the input, so you are probably running Logstash as root, right? This is not recommended for security reasons.
I would suggest that you change the port to a higher port, something like 5514, and reconfigure your firewall device to ship logs using this port.
@leandrojmp Thanks! I have changed the input and the port as well, and now I am able to get the data into Elasticsearch.
How do I filter the log and write the log output to a .csv or .log file? And is it possible to write the data to both Elasticsearch and a .csv or .log file?
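A complete pipeline for the setup discussed in this thread, written as an added example and not code from any of the posts above: it uses the udp input on the unprivileged port 5514 suggested in the answer, parses the FortiGate key=value payload, and writes every event to both Elasticsearch and a daily CSV file, which is what the follow-up question asks for. The Elasticsearch host and CA path, the logstash_writer user and its keystore entry, the output file paths and the sample log line in the comments are all placeholders and not taken from the thread.

```logstash
# Added example pipeline (not from the thread). Assumes Logstash 7.14 with the
# bundled udp input, grok/syslog_pri/kv/date/mutate filters and the
# elasticsearch and csv outputs; Elasticsearch reachable at
# https://localhost:9200 with its CA at /etc/logstash/certs/http_ca.crt; a
# write-only user "logstash_writer" whose password is stored in the Logstash
# keystore under LOGSTASH_WRITER_PW; and a writable /var/log/logstash directory.
# All of these are placeholders.

input {
  udp {
    # Unprivileged port, so Logstash does not need root to bind it.
    # The FortiGate has to be reconfigured to send syslog to this port.
    host => "0.0.0.0"
    port => 5514
    type => "fortigate"
  }
}

filter {
  # A FortiGate syslog line is a syslog <PRI> followed by key=value pairs.
  # Constructed sample (not a real device record):
  # <189>date=2021-09-01 time=12:00:00 devname="fw01" devid="FG100XXXX" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 srcport=51234 dstip=203.0.113.10 dstport=443 proto=6 action="accept" msg="some text with spaces"
  grok {
    match => { "message" => "^(?:<%{POSINT:syslog_pri}>)?%{GREEDYDATA:kv_payload}$" }
  }

  # Turn the numeric <PRI> into syslog_facility / syslog_severity labels.
  # The filter reads the "syslog_pri" field by default.
  syslog_pri { }

  # Parse the key=value pairs under [fortigate]. Double-quoted values that
  # contain spaces (msg="...") are handled by the kv filter.
  kv {
    source      => "kv_payload"
    field_split => " "
    value_split => "="
    target      => "fortigate"
  }

  # Build @timestamp from the device's own date/time fields rather than the
  # time Logstash received the packet, so the index reflects event time.
  if [fortigate][date] and [fortigate][time] {
    mutate {
      add_field => { "[@metadata][device_ts]" => "%{[fortigate][date]} %{[fortigate][time]}" }
    }
    date {
      match  => [ "[@metadata][device_ts]", "yyyy-MM-dd HH:mm:ss" ]
      target => "@timestamp"
    }
  }

  # Keep the raw "message" for forensics and drop the intermediate copy.
  # Lines that did not match grok keep the _grokparsefailure tag, so they are
  # easy to find in Kibana instead of being silently lost.
  mutate { remove_field => [ "kv_payload" ] }
}

output {
  # Logstash fans every event out to all outputs, so both destinations get
  # the same parsed event.
  elasticsearch {
    hosts    => [ "https://localhost:9200" ]
    cacert   => "/etc/logstash/certs/http_ca.crt"   # placeholder CA path
    index    => "fortigate-%{+YYYY.MM.dd}"
    user     => "logstash_writer"
    password => "${LOGSTASH_WRITER_PW}"             # from the Logstash keystore, not this file
  }

  # One CSV per day with a fixed column order; a field missing from an event
  # produces an empty cell. For a plain .log text file use the file output
  # with "codec => line" instead.
  csv {
    path   => "/var/log/logstash/fortigate-%{+YYYY-MM-dd}.csv"
    fields => [ "@timestamp", "[fortigate][devname]", "[fortigate][type]",
                "[fortigate][subtype]", "[fortigate][srcip]", "[fortigate][srcport]",
                "[fortigate][dstip]", "[fortigate][dstport]", "[fortigate][proto]",
                "[fortigate][action]", "[fortigate][msg]" ]
  }
}
```

Two caveats worth keeping in mind with this layout: UDP syslog carries no authentication, so anyone who can reach port 5514 can inject fake "firewall" events into the index and the CSV, and the host firewall should only accept that port from the FortiGate's address; and the CSV output keeps the file open and appends to it, so rotate or archive it by the date in the filename rather than truncating it while Logstash is running.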