Hi All,
I am trying to parse the FortiGate firewall syslog in Logstash and am still failing after spending a lot of time on it.
I need your expertise for a standard FortiGate syslog Logstash config.
Here is my current config. I'm getting the logs, but all of them have the _grokparsefailure tag, and I am seeing the whole "message" field full of long output.
I would like to retrieve dstip, srcip, srcport, dstport, geoip, etc.
Thanks in advance.
input {
  udp {
    port => 5514
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    # Standard RFC 3164 syslog pattern: the square brackets around the PID
    # must be escaped, otherwise grok reads them as a character class.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}
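A pipeline that parses the FortiGate key=value body instead of expecting an RFC 3164 "timestamp host program:" header, added here as an example and not part of the original post. The port, the `type` tag and the field names (`srcip`, `dstport`, `sentbyte`, `rcvdbyte`, `date`, `time`) are assumptions about a typical FortiGate traffic log in the default log format:

```conf
input {
  udp {
    port => 5514
    type => "fortigate"
  }
}
filter {
  if [type] == "fortigate" {
    # FortiGate sends "<PRI>date=2024-01-01 time=12:00:00 devname=... srcip=..."
    # with no syslog header, so the stock syslog grok pattern never matches.
    # Only strip the optional <PRI> prefix here and keep the rest as the body.
    grok {
      match => { "message" => "^(?:<%{POSINT:syslog_pri}>)?%{GREEDYDATA:fgt_body}$" }
    }
    # Split the body on spaces into key=value pairs; the kv filter removes the
    # double quotes FortiGate puts around values that contain spaces.
    kv {
      source       => "fgt_body"
      field_split  => " "
      value_split  => "="
      remove_field => [ "fgt_body" ]
    }
    # Build the event timestamp from the separate date= and time= fields.
    if [date] and [time] {
      mutate { add_field => { "fgt_timestamp" => "%{date} %{time}" } }
      date {
        match        => [ "fgt_timestamp", "yyyy-MM-dd HH:mm:ss" ]
        remove_field => [ "fgt_timestamp" ]
      }
    }
    # Numeric fields arrive as strings; convert them so range queries work.
    # Fields missing from a given event are skipped silently.
    mutate {
      convert => { "srcport" => "integer" "dstport" => "integer"
                   "sentbyte" => "integer" "rcvdbyte" => "integer" }
    }
    # GeoIP the destination; looking up RFC 1918 source addresses returns
    # nothing useful. "destination" is a target accepted in both legacy and
    # ECS mode of the geoip filter.
    if [dstip] {
      geoip { source => "dstip" target => "destination" }
    }
  }
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}
```

If the FortiGate is configured to emit CSV, CEF or RFC 5424 output instead of the default key=value format, the grok and kv stages above need adjusting to strip that header first.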