Fortigate integration with ELK


I am trying to integrate Fortigate with the Elastic Stack. What should be the optimal solution for this integration?
1- Should I use logstash, send fortigate logs to logstash and parse them.
2- Should I use filebeat server, send fortigate logs to this server and use fortinet module to parse.
3- Setup filebeat in fortigate to ship logs directly to stack.
4- Or others

What options are recommended by ELK, and what is the community using?

I would say that it depends on your infrastructure and what you need to do with the logs.

For example, I collect logs from a couple of Fortigate devices. I use logstash instead of filebeat because filebeat does not have the flexibility I need for enriching the data, as I use a couple of translate and memcached filters.

In my use case I have the Fortigate devices configured to send logs to a UDP port, as if they were sending to a syslog server. On this port I have a logstash pipeline listening that sends this data to a Kafka cluster, and then I have other logstash instances consuming from this Kafka. I use this structure because of the number of events per second.

Fortigate logs are pretty easy to parse; you can use a combination of the dissect filter and a kv filter to parse them.
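The dissect-then-kv parsing described above, as an added example that is not part of the original post and not Logstash configuration: a small Python emulation of the two filter steps over a constructed FortiGate syslog line (the device name, IPs and values are made up), including the quoted-value handling that a kv split needs and a minimal ECS field mapping of the kind the Fortinet integrations perform.

```python
import re

# Constructed sample line in FortiGate key=value syslog format (not from a real device).
SAMPLE_LINE = (
    '<189>date=2024-03-05 time=14:02:11 devname="FGT-EDGE-1" devid="FGT-CONSTRUCTED" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.0.5 srcport=51234 srcintf="port1" dstip=203.0.113.7 dstport=443 '
    'dstintf="wan1" proto=6 action="deny" policyid=0 service="HTTPS" '
    'msg="Denied by policy" sentbyte=0 rcvdbyte=0'
)

# Step 1 (dissect equivalent): peel the optional syslog <PRI> prefix off the body.
DISSECT = re.compile(r"^(?:<(?P<syslog_pri>\d{1,3})>)?(?P<fortigate_message>.*)$")
# Step 2 (kv equivalent): key=value pairs; quoted values may contain spaces and '='.
KV = re.compile(r'(?P<key>[A-Za-z0-9_.-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')

# Hypothetical subset of a FortiGate-to-ECS mapping, chosen for this example.
ECS_MAP = {"srcip": "source.ip", "srcport": "source.port", "dstip": "destination.ip",
           "dstport": "destination.port", "action": "event.action", "devname": "observer.name"}


def dissect(line):
    """Split the line into the syslog priority (or None) and the FortiGate body."""
    m = DISSECT.match(line)
    return {"syslog_pri": m.group("syslog_pri"), "fortigate_message": m.group("fortigate_message")}


def kv(body):
    """Split the body into a dict; a quoted value is consumed whole, so 'a=b' inside quotes is safe."""
    out = {}
    for m in KV.finditer(body):
        out[m.group("key")] = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return out


def parse_fortigate(line):
    """Run both steps and decode the syslog PRI into facility/severity like Logstash's syslog_pri filter."""
    parts = dissect(line)
    event = kv(parts["fortigate_message"])
    if parts["syslog_pri"] is not None:
        pri = int(parts["syslog_pri"])
        event["syslog_facility"], event["syslog_severity"] = pri // 8, pri % 8
    return event


def to_ecs(event):
    """Copy the mapped FortiGate fields to their ECS names, converting ports to integers."""
    ecs = {}
    for fg_key, ecs_key in ECS_MAP.items():
        if fg_key in event:
            ecs[ecs_key] = int(event[fg_key]) if ecs_key.endswith(".port") else event[fg_key]
    return ecs
```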

Thank you for responding. This answers my question.
One question though: if we use logstash, how will you troubleshoot if you are not receiving logs? Can we create any alert on that?

Hi @Hamzah - the Elastic Agent + Fortigate integration is another option and incredibly easy to configure. You can simply deploy the Elastic Agent on an intermediary host which is used to send the data to Elastic. The Fortigate integration can then be enabled to automatically parse your events and map to ECS. You can view the relevant integration docs here.
