Hi there,
I'm a beginner with Elastic and I'm trying to add the "Fortinet FortiGate Firewall Logs" integration to my Elastic setup. I have configured my firewall to send syslog messages to UDP port 9004 on host 192.168.1.200, where the Elastic Agent is installed.
I can see syslog traffic arriving using tcpdump, but I don't see any logs in my Elasticsearch. How can I verify that my Elastic Agent is sending traffic to Elasticsearch?
First please do not post images of text... please paste the text and format with 2 backticks ``` before and after... images can not be searched, debugged etc.. some people can not see them.
This
and this show you are ingesting data....
When I ask for this please provide some of the sample results... not just "Some interesting stuff" otherwise I can not help...
Please post a few of those results...
You probably have a timezone issue... please see this post...
Set the time picker in Discover to 24 hours ago to 24 hours to now... and see if you have results... I am sure you do.
######################################
The other logs error logs...
What are you doing with logstash?... this is why you should not paste images of text... I can not help much... This is probably not the issue with the fortigate logs... but whatever you are doing with logstash it is trying to connect to Elasticsearch at the default address... http://localhost:9200 which above is probably not correct...
Ok nice, it works after changing the Timezone settings.
Yes, I understand about the image and the text.
I apologize for my beginner questions, but I would really appreciate your help with the following:
Can I get the dashboard titled “[Fortinet Fortigate] Firewall Overview” directly under Security Views instead of having it under Custom Dashboards?
How can I add panels to the dashboard? I can’t seem to find anywhere to edit it.
If I want to perform a free text search, where should I go? I want it within Security; I know there are tabs for Search, Observability, and Analytics. Is it just in Analytics -> Discover?
In the logs I receive from the firewall, I only see "agent.name X," where X is the name of my Linux server hosting the agent. I don’t see the name of the firewall; it should be "fw-home" somewhere.
If I add another firewall, should I use this existing agent, right? Then it's important to have a firewall name like the one mentioned in question 4.
I must say, this is a really nice product. Thanks again!
You will need to check and see which field refers to the actual firewall source; it may require a setting on the fortigate side... not my expertise... BUT you certainly can add fields or tags per integration to identify / set what you like
log.source.address looks like the IP that is forwarding the FW Logs aka the firewall (unless you are using a syslog forwarder)
With respect to the number of Agents that depends on the Volume; you can assign 2 fortigate fw integrations to a single policy / agent... very flexible...
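The two recurring points in this thread, the firewall's own name versus agent.name and the timezone shift, as an added example that is not from the thread or from the Elastic integration: it parses a constructed FortiGate key=value syslog line, reads devname (the firewall's hostname, the "fw-home" asked about above), and converts date/time plus the tz offset to UTC. Which Elastic field devname lands in after ingestion is an assumption to confirm in Discover.

```python
"""Parse a FortiGate key=value syslog line, find the firewall name, normalise its time to UTC."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample line in FortiGate's key=value format (not a real capture).
SAMPLE = ('<189>date=2024-03-05 time=14:30:12 devname="fw-home" devid="FGT-EXAMPLE" '
          'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
          'tz="+0100" srcip=192.168.1.10 dstip=203.0.113.5 action="accept"')

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortigate(line: str) -> dict:
    """Return the key=value fields of a FortiGate syslog line as a dict of strings."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def firewall_name(fields: dict) -> Optional[str]:
    """devname is set by the firewall itself; agent.name only names the host running Elastic Agent."""
    return fields.get("devname")


def event_time_utc(fields: dict) -> datetime:
    """Combine date/time with the tz offset so the event is stored in UTC, not firewall local time.

    If tz is absent the line is treated as UTC; that mismatch is exactly the kind of shift
    that makes events vanish from a 'last 15 minutes' view in Discover.
    """
    local = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    tz = fields.get("tz", "+0000")
    sign = 1 if tz[0] == "+" else -1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


if __name__ == "__main__":
    f = parse_fortigate(SAMPLE)
    print(firewall_name(f), event_time_utc(f).isoformat())
```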