Fortigate Integrations

Hi there,
I'm a beginner with Elastic and I'm trying to add the "Fortinet FortiGate Firewall Logs" integration to my Elastic setup. I have configured my firewall to send syslog messages to UDP port 9004 on host 192.168.1.200, where the Elastic Agent is installed.
I can see syslog traffic arriving using tcpdump, but I don't see any logs in my Elasticsearch. How can I verify that my Elastic Agent is sending traffic to Elasticsearch?

I did this with TLS cert (for now).

sudo ./elastic-agent install --url=httpX://192.168.1.200:8220 --enrollment-token=WGp4ajBwRUJfdVVXdnBPeG9EcDM6bTVpTnlMUEFTM21sNHlTRTgwa0tRdw== --insecure

Thanks for your help!

Hi @arcsons, welcome to the community.

There are a couple of next places to check.

Kibana - Stack Management - Data Streams

Look for fortigate data stream...

Then it should show the number of indices... Click on that and it should show if there are documents in the index...

Also try... assuming you did not change the dataset or namespace

Kibana - Dev Tools

GET logs-fortinet_fortigate.log-*/_search

And see if there are any results.

You can also click on the

Fleet - Agent and it should show if the integration is healthy

Hi Stephen, thanks for your reply.

Stack Management / Index Management / Data Streams:

logs-fortinet_fortigate.log-default

indices: 1
Storage size: 11.7mb
Health: Yellow

Stack Management / Index Management / Indices:

.ds-logs-fortinet_fortigate.log-default-2024.09.08-000001
Health: Yellow
Status: Open
Docs: 18,788

Kibana - Dev Tools

GET logs-fortinet_fortigate.log-*/_search
shows me 200 OK and some interesting stuff but not all.

Observability / Logs / Stream:

I see some errors in:

First, please do not post images of text... please paste the text and format it with 2 backticks ``` before and after... images cannot be searched, debugged, etc.; some people cannot see them.

This

and this show you are ingesting data....

When I ask for this please provide some of the sample results... not just "Some interesting stuff" otherwise I can not help...

Please post a few of those results...

You probably have a timezone issue... please see this post...

Set the time picker in Discover to 24 hours ago to 24 hours to now... and see if you have results... I am sure you do.

######################################

The other error logs...

What are you doing with Logstash?... this is why you should not paste images of text... I cannot help much... This is probably not the issue with the FortiGate logs... but whatever you are doing with Logstash, it is trying to connect to Elasticsearch at the default address... http://localhost:9200 which above is probably not correct...

I would think you are trying to do

Fortigate -> UDP Elastic Agent -> Elasticsearch

Or are you trying

Fortigate -> UDP Elastic Agent -> Logstash -> Elasticsearch

If so why?

OK, nice, it works after changing the timezone settings.
Yes, I understand about the image and the text.

I apologize for my beginner questions, but I would really appreciate your help with the following:

  1. Can I get the dashboard titled “[Fortinet Fortigate] Firewall Overview” directly under Security Views instead of having it under Custom Dashboards?
  2. How can I add panels to the dashboard? I can’t seem to find anywhere to edit it.
  3. If I want to perform a free text search, where should I go? I want it within Security; I know there are tabs for Search, Observability, and Analytics. Is it just in Analytics -> Discover?
  4. In the logs I receive from the firewall, I only see "agent.name X," where X is the name of my Linux server hosting the agent. I don’t see the name of the firewall; it should be "fw-home" somewhere.
  5. If I add another firewall, should I use this existing agent, right? Then it's important to have a firewall name like the one mentioned in question 4.

I must say, this is a really nice product. Thanks again!

Please anyone?

  1. No, not as far as I know.. those are "Curated Views"

  2. The OOTB Dashboards are "Managed" so Duplicate the Dashboard then you can edit

  3. Yes Discover, but you can save your search as a Saved Search and then add to a Custom Dashboard

  4. Here are all the fields... You need to look at
    Fortinet FortiGate Firewall Logs | Documentation

You will need to check and see which field refers to the actual firewall source; it may require a setting on the FortiGate side... not my expertise... BUT you certainly can add fields or tags per integration to identify / set what you like

log.source.address looks like the IP that is forwarding the FW logs, aka the firewall (unless you are using a syslog forwarder)

  5. With respect to the number of Agents, that depends on the volume; you can assign 2 FortiGate FW integrations to a single policy / agent... very flexible...
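Added example, not part of the thread and not Elastic's code: a Python check over the hits returned by `GET logs-fortinet_fortigate.log-*/_search` that groups events by sending firewall (`log.source.address`) and compares `@timestamp` with `event.ingested` to expose the timezone offset that hid the logs in Discover. It assumes both timestamp fields are present and that `log.source.address` has the form `ip:port`; the sample hits and the second firewall address are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the shape of _search hits (values are made up).
SAMPLE_HITS = [
    {"_source": {"@timestamp": "2024-09-08T14:00:05.000Z",
                 "event": {"ingested": "2024-09-08T12:00:07Z"},
                 "log": {"source": {"address": "192.168.1.1:514"}}}},
    {"_source": {"@timestamp": "2024-09-08T14:01:10.000Z",
                 "event": {"ingested": "2024-09-08T12:01:11Z"},
                 "log": {"source": {"address": "192.168.1.1:514"}}}},
    {"_source": {"@timestamp": "2024-09-08T12:02:00.000Z",
                 "event": {"ingested": "2024-09-08T12:02:01Z"},
                 "log": {"source": {"address": "192.168.1.2:514"}}}},
    {"_source": {"@timestamp": "2024-09-08T12:03:00.000Z",  # no event.ingested
                 "log": {"source": {"address": "192.168.1.2:514"}}}},
]


def _parse(ts):
    """Parse an ISO 8601 UTC timestamp as returned by Elasticsearch."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def clock_offsets(hits, step_min=15, tolerance_min=20):
    """Per sender: median(@timestamp - event.ingested), snapped to step_min minutes."""
    deltas = defaultdict(list)
    for hit in hits:
        src = hit.get("_source", {})
        try:
            sender = src["log"]["source"]["address"].rsplit(":", 1)[0]
            delta = _parse(src["@timestamp"]) - _parse(src["event"]["ingested"])
        except (KeyError, ValueError):
            continue  # skip documents missing either field or with odd formats
        deltas[sender].append(delta.total_seconds() / 60)
    report = {}
    for sender, minutes in deltas.items():
        snapped = step_min * round(median(minutes) / step_min)
        report[sender] = {"events": len(minutes), "offset_min": snapped,
                          "suspect": abs(snapped) >= tolerance_min}
    return report


if __name__ == "__main__":
    for sender, row in clock_offsets(SAMPLE_HITS).items():
        print(sender, row)
```

A positive `offset_min` means the firewall's events are stamped in the future relative to ingestion, so a time range ending at "now" will not show them.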

Thanks a lot.