Fortinet firewall logs in ELK

HI Team,

I am getting logs from a Fortinet firewall, and the config file for this is:
    input {
      tcp {
        port => 5014
        type => syslog
      }
      udp {
        port => 5014
        type => syslog
      }
    }

    filter {
      if [type] == "syslog" {
        grok {
          # the brackets around the PID must be escaped, otherwise grok treats them as a character class
          match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
          add_field => [ "received_at", "%{@timestamp}" ]
          add_field => [ "received_from", "%{host}" ]
        }
        date {
          match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
      }
    }

The full message is arriving in the "message" field in Kibana, but I am looking for a separate column for each detail.

Full message:
"<43>date=2019-12-24 time=18:58:48 devname=master devid=FG3K0B3I11700430 logid=0101037130 type=event subtype=vpn level=error vd="Eicher_VPN" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=123.63.173.45 locip=125.21.195.51 remport=38308 locport=4500 outintf="Vlan192-Eicher" cookies="7cb0fd762c55cedb/7984875dd4f6d284" user="huawei" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Eicher_vpn" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR"

Is it possible to separate out all the fields into separate columns?
Like:
devname=master
devid=FG3K0B3I11700430
logid=0101037130
type=event
and so on

You can add "kv" in your filter:

    kv {
      source => "message"
    }

Thanks for the reply.

All my devices' logs are coming in on port 5014, so "kv" will impact the other logs as well.

Add an input port and TAG the incoming data like this:

    input {
      udp {
        port => XXXX
        tags => ["Fortigate"]   # tags is an array, so the value needs brackets
        type => syslog
      }
    }

After that, add an IF section in your filter:

    if "Fortigate" in [tags] {
      ...
    }
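Putting the two replies together, as an added example that is not from the thread: a pipeline that tags only the FortiGate listener and applies kv under that condition, so the existing syslog grok for the other devices on 5014 is untouched. Port 5015, the `fortigate` target and the temporary field names are assumptions; the `target` matters because FortiGate logs carry a `type=event` pair that would otherwise overwrite the event's own `type` field used in the existing `if [type] == "syslog"` condition.

```logstash
# Added example (not from the thread). Port 5015 and the field names are assumptions.
input {
  udp {
    port => 5015
    tags => ["Fortigate"]
    type => "syslog"
  }
}

filter {
  if "Fortigate" in [tags] {
    # FortiGate syslog has no timestamp/hostname header, only the <PRI> prefix,
    # so strip that instead of applying the RFC3164 grok pattern.
    grok {
      match => { "message" => "^<%{POSINT:syslog_pri}>%{GREEDYDATA:fortigate_message}" }
    }
    # Decode syslog_pri (43 in the sample) into facility/severity fields.
    syslog_pri { }
    # Split key=value pairs; quoted values such as msg="progress IPsec phase 2"
    # are kept whole and the quotes are dropped. Nesting under [fortigate]
    # keeps the log's own "type=event" from clobbering the event's type field.
    kv {
      source => "fortigate_message"
      field_split => " "
      value_split => "="
      target => "fortigate"
    }
    # Use the device's own date/time as @timestamp rather than arrival time.
    mutate {
      add_field => { "fortigate_timestamp" => "%{[fortigate][date]} %{[fortigate][time]}" }
    }
    date {
      match => [ "fortigate_timestamp", "yyyy-MM-dd HH:mm:ss" ]
    }
    mutate {
      remove_field => [ "fortigate_message", "fortigate_timestamp" ]
    }
  }
}
```

In Kibana the sample then shows up as `fortigate.devname`, `fortigate.devid`, `fortigate.logid`, `fortigate.msg` and so on, each selectable as its own column.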
