Fortinet FortiGate Firewall Logs integration

Hi to all,
I can't figure out why the Fortigate Firewall Logs Integration doesn't send logs to my Elasticsearch server.
I can use the filebeat module but not the fleet integration.
I have set up the Fortigate Firewall to send syslog logs to my syslog server.
The latter is an Ubuntu Server machine with Elastic-Agent installed and configured as a fleet agent.
With tcpdump I see the raw records that the firewall sends to the syslog server.
If I run the command netstat -ln, I see that the server is listening on port 9004.
I also tried to stop the elastic-agent service and the open port disappeared.
In the elastic-agent log, I can't see any error.

Can anyone help me?

Are you using the TCP input for this? Remember to disable the ones you are not using in the integration configuration UI.
If you are using TCP, try to open the advanced options section; under TCP options there is a commented-out field called framing.

All the options look like this:

  #max_connections: 1
  #framing: delimiter
  #line_delimiter: "\n"

Uncomment framing and change its value from delimiter to rfc6587; it will look like this:

  #max_connections: 1
  framing: rfc6587
  #line_delimiter: "\n"

Save that, and see if it helps :slight_smile:
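To illustrate what the framing option changes, here is an added example (not from this thread, nor Elastic's or Fortinet's code) that frames a constructed FortiGate-style syslog TCP stream both ways: RFC 6587 octet counting, where each message is prefixed with its byte length, and newline-delimited framing, which only works if the sender terminates every message with "\n". The log lines and their field values are constructed samples.

```python
import re

# Added example, not from the thread. RFC 6587 "octet counting" frames each
# syslog message on a TCP stream as "<LEN> <MESSAGE>"; "non-transparent"
# framing instead relies on a trailing "\n" after every message.


def frame_octet_counting(stream: bytes) -> list[bytes]:
    """Split an RFC 6587 octet-counted TCP stream into individual messages."""
    msgs = []
    pos = 0
    while pos < len(stream):
        m = re.match(rb"(\d+) ", stream[pos:])
        if not m:
            raise ValueError(f"no octet count at offset {pos}")
        length = int(m.group(1))
        start = pos + m.end()
        end = start + length
        if end > len(stream):
            raise ValueError("truncated message: stream ends before declared length")
        msgs.append(stream[start:end])
        pos = end
    return msgs


def frame_newline_delimited(stream: bytes) -> list[bytes]:
    """The 'delimiter' framing: split on "\\n" and drop empty fragments."""
    return [line for line in stream.split(b"\n") if line]


def octet_counted(*messages: bytes) -> bytes:
    """Build an octet-counted stream, as a sender using rfc6587 framing would."""
    return b"".join(b"%d %s" % (len(m), m) for m in messages)


# Constructed sample messages in FortiGate key=value style (values are made up).
FORTI1 = b'<189>date=2024-01-01 time=12:00:00 devname="FGT" type="traffic" action="accept"'
FORTI2 = b'<190>date=2024-01-01 time=12:00:01 devname="FGT" type="event" action="login"'
SAMPLE_STREAM = octet_counted(FORTI1, FORTI2)  # no "\n" anywhere in the stream


def parse_fortigate_kv(msg: bytes) -> dict[str, str]:
    """Extract key=value pairs (quoted or bare) from one FortiGate log body."""
    text = re.sub(r"^<\d+>", "", msg.decode("utf-8", errors="replace"))  # drop PRI
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}
```

With the wrong framing selected, the two octet-counted messages above arrive as a single undelimited "line", which is exactly the kind of silent drop that shows no error in the agent log.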

Thank you for your help.
I found what I missed:
I forgot to change the listen address from localhost to 0.0.0.0.
What a stupid error ... :disappointed:

I tried your suggestion anyway and I confirm that it works.
