Fortinet logs not showing

Hi Guys,

I need help with pulling Fortinet logs. I have set my firewall to push logs to my Syslog server (/var/log/syslog) and installed the Fortinet integration, which installed successfully, but I can't see the logs in analytics.

My firewall version: Fortinet 7.2.5

and config:

set status enable
set server "Syslog-server-IP"
set mode udp
set port 514
set facility local7
set source-ip "X.X.X.X"
set format default
set priority default
set max-log-rate 0
set interface-select-method auto
end

I am using Elastic Cloud. I'm hoping someone with a similar setup can help?

Hello,

Where is your Elastic Agent running? How did you configure the Fortinet integration? Also, does your syslog have any routing configuration to save the Fortinet logs to a separate file?

The Fortinet integration can consume fortigate logs in two ways:

  • Listening on a TCP/UDP port to receive the logs directly from the firewall
  • Reading a log file where you will have fortigate logs

If you configured your firewall to send logs to a syslog server, you need to configure this syslog server to redirect the logs to a TCP/UDP port of the Elastic Agent or to save the fortigate logs into a separate file.

> Where is your Elastic Agent running?

My Agent is running on the syslog server.

> How did you configure the Fortinet integration?

I configured the udp section to listen on udp (0.0.0.0) and port 514 as configured on the firewall.

> Also, does your syslog have any routing configuration to save the Fortinet logs to a separate file?

If I understand your question, my firewall is writing its logs to /var/log/syslog.

> The Fortinet integration can consume fortigate logs in two ways:
>
>   • Listening on a TCP/UDP port to receive the logs directly from the firewall

Can you recommend a guide I can follow to achieve this?

>   • Reading a log file where you will have fortigate logs
>
> If you configured your firewall to send logs to a syslog server, you need to configure this syslog server to redirect the logs to a TCP/UDP port of the Elastic Agent or to save the fortigate logs into a separate file.

I believe this is how I configured it. I am not an expert in any way, but following the documentation I assumed that if my firewall writes to a log file, my integration should be able to pull the logs without extensive configuration.

But do you have a syslog server on the same server? If you already have a syslog server on the same server, you cannot use port 514 for the agent, as the syslog server is probably already using it; you need to choose a different port and then use the same port in your firewall configuration.

Syslog servers use port 514 on UDP; you cannot have two services using the same port.

Try changing this port to something like 5514 and then use the same port in your firewall.
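As an added example (not from anyone in this thread), here is an rsyslog routing fragment covering the two options discussed above: it keeps rsyslog on UDP/514 so the agent does not have to fight for that port, writes the firewall's messages to their own file for the integration's log-file input, and shows (commented out) the forward to the agent's UDP port 5514 instead. It assumes rsyslog is the syslog server, that the firewall's source-ip is the X.X.X.X from the posted config, and that /var/log/fortigate.log and 127.0.0.1:5514 are the file and agent port you choose.

```rsyslog
# /etc/rsyslog.d/10-fortigate.conf  (added example; adjust IP, file and port)

# Keep rsyslog as the only listener on UDP/514. Omit these two lines if
# /etc/rsyslog.conf already loads imudp, since a module cannot be loaded twice.
module(load="imudp")
input(type="imudp" port="514")

# Match messages that arrived from the firewall's source-ip (X.X.X.X in the
# firewall config above). Matching on the sender address, not on facility
# local7, avoids mixing in other local7 senders.
if $fromhost-ip == "X.X.X.X" then {
    # Option 1: write the FortiGate lines to a separate file and point the
    # Fortinet integration's log-file input at it.
    action(type="omfile" file="/var/log/fortigate.log")

    # Option 2 (instead of the file): forward to the port the Elastic Agent
    # listens on, 5514 as suggested above, so the firewall config can stay
    # on 514 while the agent still gets a raw UDP feed.
    # action(type="omfwd" target="127.0.0.1" port="5514" protocol="udp")

    # Stop here so the same lines are not also duplicated into /var/log/syslog.
    stop
}
```

After restarting rsyslog, confirm /var/log/fortigate.log is filling with lines from the firewall before enabling the integration's file input; if it stays empty, the firewall traffic is not reaching rsyslog at all, which points at the network or the source-ip rather than the agent.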