I need help with pulling Fortinet logs. I have set my firewall to push logs to my Syslog server(/var/log/syslog) and installed the Fortinet integration which installed successfully but I can't see the logs in analytics.
My Firewall version : Fortinet 7.2.5
and config:
set status enable
set server "Syslog-server-IP"
set mode udp
set port 514
set facility local7
set source-ip "X.X.X.X"
set format default
set priority default
set max-log-rate 0
set interface-select-method auto
end
I am using Elastic Cloud. I'm hoping someone with a similar setup can help?
Where is your Elastic Agent running? How did you configure the Fortinet integration? Also, does your syslog server have any routing configuration to save the Fortinet logs in a separate file?
The Fortinet integration can consume FortiGate logs in two ways:
Listening on a TCP/UDP port to receive the logs directly from the firewall
Reading a log file where you will have FortiGate logs
If you configured your firewall to send logs to a syslog server, you need to configure this syslog server to redirect the logs to a TCP/UDP port of the Elastic Agent or to save the FortiGate logs into a separate file.
> Where is your Elastic Agent running?

My Agent is running on the syslog server.

> How did you configure the Fortinet integration?

I configured the UDP section to listen on UDP (0.0.0.0) and port 514, as configured on the firewall.

> Also, does your syslog server have any routing configuration to save the Fortinet logs in a separate file?

If I understand your question, my firewall is writing its logs to /var/log/syslog.

> The Fortinet integration can consume FortiGate logs in two ways:
> Listening on a TCP/UDP port to receive the logs directly from the firewall

Can you recommend a guide I can follow to achieve this?

> Reading a log file where you will have FortiGate logs
> If you configured your firewall to send logs to a syslog server, you need to configure this syslog server to redirect the logs to a TCP/UDP port of the Elastic Agent or to save the FortiGate logs into a separate file.

I believe this is how I configured it. I am not an expert in any way, but following the documentation I assumed that if my firewall writes to a log file, my integration should be able to pull the logs without extensive configuration.
But do you have a syslog server on the same server? If you already have a syslog server on that server, you cannot use port 514 for the Agent, as the syslog server is probably already using it. You need to choose a different port and then use the same port in your firewall configuration.
Syslog servers use port 514 on UDP; you cannot have two services using the same port.
Try changing this port to something like 5514 and then use the same port in your firewall.
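Added example (not from this thread, and not code from the Elastic Fortinet integration): a small Python script that shows the two points made in the replies above, the port conflict on UDP/514 and what a FortiGate "format default" line looks like once it arrives over UDP. It binds a UDP listener, shows that a second bind on the same port is refused (the same failure the Agent hits when rsyslog already owns 514), then sends a constructed sample line through loopback and parses it into key=value fields. The sample line is constructed, not a real capture; the device names, IPs and the default port 5514 are assumptions. The PRI value 190 follows from the firewall config on this page: facility local7 is 23, informational severity is 6, and 23*8+6 = 190.

```python
"""Added example: FortiGate syslog line parser plus a UDP bind-conflict check.
Not part of the original thread or of the Elastic Fortinet integration."""
import re
import socket

# Constructed sample (not a real capture). FortiGate "format default" emits
# key=value pairs; with "set facility local7" the PRI is 23*8 + severity,
# so an informational (6) message carries <190>.
SAMPLE_LINE = (
    '<190>date=2024-05-01 time=10:15:30 devname="FGT-EDGE" '
    'devid="FGT60FTK00000000" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.1.1.25 '
    'srcport=51234 dstip=203.0.113.10 dstport=443 proto=6 '
    'action="accept" policyid=7 msg="allowed by policy, with comma"'
)

PRI_RE = re.compile(r"^<(\d{1,3})>")
# A key, then either a double-quoted value (group 3) or a bare token (group 2).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_pri(line):
    """Split the syslog PRI header into (facility, severity, remainder)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no syslog PRI header; is this really a syslog line?")
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]


def parse_fortigate(line):
    """Turn one FortiGate syslog line into a dict of its key=value fields."""
    facility, severity, body = parse_pri(line)
    fields = {}
    for m in KV_RE.finditer(body):
        key, bare, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    fields["_facility"] = facility  # 23 == local7, as set on the firewall
    fields["_severity"] = severity
    return fields


def bind_udp(port, host="127.0.0.1"):
    """Bind a UDP listener; return None if the port is already taken
    (EADDRINUSE, e.g. rsyslog on 514) or not permitted (EACCES below 1024)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        print(f"cannot bind udp/{port}: {exc}")
        sock.close()
        return None
    return sock


def receive_one(sock, timeout=2.0):
    """Receive one datagram and parse it as a FortiGate line."""
    sock.settimeout(timeout)
    data, _ = sock.recvfrom(65535)
    return parse_fortigate(data.decode("utf-8", errors="replace"))


def demo(port=0):
    """Bind a listener (port 0 = any free port), show that a second bind on
    the same port fails the way the Agent's bind fails next to rsyslog on 514,
    then send the sample line through loopback and parse what arrives.
    Returns (conflict_detected, parsed_fields)."""
    listener = bind_udp(port)
    if listener is None:
        raise RuntimeError("could not bind a listener at all")
    bound_port = listener.getsockname()[1]
    second = bind_udp(bound_port)  # expected: None, port already in use
    conflict = second is None
    if second is not None:
        second.close()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(SAMPLE_LINE.encode(), ("127.0.0.1", bound_port))
        fields = receive_one(listener)
    finally:
        sender.close()
        listener.close()
    return conflict, fields


if __name__ == "__main__":
    # Assumed port 5514 here, matching the suggestion in the reply above;
    # run it on the syslog host with 514 instead to reproduce the conflict.
    conflict, fields = demo(5514)
    print("second bind on the same port refused:", conflict)
    print(fields["devname"], fields["srcip"], "->", fields["dstip"], fields["action"])
```

Running `demo(514)` as root on a host where rsyslog (or syslog-ng) is already bound to UDP/514 prints the EADDRINUSE error from `bind_udp`, which is the conflict the reply describes; moving the Agent's UDP input and the firewall's `set port` to 5514 avoids it. If you prefer the file route instead, the assumption is that your syslog daemon is rsyslog, in which case a rule such as `if $fromhost-ip == 'X.X.X.X' then { action(type="omfile" file="/var/log/fortigate.log") stop }` (with the firewall's source IP) keeps the FortiGate lines in their own file for the integration's log-file input to read.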