I've been trying to get this working for the past 3 weeks, and have read literally every forum post, reddit post, etc., on this. I'm spinning my wheels and can't figure out what is going wrong.
I've tried using Filebeat --> ES with the Fortinet plugin, and Filebeat --> Logstash --> ES, and both result in the same thing. I see data, but the 'message' field isn't parsed, so I can't visualize anything worthwhile.
Here is my Fortinet syslog setup:
config log syslogd2 setting
    set status enable
    set server "10.100.11.50"
    set mode reliable
    set port 5513
    set facility local7
    set source-ip 0.0.0.0
    set format default
    set priority default
    set max-log-rate 0
    set enc-algorithm disable
    set interface-select-method auto
end
config log syslogd2 filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter ''
    set filter-type include
end
Filebeat Config (going to ES)
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
Filebeat Config (when going to Logstash):
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5522"]
Logstash Config:
input {
  beats {
    port => 5522
  }
}
output {
  elasticsearch {
    pipeline => "%{[@metadata][pipeline]}"
    hosts => ["localhost:9200"]
    index => "fortios-%{+YYYY.MM.dd}"
  }
}
Pipelines were injected just fine:
Fields are populating, but 'message' isn't parsed out:
Also, probably unrelated, but even the fields/message data is just showing information for one machine - the syslog/ELK server. Based on my config, I'd imagine that ALL logs from all traffic/machines should be sent. It's just data for this one machine - not sure why. Message field still not parsed, but there should be a LOT more data flowing through too.
Not sure what I'm missing. Any suggestions/ideas? I'm completely lost.