I'm using filebeat with elastic and kibana to manage my fortinet (7.2.4) logs.
I cannot understand how to create a dashboard that is showing me how much traffic a host is doing.
I thought that I could use destination.bytes as the field, so that by executing a sum of all the destination.bytes fields generated from a host, I could have an idea of how much traffic it did in, let's say, 15 minutes.
In my mind, if a client has to download 1 GB of data from a remote site, the sum of the field destination.bytes of all the logs concerning the transfer would have resulted in a grand total of 1 GB.
But as far as I can see, if I try to download a 1 GB file from a remote site, there are many log entries concerning it with the destination.bytes field valued with "1 GB" "880Mb" "1GB"... It seems that that field doesn't represent the actual data transferred, so the sum of 20 lines of logs results in something like 20 GB.
Where am I wrong? How can I check the actual traffic of a host that shows me the actual traffic done?
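
An added example, not part of the original post: it assumes destination.bytes is a running total for a session that is repeated on each log line of that session, and compares the per-line sum from the post with a per-session calculation, optionally limited to a time window. The events are constructed, and `t` and `session_id` are hypothetical keys standing in for the timestamp and for whichever field identifies a single firewall session in your index.

```python
from collections import defaultdict

MB = 1024 * 1024
# Constructed events, not real logs. "t" is seconds; "session_id" is hypothetical.
EVENTS = [
    {"t": 100, "source.ip": "10.0.0.5", "session_id": 101, "destination.bytes": 300 * MB},
    {"t": 400, "source.ip": "10.0.0.5", "session_id": 101, "destination.bytes": 880 * MB},
    {"t": 700, "source.ip": "10.0.0.5", "session_id": 101, "destination.bytes": 1024 * MB},
    {"t": 710, "source.ip": "10.0.0.5", "session_id": 101, "destination.bytes": 1024 * MB},
    {"t": 720, "source.ip": "10.0.0.5", "session_id": 102, "destination.bytes": 5 * MB},
    {"t": 730, "source.ip": "10.0.0.7", "session_id": 101, "destination.bytes": 2 * MB},
    {"t": 740, "source.ip": "10.0.0.7", "session_id": 103},  # no byte counter: skipped
]

def naive_sum(events):
    """Sum destination.bytes over every log line (the approach in the post)."""
    totals = defaultdict(int)
    for e in events:
        totals[e["source.ip"]] += e.get("destination.bytes", 0)
    return dict(totals)

def per_session_sum(events, start=None, end=None):
    """Per host, add up each session's counter growth inside [start, end):
    highest value seen before `end` minus highest value seen before `start`."""
    before = defaultdict(int)  # (host, session) -> max counter before the window
    upto = defaultdict(int)    # (host, session) -> max counter up to window end
    for e in events:
        if "destination.bytes" not in e:
            continue
        if end is not None and e["t"] >= end:
            continue
        # Session ids are only assumed unique per host, so key on both.
        key = (e["source.ip"], e["session_id"])
        upto[key] = max(upto[key], e["destination.bytes"])
        if start is not None and e["t"] < start:
            before[key] = max(before[key], e["destination.bytes"])
    totals = defaultdict(int)
    for key, value in upto.items():
        totals[key[0]] += value - before[key]
    return dict(totals)

if __name__ == "__main__":
    print("per-line sum   :", naive_sum(EVENTS))
    print("per-session sum:", per_session_sum(EVENTS))
    print("window 400-720 :", per_session_sum(EVENTS, start=400, end=720))
```

If the assumption does not hold for your logs (for example, each line carries only the bytes since the previous line), the per-line sum is the right one and this calculation undercounts.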