- Where is Filebeat installed? Is it installed on your ELK server?
Filebeat installation locations on Ubuntu: /usr/bin/filebeat, /etc/filebeat, /usr/share/filebeat
It is installed on the same server where ELK was installed.
2. If Filebeat is installed on your ELK server, you say that you did packet sniffing to validate that the firewall was sending logs to the ELK server.
Yes, I did the packet sniffing from my firewall to check that syslog sends data to the ELK server.
2.1 Did you validate that it was sending to the correct port (514) and protocol (udp)?
Yes.
2.2 Did you validate that the ELK server was actually receiving the packets with something like tcpdump?
Yes. I did the packet sniffing on the ELK server using Wireshark and I could see the data received on the UDP port on the ELK server, using the filter udp.port == 514.
- If you validate that both 2.1 and 2.2 are working as intended, I'd then say configure Filebeat to listen on 0.0.0.0, just to keep things simple. If both 2.1 and 2.2 are true, and Filebeat is listening on 0.0.0.0:
Yes, I configured the Fortinet module in Filebeat. I configured output.elasticsearch in the filebeat.yml file.
3.1 What do the Filebeat logs show when you start it up?
Below are the contents of the Filebeat log file from /var/log/filebeat:
{"log.level":"info","@timestamp":"2022-02-21T15:37:54.508+0530","log.origin":{"file.name":"instance/beat.go","file.line":679},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T15:37:54.509+0530","log.origin":{"file.name":"instance/beat.go","file.line":687},"message":"Beat ID: e7ebe7ac-88da-4bdb-9fe7-d02e1ada5f7f","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-02-21T15:37:57.511+0530","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":80},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
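The steps above prove that datagrams reach the ELK host on UDP 514, but not that a process is actually bound to that port on a non-loopback address. The following is an added example, not code from the original thread, from Elastic or from Filebeat: it parses `ss -lunp` output to report whether anything listens on the port and whether it is bound to 127.0.0.1 only, and it runs a loopback send/receive test against a 0.0.0.0 listener. The `ss` output, port numbers and the syslog line are constructed for illustration and are not taken from the poster's system.

```python
"""Two listen-side checks for 'packets arrive but Filebeat sees nothing'.

Added example, not part of the original post. The sample `ss -lunp` output
and the syslog datagram below are constructed, not captured from a real host.
"""
import re
import socket

# Constructed `ss -lunp` output. The 514 row is bound to loopback only, and
# a Filebeat listener sits on a different port (9004): two ways for packets
# sent to <LAN IP>:514 to be silently discarded.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:514      0.0.0.0:*         users:(("rsyslogd",pid=812,fd=5))
UNCONN 0      0      0.0.0.0:9004       0.0.0.0:*         users:(("filebeat",pid=1420,fd=9))
UNCONN 0      0      [::]:9004          [::]:*            users:(("filebeat",pid=1420,fd=10))
"""

# UNCONN <recv-q> <send-q> <local addr>:<port> <peer> [process info]
_SS_LINE = re.compile(r"^UNCONN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}


def parse_udp_listeners(ss_output):
    """Return {port: [(local_addr, process_name_or_'')]} from `ss -lunp` text."""
    listeners = {}
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        addr, port, rest = m.group(1), int(m.group(2)), m.group(3)
        proc = re.search(r'users:\(\("([^"]+)"', rest)
        listeners.setdefault(port, []).append((addr, proc.group(1) if proc else ""))
    return listeners


def listener_problem(ss_output, port):
    """Return a diagnosis string if datagrams to `port` would be dropped,
    or None when a listener is bound to a non-loopback address."""
    bound = parse_udp_listeners(ss_output).get(port, [])
    if not bound:
        return f"nothing is listening on UDP {port}; packets arrive and are discarded"
    if {a for a, _ in bound} <= LOOPBACK_ADDRS:
        procs = ", ".join(sorted({p for _, p in bound if p})) or "unknown process"
        return f"UDP {port} is bound to loopback only by {procs}; set the listener to 0.0.0.0"
    return None


def loopback_syslog_test(port=0, message=None):
    """Bind 0.0.0.0:port (0 = ephemeral, so no root needed), send one syslog
    datagram to it via 127.0.0.1 and return the received text.
    Raises socket.timeout if nothing arrives within two seconds."""
    if message is None:
        # Constructed RFC 3164-style line with key=value fields; not a real event.
        message = "<134>Feb 21 15:37:54 fw01 date=2022-02-21 time=15:37:54 type=traffic"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("0.0.0.0", port))
        rx.settimeout(2.0)
        bound_port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(message.encode(), ("127.0.0.1", bound_port))
        data, _ = rx.recvfrom(65535)
    return data.decode()


if __name__ == "__main__":
    for p in (514, 9004):
        print(p, listener_problem(SAMPLE_SS_OUTPUT, p) or "listener OK")
    print("loopback received:", loopback_syslog_test())
```

On the real host, feed `ss -lunp` output into `listener_problem()` for the port the firewall sends to; if the firewall sends to 514 and Filebeat is listening elsewhere, or only on 127.0.0.1, the packets seen in Wireshark are dropped before Filebeat ever sees them. Binding to a port below 1024 needs root or CAP_NET_BIND_SERVICE, which is another reason a Filebeat listener on 514 may silently fail to start.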