I’ve been experimenting with getting FortiManager and FortiGate logs into Elasticsearch for centralized analysis and visualization. The main goal is to have all network and security events searchable in one place using Kibana dashboards. So far, I’ve tried forwarding logs via syslog directly from FortiGate to a Logstash pipeline, which works fine for basic traffic and event data. However, when it comes to FortiManager, the log format appears to be slightly different, and I’m not getting clean field mappings in Elasticsearch.
Has anyone configured this integration successfully?
I’m curious whether using CEF or JSON output from FortiManager helps make the data cleaner in Elasticsearch. Also, any advice on filters or field mapping would be appreciated. While going through FCP - FortiManager 7.6 Administrator exam material on Pass4Future, I noticed a few scenarios describing centralized log management setups with third-party analytics tools. That actually pushed me to try Elastic as a data sink, but the real-world configuration is proving trickier than expected.
If anyone has tuned Grok patterns or Ingest pipelines for Fortinet logs, please share what worked for you. It could really help others trying to link FortiManager with Elastic for unified monitoring.
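Added example, not part of the post above and not Fortinet's or Elastic's code: a small Python normalizer showing why the two formats need different parsers and how both can land on the same field names. FortiGate syslog is a flat `key=value` body (quoted values may contain spaces), while CEF output has a seven-field pipe-separated header followed by an extension of `key=value` pairs where values are delimited only by the next ` key=` and use `\=`, `\|` and `\\` as escapes, which is the part a plain Grok or `kv` split tends to mangle. Both sample lines are constructed, the `devid` value is a placeholder, and the `fortinet.*` namespace for unmapped keys is an assumption; the ECS targets (`source.ip`, `destination.port`, `event.action`, `event.code`, `observer.*`) are standard ECS fields. In Logstash the equivalent work is done by the `kv` filter and the `cef` codec, and in an ingest pipeline by the `kv` processor, but seeing the rules spelled out makes it easier to tune them.

```python
import re
from typing import Any, Dict

# Constructed sample lines (not captured from real devices). The first follows the
# FortiGate key=value syslog layout, the second the CEF header/extension layout.
FORTIGATE_KV_LINE = (
    'date=2024-05-01 time=12:34:56 devname="fw-edge-01" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 srcport=51234 dstip=203.0.113.10 dstport=443 proto=6 '
    'action="accept" policyid=7 msg="traffic allowed by policy"'
)
CEF_LINE = (
    'CEF:0|Fortinet|FortiManager|7.6|0000000013|traffic forward|3|'
    'src=10.0.0.5 spt=51234 dst=203.0.113.10 dpt=443 proto=TCP act=accept '
    'msg=traffic allowed\\= yes cs1Label=policyid cs1=7'
)

# key=value or key="value with spaces"; a backslash escapes a quote inside quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# CEF extension: a value runs until the next " key=" or end of line;
# "\=" and "\\" inside a value are escapes, not delimiters.
CEF_EXT_RE = re.compile(r'(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)')
CEF_HEADER_KEYS = ("cef_version", "device_vendor", "device_product",
                   "device_version", "signature_id", "name", "severity")

# Assumed mapping from vendor field names to ECS names (both formats covered).
ECS_MAP = {
    "srcip": "source.ip", "srcport": "source.port",
    "dstip": "destination.ip", "dstport": "destination.port",
    "action": "event.action", "logid": "event.code", "devname": "observer.name",
    "src": "source.ip", "spt": "source.port",
    "dst": "destination.ip", "dpt": "destination.port",
    "act": "event.action", "signature_id": "event.code",
    "device_product": "observer.product", "device_vendor": "observer.vendor",
}
INT_FIELDS = {"source.port", "destination.port"}


def parse_fortigate_kv(line: str) -> Dict[str, str]:
    """Parse a FortiGate-style key=value syslog body into a flat dict."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def parse_cef(line: str) -> Dict[str, str]:
    """Parse a CEF line into its seven header fields plus the extension pairs."""
    body = line[len("CEF:"):]
    # Split on pipes that are not escaped; the 8th piece is the whole extension.
    parts = re.split(r'(?<!\\)\|', body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = {k: v.replace('\\|', '|') for k, v in zip(CEF_HEADER_KEYS, parts[:7])}
    ext = {k: v.replace('\\=', '=').replace('\\\\', '\\')
           for k, v in CEF_EXT_RE.findall(parts[7])}
    # Resolve custom-string pairs: cs1Label=policyid cs1=7 becomes policyid=7.
    for key, label in list(ext.items()):
        if key.endswith("Label") and key[:-5] in ext:
            ext[label] = ext.pop(key[:-5])
            ext.pop(key)
    fields.update(ext)
    return fields


def normalize(line: str) -> Dict[str, Any]:
    """Detect the format, parse it, and rename fields to ECS names.

    Keys without an ECS mapping are kept under an assumed fortinet.* namespace
    so nothing is silently dropped.
    """
    is_cef = line.startswith("CEF:")
    raw = parse_cef(line) if is_cef else parse_fortigate_kv(line)
    event: Dict[str, Any] = {"fortinet.log_format": "cef" if is_cef else "kv"}
    for key, value in raw.items():
        ecs = ECS_MAP.get(key)
        if ecs in INT_FIELDS:
            value = int(value)
        event[ecs or f"fortinet.{key}"] = value
    return event


if __name__ == "__main__":
    for sample in (FORTIGATE_KV_LINE, CEF_LINE):
        print(normalize(sample))
```

The useful check is the last one in the test: after normalization the `source.*`, `destination.*` and `event.*` keys carry identical values for both lines, which is what a Kibana dashboard needs regardless of whether FortiGate sends key=value syslog or FortiManager sends CEF.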