I am required to pull logs from the firewall (Fortigate) and Office 365. I have registered the application on Microsoft Azure for Office 365 and assigned permissions (Office 365 Management API: ActivityFeed.Read, ActivityFeed.ReadDlp), but I am not receiving logs even though I have granted consent in Azure. For Fortigate, I have provisioned the VM and installed an agent; the agent has been enrolled in Fleet, but it is only ingesting the VM's Windows events and not the firewall logs. Kindly assist in resolving the issue.
Hi,
You can find logs from the Elastic agent which might help you with these problems in Kibana. At Assets→Agents, select your agent, and then view the Logs tab. There may be error logs here that explain the problems. For Office365, errors such as “Unauthorized” or “Forbidden” indicate your credentials are not set up correctly, or other integration settings, such as Tenant ID are not correct.
For Fortigate, if you don’t see any errors in the logs, syslog may not be set up correctly, either in Fortigate or in the integration settings. Logs are collected by the Elastic agent running as a syslog server. So to fix the issue you’re experiencing, you’ll need to ensure the syslog data is being sent and received correctly between the Fortigate appliance and your VM. First, you’ll need to confirm Fortigate is configured to write syslog to your VM address, and the network port the Elastic agent will listen on. Next, in your integration settings in Kibana, confirm the integration is configured to listen for syslog on the same protocol and port you configured in Fortigate (I believe UDP is the default protocol for Fortigate).
If that doesn’t work, you can confirm whether syslog is being received on your VM by using a different syslog server. Stop the Elastic agent, and then start an alternative syslog server running on the same port and protocol that the integration is configured to use. If you receive logs, then you’ll know the VM can receive syslog messages, and the problem may be somewhere else in the integration configuration. If you don’t receive messages, it indicates the problem is not with the Elastic agent or its configuration. Either Fortigate isn’t configured to send messages correctly, or something else is stopping messages from being received on the system, maybe another firewall.
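The "alternative syslog server" check described in the answer above, as an added example that is not part of the original thread or of the Elastic integration: a minimal UDP listener that binds the integration's port, waits for datagrams, and parses Fortigate's `<PRI>key=value` syslog format so you can see at a glance whether anything from the appliance is reaching the VM. The port 9004 and the sample message are assumptions (the sample is constructed; use whatever port your integration is configured for).

```python
import re
import socket
import sys

# Constructed sample of a Fortigate-style syslog line (every value is made up).
SAMPLE = (b'<189>date=2024-01-01 time=12:00:00 devname="fw-example" '
          b'devid="FGEXAMPLE000000" logid="0000000013" type="traffic" '
          b'subtype="forward" level="notice" srcip=10.0.0.5 '
          b'dstip=203.0.113.10 action="accept"')

# key=value pairs; values are either a quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_syslog(raw: bytes) -> dict:
    """Split the <PRI> header from Fortigate's key=value body."""
    text = raw.decode("utf-8", errors="replace")
    m = re.match(r"<(\d{1,3})>(.*)", text, re.S)
    if not m:
        raise ValueError("not a syslog message (missing <PRI> header)")
    pri = int(m.group(1))
    fields = {"facility": pri // 8, "severity": pri % 8}
    for key, value in KV_RE.findall(m.group(2)):
        fields[key] = value.strip('"')
    return fields

def bind_udp(host: str = "0.0.0.0", port: int = 9004) -> socket.socket:
    """Bind the UDP port the integration listens on (9004 is an assumed default)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def receive(sock: socket.socket, count: int = 1, timeout: float = 30.0) -> list:
    """Collect up to `count` datagrams as (source_ip, parsed_fields) pairs."""
    sock.settimeout(timeout)
    received = []
    try:
        while len(received) < count:
            data, (src_ip, _) = sock.recvfrom(65535)
            received.append((src_ip, parse_fortigate_syslog(data)))
    except socket.timeout:
        pass  # nothing arrived: check Fortigate's syslog target and host firewall
    return received

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 9004
    with bind_udp(port=port) as s:  # run this only while the Elastic agent is stopped
        for src, f in receive(s, count=5):
            print(src, f.get("devname"), f.get("type"), f.get("action"))
```

An empty result after the timeout means the VM never saw a datagram on that port, which points at the Fortigate syslog settings or an intervening firewall rather than at the integration.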
