I'm trying to analyze Fortinet FortiGate logs with the Filebeat module "Fortinet". The only information and solutions I found about this were topics from 2019-2020 with Filebeat version 7.5, which was way too long ago.
I get the logs via syslog and send all of them into a specific file with rsyslog:
# rsyslog: write everything received from the FortiGate (10.10.10.10) to its own file
# and stop processing so the lines do not also land in the default log files
if ($fromhost-ip == '10.10.10.10') then {
    action(type="omfile" file="/var/log/fortinet.log")
    stop
}
And it works well.
In the Fortinet module I did:
# modules.d/fortinet.yml
- module: fortinet
  firewall:
    enabled: true
    # read the file written by rsyslog instead of listening on a syslog port
    var.input: "file"
    var.paths: ["/var/log/fortinet.log"]
    var.tags: [fortinet-firewall, forwarded]
Which is working, I have no issue with the service and no error is showing up.
The thing is that in the documentation, both the module and the integration for Elastic are saying:
But my FortiGate is in version 7.2.x
Does anyone have an issue with the module, and is there any modification needed to make this error disappear?
Currently, I receive the logs and they are processed by Filebeat, but it doesn't do anything: it's not adding the data into the designated fields. It just adds an "error.message" field with the sentence "Provided expression do not match field value".
Just after that there is the whole log line, which I'm not showing because of the information it contains.
Hope someone can help.