Ship FortiGate logs to ELK 6.8.6 with TLS enabled

Hi,

I'm trying to ship FortiGate 6.0 logs to ELK 6.8.6.

With the udp input plugin everything works fine on another ELK 6.8.6 stack without TLS: I can see all the logs in Kibana.

If I enable the tcp input plugin with a certificate and TLS on ELK 6.8.6, I can't see any FortiGate logs in Kibana.

However, syslog logs from a Linux server work fine with TLS on the ELK stack.

No relevant errors in the logs, except for something related to the timestamp mapping in ES.

Here is my FortiGate config:

status : enable
server : 192.168.XXX.XXX
mode : reliable
port : 5044
facility : local7
source-ip :
format : default
enc-algorithm : high-medium
ssl-min-proto-version: default
certificate : elastic-stack-ca

My logstash conf file:

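# Logstash pipeline: FortiGate syslog over TLS (FortiOS "reliable" mode) -> Elasticsearch 6.8.
input {
  tcp {
    port => 5044
    type => firewall
    ssl_enable => true
    ssl_key => '/etc/logstash/logstash.key'
    ssl_cert => '/etc/logstash/logstash.crt'
    ssl_certificate_authorities => '/etc/logstash/elastic-ca.pem'
    # ssl_verify => false means no client certificate is required: anything that can
    # reach TCP/5044 can write into the fortigate-* indices (log injection). Switch to
    # true once the FortiGate presents a client certificate issued by elastic-ca.pem;
    # left false here so the current setup keeps connecting.
    ssl_verify => false
    # NOTE(review): FortiOS "reliable" mode is RFC 6587 syslog-over-TCP. If the firewall
    # uses octet-counting framing ("123 <189>...") rather than newline-delimited frames,
    # the default line codec never finds a line end and emits nothing. To confirm,
    # temporarily set enc-algorithm disable on the FortiGate and look at the raw
    # stream with tcpdump before debugging the filters below.
  }
}

filter {
  if [type] == "firewall" {
    mutate {
      add_tag => ["fortigate"]
    }
    # Strip the syslog PRI ("<189>") so the remainder is pure key=value text.
    grok {
      break_on_match => false
      match => ["message", "%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"]
      overwrite => [ "message" ]
      tag_on_failure => [ "failure_grok_fortigate" ]
    }
    # FortiGate logs are key=value pairs; kv writes them to the event root.
    kv { }
    if [msg] {
      mutate {
        replace => [ "message", "%{msg}" ]
      }
    }
    # One convert hash (the documented form) instead of repeating the option key.
    mutate {
      convert => {
        "duration"     => "integer"
        "rcvdbyte"     => "integer"
        "rcvdpkt"      => "integer"
        "sentbyte"     => "integer"
        "sentpkt"      => "integer"
        "cpu"          => "integer"
        "disk"         => "integer"
        "disklograte"  => "integer"
        "fazlograte"   => "integer"
        "mem"          => "integer"
        "totalsession" => "integer"
      }
    }
    # add_field runs before remove_field within a mutate, so date/time are still
    # available when logTimestamp is built.
    mutate {
      add_field => {
        "logTimestamp" => "%{date} %{time}"
        "loglevel"     => "%{level}"
      }
      replace => {
        "fortigate_type"    => "%{type}"
        "fortigate_subtype" => "%{subtype}"
      }
      remove_field => [ "msg", "level", "date", "time" ]
    }
    # NOTE(review): date/time are the firewall's local clock; if it is not in the
    # Logstash host's zone, add timezone => "..." here or @timestamp will be skewed.
    date {
      locale => "en"
      match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss"]
      remove_field => ["logTimestamp", "year", "month", "day", "time", "date"]
      #add_field => ["type", "syslog"]
    }
    # Session-clash events carry old/new policy state as a single string; split it out.
    if [status] == "clash" {
      grok {
        match => { "new_status" => "state=%{GREEDYDATA:new_status_state1} tuple-num=%{GREEDYDATA:new_status_tuple-num1} policyid=%{GREEDYDATA:new_status_policyid1} identidx=%{GREEDYDATA:new_status_identidx1} dir=%{GREEDYDATA:new_status_dir1} act=%{GREEDYDATA:new_status_act1} hook=%{GREEDYDATA:new_status_hook1} dir=%{GREEDYDATA:new_status_dir2} act=%{GREEDYDATA:new_status_act2} hook=%{GREEDYDATA:new_status_hook2} dir=%{GREEDYDATA:new_status_dir3} act=%{GREEDYDATA:new_status_act3} hook=%{GREEDYDATA:new_status_hook3}" }
      }
      grok {
        match => { "old_status" => "state=%{GREEDYDATA:old_status_state1} tuple-num=%{GREEDYDATA:old_status_tuple-num1} policyid=%{GREEDYDATA:old_status_policyid1} identidx=%{GREEDYDATA:old_status_identidx1} dir=%{GREEDYDATA:old_status_dir1} act=%{GREEDYDATA:old_status_act1} hook=%{GREEDYDATA:old_status_hook1} dir=%{GREEDYDATA:old_status_dir2} act=%{GREEDYDATA:old_status_act2} hook=%{GREEDYDATA:old_status_hook2} dir=%{GREEDYDATA:old_status_dir3} act=%{GREEDYDATA:old_status_act3} hook=%{GREEDYDATA:old_status_hook3}" }
      }
    }
  }
}

output {
  if "fortigate" in [tags] {
    elasticsearch {
      hosts => [ "https://logserver-dev1:9200", "https://logserver-dev2:9200" ]
      index => "fortigate-%{+YYYY.MM.dd}"
      user => "logstash_internal"
      # Keep the password out of the pipeline file:
      #   bin/logstash-keystore add LOGSTASH_INTERNAL_PW
      password => "${LOGSTASH_INTERNAL_PW}"
      cacert => '/etc/logstash/elastic-ca.pem'
      # Verify the ES server certificate against the CA above. With verification off,
      # the cacert setting is pointless and the credentials go to whoever answers on 9200.
      ssl_certificate_verification => true
      ssl => true
    }
  }
  # Writes to the Logstash process's stdout: when run as a systemd service that is
  # the journal (journalctl -u logstash), not Kibana and not logstash-plain.log.
  stdout { codec => rubydebug }
}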

This directive:

stdout { codec => rubydebug }

seems to have no effect: I can't get any debug output and, most importantly, I can't see anything in Kibana!

Any support will be appreciated :slight_smile:
