Hi, I need a bit of help from those wiser.
I've built a virtual machine log server that runs on Ubuntu. The log server has an ELK stack installed through which logs from other virtual machines (normal Ubuntu and Windows Server) are already passing. The problem is that I can't get any logs from FortiGate into Logstash on the log server; the /var/log/logstash/logstash-plain.log file doesn't show any information about the FortiGate logs. I have set the virtual machine's IP address and the port 5144, which I use in the Logstash configuration file, from the firewall's management panel. I've also modified the virtual machine's NAT port forwarding settings. I wonder where the problem might be and where I could ask for help.
Can you share the FortiGate syslog configuration?
Have you opened UDP 5144 on the Ubuntu firewall? Something like
sudo ufw allow 5144/udp if it's a recent version of Ubuntu.
For troubleshooting, your next step might be taking a packet capture on the FortiGate to verify that it's sending traffic and a packet capture on the Ubuntu host to make sure that it's receiving the traffic.
Yes, I have opened UDP 5144 in the Ubuntu firewall. Here are some screenshots. I can ping the FortiGate from Linux, but I cannot ping Linux from the FortiGate CLI console.
"wan out" in the last screenshot, I think, means it is trying to send the syslog out the WAN interface. Is your WAN also a 192 address space?
You could try adding a static route to the firewall for the syslog server to use the right interface or you can configure syslog over a specific IP and interface:
config log syslogd setting
set source-ip y.y.y.y
end
with source-ip being the inside interface IP on the FortiGate.
If that doesn't work, you can also try (inside the same config log syslogd setting block):
set interface-select-method specify
set interface "<inside interface to syslog server>"
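To confirm that FortiGate datagrams actually reach the Ubuntu host on UDP 5144 before blaming Logstash, here is a small stand-alone listener and parser for FortiGate's key=value syslog format. It is an added example, not code from this thread or from Fortinet or Elastic; the sample log line, device names and function names are constructed, and because only one process can own the UDP port you must stop Logstash (or use another port) before running receive_one().

```python
# Added example, not from the thread: a minimal UDP listener and parser for
# FortiGate's key=value syslog format, to confirm datagrams reach the host on
# 5144 independently of Logstash. Names and sample values are constructed.
import re
import socket

# FortiGate bodies are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$', re.S)

# Constructed sample in the shape FortiGate emits (PRI 189 = local7.notice).
SAMPLE = ('<189>date=2024-05-01 time=12:00:00 devname="FGT-LAB" '
          'devid="FGT-PLACEHOLDER" logid="0000000013" type="traffic" '
          'subtype="forward" level="notice" srcip=192.168.1.10 srcport=51234 '
          'dstip=192.168.1.20 dstport=5144 proto=17 action="accept" '
          'msg="constructed sample"')

def parse_fortigate_syslog(message):
    """Return facility, severity and the key=value fields of one datagram."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("missing syslog PRI header: %r" % message[:40])
    pri, body = int(m.group(1)), m.group(2)
    fields = {key: (inner if raw.startswith('"') else raw)
              for key, raw, inner in KV_RE.findall(body)}
    return {"facility": pri // 8, "severity": pri % 8, "fields": fields}

def receive_one(bind_addr="0.0.0.0", port=5144, timeout=30.0):
    """Own the UDP port (stop Logstash first), wait for one datagram, parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((bind_addr, port))
        rx.settimeout(timeout)          # times out if the FortiGate never sends
        data, (sender_ip, _) = rx.recvfrom(65535)
    return sender_ip, parse_fortigate_syslog(data.decode("utf-8", "replace"))

def loopback_selftest():
    """Send SAMPLE to ourselves over 127.0.0.1 to prove the receive path works."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))       # ephemeral port, no clash with Logstash
        rx.settimeout(5.0)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(SAMPLE.encode(), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return parse_fortigate_syslog(data.decode())

if __name__ == "__main__":
    print("self-test devname:", loopback_selftest()["fields"]["devname"])
    sender, parsed = receive_one()      # blocks until the FortiGate sends a log
    print("datagram from", sender, "->", parsed)
```

If the self-test passes but receive_one() times out, the problem is upstream of the host (FortiGate egress interface, routing or NAT forwarding), not Logstash; if a datagram arrives from an unexpected source IP, that is the address Logstash's input will see.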