A FortiGate (v7) firewall is sending the logs to the Logstash server, which sends them on to the Elasticsearch server; even so, I can receive the logs from the firewall. But I can't see the logs referring to the IPS; I noticed that they are not being sent to the Logstash server. I already enabled the firewall to send all the logs.
Below is a screenshot of the firewall and Logstash settings.
For FortiGate log collection, I recommend the Elastic Agent Fortinet integration:
This way, the fields are already normalized to ECS.
Another thing you mentioned is the logs of IPS actions. This information needs to be configured on your equipment when sending the logs. Once everything is well configured, the field that receives this information is fortinet.firewall.attack. Here, I've even created a detection rule to alert you when an IPS rule kicks in.
It is also possible to use Filebeat to collect logs from Fortinet solutions:
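To make the point about the IPS field concrete, here is an added example (not from the original post or from the Elastic integration): it parses constructed FortiGate-style key=value syslog lines, maps the raw `attack` key to `fortinet.firewall.attack`, and applies the same detection condition a rule would use (the field is present). The sample log values and the small set of mapped keys are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample FortiGate syslog lines (not real traffic).
# Line 1 is an ordinary traffic log; line 2 is a UTM/IPS event whose raw
# "attack" key is the source of the ECS field fortinet.firewall.attack.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:00 devname="FGT-1" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=10.0.1.9 action="accept"',
    'date=2024-01-01 time=10:00:05 devname="FGT-1" type="utm" subtype="ips" '
    'eventtype="signature" severity="high" srcip=10.0.0.5 dstip=10.0.1.9 '
    'attack="Example.Signature.Name" attackid=12345 action="dropped"',
]

# key=value pairs; values are double-quoted (may contain spaces) or bare tokens.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value syslog line into a flat dict."""
    fields = {}
    for m in _KV_RE.finditer(line):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[m.group(1)] = value
    return fields

def to_ecs(raw: Dict[str, str]) -> Dict[str, str]:
    """Rename the raw keys this example cares about to the dotted names used by
    the Elastic Fortinet integration (assumption: only these three are mapped)."""
    mapping = {"attack": "fortinet.firewall.attack",
               "type": "fortinet.firewall.type",
               "subtype": "fortinet.firewall.subtype"}
    return {ecs_name: raw[key] for key, ecs_name in mapping.items() if key in raw}

def is_ips_detection(ecs: Dict[str, str]) -> bool:
    """Detection condition: the IPS attack field is present and non-empty.
    The equivalent KQL filter in a Kibana rule would be: fortinet.firewall.attack : *"""
    return bool(ecs.get("fortinet.firewall.attack"))

def find_ips_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return the ECS-shaped events that would trigger the IPS rule."""
    events = (to_ecs(parse_fortigate_line(line)) for line in lines)
    return [e for e in events if is_ips_detection(e)]

if __name__ == "__main__":
    for event in find_ips_events(SAMPLE_LOGS):
        print("IPS alert:", event["fortinet.firewall.attack"])
```

If the second kind of line never reaches Logstash, the field is never populated and the rule stays silent, which is the situation the question describes.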
Hello Wagner, thank you very much for your explanation; it cleared up my doubts. Regarding your "Fortinet IPS Detect Attack" rule, is it available in version 8.8.1? If not, could you share the filter you used? Thank you very much in advance.
Note: I'm a fan of your LinkedIn posts on the subject.
I'm grateful for the feedback. The filter that I applied to the rule can also be used in version 8.8.1, provided that this field is being populated when data arrives from your firewall.
For anything else, message me on LinkedIn and we can exchange ideas.