[Working example]Fortigate config for Logstash

Hi,

I've been working on a Logstash filter for Fortigate syslogs and I finally have it working. I noticed a lot of people on this board and other places asking for a Fortigate config so I decided to upload mine here. Hopefully the board search and Google search pick this up so others can use it.

Thanks to @magnusbaeck for all the help.

Readme

  • This config expects you have csv output set to enable on your Fortigate.
  • Tested on FortiOS 5.2 but should work on other versions as well.
  • For some reason certain fields get a bit messed up, I've seen fields renamed as tran_sdip while the Fortigate documentation shows it should be transdip (from memory, example might be wrong but I definitely show some field naming issues so compare the fields Elasticsearch is creating with the Fortigate documentation if you need to). I might look into what is causing this later.
  • I'm sure this isn't the best or fastest way to processes Fortigate logs but it works. Feel free to make modifications.
input {
   udp {
     port => 9910
     type => "forti_log"
     tags => ["location_a"]
  }
}


filter {
#The Fortigate syslog contains a type field as well, we'll need to rename that field in order for this to work
 if [type] == "forti_log" {

	grok {
			match => ["message", "%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"]
			overwrite => [ "message" ]
			tag_on_failure => [ "forti_grok_failure" ]
		}


        kv {
    source => "message"
    value_split => "="
#Expects you have csv enable set on your Fortigate. If not I think you'll have to change it to " " but I didn't test that.
    field_split => ","
}

    mutate {
#I want to use the timestamp inside the logs instead of Logstash's timestamp so we'll first create a new field containing the date and time fields from the syslog before we convert that to the @timestamp field
    add_field => { "temp_time" => "%{date} %{time}" }
#The syslog contains a type field which messes with the Logstash type field so we have to rename it.
    rename => { "type" => "ftg_type" }
    rename => { "subtype" => "ftg_subtype" }
    add_field => { "type" => "forti_log" }
    convert => { "rcvdbyte" => "integer" }
    convert => { "sentbyte" => "integer" }
}

date {
    match => [ "temp_time", "yyyy-MM-dd HH:mm:ss" ]
    timezone => "UTC"
    target => "@timestamp"
    }

    mutate {
#add/remove fields as you see fit.
    remove_field => ["syslog_index","syslog5424_pri","path","temp_time","service","date","time","sentpkt","rcvdpkt","log_id","message","poluuid"]
}
}
}


output {
if [type] == "forti_log" {
elasticsearch {
hosts => "yourip:9200"
http_compression => "true"
index => "forti-%{+YYYY.MM.dd}"
}
}
}
5 Likes

Thanks for sharing this!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.