Hi,
I've been working on a Logstash filter for Fortigate syslogs and I finally have it working. I noticed a lot of people on this board and other places asking for a Fortigate config so I decided to upload mine here. Hopefully the board search and Google search pick this up so others can use it.
Thanks to @magnusbaeck for all the help.
Readme
- This config expects you have csv output set to enable on your Fortigate.
- Tested on FortiOS 5.2 but should work on other versions as well.
- For some reason certain fields get a bit messed up, I've seen fields renamed as tran_sdip while the Fortigate documentation shows it should be transdip (from memory, example might be wrong but I definitely show some field naming issues so compare the fields Elasticsearch is creating with the Fortigate documentation if you need to). I might look into what is causing this later.
- I'm sure this isn't the best or fastest way to processes Fortigate logs but it works. Feel free to make modifications.
input {
udp {
port => 9910
type => "forti_log"
tags => ["location_a"]
}
}
filter {
#The Fortigate syslog contains a type field as well, we'll need to rename that field in order for this to work
if [type] == "forti_log" {
grok {
match => ["message", "%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"]
overwrite => [ "message" ]
tag_on_failure => [ "forti_grok_failure" ]
}
kv {
source => "message"
value_split => "="
#Expects you have csv enable set on your Fortigate. If not I think you'll have to change it to " " but I didn't test that.
field_split => ","
}
mutate {
#I want to use the timestamp inside the logs instead of Logstash's timestamp so we'll first create a new field containing the date and time fields from the syslog before we convert that to the @timestamp field
add_field => { "temp_time" => "%{date} %{time}" }
#The syslog contains a type field which messes with the Logstash type field so we have to rename it.
rename => { "type" => "ftg_type" }
rename => { "subtype" => "ftg_subtype" }
add_field => { "type" => "forti_log" }
convert => { "rcvdbyte" => "integer" }
convert => { "sentbyte" => "integer" }
}
date {
match => [ "temp_time", "yyyy-MM-dd HH:mm:ss" ]
timezone => "UTC"
target => "@timestamp"
}
mutate {
#add/remove fields as you see fit.
remove_field => ["syslog_index","syslog5424_pri","path","temp_time","service","date","time","sentpkt","rcvdpkt","log_id","message","poluuid"]
}
}
}
output {
if [type] == "forti_log" {
elasticsearch {
hosts => "yourip:9200"
http_compression => "true"
index => "forti-%{+YYYY.MM.dd}"
}
}
}