Hello, I installed Elasticsearch, Kibana and Filebeat in an Ubuntu 22.04 VM and I installed FortiGate 7.2.0 in another VM in VMware Workstation. I followed the steps to upload the Fortinet logs into Elastic and Kibana as in the first screenshot, and the data is successfully received from the Filebeat Fortinet module, but when I click on "Security App" I don't find anything.
This is my /etc/filebeat/modules.d/fortinet.yml (opened with nano):
- module: fortinet
  firewall:
    enabled: true
    # Set which input to use between tcp, udp (default) or file.
    var.input: udp
    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 192.168.37.2
    # The port to listen for syslog traffic. Defaults to 9004.
    var.syslog_port: 9004
    # Set internal interfaces. used to override parsed network.direction
    # based on a tagged interface. Both internal and external interfaces must be
    # set to leverage this functionality.
And this is my config log syslogd setting on the FortiGate:
Hello Firasbg,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hi Firasbg,
With a packet capture you should see whether FortiGate sends logs on the respective port 9004. I cannot really help on Kibana or Elasticsearch, but first I would make sure the devices receive the data from the FortiGate.
Then see whether the devices can read the data, so as to see the correct syslog format, separated correctly with correct delimiters.
Best regards,
Markus
How to do that? How to do a capture? How to see if the devices receive the FortiGate logs?
I'm new to FortiGate.
Hey Firasberg,
Regarding a capture on FortiGate, you can check as outlined in the screenshot below:
Once you click on start, the screen will show a display of the ongoing capture with some basic info; if you end the capture, you can download the resulting pcap file and look at it in Wireshark or similar.
This way you can verify if FortiGate is actually sending on port 9004.
As for checking on the receiving hosts, you should be able to use the tcpdump command in Ubuntu for example, but I'm not terribly familiar with it, my apologies.
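For the receiving-host side that Markus mentions, here is an added example (not code from this thread, from Fortinet or from Elastic) that checks the two things suggested above: that a UDP datagram actually arrives on the syslog port, and that the line splits cleanly into FortiGate's key=value fields with quoted values kept intact. The function names (`bind_udp`, `receive_one`, `parse_fortigate_line`, `missing_required`), the `REQUIRED` field list and the loopback port 19004 are my own choices, and the sample log line is constructed, not captured from a real FortiGate.

```python
"""Check that FortiGate syslog reaches the collector and parses cleanly.

Added example for the thread above; it is not Fortinet's or Elastic's code.
"""
import re
import socket

# FortiGate syslog lines: optional <PRI> header, then space-separated
# key=value pairs. Values are bare tokens or double-quoted strings that
# may contain spaces (e.g. msg="...").
PRI_RE = re.compile(r"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields used here as a sanity check that a line looks like a FortiGate
# event. This list is an assumption for the example, not Elastic's own.
REQUIRED = ("date", "time", "devname", "devid", "logid", "type", "subtype")

# Constructed sample line, loosely modelled on a 7.x traffic log.
SAMPLE = (
    '<189>date=2024-01-15 time=10:21:05 devname="FGT-LAB" devid="FGVM00000000000" '
    'eventtime=1705314065000000000 tz="+0000" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.168.37.10 srcport=51234 '
    'dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=1 '
    'msg="Traffic log with spaces in value"'
)


def parse_fortigate_line(line):
    """Split one FortiGate syslog line into (priority, dict of fields).

    Priority is None when no <PRI> header is present. Quoted values are
    unquoted; every value is returned as a string.
    """
    pri = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        line = line[m.end():]
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return pri, fields


def missing_required(fields):
    """Return the REQUIRED keys absent from a parsed line (empty list = OK)."""
    return [k for k in REQUIRED if k not in fields]


def bind_udp(host, port):
    """Bind a UDP socket on host:port; stop Filebeat first on a real collector,
    since only one process can own the port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    return s


def receive_one(sock, timeout=5.0):
    """Return the first datagram on a bound socket as text, or None on timeout."""
    sock.settimeout(timeout)
    try:
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return data.decode("utf-8", errors="replace")


def loopback_roundtrip(port=19004):
    """Send SAMPLE to a local listener and return the parsed fields.

    Binding before sending means the datagram is queued even though
    recvfrom() is called afterwards, so no thread is needed.
    """
    with bind_udp("127.0.0.1", port) as listener:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(SAMPLE.encode(), ("127.0.0.1", port))
        line = receive_one(listener)
    return parse_fortigate_line(line)[1] if line else {}


if __name__ == "__main__":
    pri, fields = parse_fortigate_line(SAMPLE)
    print("priority:", pri, "missing fields:", missing_required(fields))
    print("srcip=%s dstport=%s msg=%r" % (fields["srcip"], fields["dstport"], fields["msg"]))
    print("loopback roundtrip ok:", loopback_roundtrip() == fields)
```

On the actual Ubuntu collector, `sudo tcpdump -ni any udp port 9004` is the quickest way to see whether anything arrives at all; if it does but Filebeat shows nothing, stop Filebeat, bind the real port with `bind_udp("192.168.37.2", 9004)` and feed the received line through `parse_fortigate_line` to see whether the fields come out as expected.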
Copyright 2024 Fortinet, Inc. All Rights Reserved.