Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Firasbg
New Contributor III

Where is my data of fortinet?

Hello, I installed Elasticsearch and kibana and filebeat in ubuntu 22.04 VM and i installed FortiGate 7.2.0 in other VM in VMware workstation, I follow the steps to upload the Fortinet logs in elastic and kibana as the first screenshot, and the data is successfully received from the Filebeat Fortinet module but when i clic in "security App" i don't find anything

Firasbg_0-1659176241769.pngFirasbg_1-1659176253108.png

this my nano /etc/filebeat/modules.d/fortinet.yml:

- module: fortinet
firewall:
enabled: true

# Set which input to use between tcp, udp (default) or file.
var.input: udp

# The interface to listen to syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_host: 192.168.37.2

# The port to listen for syslog traffic. Defaults to 9004.
var.syslog_port: 9004

# Set internal interfaces. used to override parsed network.direction
# based on a tagged interface. Both internal and external interfaces must be
# set to leverage this functionality.

and this my config log syslogd setting of fortigate :

FortiGate-VM64 # config log syslogd setting 
 
FortiGate-VM64 (setting) # show 
config log syslogd setting
    set status enable
    set server "192.168.37.2"
    set port 9004
end
 
FortiGate-VM64 (setting) #

 

 

4 REPLIES 4
Anthony_E
Community Manager
Community Manager

Hello Firasbg,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
Markus_M
Staff
Staff

Hi Firasbg,

 

with a packet capture you should see whether FortiGate sends logs on the respective port 9004. Cannot really help on kibana or elasticsearch, but first I would make sure the devices receive the data from the FortiGate.

Then see whether the devices can read the data as to see the correct syslog format, separated correctly with correct delimiters.

 

Best regards,

 

Markus

Firasbg
New Contributor III

how to do that? how to do capture? how to see if the devices receive the FortiGate logs ??

i'am new in fortigate 

Debbie_FTNT

Hey Firasberg,

regarding a capture on FortiGate, you can check as outlined in the screenshot below:

Debbie_FTNT_0-1659629127018.png

Once you click on start, the screen will show a display of the ongoing capture with some basic info; if you end the capture, you can download a resulting pcap file and look at it in wireshark or similar.

This way you can verify if FortiGate is actually sending on port 9004.

As for checking on the receiving hosts, you should be able to use the tcpdump command in Ubuntu for example, but I'm not terribly familiar with it, my apologies.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors