Support Forum
Firasbg
New Contributor III

Where is my data of fortinet?

Hello, I installed Elasticsearch, Kibana and Filebeat in an Ubuntu 22.04 VM, and I installed FortiGate 7.2.0 in another VM in VMware Workstation. I followed the steps to upload the Fortinet logs into Elastic and Kibana as in the first screenshot, and the data is successfully received from the Filebeat Fortinet module, but when I click on "Security App" I don't find anything.

[two screenshots attached]

This is my nano /etc/filebeat/modules.d/fortinet.yml:

- module: fortinet
  firewall:
    enabled: true

    # Set which input to use between tcp, udp (default) or file.
    var.input: udp

    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 192.168.37.2

    # The port to listen for syslog traffic. Defaults to 9004.
    var.syslog_port: 9004

    # Set internal interfaces. Used to override parsed network.direction
    # based on a tagged interface. Both internal and external interfaces must be
    # set to leverage this functionality.

And this is my config log syslogd setting on the FortiGate:

FortiGate-VM64 # config log syslogd setting

FortiGate-VM64 (setting) # show
config log syslogd setting
    set status enable
    set server "192.168.37.2"
    set port 9004
end

FortiGate-VM64 (setting) #

4 REPLIES
Anthony_E
Community Manager

Hello Firasbg,

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Regards,

Anthony-Fortinet Community Team.
Markus_M
Staff

Hi Firasbg,

With a packet capture you should see whether the FortiGate sends logs on the respective port 9004. I cannot really help with Kibana or Elasticsearch, but first I would make sure the devices receive the data from the FortiGate.

Then see whether the devices can read the data, i.e. check for the correct syslog format, separated correctly with the correct delimiters.

Best regards,

Markus

Firasbg
New Contributor III

How do I do that? How do I do a capture? How do I see if the devices receive the FortiGate logs??

I'm new to FortiGate.

Debbie_FTNT

Hey Firasbg,

Regarding a capture on FortiGate, you can check as outlined in the screenshot below:

[screenshot attached]

Once you click on Start, the screen will show a display of the ongoing capture with some basic info; if you end the capture, you can download the resulting pcap file and look at it in Wireshark or similar.

This way you can verify if the FortiGate is actually sending on port 9004.

As for checking on the receiving hosts, you should be able to use the tcpdump command in Ubuntu, for example, but I'm not terribly familiar with it, my apologies.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
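The two checks suggested in this thread (Markus: confirm the receiver gets the data and can parse the syslog format with its delimiters; Debbie: watch the port on the Ubuntu host) can be exercised without the FortiGate in the loop. The script below is an added example written for this thread, not code from Fortinet or from the Filebeat module. It parses a FortiGate-style key=value syslog line (quoted values may contain spaces), reports which fields the Filebeat fortinet module keys on are missing, and can send a constructed line to the UDP listener at 192.168.37.2:9004 from the original post so the receive path can be watched with tcpdump. The sample log line, its devid and the list of required fields are assumptions constructed for the example.

```python
import re
import socket

# Constructed sample FortiGate traffic log line in the key=value syslog format
# that the Filebeat fortinet module expects. Values are made up (devid is a
# placeholder); only the field layout matters here.
SAMPLE_LINE = (
    '<189>date=2022-07-30 time=11:05:12 devname="FortiGate-VM64" '
    'devid="FGVM00PLACEHOLDER" eventtime=1659179112000000000 tz="+0000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'vd="root" srcip=192.168.37.10 srcport=51234 srcintf="port2" '
    'srcintfrole="lan" dstip=203.0.113.5 dstport=443 dstintf="port1" '
    'dstintfrole="wan" proto=6 action="accept" policyid=1 service="HTTPS" '
    'msg="Log line with spaces stays intact"'
)

# Assumed minimum set of fields a FortiGate event needs before the module can
# classify it; if these are absent or mangled the events never get categorised.
REQUIRED_FIELDS = ("date", "time", "devname", "logid", "type", "subtype")

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value where value is either a double-quoted string (backslash escapes
# allowed) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Split a FortiGate syslog line into its syslog PRI and key=value fields.

    Returns (pri, fields); pri is an int or None when no <PRI> header exists.
    """
    pri = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        line = line[m.end():]
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return pri, fields


def check_line(line, required=REQUIRED_FIELDS):
    """Report whether the delimiters parsed and which required fields are missing.

    A line yielding no key=value pairs at all (free text, a truncated datagram)
    is flagged as unparseable rather than merely 'missing everything'.
    """
    pri, fields = parse_fortigate_line(line)
    return {
        "pri": pri,
        "facility": None if pri is None else pri // 8,
        "severity": None if pri is None else pri % 8,
        "parseable": bool(fields),
        "missing": [k for k in required if k not in fields],
        "fields": fields,
    }


def send_test_line(line, host, port):
    """Send one UDP datagram to the Filebeat syslog input so the receive path
    can be observed (tcpdump, Kibana) independently of the FortiGate.
    Returns the number of bytes sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode(), (host, port))


if __name__ == "__main__":
    report = check_line(SAMPLE_LINE)
    print("parseable:", report["parseable"], "missing:", report["missing"])
    print("type/subtype:", report["fields"]["type"], report["fields"]["subtype"])
    # Uncomment to push the sample at the Filebeat listener from this thread:
    # send_test_line(SAMPLE_LINE, "192.168.37.2", 9004)
```

On the Ubuntu host, a real FortiGate line can be captured with `tcpdump -ni <interface> udp port 9004 -A` and pasted into `check_line`; an empty `missing` list with `parseable` true means the delimiters survived transport and the module has the fields it needs, while a non-empty list points at the FortiGate log format or filter settings rather than at Kibana.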