Fortigate Firewall log not being sent to NLS

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
frankyeung0422
Posts: 1
Joined: Mon Mar 23, 2020 1:48 am

Fortigate Firewall log not being sent to NLS

Post by frankyeung0422 »

Dear All,

I have configured the log forwarding to the IP address of NLS but from NLS, it seems that there are no logs being received in the NLS.

I have configured a global configuration for syslog UDP port 514 but there is still no log.

Any advice on that?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Fortigate Firewall log not being sent to NLS

Post by scottwilkerson »

For listening on ports less than 1024 there is an additional step
See:
https://assets.nagios.com/downloads/nag ... Server.pdf
Former Nagios employee
Creator:
Human Design Website
Get Your Human Design Chart
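As an added illustration of the "ports below 1024" point (my code, not code from the thread or from Nagios Log Server, and it does not reproduce the extra step from the linked PDF): a small Python check of whether the current account can bind a UDP syslog port at all. It separates "the listener needs privilege for a port below 1024" from "something else already owns the port", which is the first thing to tell apart when no logs arrive. It assumes IPv4 and tests the bind against 127.0.0.1; the function names are my own.

```python
"""Check whether a syslog UDP port can be bound by the current user.

Added illustration, not Nagios Log Server code. Assumptions: IPv4, UDP,
bind test against 127.0.0.1.
"""
import errno
import socket

PRIVILEGED_MAX = 1023  # on Linux, ports 1..1023 need root or CAP_NET_BIND_SERVICE


def is_privileged_port(port):
    """True for the range that needs an extra step to listen on."""
    return 0 < port <= PRIVILEGED_MAX


def try_bind_udp(port, host="127.0.0.1"):
    """Return (bound_port, None) on success or (None, errno_name) on failure.

    Port 0 asks the kernel for any free ephemeral port, which is a handy
    way to prove that socket creation itself works before testing 514.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return sock.getsockname()[1], None
    except OSError as exc:
        return None, errno.errorcode.get(exc.errno, repr(exc))
    finally:
        sock.close()


def classify(err, port):
    """Map a bind outcome to the situation the thread is discussing."""
    if err is None:
        return "free"
    if err == "EACCES" and is_privileged_port(port):
        return "needs-privilege"   # unprivileged process on a port below 1024
    if err == "EADDRINUSE":
        return "in-use"            # a listener exists; confirm it is the NLS input
    return "other"


def diagnose(port):
    """Bind test plus classification for one port."""
    _, err = try_bind_udp(port)
    return classify(err, port)


if __name__ == "__main__":
    # 514 is the default syslog port; 5514 is the unprivileged alternative
    # used later in this thread.
    for p in (514, 5514):
        print(p, diagnose(p))
```

Run it as the same user that starts the Logstash input: "needs-privilege" on 514 means the port itself is the problem, "in-use" means a listener is already there and the question moves to whether the firewall's packets reach it.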
Envera IT
Posts: 159
Joined: Wed Jun 19, 2013 10:21 am

Re: Fortigate Firewall log not being sent to NLS

Post by Envera IT »

In case you need it, this is the filter we're using for Fortigate logs. It's usually easier to just change the syslog port to something above 1024 and then assign a port per type of device, so it's easy to set the "type" based on the port the logs are coming in on.

Input


# Unprivileged port, so no extra step is needed to listen on it.
# Every event arriving here is stamped type => fortigate for the filter below.
udp {
	port => 5514
	type => 'fortigate'
}
Filter


if [type] == "fortigate" {
	mutate {
		add_tag => ["fortigate"]
		# Drop the input-assigned type before kv runs: Fortigate lines carry
		# their own type= key and kv appends to an existing field, which would
		# turn [type] into an array. The firewall's value is kept below as
		# fortigate_type, and type is set back to "syslog" at the end.
		remove_field => ["type"]
	}
	# Strip the "<PRI>" prefix the firewall puts in front of the key=value body.
	grok {
		break_on_match => false
		match => ["message", "%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"]
		overwrite => ["message"]
		tag_on_failure => ["failure_grok_fortigate"]
	}
	# Split the key=value body into fields; kv handles Fortigate's quoted values.
	kv { }
	# Use the firewall's own msg= text as the event message.
	if [msg] {
		mutate {
			replace => { "message" => "%{msg}" }
		}
	}
	# Counters as integers so they can be graphed and aggregated.
	mutate {
		convert => {
			"duration" => "integer"
			"rcvdbyte" => "integer"
			"rcvdpkt" => "integer"
			"sentbyte" => "integer"
			"sentpkt" => "integer"
			"cpu" => "integer"
			"disk" => "integer"
			"disklograte" => "integer"
			"fazlograte" => "integer"
			"mem" => "integer"
			"totalsession" => "integer"
		}
	}
	# Rename the Fortigate fields that collide with NLS's own type/level
	# fields; replace runs before remove_field inside one mutate.
	mutate {
		add_field => {
			"logTimestamp" => "%{date} %{time}"
			"loglevel" => "%{level}"
		}
		replace => {
			"fortigate_type" => "%{type}"
			"fortigate_subtype" => "%{subtype}"
		}
		remove_field => ["msg", "type", "level", "date", "time"]
	}
	# Build @timestamp from date= and time=. The line carries no zone, so the
	# Logstash host's zone applies unless timezone is set here; add_field only
	# fires when the parse succeeds.
	date {
		locale => "en"
		match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss"]
		remove_field => ["logTimestamp", "year", "month", "day", "time", "date"]
		add_field => { "type" => "syslog" }
	}
}
I like graphs...
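An added example, not code from the post above or from Nagios Log Server: the same stages as the posted filter (strip the <PRI> prefix, split key=value pairs, convert counters, build the timestamp, rename type/subtype/level) written in plain Python so the transformation can be followed on a single line. The sample line, device names and helper names are all constructed for the illustration. It also shows the one edge case worth watching in this pipeline, namely the firewall's own type= key landing on top of the event's type field, and it mirrors the filter's tag_on_failure behaviour for a line without a PRI prefix.

```python
"""Emulate the stages of the posted Fortigate filter in plain Python.

Added example, not Logstash or NLS code. SAMPLE_LINE is constructed and
not captured from a real device.
"""
import re
import shlex
from datetime import datetime

SAMPLE_LINE = (
    '<189>date=2020-03-23 time=10:15:30 devname="FG-EXAMPLE" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 srcport=51234 dstip=203.0.113.7 dstport=443 proto=6 action="deny" '
    'duration=0 sentbyte=120 rcvdbyte=0 sentpkt=2 rcvdpkt=0 msg="Traffic denied by policy"'
)

# Same list as the convert block in the filter.
INT_FIELDS = ("duration", "rcvdbyte", "rcvdpkt", "sentbyte", "sentpkt",
              "cpu", "disk", "disklograte", "fazlograte", "mem", "totalsession")

# Equivalent of %{SYSLOG5424PRI}%{GREEDYDATA}
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


def strip_pri(message):
    """grok stage: split the '<PRI>' prefix off; (None, message) when absent."""
    m = PRI_RE.match(message)
    if not m:
        return None, message
    return "<%s>" % m.group("pri"), m.group("rest")


def kv_parse(body):
    """kv stage: shlex honours the double quotes Fortigate puts around values
    containing spaces; partition on the first '=' keeps '=' inside values."""
    fields = {}
    for token in shlex.split(body):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_fortigate(message, event_type="fortigate"):
    """Run the whole pipeline on one raw line and return the resulting event."""
    event = {"type": event_type, "tags": ["fortigate"]}
    pri, rest = strip_pri(message)
    if pri is None:
        event["tags"].append("failure_grok_fortigate")  # tag_on_failure
    else:
        event["syslog_index"] = pri
    event["message"] = rest
    fields = kv_parse(rest)
    # Fortigate's type= would collide with the event's type; keep it aside
    # rather than letting it merge into the existing field.
    fg_type = fields.pop("type", None)
    event.update(fields)
    for name in INT_FIELDS:             # mutate convert
        if name in event:
            try:
                event[name] = int(event[name])
            except ValueError:
                pass                    # unconvertible values are left as-is here
    if "msg" in event:                  # replace message with msg
        event["message"] = event.pop("msg")
    event["fortigate_type"] = fg_type
    event["fortigate_subtype"] = event.pop("subtype", None)
    event["loglevel"] = event.pop("level", None)
    stamp = "%s %s" % (event.pop("date", ""), event.pop("time", ""))
    try:                                # date filter, YYYY-MM-dd HH:mm:ss
        event["@timestamp"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        event["tags"].append("_dateparsefailure")
    event["type"] = "syslog"            # add_field in the date stage
    return event


if __name__ == "__main__":
    for key, value in sorted(parse_fortigate(SAMPLE_LINE).items()):
        print("%-18s %r" % (key, value))
```

The output is what you should expect to see on the event in NLS after the filter has run: fortigate_type and fortigate_subtype carry the firewall's values, message carries the firewall's msg text, and the counters are integers rather than strings.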
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Fortigate Firewall log not being sent to NLS

Post by scottwilkerson »

Thanks for sharing @Ehamby!
Former Nagios employee