Fortigate logs not parsed #22675
Comments
botelastic
bot
added
the
needs_team
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
|
Hi @lynxium69! We have a Filebeat module which parses Fortinet logs and maps them to Elastic Common Schema fields. Based on your screenshots, it looks like you don't have that module enabled. Please see here for the steps involved. You will need to enable 'firewall' dataset to parse the FortiOS logs. |
|
Hello @jamiehynds ,
I use a rsyslog server to receive log from fortigate, does the problem can be this choice ? |
|
Hello @lynxium69 , did you also run the "filebeat setup" command from the docs as well? This mostly happens when that step is forgotten. You can forward data from a rsyslog server, as long as you are sending the raw unchanged message, default templates often modifies the message before forwarding. |
|
Thanks @P1llus ! , i run filebeat setup with debug mode enable and i found this error
Do you know how can it be resolved ? |
|
Hello, sorry to insist , but nobody now how to resolve "Error setting up ML for apache_ecs" ? Regards |
|
Hello @lynxium69 . Unfortunately github is here to report bugs. You are indeed hitting a issue that has been tracked on a few modules like here: #22567 I won't be able to give a concrete answer, but I can give you a workaround in the meantime and hope that helps. Please run filebeat setup and defining what the setup should install, this should get you going: |
|
Hello @P1llus ,
Thanks a lot @P1llus !! |
Hello,
I've just install a new ELK server on debian , with a rsylog server in debian 10 also
fortigate syslog are send to syslog server then to ELK server.
I have a problem , logs are not parsed on ELK , all the data arrived in one field (message).
On ELK
On syslog server
Fortigate syslog config
fortigate 300E version 6.2.2
filebeat 7.10.0
elk v 7.10.0
Thanks for you help
The text was updated successfully, but these errors were encountered: