Fortigate Firewall log not being sent to NLS
Posted: Tue Mar 31, 2020 12:37 am
by frankyeung0422
Dear All,
I have configured the log forwarding to the IP address of NLS but from NLS, it seems that there are no logs being received in the NLS.
I have configured a global configuration for syslog UDP port 514 but there is still no log.
Any advice on that?
Re: Fortigate Firewall log not being sent to NLS
Posted: Tue Mar 31, 2020 1:38 pm
by scottwilkerson
For listening on ports less than 1024 there is an additional step
See:
https://assets.nagios.com/downloads/nag ... Server.pdf
Re: Fortigate Firewall log not being sent to NLS
Posted: Thu Apr 09, 2020 11:18 am
by Envera IT
In case you need it, this is the filter we're using for Fortigate logs. It's usually easier to just change the syslog port to something above 1024 and then assign a port per type of device so it's easy to set the "type" based on the port the logs are coming in on.
Input
udp {
  port => 5514            # unprivileged port, so Logstash needs no extra rights to bind it
  type => 'fortigate'     # every event from this listener gets type "fortigate"
}
Filter
if [type] == "fortigate" {
  mutate {
    add_tag => ["fortigate"]
  }
  # Split the syslog <PRI> prefix off into syslog_index and keep the rest as message
  grok {
    break_on_match => false
    match => ["message", "%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"]
    overwrite => [ "message" ]
    tag_on_failure => [ "failure_grok_fortigate" ]
  }
  # Fortigate logs are key=value pairs; this turns each pair into its own field
  kv { }
  # Use the Fortigate msg field as the event message when present
  if [msg] {
    mutate {
      replace => [ "message", "%{msg}" ]
    }
  }
  # Counters as integers so they can be graphed; one convert hash instead of repeated keys
  mutate {
    convert => {
      "duration"     => "integer"
      "rcvdbyte"     => "integer"
      "rcvdpkt"      => "integer"
      "sentbyte"     => "integer"
      "sentpkt"      => "integer"
      "cpu"          => "integer"
      "disk"         => "integer"
      "disklograte"  => "integer"
      "fazlograte"   => "integer"
      "mem"          => "integer"
      "totalsession" => "integer"
    }
  }
  # type/subtype here are the Fortigate log category (e.g. traffic/forward) set by kv,
  # not the input type; move them aside before the date filter sets type again
  mutate {
    add_field => {
      "logTimestamp" => "%{date} %{time}"
      "loglevel"     => "%{level}"
    }
    replace => {
      "fortigate_type"    => "%{type}"
      "fortigate_subtype" => "%{subtype}"
    }
    remove_field => [ "msg", "type", "level", "date", "time" ]
  }
  date {
    locale => "en"
    match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss"]
    # remove_field / add_field below only run when the date parses
    remove_field => ["logTimestamp", "year", "month", "day", "time", "date"]
    add_field => ["type", "syslog"]
  }
}
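To see what that filter actually produces before pointing a firewall at it, here is an added Python stand-in (not the poster's code and not Logstash itself) that walks one constructed Fortigate line through the same steps: PRI grok, kv split, integer conversion, the field renames and the date match, including both failure tags. The sample line and the device name in it are made up for this example; treating an unresolved `%{field}` as a literal string mirrors Logstash sprintf behaviour and is an assumption about the poster's setup.

```python
import re
from datetime import datetime

# Constructed sample traffic log for this example (not captured from a real device).
SAMPLE = ('<189>date=2020-03-31 time=00:37:12 devname="FGT-EXAMPLE" logid="0000000013" '
          'type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 srcport=51234 '
          'dstip=10.0.0.80 dstport=443 action="accept" duration=12 sentbyte=1530 '
          'rcvdbyte=4096 sentpkt=9 rcvdpkt=7 msg="Accept: policy 1 allowed"')

INTEGER_FIELDS = ("duration", "rcvdbyte", "rcvdpkt", "sentbyte", "sentpkt", "cpu",
                  "disk", "disklograte", "fazlograte", "mem", "totalsession")
PRI_RE = re.compile(r"^<\d{1,3}>")                    # %{SYSLOG5424PRI:syslog_index}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')       # kv {} default: key=v or key="a b"

def parse_fortigate(line: str) -> dict:
    """Return the event the filter above would emit for one line from port 5514."""
    event = {"type": "fortigate", "tags": ["fortigate"]}          # udp input + add_tag
    m = PRI_RE.match(line)
    if m is None:                                                 # grok tag_on_failure
        event["message"] = line
        event["tags"].append("failure_grok_fortigate")
        return event
    event["syslog_index"] = m.group(0)
    body = line[m.end():]
    for key, quoted, bare in KV_RE.findall(body):                 # kv {} overwrites 'type'
        event[key] = bare if bare else quoted
    event["message"] = event.get("msg", body)                     # if [msg] { replace }
    for f in INTEGER_FIELDS:                                      # mutate convert => integer
        if f in event:
            try:
                event[f] = int(event[f])
            except ValueError:
                pass                                              # non-numeric stays a string
    # Unresolved %{field} references stay literal, as Logstash sprintf does (assumption).
    event["loglevel"] = event.get("level", "%{level}")
    event["fortigate_type"] = event.get("type", "%{type}")
    event["fortigate_subtype"] = event.get("subtype", "%{subtype}")
    stamp = f"{event.get('date', '%{date}')} {event.get('time', '%{time}')}"
    for f in ("msg", "type", "level", "date", "time"):
        event.pop(f, None)
    try:                                                          # date { match => ... }
        event["@timestamp"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").isoformat()
        event["type"] = "syslog"                                  # add_field only on success
    except ValueError:
        event["logTimestamp"] = stamp                             # left behind on failure
        event["tags"].append("_dateparsefailure")
    return event
```

A line without date/time keeps `logTimestamp` and gets `_dateparsefailure`, which is the quickest thing to check in NLS when a device's events arrive but land on the wrong time.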
Re: Fortigate Firewall log not being sent to NLS
Posted: Thu Apr 09, 2020 11:20 am
by scottwilkerson
thanks for sharing @Ehamby!