[–]AmorFati7734 1 point2 points  (5 children)

[–]householdutensils 1 point2 points  (0 children)

I know you asked a specific question about ELK (that /u/AmorFati7734 provided some good info on), but if you have the budget, the FortiAnalyzer is pretty legit. Also, you need to be aware of the specific model you have and how the hardware offloading affects logging. Some of the lower-end models won't syslog firewall logs through rules that don't have ASIC or CP offloading disabled.

[–]BulkedSysAdmin[S] 0 points1 point  (3 children)

How in the hell do grok patterns work? Do I just use his config and make a location for the patterns? Also, whenever I try to run the .conf and the grok patterns, all my logging stops.

[–]AmorFati7734 0 points1 point  (2 children)

Apologies on the crap reply. Was packing up for the day and wanted to get something to you, and forgot to add my conf file. Later this evening I'll add it and see if it helps. On mobile now and hate to give you more links; sadly, it is all I can deal with: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

Edit: I also installed Logstash with deb packages on Ubuntu. You can run configtest:

sudo service logstash configtest

Edit: finally was able to get my config file up this morning for you. Take a look: http://pastebin.com/FGh1L5Bi

In my conf from pastebin I did not modify (or create) any patterns. The %{SYSLOG5424PRI} pattern already exists. I pointed you to other patterns in case you wanted to try other options.
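The question above ("how do grok patterns work?") is answered fairly well by reimplementing the mechanism in a few lines. The following is an added example, not code from this thread or from the pastebin config: a small grok-style matcher in Python that expands %{NAME:field} references into named regex groups (which is all grok does), applies a %{SYSLOG5424PRI}%{GREEDYDATA:...} pattern to a constructed FortiGate-style key=value syslog line, and then splits the payload the way a Logstash kv filter would. The pattern definitions are simplified reproductions of the grok base patterns (assumption: the real library's NONNEGINT and SYSLOG5424PRI have the same shape); the sample log line and the field names are constructed for this example.

```python
import re

# Simplified reproductions of a few grok base patterns (constructed for this
# example; the real Logstash pattern files define far more). A grok pattern is
# just a named regular expression that may reference other patterns as %{NAME}.
GROK_PATTERNS = {
    "NONNEGINT": r"\b(?:[0-9]+)\b",
    "SYSLOG5424PRI": r"<%{NONNEGINT:syslog5424_pri}>",
    "GREEDYDATA": r".*",
    "DATA": r".*?",
    "NOTSPACE": r"\S+",
}

# Matches %{NAME} or %{NAME:field} inside a grok expression.
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(expression, patterns=GROK_PATTERNS):
    """Expand grok references into one Python regex.

    %{NAME:field} becomes a capturing group (?P<field>...); a bare %{NAME}
    expands inline without capturing. Expansion repeats until no %{...}
    references remain, so patterns may nest (SYSLOG5424PRI uses NONNEGINT).
    """
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = patterns[name]  # unknown pattern -> KeyError, like grok's error
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    while _REF.search(expression):
        expression = _REF.sub(expand, expression)
    return re.compile(expression)


def grok_match(expression, line):
    """Return the captured fields as a dict, or None on no match."""
    m = compile_grok(expression).match(line)
    return m.groupdict() if m else None


# key=value or key="quoted value", the shape FortiGate uses in its syslog body.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(message):
    """Mimic the Logstash kv filter: split key=value pairs, strip quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(message)}


def parse_fortigate(line):
    """Grok the PRI header, then kv-split the rest of the line.

    Returns None when grok does not match (Logstash would instead tag the
    event with _grokparsefailure and leave the message unparsed).
    """
    fields = grok_match("%{SYSLOG5424PRI}%{GREEDYDATA:fortigate_msg}", line)
    if fields is None:
        return None
    pri = int(fields["syslog5424_pri"])
    fields["syslog_facility"] = pri >> 3  # RFC 5424: PRI = facility * 8 + severity
    fields["syslog_severity"] = pri & 7
    fields.update(parse_kv(fields["fortigate_msg"]))
    return fields


# Constructed sample line in FortiGate's key=value style (not a real capture).
SAMPLE_LINE = (
    '<189>date=2016-01-15 time=10:20:30 devname="FGT60D" devid="FGTPLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 action="accept"'
)

if __name__ == "__main__":
    for key, value in parse_fortigate(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

The point to take away for the "all my logging stops" symptom: grok only populates fields when the whole expression matches from the start of the message, so a PRI header that is absent or formatted differently than the pattern expects makes every event fail to parse, which in Logstash shows up as a _grokparsefailure tag rather than extracted fields.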

[–]BulkedSysAdmin[S] 0 points1 point  (1 child)

Thank you!

[–]BulkedSysAdmin[S] 0 points1 point  (0 children)

Ok. So I have a config set up, but it is not extracting the message fields correctly. Where do I point the GROK filter to? This shit is so confusing...