no Data or events on the alerts or Dashboards (SO integration with FortiGate )

[soceng]

Version

2.4.50

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

6

RAM

24

Storage for /

500

Storage for /nsm

200 GB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

HI
i had sent the log of FG FW with IOS version 7, the log received on the interface when i executed the tcpdump . but when i browse the alerts or Dashboards on SO no events or alert there. I checked if there is drop log via the kernel but there is no dropping.

i browse the content of the logstash.log file and i found the below error

all services and agents are healthy and running.

//////////////////////////////// Logstash.log /////////////////////////////////
client_loop: send disconnect: Connection reseter ] SIGTERM received. Shutting down.
[2024-05-26T06:57:47,863][WARN ][logstash.inputs.redis ] Redis connection error {:message=>"Error connecting to Redis on hsa-so:9>
[logstash.inputs.redis ] Redis connection error {:message=>"Error connecting to Redis on hsa-so:9>[2024-05-26T06:57:47,864][WARN ][logstash.inputs.redis ] Redis connection error {:message=>"Error connecting to Redis on hsa-so:9>[2024-05-26T06:57:47,864][WARN ][logstash.inputs.redis ] Redis connection error {:message=>"Error connecting to Redis on hsa-so:9>[2024-05-26T06:57:50,835][INFO ][logstash.javapipeline ] Pipeline terminated {"pipeline.id"=>"search"}
[2024-05-26T06:57:51,417][INFO ][logstash.pipelinesregistry] Removed pipeline from registry successfully {:pipeline_id=>:search}
[2024-05-26T06:57:51,663][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>50, :exception=>"Redis:>[2024-05-26T06:57:51,668][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://[2024-05-26T06:57:52,689][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>50, :exception=>"Redis:>[2024-05-26T06:57:52,690][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://[2024-05-26T06:57:53,693][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>50, :exception=>"Redis:>[2024-05-26T06:57:53,693][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://[2024-05-26T06:57:54,704][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>50, :exception=>"Redis:>[2024-05-26T06:57:54,704][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://[2024-05-26T06:57:55,707][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>50, :exception=>"Redis:>[2024-05-26T06:57:55,708][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://[2024-05-26T06:57:56,712][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>50, :exception=>"Redis:>[2024-05-26T06:57:56,712][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://[2024-05-26T07:06:58,824][INFO ][logstash.runner ] Log4j configuration path used is: /usr/share/logstash/config/log4j2.prop>[2024-05-26T07:06:58,837][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"8.10.4", "jruby.version"=>"jruby>[2024-05-26T07:06:58,840][INFO ][logstash.runner ] JVM bootstrap flags: [-Dlog4j2.formatMsgNoLookups=true, -Xms1000m, -Xmx1>[2024-05-26T07:07:03,216][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>f>[2024-05-26T07:07:05,675][INFO ][org.reflections.Reflections] Reflections took 442 ms to scan 1 urls, producing 132 keys and 464 val>[2024-05-26T07:07:06,843][WARN ][logstash.inputs.http ] You are using a deprecated config setting "ssl_verify_mode" set in http.>[2024-05-26T07:07:06,850][WARN ][logstash.inputs.http ] You are using a deprecated config setting "ssl" set in http. Deprecated >[2024-05-26T07:07:07,239][WARN ][logstash.inputs.beats ] You are using a deprecated config setting "ssl_verify_mode" set in beats>[2024-05-26T07:07:07,266][WARN ][logstash.inputs.beats ] You are using a deprecated config setting "ssl" set in beats. Deprecated>[2024-05-26T07:07:07,271][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl_ce

2024-05-26T07:07:08,186][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[>[2024-05-26T07:07:09,488][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxx>[2024-05-26T07:07:09,527][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-05-26T07:07:09,527][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be u>[2024-05-26T07:07:09,592][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch>[2024-05-26T07:07:09,592][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, >[2024-05-26T07:07:09,598][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[>[2024-05-26T07:07:09,709][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxx>[2024-05-26T07:07:09,721][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-05-26T07:07:09,722][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be u>[2024-05-26T07:07:09,760][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch>[2024-05-26T07:07:09,761][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, >[2024-05-26T07:07:09,770][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[>[2024-05-26T07:07:09,867][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxx>[2024-05-26T07:07:09,876][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-05-26T07:07:09,876][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be u>[2024-05-26T07:07:09,900][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch>[2024-05-26T07:07:09,901][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, >[2024-05-26T07:07:09,908][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[>[2024-05-26T07:07:10,111][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxx>[2024-05-26T07:07:10,144][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-05-26T07:07:10,144][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be u>[2024-05-26T07:07:10,190][INFO ][logstash.outputs.elasticsearch] Not eligible for data streams because ecs_compatibility is not enab>[2024-05-26T07:07:10,190][INFO ][logstash.outputs.elasticsearch] Data streams auto configuration (data_stream => auto or unset) re>[2024-05-26T07:07:10,202][INFO ][logstash.javapipeline ] Starting pipeline {:pipeline_id=>"search", "pipeline.workers"=>4, "pipel>[2024-05-26T07:07:10,223][INFO ][logstash.outputs.elasticsearch] Using a default mapping template {:es_version=>8, :ecs_compatibilit>[2024-05-26T07:07:11,202][INFO ][logstash.javapipeline ] Pipeline Java execution initialization time {"seconds"=>3.24}
[2024-05-26T07:07:11,596][INFO ][logstash.javapipeline ] Pipeline Java execution initialization time {"seconds"=>1.39}
[2024-05-26T07:07:11,719][INFO ][logstash.inputs.redis ] Registering Redis {:identity=>"redis://@hsa-so:9696/0 list:log>

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

Have you checked the redis and elasticsearch logs for additional clues?

[soceng]

@dougburks : thanks for reply
yes , here is the output

////////////////// samples of log on logstash.log file //////////////////////////
[2024-06-05T12:26:17,138][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://@hsaso:6379/0 list:logstash:unparsed", :exception=>#<Redis::CannotConnectError: Error connecting to Redis on hsaso:6379 (Errno::ECONNREFUSED)>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:398:in establish_connection'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:115:in block in connect'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:344:in with_reconnect'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:114:in connect'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:409:in ensure_connected'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:269:in block in process'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:375:in logging'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:268:in process'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:161:in call'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:270:in block in send_command'", "org/jruby/ext/monitor/Monitor.java:82:in synchronize'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:269:in send_command'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/commands/lists.rb:11:in llen'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:138:in congestion_check'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:151:in `flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0

and here is sample of redis.log file
//////////////////////////////////////////////
redis-server-20240605.log.gz redis-server.log
[soc@hsaso redis]$ cat redis-server.log
1:M 06 Jun 2024 00:01:54.307 * 1000 changes in 60 seconds. Saving...
1:M 06 Jun 2024 00:01:54.308 * Background saving started by pid 405
405:C 06 Jun 2024 00:01:54.310 * DB saved on disk
405:C 06 Jun 2024 00:01:54.313 * RDB: 0 MB of memory used by copy-on-write
1:M 06 Jun 2024 00:01:54.409 * Background saving terminated with success
1:M 06 Jun 2024 00:03:09.343 * 1000 changes in 60 seconds. Saving...
1:M 06 Jun 2024 00:03:09.344 * Background saving started by pid 406
406:C 06 Jun 2024 00:03:09.345 * DB saved on disk
406:C 06 Jun 2024 00:03:09.346 * RDB: 0 MB of memory used by copy-on-write
1:M 06 Jun 2024 00:03:09.444 * Background saving terminated with success
1:M 06 Jun 2024 00:04:10.033 * 1000 changes in 60 seconds. Saving...
1:M 06 Jun 2024 00:04:10.034 * Background saving started by pid 407
407:C 06 Jun 2024 00:04:10.035 * DB saved on disk
407:C 06 Jun 2024 00:04:10.036 * RDB: 0 MB of memory used by copy-on-write
1:M 06 Jun 2024 00:04:10.134 * Background saving terminated with success
1:M 06 Jun 2024 00:05:11.002 * 1000 changes in 60 seconds. Saving...
1:M 06 Jun 2024 00:05:11.002 * Background saving started by pid 408
408:C 06 Jun 2024 00:05:11.003 * DB saved on disk
408:C 06 Jun 2024 00:05:11.004 * RDB: 0 MB of memory used by copy-on-write
1:M 06 Jun 2024 00:05:11.103 * Background saving terminated with success
1:M 06 Jun 2024 00:06:12.051 * 1000 changes in 60 seconds. Saving...
1:M 06 Jun 2024 00:06:12.053 * Background saving started by pid 409
409:C 06 Jun 2024 00:06:12.055 * DB saved on disk
409:C 06 Jun 2024 00:06:12.058 * RDB: 0 MB of memory used by copy-on-write
1:M 06 Jun 2024 00:06:12.154 * Background saving terminated with success
1:M 06 Jun 2024 00:09:09.361 * 1000 changes in 60 seconds. Saving...
1:M 06 Jun 2024 00:09:09.363 * Background saving started by pid 410
410:C 06 Jun 2024 00:09:09.371 * DB saved on disk
410:C 06 Jun 2024 00:09:09.373 * RDB: 0 MB of memory used by copy-on-write
1:M 06 Jun 2024 00:09:09.463 * Background saving terminated with success
1:M 06 Jun 2024 00:12:04.450 * 1000 changes in 60 seconds. Saving...
1:M 06 Jun 2024 00:12:04.452 * Background saving started by pid 411
411:C 06 Jun 2024 00:12:04.455 * DB saved on disk
411:C 06 Jun 2024 00:12:04.457 * RDB: 0 MB of memory used by copy-on-write
1:M 06 Jun 2024 00:12:04.552 * Background saving terminat
///////////////////////////////////////////////

and here is sample of elasticsearch .log file
//////////////////////////////
cron-elasticsearch-indices-delete-20240605.log.gz securityonion-2024-06-05.log.gz
cron-elasticsearch-indices-delete.log securityonion.log
[soc@hsaso elasticsearch]$ cat securityonion.log
[2024-06-06T00:04:36,263][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [analyst]
[2024-06-06T00:04:36,583][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [auditor]
[2024-06-06T00:04:36,837][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-analyst]
[2024-06-06T00:04:37,084][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-auditor]
[2024-06-06T00:19:12,768][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [analyst]
[2024-06-06T00:19:12,871][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [auditor]
[2024-06-06T00:19:12,998][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-analyst]
[2024-06-06T00:19:13,191][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-auditor]
[2024-06-06T00:34:16,109][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [analyst]
[2024-06-06T00:34:16,330][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [auditor]
[2024-06-06T00:34:16,510][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-analyst]
[2024-06-06T00:34:16,637][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-auditor]
[2024-06-06T00:49:44,494][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [analyst]
[2024-06-06T00:49:44,654][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [auditor]
[2024-06-06T00:49:44,868][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-analyst]
[2024-06-06T00:49:45,119][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-auditor]
[2024-06-06T01:04:34,532][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [analyst]
[2024-06-06T01:04:34,691][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [auditor]
[2024-06-06T01:04:34,867][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-analyst]
[2024-06-06T01:04:35,001][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-auditor]
[2024-06-06T01:19:18,690][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [analyst]
[2024-06-06T01:19:18,786][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [auditor]
[2024-06-06T01:19:18,872][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-analyst]
[2024-06-06T01:19:18,962][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-auditor]
[2024-06-06T01:30:00,039][INFO ][org.elasticsearch.xpack.slm.SnapshotRetentionTask] starting SLM retention snapshot cleanup task
[2024-06-06T01:30:00,044][INFO ][org.elasticsearch.xpack.slm.SnapshotRetentionTask] there are no repositories to fetch, SLM retention snapshot cleanup task complete
[2024-06-06T01:34:13,291][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [analyst]
[2024-06-06T01:34:13,409][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [auditor]
[2024-06-06T01:34:13,582][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-analyst]
[2024-06-06T01:34:13,808][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-auditor]
[2024-06-06T01:49:40,272][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [analyst]
[2024-06-06T01:49:40,499][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [auditor]
[2024-06-06T01:49:40,752][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-analyst]
[2024-06-06T01:49:40,953][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [limited-auditor]
[2024-06-06T02:04:41,261][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [analyst]
[2024-06-06T02:04:41,373][INFO ][org.elasticsearch.xpack.security.action.role.TransportPutRoleAction] updated role [auditor]
[2024-06-06T02:04:41,497][INFO ][org

[dougburks]

Logstash is having trouble connecting to Redis. Usually, there are additional clues in the redis and/or elasticsearch logs.

Have you made any changes to your configuration?

You state in your original post that there are salt failures. What are those salt failures?

[soceng]

@dougburks
no change on the configuration, only added the FG integration, and put the IP of FW on customhostgroup0 and put the port 9004 on customeportgroup0 then from the Role on the Firewall i traced this path chain –> INPUT –> hostgroups –> customhostgroup0 –> portgroups. On the right side, i added customportgroup0 and click the checkmark to save.

also, no salt failure

[dougburks]

Logstash is having trouble connecting to Redis. If you can't find additional clues as to why in the logs, then perhaps it's time to try a fresh installation from the latest 2.4.70 ISO image.

[soceng]

@dougburks
I installed the new version of SO , no event or alert is shown .
I executed the tcpdump to check the log had sent fro FG FW to the SO VM , it's arrived .
I browsed the content of logstah , redis files to any error but no error like past time as on the below

//////////////////////// samples of Logstash ////////////////
[2024-06-26T11:12:11,497][INFO ][logstash.outputs.elasticsearch] Using a default mapping template {:es_version=>8, :ecs_compatibility=>:disabled}
[2024-06-26T11:12:11,511][INFO ][logstash.javapipeline ] Pipeline Java execution initialization time {"seconds"=>1.76}
[2024-06-26T11:12:11,513][INFO ][logstash.outputs.elasticsearch] Installing Elasticsearch template {:name=>"logstash"}
[2024-06-26T11:12:12,323][INFO ][logstash.javapipeline ] Pipeline Java execution initialization time {"seconds"=>0.83}
[2024-06-26T11:12:12,393][INFO ][logstash.inputs.redis ] Registering Redis {:identity=>"redis://@sec-onion:9696/0 list:logstash:unparsed"}
[2024-06-26T11:12:12,393][INFO ][logstash.inputs.redis ] Registering Redis {:identity=>"redis://@sec-onion:9696/0 list:logstash:unparsed"}
[2024-06-26T11:12:12,394][INFO ][logstash.inputs.redis ] Registering Redis {:identity=>"redis://@sec-onion:9696/0 list:logstash:unparsed"}
[2024-06-26T11:12:12,394][INFO ][logstash.inputs.redis ] Registering Redis {:identity=>"redis://@sec-onion:9696/0 list:logstash:unparsed"}
[2024-06-26T11:12:12,491][INFO ][logstash.javapipeline ] Pipeline started {"pipeline.id"=>"search"}
[2024-06-26T11:12:13,121][INFO ][logstash.inputs.beats ] Starting input listener {:address=>"0.0.0.0:5055"}
[2024-06-26T11:12:13,527][INFO ][logstash.inputs.beats ] Starting input listener {:address=>"0.0.0.0:5056"}
[2024-06-26T11:12:13,809][INFO ][logstash.inputs.http ] Starting http input listener {:address=>"0.0.0.0:3765", :ssl=>"true"}
[2024-06-26T11:12:13,814][INFO ][logstash.javapipeline ] Pipeline started {"pipeline.id"=>"manager"}
[2024-06-26T11:12:13,828][INFO ][logstash.agent ] Pipelines running {:count=>2, :running_pipelines=>[:manager, :search], :non_running_pipelines=>[]}
[2024-06-26T11:12:13,828][INFO ][org.logstash.beats.Server] Starting server on port: 5056

You are using a deprecated config setting "ssl_verify_mode" set in beats. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Set 'ssl_client_authentication' instead. If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"ssl_verify_mode", :plugin=><LogStash::Inputs::Beats ssl_certificate=>"/usr/share/logstash/elasticfleet-logstash.crt", ssl_key=>"/usr/share/logstash/elasticfleet-logstash.key", ssl_verify_mode=>"force_peer", port=>5055, id=>"90e20e20e792a51724bfcf082d31b06c648ebd5ffb549e779e4be1b8ea49190f", ssl=>true, tags=>["elastic-agent", "input-sec-onion"], ssl_certificate_authorities=>["/usr/share/filebeat/ca.crt"], ecs_compatibility=>:v8, enable_metric=>true, debug=>false, codec=><LogStash::Codecs::Plain id=>"plain_1439dda8-b3c4-41a0-bd13-d56218a8048b", enable_metric=>true, charset=>"UTF-8">, host=>"0.0.0.0", ssl_enabled=>false, ssl_client_authentication=>"none", ssl_peer_metadata=>false, include_codec_tag=>true, ssl_handshake_timeout=>10000, ssl_cipher_suites=>["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], ssl_supported_protocols=>["TLSv1.2", "TLSv1.3"], client_inactivity_timeout=>60, executor_threads=>4, add_hostname=>false, tls_min_version=>1, tls_max_version=>1.3>}

//////////////////////////////////////////////

i configured the SO to listen the Fortigate FW log on port 9004 but on the above sample of log i have seen the listening on port 5055

till now i didn't see any alert or event on the SO Dashboards

[soceng]

@dougburks

i found the below events on the Dashboard

failed to get udp stats from /proc: /proc/net/udp entry not found for [00000000:232C

i saerched on the google with this error message "failed to get udp stats from /proc: /proc/net/udp entry not found for [00000000:232C" and found the below

i executed the same command and the output is :

really , i didn't understand what is the issue ?

[dougburks]

and no log file for elasticfleet

Was there nothing inside of /opt/so/log/elasticfleet/elastic-agent-*?

[soceng]

@dougburks
there is as on the below screenshot

i browse the content of one of them , here are samples of the output

[weslambert]

What is the output of the following?

netstat -an | grep 9004

Where did you add the integration? If you added it to the Fleet server policy, you won't see output because it would be running inside of the Fleet container. In this case, there would be no way to route the traffic to the agent in the container. If this is what happened, you will need to move the integration to another policy, like the general policy.

Otherwise, Elastic Agent on the Security Onion machine should report it is listening.

[soceng]

@weslambert

i follow the same steps of pfsense on the documentation of SO , i added the Fortigate integration as below

[soceng]

@dougburks : appreciate your assistance