Retrive Fortigate 60E syslog with SecurityOnion 2.3.70

[Devil45]

Hello!
I’m working on a project and the objective is to found a solution to retrieve FortiGate Logs without using FortiAnalyzer. I’ve searched some other solutions and I’ve found SecurityOnion. I installed the eval version and I’ve tried to send those logs to SecurityOnion, but there’re things that I don’t understand:

• In the fortigate logs configuration, I have to precise the IP address(or FQDN) of the server. But the only IP that I’ve configured, on SecurityOnion, is the management (which is used to access security Onion via navigator). Can it retrieve the logs via this IP (I have some doubts) or does it has to go through the sniffing port?
• There’s also modules that can be installed for filebeat. And I saw a specific module about Fortinet logs. Does it include Fortigates logs types?

Maybe it’s not the appropriate version I’m using. I’ve some difficulties to understand certain of those versions.
I appreciate in advance for the attention given to my questions and for the informations and advices provided. If you need more information, let me know.

P.S : Sorry if my English is not the best. I’m from Switzerland.

[weslambert]

You should be able to use the Fortinet Filebeat module to achieve this:

fortinet:
      firewall:
        enabled: true 
        var.input: udp
        var.syslog_host: 0.0.0.0 
        var.syslog_port: 9004

https://docs.securityonion.net/en/latest/filebeat.html?#modules
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-fortinet.html#filebeat-module-fortinet

Then make sure to allow the port using so-firewall, etc:

Ex. : https://docs.securityonion.net/en/latest/firewall.html?highlight=syslog#allow-hosts-to-send-syslog-to-a-sensor-node

[Devil45]

So i've putted the firewall rule and implemented the code.
Now, in kibana/elasticsearch, in the syslog category, i see some of my logs. But, some of them are not shown correctly (image for example).

I've tried to do some modifications in "Kibana - Index Patterns", but no success.

Any ideas ?

[palichx]

Hi,
check elasticsearch pipelines
so-elasticsearch-pipelines-list | grep forti

[amorphys]

Yes i do everything is up and running but syslog are not parsed ? Did you did something else in config ?

[amorphys]

So i've putted the firewall rule and implemented the code. Now, in kibana/elasticsearch, in the syslog category, i see some of my logs. But, some of them are not shown correctly (image for example).

I've tried to do some modifications in "Kibana - Index Patterns", but no success.

Any ideas ?

did you solved it ?
Same here the firmware is FortiOS > 7

[ebdavison]

I was able to solve this with the solution mentioned in this article:
#9705