Fortigate extractors

Hi, we’re using Graylog 5.0.13 and our Fortigate 401E is currently on v7.2.7. I created a raw/plaintext UDP input but am not getting any messages. The FGT is also configured on the right port and uses UDP. Can anyone help with the extractors? I’m pretty new to this stuff.

Thanks!

Fortigate defaults to port 514 UDP in syslog format, so you can configure your Graylog input as a Syslog UDP input; that way extractors should be much less necessary in the first place.

On the Fortigate:

# config log syslogd setting
# show    (to show your settings)

to see if there are aberrations to the default config.

Some servers deny incoming traffic on ports lower than 1024 for security reasons, so we are using 1514.

# config log syslogd setting 
    set status enable
    set server "<your graylog IP>"
    set port 1514
# end

@Arie is right. Unless you have a custom Fortigate output, you will need a Syslog input on Graylog for your messages. UDP is the default, but you can choose TCP if it’s available on the Fortigate side. Just make sure they match on both sides.

Once you have messages showing up on the input, then you can define an extractor or pipeline to parse the datagram.

As for your current configuration, please try one thing and let me know if you see any messages. If it works, I’ll explain the details. If it doesn’t, I was wrong and they don’t matter anyway.

It’s easy. Just run a search, with no query. For the time, click the dropdown on the top left and choose “All Messages”.


Then click the magnifying glass and see what you get.
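Added example (not from any poster in this thread and not Graylog's or Fortinet's own code): the replies above say to first get datagrams arriving on the Syslog UDP input and only then write an extractor or pipeline rule to parse them. The script below shows what that parser has to do with a Fortigate-style datagram, which in the default syslog mode is a `<PRI>` header followed directly by space-separated `key=value` pairs, some of them double-quoted and containing spaces. The sample datagram, device names and addresses are constructed for illustration; `send_test_datagram` is a hypothetical helper that sends a datagram to your input's host and port (1514 as in Arie's config) so you can check the input receives anything at all before involving the firewall.

```python
import re
import socket
from typing import Dict

# Constructed sample in the shape of a Fortigate traffic log in default syslog
# mode: a <PRI> header, then key=value pairs. Not captured from a real device.
SAMPLE_DATAGRAM = (
    '<189>date=2024-03-28 time=15:02:45 devname="FGT-EXAMPLE" '
    'devid="FGEXAMPLE0000001" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.0.5 '
    'srcport=51234 srcintf="port1" dstip=198.51.100.10 dstport=443 '
    'dstintf="wan1" action="accept" policyid=7 service="HTTPS" '
    'msg="traffic log with spaces inside the value"'
)

# <PRI> is facility*8 + severity, as in RFC 3164/5424.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# A key, '=', then either a double-quoted value (backslash escapes allowed)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_datagram(datagram: str) -> Dict[str, object]:
    """Split a Fortigate syslog datagram into a flat field dictionary.

    Returns the syslog facility/severity as ints plus every key=value pair
    as strings with surrounding quotes removed. This mirrors what a Graylog
    extractor or pipeline rule must produce to make the log searchable.
    """
    fields: Dict[str, object] = {}
    body = datagram
    m = PRI_RE.match(datagram)
    if m:
        pri = int(m.group(1))
        fields["syslog_facility"] = pri // 8
        fields["syslog_severity"] = pri % 8
        body = datagram[m.end():]
    for key, value in KV_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip quotes; keep inner spaces intact
        fields[key] = value
    return fields


def send_test_datagram(host: str, port: int, payload: str = SAMPLE_DATAGRAM) -> int:
    """Hypothetical helper: fire one UDP datagram at a Graylog syslog input.

    Use it from a machine that can reach the Graylog host to confirm the
    input itself is listening before blaming the Fortigate configuration.
    Returns the number of bytes sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for k, v in parse_fortigate_datagram(SAMPLE_DATAGRAM).items():
        print(f"{k} = {v}")
```

With the sample above the parser yields facility 23 (local7) and severity 5 (notice), and `msg` keeps its embedded spaces, which is exactly the case a naive split on spaces gets wrong and the reason to let the syslog input handle the header while a key=value extractor handles the body.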