I read about many FortiGate log issues.
I use the latest version of Graylog.
Until yesterday I could manage FortiGate logs with a syslog UDP input, extractors and dashboards.
After a restart of the server (some problems with some indexes) I encountered two main issues:
- With the extractors imported from the Marketplace for FortiGate, the Process Buffer is now always at 100%. I had to remove the extractors to solve the issue; now, out of the 95 extractors, I don't know which extractor causes these issues.
- Syslog UDP stopped working; only raw UDP works. The problem is that with raw UDP I need extractors to get fields, and the other issue is that with raw UDP logs from Linux and switches don't work anymore, so I have to set up two inputs on different ports.
- I have a lot of index failures because the field size of some messages is over 1000, but with raw UDP this issue is solved.
Can you share your experience with managing FortiGate logs and advise on the best strategies?
Thank you for your support.