Fortigate Messages Coming in 4 hours behind starting after update

Today I got an alert stating that my firewall was not logging anymore. Upon investigation, it appears only my Fortigate logs are having their timestamps changed by 4 hours. This started happening after I applied the last update, though I made no changes to either system, and this had previously been working properly for the last year.

As you can see in the attached picture, I have the correct timestamp in the log, but Graylog is not parsing that time correctly, it appears. I have verified system time, Graylog user time, and firewall time, and they all match.

Here is what the logs look like before and after the update.

When I look at my system overview here is what the time looks like.

I made sure to run this command but nothing changed.

sudo graylog-ctl set-timezone America/Detroit

The last thing in my Chef Script is this.

Recipe: timezone-ii::debian
  * bash[dpkg-reconfigure tzdata] action run
    - execute "bash"  "/tmp/chef-script20170411-2059-isgrko"

There have been some changes in the handling of Syslog messages in the latest release (Graylog 2.2.3). See https://www.graylog.org/blog/92-announcing-graylog-v2-2-3 for details.

FWIW, Graylog now tries to use the timestamp provided in the Syslog messages from FortiOS instead of simply using the ingest time, but it assumes the timezone to be UTC.

Please provide some raw Syslog messages from your FortiGate devices (captured via Wireshark or TCPdump) so we can test them against the current syslog parser.
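To make the failure mode described above concrete, here is an added example (not code from Graylog or from anyone in this thread) that parses a constructed FortiOS-style key=value syslog line, builds the event time two ways, and measures the skew. A FortiGate writes its local wall-clock time into the `date` and `time` fields with no zone marker; a receiver that treats those fields as UTC and then displays them in America/Detroit (UTC-4 in April) shows the event four hours earlier than it happened. The sample line, the device name and device id are constructed placeholders; the handling of an explicit `tz="-0400"` field reflects what newer FortiOS releases emit and is an assumption about the input, not something this thread discusses.

```python
"""Why FortiGate syslog timestamps land hours behind when the receiver
treats the device-local date/time fields as UTC."""
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample modelled on FortiOS key=value syslog; not a real capture.
SAMPLE = ('<189>date=2017-04-11 time=10:30:00 devname="FGT-LAB" '
          'devid="FGT-PLACEHOLDER" logid="0000000013" type="traffic" '
          'subtype="forward" level="notice" vd="root" action="accept"')

# key=value where the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line):
    """Strip the syslog PRI header (<189>) and return the fields as a dict."""
    body = re.sub(r'^<\d{1,3}>', '', line)
    fields = {}
    for key, value in KV_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def event_time(fields, device_zone):
    """Return an aware datetime for the event.

    device_zone is the IANA zone the FortiGate is configured for. If the
    message carries an explicit tz field such as tz="-0400" (assumed to be
    present only on newer FortiOS), that offset takes precedence.
    """
    naive = datetime.strptime(f"{fields['date']} {fields['time']}",
                              "%Y-%m-%d %H:%M:%S")
    tz_field = fields.get('tz')
    if tz_field and re.fullmatch(r'[+-]\d{4}', tz_field):
        sign = 1 if tz_field[0] == '+' else -1
        offset = timedelta(hours=int(tz_field[1:3]), minutes=int(tz_field[3:5]))
        return naive.replace(tzinfo=timezone(sign * offset))
    return naive.replace(tzinfo=ZoneInfo(device_zone))


def event_time_iso(line, device_zone):
    """Correctly zoned event time as an ISO 8601 string."""
    return event_time(parse_fortigate(line), device_zone).isoformat()


def skew_hours(line, device_zone):
    """Hours by which the event is displayed behind real time when the
    date/time fields are assumed to be UTC (negative would mean ahead)."""
    correct = event_time(parse_fortigate(line), device_zone)
    assumed_utc = correct.replace(tzinfo=None).replace(tzinfo=timezone.utc)
    return (correct - assumed_utc).total_seconds() / 3600


def displayed_if_assumed_utc(line, viewer_zone):
    """What a viewer in viewer_zone sees when the receiver assumed UTC."""
    fields = parse_fortigate(line)
    naive = datetime.strptime(f"{fields['date']} {fields['time']}",
                              "%Y-%m-%d %H:%M:%S")
    shown = naive.replace(tzinfo=timezone.utc).astimezone(ZoneInfo(viewer_zone))
    return shown.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    zone = "America/Detroit"
    print("device says :", parse_fortigate(SAMPLE)["date"],
          parse_fortigate(SAMPLE)["time"])
    print("correct     :", event_time_iso(SAMPLE, zone))
    print("displayed   :", displayed_if_assumed_utc(SAMPLE, zone))
    print("skew (h)    :", skew_hours(SAMPLE, zone))
```

Run stand-alone, the script shows the 10:30 event rendered as 06:30 in the Detroit view, exactly the four-hour gap reported in the thread. The quick check on a real deployment is the same one the original poster did: compare the `date`/`time` fields in the raw message with the timestamp Graylog stores, and treat any constant offset equal to your zone's UTC offset as a parser zone assumption rather than a clock problem.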

Same issue for me. After upgrading to 2.2.3 my fortigate logs are coming in with UTC, even though it’s configured for my local timezone.

Is there a way to resolve this, other than changing my other inputs to UTC?

Hi, you should create a new input as plaintext/raw (TCP or UDP). WORKS for me.

They are working on a fix right now as far as I know, I sent them a bunch of logs about 3 weeks ago and haven’t heard anything.

oh sweet. Thanks for the update!

Your input might be part of this commit that will be part of the upcoming version.

If you are waiting for something just sneak over to github and watch the development.

regards
Jan

Thanks for the hard work guys! Keep up the great work!

No, this was already part of Graylog 2.2.3: Add support for Cisco and FortiGate syslog messages by joschi · Pull Request #3674 · Graylog2/graylog2-server · GitHub

Jochen,

I am on Graylog 2.2.3+7adc951 and it is still not parsing my Fortigate logs correctly. Do I need to make some changes after the update?

There hasn’t been any fix yet.

Oh, I thought you guys had said it was in 2.2.3. Never mind, feel free to ignore my stupidity. Keep up the hard work.

I’ve created an issue on GitHub for tracking these issues:

Hi, you should create a new input as plaintext/raw (TCP or UDP). WORKS for me.

Nice. This works. Thanks!