It turns out that FortiGate CEF output is extremely buggy, so I built some dashboards for the Syslog output instead, and I actually like the results much better.
I also created a guide that explains how to set up a production-ready single node Graylog instance for analyzing FortiGate logs, complete with HTTPS, bidirectional TLS authentication.
I have installed Graylog server 5.4.2.
Just to check, I created a new input (my first input); here are the settings on the Graylog server:
bind_address: 0.0.0.0
charset_name: UTF-8
number_worker_threads: 10
override_source:
port: 11514
recv_buffer_size: 262144
On the FortiGate:
KWM-FG # sh log syslogd setting
config log syslogd setting
set status enable
set server “Graylog Server IP”
set port 11514
end
The above config works fine when I select the default stream.
I installed your FortiGate content pack from GitHub (FortiGate 6.x Content Pack for graylog3) with no issues.
Now if I select FortiGate traffic logs from the same search bar, it's empty, but I see the in/out bytes value changing there.
I have attached 3 snapshots:
default stream
fortigate traffic logs (selected from the drop-down menu): it is blank
Dashboard
I appreciate your advice and assistance.
The server is Enterprise.
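Since the default stream shows messages while the content pack's FortiGate traffic stream stays empty, the first thing to check is whether the fields a stream rule matches on actually exist on the message after extraction, rather than only inside the raw text. The parser below is an added example, not code from this thread or from the content pack; the log lines are constructed, and a stream rule on the field `type` equal to `traffic` is an assumption about how such a rule is typically written.

```python
import re

# Constructed sample lines in FortiGate's key=value syslog format (not captured from a real device).
SAMPLE_TRAFFIC_LOG = (
    'date=2024-01-15 time=10:22:31 devname="KWM-FG" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=192.0.2.10 srcport=51234 dstip=198.51.100.20 dstport=443 proto=6 '
    'action="accept" policyid=1 service="HTTPS" sentbyte=1832 rcvdbyte=9150'
)
SAMPLE_EVENT_LOG = (
    'date=2024-01-15 time=10:23:02 devname="KWM-FG" devid="FGT-PLACEHOLDER" '
    'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="ssh(192.0.2.5)" '
    'msg="Administrator admin logged in successfully from ssh(192.0.2.5)"'
)

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_kv(message: str) -> dict:
    """Extract FortiGate key=value fields into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(message):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def stream_rule_matches(fields: dict, field: str, expected: str) -> bool:
    """Mimic an exact-match stream rule: the field must exist AND equal the expected value."""
    return fields.get(field) == expected


def traffic_bytes(fields: dict) -> tuple:
    """Return (sentbyte, rcvdbyte) as integers; the in/out counters a traffic dashboard would sum."""
    return int(fields.get("sentbyte", 0)), int(fields.get("rcvdbyte", 0))


def route_to_traffic_stream(raw_message: str, extracted: bool) -> bool:
    """Assumed rule: type == "traffic". Without extraction the message only has a raw 'message' field,
    so the rule cannot match even though the text clearly contains type="traffic"."""
    fields = parse_fortigate_kv(raw_message) if extracted else {"message": raw_message}
    return stream_rule_matches(fields, "type", "traffic")


if __name__ == "__main__":
    for raw in (SAMPLE_TRAFFIC_LOG, SAMPLE_EVENT_LOG):
        print(route_to_traffic_stream(raw, extracted=False), route_to_traffic_stream(raw, extracted=True))
```

Run it against a line copied from the default stream; if the rule field is missing after extraction, the extractor or pipeline rule is the place to look, not the input or the FortiGate syslogd settings.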