It turns out that FortiGate CEF output is extremely buggy, so I built some dashboards for the Syslog output instead, and I actually like the results much better.
I also created a guide that explains how to set up a production-ready single-node Graylog instance for analyzing FortiGate logs, complete with HTTPS and bidirectional TLS authentication.
I have installed Graylog server 5.4.2.
Just to check, I created a new input (my first input), and here are the settings on the Graylog server:
bind_address: 0.0.0.0
charset_name: UTF-8
number_worker_threads: 10
override_source:
port: 11514
recv_buffer_size: 262144
On FortiGate:
KWM-FG # sh log syslogd setting
config log syslogd setting
    set status enable
    set server "Graylog Server IP"
    set port 11514
end
The above config works fine when I select the default stream.
I installed your FortiGate content pack from GitHub (FortiGate 6.x Content Pack for graylog3) with no issues.
Now if I select FortiGate traffic logs from the same search bar, it's empty, but I see the in/out bytes value there changing.
I have attached 3 snapshots:
- default stream
- FortiGate traffic logs (selected from the drop-down menu); it is blank
- Dashboard
I appreciate your advice and assistance.
Server is Enterprise.
Thank you, Sean, for this fantastic work. I would like to know if it is possible to connect your amazing work with FortiAnalyzer, as we have many FortiGate devices and would like to collect data directly from it… Is this possible?
Thank you very much for your work.