FortiGate Syslog

It turns out that FortiGate CEF output is extremely buggy, so I built some dashboards for the Syslog output instead, and I actually like the results much better.

I also created a guide that explains how to set up a production-ready single node Graylog instance for analyzing FortiGate logs, complete with HTTPS, bidirectional TLS authentication.

Download from GitHub
GitHub project
Open issues

Be sure to add yourself as a watcher to the GitHub project to be notified of new Content Pack releases that fix bugs or add more features.


Thanks for sharing :+1: Looks good.

Thank you for this, its exactly what I needed.

Thank You for Sharing

Dear Sean,

I have installed graylog server 5.4.2
Just to check I created a new input ( my first input ) and here the settings on Graylog server
charset_name: UTF-8
number_worker_threads: 10
port: 11514
recv_buffer_size: 262144
On FortyGate
KWM-FG # sh log syslogd setting
config log syslogd setting
set status enable
set server “Graylog Server IP”
set port 11514
The above config works fine when I select default stream
I installed your FortiGate content pack from github ( FortiGate 6.x Content Pack for graylog3 ) with no issues
Now if I select from the same search bar FortiGate traffic logs its empty but I see there in in/out bytes value changing.
I have attached 3 snapshots

  1. default stream
  2. fortigate traffic logs (selected from drop down menu) it is blank
  3. Dashboard

appreciate your advice and assistance.
Server is enterprise

Thanks and regards