It turns out that FortiGate CEF output is extremely buggy, so I built some dashboards for the Syslog output instead, and I actually like the results much better.
I also created a guide that explains how to set up a production-ready single-node Graylog instance for analyzing FortiGate logs, complete with HTTPS and bidirectional TLS authentication.
I have installed Graylog server 5.4.2.
Just to check, I created a new input (my first input), and here are the settings on the Graylog server:
bind_address: 0.0.0.0
charset_name: UTF-8
number_worker_threads: 10
override_source:
port: 11514
recv_buffer_size: 262144
On the FortiGate:
KWM-FG # sh log syslogd setting
config log syslogd setting
set status enable
set server "Graylog Server IP"
set port 11514
end
The above config works fine when I select the default stream.
I installed your FortiGate content pack from GitHub (FortiGate 6.x Content Pack for graylog3) with no issues.
Now, if I select FortiGate traffic logs from the same search bar, it is empty, but I see the in/out bytes value there changing.
I have attached 3 snapshots:
default stream
FortiGate traffic logs (selected from the drop-down menu): it is blank
Dashboard
I appreciate your advice and assistance.
Server is Enterprise.
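One way to check whether the raw syslog payload actually carries the fields a traffic stream can match on is to parse a few FortiGate key=value lines and classify them. This is an added example, not code from the thread, the content pack or Graylog; the sample lines are constructed, and matching on `type == traffic` is an assumption about how such a stream rule might be written, not the content pack's actual rule.

```python
import re

# FortiGate syslog bodies are space-separated key=value pairs; values that
# contain spaces are double-quoted. The regex accepts quoted and bare values.
_KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|(\S+))')

def parse_fortigate(line: str) -> dict:
    """Return the key=value fields of one FortiGate syslog line as a dict."""
    # Drop an optional syslog priority prefix such as "<189>" before parsing.
    body = re.sub(r'^<\d{1,3}>', '', line.strip())
    fields = {}
    for m in _KV_RE.finditer(body):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields

def is_traffic_log(fields: dict) -> bool:
    """Assumed stream rule: the message's 'type' field equals 'traffic'."""
    return fields.get("type") == "traffic"

def count_traffic(lines) -> int:
    """How many of the given lines a 'type == traffic' rule would route."""
    return sum(1 for line in lines if is_traffic_log(parse_fortigate(line)))

# Constructed sample lines (not captured from a real device; devid is a placeholder).
SAMPLE_LINES = [
    '<189>date=2024-01-15 time=10:22:31 devname="fw-edge-1" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 srcport=51234 dstip=192.0.2.10 dstport=443 proto=6 '
    'action="accept" policyid=7 sentbyte=1450 rcvdbyte=7320 msg="Traffic log"',
    '<189>date=2024-01-15 time=10:22:35 devname="fw-edge-1" devid="FGT-PLACEHOLDER" '
    'logid="0100032003" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" msg="Administrator admin logged in"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_fortigate(line)
        print(f["devname"], f["type"], "traffic" if is_traffic_log(f) else "other")
    print("traffic lines:", count_traffic(SAMPLE_LINES))
```

If the parsed dict lacks a `type` key for a line that the default stream shows, the fields are not being extracted before the stream rule runs, which would explain an empty traffic stream while the byte counters still move.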
Thank you, Sean, for this fantastic work. I would like to know if it is possible to connect your amazing work with FortiAnalyzer, as we have many FortiGate devices and would like to collect data directly from it… Is this possible?
Thank you very much for your work.
Thanks for this piece of art; it is working so fine with me (FortiOS 7.2.11 and earlier).
I have a question: I will upgrade soon to version 7.4.8. Are there any changes expected with the stream fields, or will almost all fields be the same?
Or has anyone used it with FortiOS 7.4.8, and how was it? Compatible, or any problems?
TIA