Fortinet/Fortigate - TCP Raw Input and delimiter

Hello Graylog community,

I’m trying to collect logs from Fortinet firewalls.
Currently configured in UDP, working well.
I have to switch to TCP+TLS for secure log collection.
The problem comes when I switch to TCP: messages are not recognized by Graylog because of the lack of a delimiter (from Fortinet?)…

So, with the newline delimiter, if I start/stop the input I get one BIG message containing several messages.
If I understood correctly, in TCP the newline delimiter can’t work due to the transport itself.

If I use a ‘NULL delimiter’ in the input configuration, messages are delimited, but as if a delimiter were present in the middle of the message (messages are in CEF format).

Example: raffi:orwar server-rst|3|deviceExternalId=( CONTENT OF THE MESSAGE) CEF:0|Fortinet|Fortigate|v6.4.1|0013
So yes, the “CEF:0” which is supposed to be at the beginning of the message is nearly at the end…

Is there something I can do on the Graylog side to solve that? Is it possible to delimit the message at the input (extractor) level?
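To make the symptom above concrete, here is an added Python illustration (not Graylog or Fortinet code, and not from the original poster): it shows what a fixed NUL delimiter does to a constructed CEF stream, and a re-framer that cuts at each "CEF:0|" header instead. The sample bytes, the position of the NUL and the assumption that every message begins with "CEF:0|" are constructed for this example.

```python
# Added illustration of the framing problem described above; not Graylog or
# Fortinet code. Stream contents, NUL position and the "every message starts
# with CEF:0|" assumption are constructed for this example.
CEF_PREFIX = b"CEF:0|"

# Constructed: two CEF messages in one TCP stream, delivered as two chunks whose
# boundary tears the second "CEF:0|" header. A NUL byte sits after the signature
# ID of each message rather than at the message boundary.
SAMPLE_CHUNKS = [
    b"CEF:0|Fortinet|Fortigate|v6.4.1|0013\x00|traffic:forward server-rst|3|"
    b"deviceExternalId=FGT-EXAMPLE-1 src=10.0.0.5 dst=10.0.0.9 CE",
    b"F:0|Fortinet|Fortigate|v6.4.1|0013\x00|traffic:forward close|3|"
    b"deviceExternalId=FGT-EXAMPLE-1 src=10.0.0.6 dst=10.0.0.9 ",
]


def split_on_delimiter(stream, delim):
    """What a fixed-delimiter TCP input does: cut wherever the delimiter occurs."""
    return [part for part in stream.split(delim) if part]


class CefReframer:
    """Cut at each CEF header so every emitted frame is one whole message.

    A frame is emitted only once the next header (or flush) arrives, because a
    chunk boundary may fall anywhere, even inside "CEF:0|" itself.
    """

    def __init__(self):
        self._buf = b""

    def feed(self, chunk):
        self._buf += chunk
        start = self._buf.find(CEF_PREFIX)
        if start < 0:
            # No header yet: keep only a tail that could be a torn prefix.
            self._buf = self._buf[-(len(CEF_PREFIX) - 1):]
            return []
        frames = []
        while (nxt := self._buf.find(CEF_PREFIX, start + len(CEF_PREFIX))) >= 0:
            frames.append(self._clean(self._buf[start:nxt]))
            start = nxt
        self._buf = self._buf[start:]  # last, possibly incomplete, message
        return frames

    def flush(self):
        """Emit the final buffered message, e.g. when the connection closes."""
        last = [self._clean(self._buf)] if self._buf.startswith(CEF_PREFIX) else []
        self._buf = b""
        return last

    @staticmethod
    def _clean(frame):
        # Drop the stray NUL and trailing whitespace left inside the message.
        return frame.replace(b"\x00", b"").rstrip(b" \r\n")


def reframe(chunks):
    r = CefReframer()
    frames = [f for chunk in chunks for f in r.feed(chunk)]
    return frames + r.flush()
```

`split_on_delimiter(b"".join(SAMPLE_CHUNKS), b"\x00")` reproduces the post's symptom (a frame that starts with the previous message's tail and ends in `CEF:0|Fortinet|Fortigate|v6.4.1|0013`), while `reframe(SAMPLE_CHUNKS)` returns the two complete messages.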
