I get a log for a device, system alerts "received message", but no results on the search page. Help me

I have got a log from a Fortigate device but I can't see the message.
But the system informs me that the message has been received. What should I do?

Normal behaviour if you have a problem with timestamps.

  1. Check that your device and Graylog use NTP-synchronized time
  2. Check that you use the correct timezone in the device
  3. Check that you use the correct timezone in Linux on the Graylog box
    Run the command timedatectl and check the fields Timezone and Local Time. Timezone should be your real timezone, and Local Time should be your actual time.
  4. If you don't have the correct timezone on the Graylog box, change it:
    Run the command sudo timedatectl set-timezone "Europe/Bratislava" and after that reboot the Graylog box (change "Europe/Bratislava" to your real timezone)
  5. If you log in to the Graylog web interface with the user admin, check the correct timezone in server.conf (it can't be updated in the web interface for the user admin):
    sudo vim /etc/graylog/server/server.conf
    Find the line root_timezone =
    and change it to your real timezone, for example root_timezone = Europe/Bratislava
    After that restart the Graylog service using the command: sudo systemctl restart graylog-server
  6. If everything is correct (points 1-5), check the logs in System - Input and click Show messages
  7. Fortigate uses two separate fields to set the date and time; you can use this pipeline rule to fix it:
rule "fortigate_timestamp"
when
    has_field("devname") AND has_field("date") AND has_field("time")
then
    let build_message_0 = concat(to_string($message.date), " ");
    let build_message_1 = concat(build_message_0, to_string($message.time));
    let new_time = parse_date(value: build_message_1, pattern: "yyyy-MM-dd HH:mm:ss", timezone: "Europe/Bratislava");
    set_field("timestamp", new_time);
end

Hope this helps.

1 Like
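To show why a wrong timezone makes a received message vanish from a relative search, here is an added Python walk-through (not from the thread or from Graylog) that does the same three steps as the pipeline rule above: combine the Fortigate date and time fields, parse them in the device's zone, and compare the result with a search window. The log line, the clock value NOW and the fixed UTC+2 offset standing in for Europe/Bratislava are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed Fortigate-style syslog line; every value is made up for this example.
SAMPLE = ('date=2020-09-15 time=14:03:27 devname="FGT-EDGE" devid="FGXXXXXXXXXXXXXX" '
          'logid="0000000013" type="traffic" subtype="forward" action="accept"')

# Fortigate logs are key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Europe/Bratislava in September is CEST (UTC+2). A fixed offset keeps the example
# independent of a tz database; in Graylog you name the zone instead.
DEVICE_TZ = timezone(timedelta(hours=2), "CEST")

# Constructed "current time" of the Graylog box (UTC), a few minutes after the log line.
NOW = datetime(2020, 9, 15, 12, 10, 0, tzinfo=timezone.utc)


def parse_fortigate(line: str) -> dict:
    """Split a Fortigate key=value line into a dict, stripping the quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def fortigate_timestamp(fields: dict, device_tz: tzinfo) -> datetime:
    """Same steps as the pipeline rule: concat date, " ", time; parse as
    yyyy-MM-dd HH:mm:ss in the device's zone; return the instant in UTC."""
    combined = f'{fields["date"]} {fields["time"]}'
    local = datetime.strptime(combined, "%Y-%m-%d %H:%M:%S").replace(tzinfo=device_tz)
    return local.astimezone(timezone.utc)


def in_search_window(ts: datetime, now: datetime, minutes: int) -> bool:
    """A relative search ("last N minutes") only lists messages whose timestamp
    lies between now - N minutes and now; a timestamp in the future is not shown."""
    return now - timedelta(minutes=minutes) <= ts <= now


if __name__ == "__main__":
    fields = parse_fortigate(SAMPLE)
    right = fortigate_timestamp(fields, DEVICE_TZ)     # zone matches the device
    wrong = fortigate_timestamp(fields, timezone.utc)  # zone omitted: local time read as UTC
    print("correct zone:", right.isoformat(), "visible:", in_search_window(right, NOW, 15))
    print("wrong zone:  ", wrong.isoformat(), "visible:", in_search_window(wrong, NOW, 15))
```

With the correct zone the message lands at 12:03:27 UTC and appears in a "last 15 minutes" search; parsed without the zone it becomes 14:03:27 UTC, two hours in the future, and the search returns nothing although the input counted it as received.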

Where do I have to go to set up this file?

rule "fortigate_timestamp"
when
    has_field("devname") AND has_field("date") AND has_field("time")
then
    let build_message_0 = concat(to_string($message.date), " ");
    let build_message_1 = concat(build_message_0, to_string($message.time));
    let new_time = parse_date(value: build_message_1, pattern: "yyyy-MM-dd HH:mm:ss", timezone: "Europe/Bratislava");
    set_field("timestamp", new_time);
end


I have set everything time. Not the same

Check the docs on how to use pipelines and pipeline rules:
https://docs.graylog.org/en/3.3/pages/pipelines.html

Try to create a UDP Raw input too and test sending to it from the Fortigate; this way Graylog doesn't parse the message, and you should see the raw message…

I can work now

Thank you very much

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.