Problem displaying Fortigate log messages

Hi everyone,

Recently I installed this content pack (https://github.com/pfitchie/graylog3.Fortigate6xContentPack) on my Graylog server to capture the FortiGate logs. I use a Graylog OVA, version 3.3.3. So my problem is this: the messages are arriving at my Graylog server but I cannot visualize them. Of course, I am redirecting the messages from port 514 to 1025 with an iptables rule.

Best regards.

And what is your problem? You don't see parsed fields or the dashboard?

  1. The content pack contains extractors, so check if they are there under the Manage extractors button in the FortiGate input.
  2. The content pack contains parameters for the input and stream. Did you set up the fghostname parameter correctly so it contains your real FortiGate hostname, e.g. FG123456789?
  3. I do not recommend forwarding logs from 514; it's better to use a port number higher than 1024 for the input and send directly to this port from the FortiGate.
  4. The content pack contains a dashboard, but it will probably not work, because the content pack was created for version 3.1, and 3.2/3.3 have different dashboard functionality.

OK! I checked and configured everything you told me, but I cannot see anything in the Show received messages section. However, now I can see some statistics in the Dashboard section.

  1. Maybe you have a problem with timestamps. Try selecting all messages in the timeframe selector, or use the absolute time selector and check future messages as well.

  2. If you use the admin user to log in to Graylog, specify the correct timezone in the parameter root_timezone in the /etc/graylog/server/server.conf file, for example:
    root_timezone = Europe/Bratislava
    https://docs.graylog.org/en/3.3/pages/configuration/server.conf.html#general

    • Log in as user ubuntu or root on the Linux console.
    • Edit the file server.conf using your favourite editor:
      • if you've logged in as the ubuntu user, you probably must use sudo:
        sudo vim /etc/graylog/server/server.conf
      • if you've logged in as root, use the command:
        vim /etc/graylog/server/server.conf
    • Find the parameter root_timezone and change Europe/Bratislava to your real timezone:
      root_timezone = Europe/Bratislava
    • Save the file: press Esc, type :wq and press Enter.
    • Restart the Graylog service with:
      sudo systemctl restart graylog.service
    • Done

  3. Also change the real timezone in the Ubuntu Linux OVA using this command:
    • sudo timedatectl set-timezone Europe/Bratislava
    • reboot the OVA

  4. Don't forget to synchronize time using NTP on Graylog and also on the FortiGate.
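The procedure in the reply above, as an added example in Python that is not code from the thread, from Graylog or from the content pack: it rewrites root_timezone in a server.conf the way the manual vim edit does (replacing the commented-out default in place, validating the zone name against the tz database), and it shows why a device/server timezone mismatch makes events land "in the future", which is the reason the reply says to check future messages. The server.conf excerpt, the FortiGate log line and the device name FG100E are constructed; the assumption that the extractor sees exactly the date=, time= and tz= fields is mine.

```python
"""Added example, not code from the thread or the content pack: rewrite
root_timezone in a Graylog server.conf the way the steps above describe, and
show why a timezone mismatch makes events appear "in the future". The conf
excerpt, FortiGate log line and device name are constructed."""
import re
import zoneinfo
from datetime import datetime, timedelta, timezone

# Constructed excerpt of /etc/graylog/server/server.conf. The shipped file
# leaves the key commented out, so Graylog falls back to UTC.
SAMPLE_CONF = """\
is_master = true
#root_timezone = UTC
http_bind_address = 127.0.0.1:9000
"""

# Constructed FortiOS 6.x syslog payload: local wall-clock plus the offset
# in tz="+0200" (assumption: the extractor sees exactly these fields).
SAMPLE_FG_LOG = 'date=2020-08-10 time=14:05:30 tz="+0200" devname="FG100E" level="notice"'


def validate_timezone(tz: str) -> None:
    """Reject names the tz database does not know (e.g. 'Bratislava', 'CET+1')."""
    try:
        zoneinfo.ZoneInfo(tz)
    except (zoneinfo.ZoneInfoNotFoundError, ValueError):
        if zoneinfo.available_timezones():
            raise ValueError(f"unknown timezone {tz!r}")
        # No tzdata on this host: fall back to checking the Area/City shape.
        if not re.fullmatch(r"[A-Za-z_]+(/[A-Za-z0-9_+-]+)+|UTC", tz):
            raise ValueError(f"malformed timezone {tz!r}")


def set_root_timezone(conf_text: str, tz: str) -> str:
    """Return conf_text with exactly one active 'root_timezone = <tz>' line.

    An existing line (active or commented out) is rewritten in place so the
    file keeps its layout; if the key is absent the line is appended.
    """
    validate_timezone(tz)
    line_re = re.compile(r"^[ \t]*#?[ \t]*root_timezone[ \t]*=.*$", re.MULTILINE)
    new_line = f"root_timezone = {tz}"
    if line_re.search(conf_text):
        return line_re.sub(lambda _m: new_line, conf_text, count=1)
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + new_line + "\n"


def get_root_timezone(conf_text: str) -> str:
    """Active root_timezone value, or Graylog's default 'UTC' if unset."""
    m = re.search(r"^[ \t]*root_timezone[ \t]*=[ \t]*(\S+)", conf_text, re.MULTILINE)
    return m.group(1) if m else "UTC"


def parse_fortigate_time(line: str, ignore_tz: bool = False) -> datetime:
    """Build the event time from the date=, time= and tz= fields.

    ignore_tz=True mimics an extractor that drops tz= and lets Graylog treat
    the device's local time as UTC.
    """
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    fields = {k: v.strip('"') for k, v in pairs}
    naive = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    if ignore_tz:
        return naive.replace(tzinfo=timezone.utc)
    sign = -1 if fields["tz"].startswith("-") else 1
    offset = timedelta(hours=int(fields["tz"][1:3]), minutes=int(fields["tz"][3:5]))
    return naive.replace(tzinfo=timezone(sign * offset))


def future_skew_seconds(line: str) -> float:
    """Seconds the event is stamped ahead of its true time when tz= is ignored.

    Positive means a relative 'last 5 minutes' search will not show it yet.
    """
    wrong = parse_fortigate_time(line, ignore_tz=True)
    right = parse_fortigate_time(line)
    return (wrong - right).total_seconds()


if __name__ == "__main__":
    print(set_root_timezone(SAMPLE_CONF, "Europe/Bratislava"))
    print("skew if tz= is ignored:", future_skew_seconds(SAMPLE_FG_LOG), "s")
```

With the constructed line, ignoring tz="+0200" stamps the event two hours ahead of real time, which is exactly the case where the absolute time selector with a future end time shows messages that a relative search hides. Set both the FortiGate and the OVA to NTP so the skew you see is only the timezone offset and not clock drift on top of it.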

Thank you for your help! I found another error in /var/log/graylog-server/server.log.

What should I do? Should I change the level extractor?

It's a normal problem: the first message which contains level set it up as numeric (which Elasticsearch uses for the mapping), and another message wants to insert another type (string) into Elasticsearch.

You can either:

  1. Create a custom index mapping with type string, so the field level will be string and not numeric
    https://docs.graylog.org/en/3.3/pages/configuration/elasticsearch.html#custom-index-mappings
  2. Rename the field level before storing, for example with a pipeline rule
  3. Create your own index for FortiGate, and don't send other types of messages to it
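The type clash and the three remedies from the reply above, as an added example in Python that is not code from the thread, from Graylog or from the content pack. A small model of Elasticsearch dynamic mapping (first document to carry a field fixes its type; Graylog's default index template maps new string fields as keyword) reproduces the failure in the order the reply describes, numeric level first, textual level second, and checks that each remedy avoids it. The two messages are constructed; the field name fg_level, the device name FG100E and the source names are my assumptions, and the template shape follows the Graylog 3.x custom index mapping docs for Elasticsearch 6.

```python
"""Added example, not code from the thread or the content pack: a toy model of
Elasticsearch dynamic mapping that reproduces the 'level' type clash described
above and checks the three remedies. Messages are constructed; the field name
fg_level, the device name and the source names are assumptions."""
import json

# Constructed messages as Graylog hands them to Elasticsearch. A syslog input
# stores the PRI severity as an integer 'level'; the content pack's extractors
# put FortiGate's textual level="notice" into the same field.
SYSLOG_MSG = {"source": "webproxy", "level": 6, "message": "cron: job finished"}
FORTIGATE_MSG = {"source": "FG100E", "level": "notice", "message": "date=2020-08-10 ..."}


class MappingConflict(Exception):
    """Stands in for Elasticsearch's mapper_parsing_exception."""


def es_type(value) -> str:
    """Type dynamic mapping infers; Graylog's default template maps strings to keyword."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "float"
    return "keyword"


class IndexSimulator:
    """One index: the first document to carry a field fixes that field's type."""

    def __init__(self, properties=None):
        # properties mimics an explicit template, e.g. {"level": {"type": "keyword"}}
        self.mapping = {f: p["type"] for f, p in (properties or {}).items()}

    def index(self, doc: dict) -> None:
        for field, value in doc.items():
            inferred = es_type(value)
            known = self.mapping.setdefault(field, inferred)
            if known == inferred or known == "keyword":
                continue  # keyword fields store a number as its string form
            if known == "long" and isinstance(value, str) and value.lstrip("-").isdigit():
                continue  # coercion accepts numeric strings such as "6"
            raise MappingConflict(
                f"mapper_parsing_exception: field [{field}] is mapped as {known}, got {value!r}")


def index_all(docs, properties=None) -> dict:
    """Index docs in order into one simulated index and return its mapping."""
    idx = IndexSimulator(properties)
    for d in docs:
        idx.index(d)
    return idx.mapping


def reproduce_conflict(docs):
    """Error text if indexing docs in this order fails, otherwise None."""
    try:
        index_all(docs)
    except MappingConflict as exc:
        return str(exc)
    return None


# Remedy 1: custom index mapping. Shape follows the Graylog 3.x docs for
# Elasticsearch 6 (mapping type "message"); ES 7 templates drop that layer.
def custom_mapping_template(index_prefix: str = "graylog") -> dict:
    return {
        "template": f"{index_prefix}_*",
        "mappings": {"message": {"properties": {"level": {"type": "keyword"}}}},
    }


def remedy_custom_mapping(docs) -> str:
    props = custom_mapping_template()["mappings"]["message"]["properties"]
    return index_all(docs, props)["level"]


# Remedy 2: rename the textual level before storage, as a pipeline rule with
# rename_field("level", "fg_level") on the FortiGate stream would.
def remedy_rename(docs, old: str = "level", new: str = "fg_level") -> dict:
    renamed = []
    for d in docs:
        if isinstance(d.get(old), str):
            d = dict(d)
            d[new] = d.pop(old)
        renamed.append(d)
    return index_all(renamed)


# Remedy 3: route FortiGate messages to their own index set.
def remedy_separate_index(docs, is_fortigate) -> tuple:
    shared, fortigate = IndexSimulator(), IndexSimulator()
    for d in docs:
        (fortigate if is_fortigate(d) else shared).index(d)
    return shared.mapping["level"], fortigate.mapping["level"]


if __name__ == "__main__":
    print(reproduce_conflict([SYSLOG_MSG, FORTIGATE_MSG]))
    print(json.dumps(custom_mapping_template(), indent=2))
```

The order matters: if the textual FortiGate level arrives first, the field becomes keyword and later numeric values are stored as strings without an error, which is why the problem shows up only on some indices after rotation. Remedy 1 takes effect only for indices created after the template is installed (rotate the active write index), remedy 2 keeps Graylog's own numeric level intact for other inputs, and remedy 3 is the cleanest when the FortiGate stream already has its own retention needs.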

My problem has been resolved! I removed the input created by the content pack and then created my own. All this after syncing the timestamps. Thank you so much.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.