Fortinet#

Integration Details

  • Ingester: Simple Relay

  • Kit: Gravwell Fortinet

Fortinet Configuration#

To get logs flowing from your Fortinet FortiGate/FortiOS device, configure remote syslog logging as described in the Fortinet documentation, Log setting and target. This guide was written against version 7.6.6; the steps may work for other versions, but check the official remote-logging documentation for your specific version.

Recommended FortiGate syslog settings:

  • Use mode reliable (RFC6587 over TCP) for the config log syslogd setting.

  • Use format rfc5424 (best timestamp framing) or format default (simple key=value).

  • Point the syslog server to the Simple Relay host on port 6701.

Example FortiGate CLI config:

config log syslogd setting
    set status enable
    set server <SIMPLE_RELAY_IP>
    set mode reliable
    set port 6701
    set format rfc5424
end

Gravwell Configuration#

Gravwell Storage Well Configuration#

Set up the well configuration on your Gravwell indexers.

Sample well config:
Create or edit: /opt/gravwell/etc/gravwell.conf.d/fortinet-well.conf

[Storage-Well "fortinet"]
    Location=/opt/gravwell/storage/fortinet
    Tags=fortinet*

Gravwell Ingester Configuration: Simple Relay#

Sample Simple Relay config for Fortinet:
Create or edit: /opt/gravwell/etc/simple_relay.conf.d/fortinet.conf

[Listener "syslogtcp_fortinet"]
    Bind-String="tcp://0.0.0.0:6701"
    Reader-Type=rfc5424
    Tag-Name=fortinet-events
    Assume-Local-Timezone=true
    Preprocessor="Fortinet Type Router"
    Preprocessor="Fortinet System Router"

[preprocessor "Fortinet Type Router"]
    Type=regexrouter
    Drop-Misses=false
    Regex=`\btype="(?P<type>traffic|utm|event)"`
    #Regex=`^[^.]+\s[^.]+\s[^.]+\stype\=\"(?<type>.+?)?\"`
    Route-Extraction=type
    Route=traffic:fortinet-traffic
    Route=utm:fortinet-utm
    # event -> stays on default tag fortinet-events

[preprocessor "Fortinet System Router"]
    Type=regexrouter
    Drop-Misses=false
    Regex=`\bsubtype="(?P<subtype>.+?)"`
    Route-Extraction=subtype
    # runs after the Type Router, so type="event" subtype="system" records
    # move from fortinet-events to fortinet-system
    Route=system:fortinet-system
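To check where a record will land before restarting the relay, here is an added Python approximation of the two routers above (example code, not Gravwell's own): it applies the same regexes and Route= tables in listener order to constructed FortiGate lines. The RFC 5424 header layout, device name and sample fields are assumptions.

```python
import re

# Added example (not Gravwell's code): a Python approximation of how the two
# regexrouter preprocessors above retag a FortiGate record. Route tables mirror
# the Route= lines; the header layout and sample frames are constructed.
DEFAULT_TAG = "fortinet-events"                      # listener Tag-Name
TYPE_RE = re.compile(r'\btype="(?P<type>traffic|utm|event)"')
TYPE_ROUTES = {"traffic": "fortinet-traffic", "utm": "fortinet-utm"}
SUBTYPE_RE = re.compile(r'\bsubtype="(?P<subtype>.+?)"')
SUBTYPE_ROUTES = {"system": "fortinet-system"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # FortiOS key=value body

def route_tag(msg: str) -> str:
    """Routers run in listener order: a match whose value has a Route= entry
    retags the entry, a miss keeps the current tag (Drop-Misses=false). So a
    type="event" subtype="system" record ends up on fortinet-system."""
    tag = DEFAULT_TAG
    for rx, routes in ((TYPE_RE, TYPE_ROUTES), (SUBTYPE_RE, SUBTYPE_ROUTES)):
        m = rx.search(msg)
        if m:
            tag = routes.get(m.group(1), tag)
    return tag

def parse_kv(msg: str) -> dict:
    """Split the FortiOS key=value body into a dict; values may be quoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(msg)}

def tag_counts(lines) -> dict:
    """Records per tag; whatever stays on fortinet-events is worth a look."""
    counts = {}
    for line in lines:
        tag = route_tag(line)
        counts[tag] = counts.get(tag, 0) + 1
    return counts

# Constructed RFC 5424 frames in the shape FortiGate sends with format rfc5424.
HDR = "<189>1 2024-05-01T10:00:00Z FGT60F - - - - "
SAMPLES = [
    HDR + 'date=2024-05-01 time=10:00:00 devname="FGT60F" type="traffic" '
    'subtype="forward" srcip=10.0.0.5 dstip=192.0.2.10 action="accept"',
    HDR + 'devname="FGT60F" type="utm" subtype="webfilter" url="http://example.com/" action="blocked"',
    HDR + 'devname="FGT60F" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" action="login"',
    HDR + 'devname="FGT60F" type="event" subtype="user" action="auth-logon"',
    HDR + "heartbeat line with no type field",
]
```

Feed real lines from your own relay into `tag_counts` to confirm that nothing unexpected is left on the default tag.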

Note

Remember to restart the service to apply the new config: sudo systemctl restart gravwell_simple_relay.service