# Fortinet
## Fortinet Configuration

To get logs flowing from your Fortinet FortiGate/FortiOS device, configure remote syslog logging as described in the Fortinet documentation, Log setting and target. This guide was written against version 7.6.6; the steps may work for other versions, but it is recommended to check the official remote-logging documentation for your specific version.
Recommended FortiGate syslog settings:

- Use `set mode reliable` (RFC 6587 octet-counted framing over TCP) under `config log syslogd setting`.
- Use `set format rfc5424` (best timestamp framing) or `set format default` (simple key=value).
- Point the syslog server at the Simple Relay host on port 6701.
Example FortiGate CLI config:

```
config log syslogd setting
    set status enable
    set server <SIMPLE_RELAY_IP>
    set mode reliable
    set port 6701
    set format rfc5424
end
```
## Gravwell Configuration

### Gravwell Storage Well Configuration

Set up the well configuration on your Gravwell indexers.

Sample well config. Create or edit `/opt/gravwell/etc/gravwell.conf.d/fortinet-well.conf`:

```
[Storage-Well "fortinet"]
	Location=/opt/gravwell/storage/fortinet
	Tags=fortinet*
```
### Gravwell Ingester Configuration: Simple Relay

Sample Fortinet config. Create or edit `/opt/gravwell/etc/simple_relay.conf.d/fortinet.conf`:

```
[Listener "syslogtcp_fortinet"]
	Bind-String="tcp://0.0.0.0:6701"
	Reader-Type=rfc5424
	Tag-Name=fortinet-events
	Assume-Local-Timezone=true
	Preprocessor="Fortinet Type Router"
	Preprocessor="Fortinet System Router"

[preprocessor "Fortinet Type Router"]
	Type=regexrouter
	Drop-Misses=false
	# Match the top-level FortiGate log category; \b keeps subtype="..." from matching.
	Regex=`\btype="(?P<type>traffic|utm|event)"`
	#Regex=`^[^.]+\s[^.]+\s[^.]+\stype\=\"(?<type>.+?)?\"`
	Route-Extraction=type
	Route=traffic:fortinet-traffic
	Route=utm:fortinet-utm
	# event -> stays on default tag fortinet-events

[preprocessor "Fortinet System Router"]
	Type=regexrouter
	Drop-Misses=false
	Regex=`\bsubtype="(?P<subtype>.+?)"`
	Route-Extraction=subtype
	Route=system:fortinet-system
```

The preprocessors run in the order listed, and with `Drop-Misses=false` an entry that does not match a router's regex keeps whatever tag it already has. So a `type="event" subtype="system"` entry passes through the first router untouched (no route for `event`) and is retagged `fortinet-system` by the second, while `type="event"` entries with any other subtype stay on `fortinet-events`.
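To see what the two `regexrouter` preprocessors above actually do to a stream of FortiGate messages, here is an added Python model (not Gravwell's or Fortinet's code) of the router chain: each router runs the same regex as the config, re-tags on a hit, and leaves the tag alone on a miss, exactly as `Drop-Misses=false` behaves. It also splits the RFC 6587 octet-counted TCP framing that `set mode reliable` produces, and pulls the key=value fields out of the message body. The sample log lines, device name and stream are constructed for the example, not captured from a device.

```python
"""Model of the Simple Relay regexrouter chain for FortiGate syslog (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RegexRouter:
    """One [preprocessor] block of Type=regexrouter with Drop-Misses=false."""
    name: str
    regex: re.Pattern
    extraction: str          # Route-Extraction: named group used for the lookup
    routes: Dict[str, str]   # Route=value:tag lines

    def apply(self, entry: str, tag: str) -> str:
        m = self.regex.search(entry)
        if not m:
            return tag                                   # miss: keep the current tag
        return self.routes.get(m.group(self.extraction), tag)  # no Route for value: keep tag


# Same patterns as the config; RE2 and Python agree on (?P<name>...) groups and \b.
ROUTERS = [
    RegexRouter("Fortinet Type Router",
                re.compile(r'\btype="(?P<type>traffic|utm|event)"'),
                "type",
                {"traffic": "fortinet-traffic", "utm": "fortinet-utm"}),
    RegexRouter("Fortinet System Router",
                re.compile(r'\bsubtype="(?P<subtype>.+?)"'),
                "subtype",
                {"system": "fortinet-system"}),
]


def route(entry: str, default_tag: str = "fortinet-events") -> str:
    """Run the routers in config order (Preprocessor= lines) and return the final tag."""
    tag = default_tag
    for router in ROUTERS:
        tag = router.apply(entry, tag)
    return tag


def split_octet_counted(stream: bytes) -> List[bytes]:
    """Split an RFC 6587 octet-counted stream ('<len> <msg><len> <msg>...') into messages.

    A trailing partial frame is not returned; a real reader buffers it until more bytes arrive.
    """
    msgs, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1 or not stream[pos:sp].isdigit():
            break                                  # malformed or incomplete length prefix
        length, start = int(stream[pos:sp]), sp + 1
        if start + length > len(stream):
            break                                  # incomplete frame
        msgs.append(stream[start:start + length])
        pos = start + length
    return msgs


def parse_kv(entry: str) -> Dict[str, str]:
    """Extract FortiGate key=value fields; values are either "quoted" or bare tokens."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', entry):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


# Constructed samples in FortiGate "format rfc5424" style: RFC 5424 header, then key=value body.
SAMPLES = [
    '<189>1 2025-01-01T12:00:00Z FGT-TEST - - - - devname="FGT-TEST" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=10.0.1.9 action="accept"',
    '<189>1 2025-01-01T12:00:01Z FGT-TEST - - - - devname="FGT-TEST" type="utm" subtype="ips" severity="high" action="dropped"',
    '<189>1 2025-01-01T12:00:02Z FGT-TEST - - - - devname="FGT-TEST" type="event" subtype="system" logdesc="Admin login successful"',
    '<189>1 2025-01-01T12:00:03Z FGT-TEST - - - - devname="FGT-TEST" type="event" subtype="vpn" logdesc="SSL VPN tunnel up"',
]


def frame(messages: List[str]) -> bytes:
    """Build the octet-counted TCP stream the FortiGate sends in 'set mode reliable'."""
    encoded = [m.encode() for m in messages]
    return b"".join(b"%d %s" % (len(mb), mb) for mb in encoded)


def route_stream(stream: bytes) -> List[Tuple[str, str]]:
    """Decode a stream and return (subtype, final tag) for each message."""
    out = []
    for mb in split_octet_counted(stream):
        text = mb.decode()
        out.append((parse_kv(text).get("subtype", ""), route(text)))
    return out


if __name__ == "__main__":
    for subtype, tag in route_stream(frame(SAMPLES)):
        print(f"subtype={subtype:<8} -> {tag}")
```

Running it shows the four constructed messages landing on `fortinet-traffic`, `fortinet-utm`, `fortinet-system` and `fortinet-events` respectively, which is the split the well's `Tags=fortinet*` pattern is meant to absorb. If you change the routes or regexes in the config, adjust `ROUTERS` to match and re-run against a few real lines before restarting the relay.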
Note: remember to restart the service to apply the new config:

```
sudo systemctl restart gravwell_simple_relay.service
```