Fortinet moduleedit

This is a module for Fortinet logs sent in the syslog format. It supports the following devices:

  • firewall fileset: Supports FortiOS Firewall logs.
  • clientendpoint fileset: Supports FortiClient Endpoint Protection logs.
  • fortimail fileset: Supports FortiMail logs.
  • fortimanager fileset: Supports FortiManager logs.

To configure a remote syslog destination, please reference the Fortigate/FortiOS Documentation.

The syslog format choosen should be Default.

Read the quick start to learn how to configure and run modules.

Compatibilityedit

This module has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested.

Configure the moduleedit

You can further refine the behavior of the fortinet module by specifying variable settings in the modules.d/fortinet.yml file, or overriding settings at the command line.

Variable settingsedit

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the fortinet module uses the defaults.

For advanced use cases, you can also override input settings. See Override input settings.

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, fortinet.firewall.var.paths instead of firewall.var.paths.

firewall fileset settingsedit

- module: fortinet
  firewall:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9004
var.paths
An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log/*/*.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.input
The input to use, can be either the value tcp, udp or file.
var.syslog_host
The interface to listen to all syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port
The port to listen for syslog traffic. Defaults to 9004.
var.tags
A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [fortinet-firewall, forwarded].

clientendpoint fileset settingsedit

This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.

This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0.

var.input
The input from which messages are read. One of file, tcp or udp.
var.syslog_host
The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port
The port to listen for syslog traffic. Defaults to 9510

Ports below 1024 require Filebeat to run as root.

var.tz_offset
By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields
Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields
Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

fortimail fileset settingsedit

This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.

This was converted from RSA NetWitness log parser XML "fortinetfortimail" device revision 131.

var.input
The input from which messages are read. One of file, tcp or udp.
var.syslog_host
The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port
The port to listen for syslog traffic. Defaults to 9529

Ports below 1024 require Filebeat to run as root.

var.tz_offset
By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields
Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields
Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

fortimanager fileset settingsedit

This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.

This was converted from RSA NetWitness log parser XML "fortinetmgr" device revision 134.

var.input
The input from which messages are read. One of file, tcp or udp.
var.syslog_host
The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port
The port to listen for syslog traffic. Defaults to 9530

Ports below 1024 require Filebeat to run as root.

var.tz_offset
By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields
Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields
Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fortinet ECS fieldsedit

This is a list of FortiOS fields that are mapped to ECS.

Fortinet Fields ECS Fields

action

event.action

agent

user_agent.original

app

network.application

appcat

rule.category

applist

rule.ruleset

catdesc

rule.category

ccertissuer

tls.client_issuer

collectedemail

source.user.email

comment

rule.description

daddr

destination.address

devid

observer.serial_number

dir

network.direction

direction

network.direction

dst_host

destination.address

dstcollectedemail

destination.user.email

dst_int

observer.egress.interface.name

dstintf

observer.egress.interface.name

dstip

destination.ip

dstmac

destination.mac

dstname

destination.address

dst_port

destination.port

dstport

destination.port

dstunauthuser

destination.user.name

dtype

vulnerability.category

duration

event.duration

errorcode

error.code

event_id

event.id

eventid

event.id

eventtime

event.start

eventtype

event.action

file

file.name

filename

file.name

filesize

file.size

filetype

file.extension

filehash

file.hash.crc32

from

source.user.email

group

source.user.group

hostname

url.domain

infectedfilename

file.name

infectedfilesize

file.size

infectedfiletype

file.extension

ipaddr

dns.resolved_ip

level

log.level

locip

source.ip

locport

source.port

logdesc

rule.description

logid

event.code

matchfilename

file.name

matchfiletype

file.extension

msg

message

error_num

error.code

policyid

rule.id

policy_id

rule.id

policyname

rule.name

policytype

rule.ruleset

poluuid

rule.uuid

profile

rule.ruleset

proto

network.iana_number

qclass

dns.question.class

qname

dns.question.name

qtype

dns.question.type

rcvdbyte

source.bytes

rcvdpkt

source.packets

recipient

destination.user.email

ref

event.reference

remip

destination.ip

remport

destination.port

saddr

source.address

scertcname

tls.client.server_name

scertissuer

tls.server.issuer

sender

source.user.email

sentbyte

source.bytes

sentpkt

source.packets

service

network.protocol

sess_duration

event.duration

srcdomain

source.domain

srcintf

observer.ingress.interface.name

srcip

source.ip

source_mac

source.mac

srcmac

source.mac

srcport

source.port

tranip

destination.nat.ip

tranport

destination.nat.port

transip

source.nat.ip

transport

source.nat.port

tz

event.timezone

unauthuser

source.user.name

url

url.path

user

source.user.name

xid

dns.id

Fieldsedit

For a description of each field in the module, see the exported fields section.