Modern cybersecurity relies on robust tools like FortiGate firewalls to protect network traffic and resources. However, managing and analyzing firewall logs effectively requires the right parsing tools. Logstash, part of the ELK (Elasticsearch, Logstash, Kibana) stack, is an ideal solution for ingesting, parsing, and forwarding logs to a destination like Elasticsearch for analysis and visualization.
In this guide, we’ll explore how to parse FortiGate firewall logs using Logstash, focusing on real-world use cases, configurations, and practical examples.
FortiGate is a leading Next-Generation Firewall (NGFW) offering advanced threat protection, intrusion detection, and Unified Threat Management (UTM). It generates detailed logs for traffic, events, and security actions. These logs help administrators:
– Monitor network activity.
– Identify anomalies.
– Troubleshoot configuration or operational issues.
Example log:
Nov 27 14:12:16 10.228.0.3 date=2024-11-27 time=14:12:16 devname="ABC" devid="FGT1KD3915800262" eventtime=1732696937077741946 tz="+0530" logid="1501054200" type="utm" subtype="dns" eventtype="dns-response" level="error" vd="root" policyid=1 poluuid="d3a4f5ea-dc60-51e5-e201-293489ada8f2" policytype="policy" sessionid=97967410 srcip=10.225.11.19 srcport=62863 srccountry="Reserved" srcintf="port25" srcintfrole="lan" dstip=218.248.114.129 dstport=53 dstcountry="India" dstintf="port9" dstintfrole="wan" proto=17 profile="ORG_DNS_Filter" srcmac="0c:85:25:6b:0f:c4" xid=29624 qname="optimizationguide-pa.googleapis.com" qtype="A" qtypeval=1 qclass="IN" msg="A DNS resolution error occurs" action="pass" error="DNS query timeout" rcode=2
Logstash is a powerful log processing pipeline that collects, parses, and forwards logs to destinations like Elasticsearch. Its flexibility and plugin-based architecture make it a top choice for processing complex logs such as those from FortiGate.
To parse FortiGate logs, Logstash requires the following stages:
1. Input Configuration
Configures how logs are received. The example below makes Logstash a syslog receiver on TCP and UDP port 514 (binding a port below 1024 requires root privileges or a higher port forwarded to Logstash, so point the FortiGate's syslog destination accordingly):
input {
  tcp {
    port => 514
    type => "syslog"
  }
  udp {
    port => 514
    type => "syslog"
  }
}
2. Filter Configuration
Uses patterns like Grok and Key-Value (KV) to parse logs.
Example filter for FortiGate logs:
filter {
  grok {
    match => {
      "message" => [
        # Split the syslog header from the FortiGate key=value body.
        # The time= value must be captured as forti_time; the mutate below depends on it.
        "%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:forti_hostname} date=%{DATA:forti_date} time=%{DATA:forti_time} %{GREEDYDATA:ngfw_message}",
        "%{GREEDYDATA:unparsed_message}"
      ]
    }
  }
  if [ngfw_message] {
    mutate {
      add_field => {"FORTIDATETIME" => "%{forti_date} %{forti_time}"}
    }
    date {
      match => ["FORTIDATETIME", "YYYY-MM-dd HH:mm:ss"]
      timezone => "Asia/Kolkata"
      target => "@timestamp"
    }
    kv {
      source => "ngfw_message"
      prefix => "ngfw_"
    }
    mutate { remove_field => ["FORTIDATETIME"] }
  }
}
3. Output Configuration
Defines where the parsed logs are sent:
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "fortigate-logs-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
In the filter section, Grok separates the syslog header (timestamp, sending host, date and time) from the FortiGate key=value body, and the KV stage turns every key=value pair in that body into an ngfw_-prefixed field, so each log line reaches Elasticsearch as a structured document.
After parsing and indexing logs in Elasticsearch, administrators can use Kibana to:
- Visualize DNS errors, traffic flows, and policy matches.
- Create dashboards for real-time monitoring.
- Set alerts for anomalies like excessive DNS timeouts.
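The following Python script is an added example, not code from the post or from Logstash, showing what the three filter stages above do to the sample log line and what the "excessive DNS timeouts" alert in the Kibana list amounts to in logic. It reproduces the Grok split, the KV expansion with the ngfw_ prefix, and the timestamp assembly; one deliberate difference from the Logstash config is that it reads the UTC offset from the log's own tz field instead of hardcoding Asia/Kolkata, falling back to +0530 when tz is absent. The first log line is the one from the post; the remaining lines are constructed for the example, as are the threshold and window used by the detection.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input. Line 0 is the post's example; lines 1-6 are made up
# to exercise the detection (same hostnames and addresses as the post).
SAMPLE_LOGS = [
    'Nov 27 14:12:16 10.228.0.3 date=2024-11-27 time=14:12:16 devname="ABC" devid="FGT1KD3915800262" eventtime=1732696937077741946 tz="+0530" logid="1501054200" type="utm" subtype="dns" eventtype="dns-response" level="error" vd="root" policyid=1 poluuid="d3a4f5ea-dc60-51e5-e201-293489ada8f2" policytype="policy" sessionid=97967410 srcip=10.225.11.19 srcport=62863 srccountry="Reserved" srcintf="port25" srcintfrole="lan" dstip=218.248.114.129 dstport=53 dstcountry="India" dstintf="port9" dstintfrole="wan" proto=17 profile="ORG_DNS_Filter" srcmac="0c:85:25:6b:0f:c4" xid=29624 qname="optimizationguide-pa.googleapis.com" qtype="A" qtypeval=1 qclass="IN" msg="A DNS resolution error occurs" action="pass" error="DNS query timeout" rcode=2',
    'Nov 27 14:13:01 10.228.0.3 date=2024-11-27 time=14:13:01 devname="ABC" tz="+0530" type="utm" subtype="dns" eventtype="dns-response" level="error" srcip=10.225.11.19 srcport=62870 dstip=218.248.114.129 dstport=53 proto=17 qname="example.com" qtype="A" msg="A DNS resolution error occurs" action="pass" error="DNS query timeout" rcode=2',
    'Nov 27 14:14:30 10.228.0.3 date=2024-11-27 time=14:14:30 devname="ABC" tz="+0530" type="utm" subtype="dns" eventtype="dns-response" level="error" srcip=10.225.11.19 srcport=62881 dstip=218.248.114.129 dstport=53 proto=17 qname="example.net" qtype="AAAA" msg="A DNS resolution error occurs" action="pass" error="DNS query timeout" rcode=2',
    'Nov 27 14:15:45 10.228.0.3 date=2024-11-27 time=14:15:45 devname="ABC" tz="+0530" type="utm" subtype="dns" eventtype="dns-response" level="error" srcip=10.225.11.19 srcport=62899 dstip=218.248.114.129 dstport=53 proto=17 qname="example.org" qtype="A" msg="A DNS resolution error occurs" action="pass" error="DNS query timeout" rcode=2',
    'Nov 27 14:12:40 10.228.0.3 date=2024-11-27 time=14:12:40 devname="ABC" tz="+0530" type="utm" subtype="dns" eventtype="dns-response" level="error" srcip=10.225.11.20 srcport=50001 dstip=218.248.114.129 dstport=53 proto=17 qname="example.com" qtype="A" msg="A DNS resolution error occurs" action="pass" error="DNS query timeout" rcode=2',
    'Nov 27 14:12:50 10.228.0.3 date=2024-11-27 time=14:12:50 devname="ABC" tz="+0530" type="utm" subtype="dns" eventtype="dns-response" level="information" srcip=10.225.11.20 srcport=50002 dstip=218.248.114.129 dstport=53 proto=17 qname="example.com" qtype="A" msg="DNS response" action="pass" rcode=0',
    'this line has no syslog header and should land in unparsed_message',
]

# Equivalent of the first grok pattern: syslog header, sender, date=, time=, rest.
SYSLOG_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<forti_hostname>\S+) date=(?P<forti_date>\S+) time=(?P<forti_time>\S+) '
    r'(?P<ngfw_message>.*)$'
)
# Equivalent of the kv filter: key=value where value is quoted (may contain spaces
# and escaped quotes) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_tz(tz_str):
    """Turn a FortiGate tz value such as "+0530" into a datetime.timezone."""
    sign = -1 if tz_str.startswith("-") else 1
    offset = timedelta(hours=int(tz_str[1:3]), minutes=int(tz_str[3:5]))
    return timezone(sign * offset)


def build_timestamp(date_str, time_str, tz_str="+0530"):
    """Equivalent of the date filter: combine date/time and attach the offset.
    The default "+0530" mirrors the post's Asia/Kolkata setting (assumption)."""
    naive = datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=parse_tz(tz_str))


def parse_fortigate(line):
    """Return the structured event the filter block would hand to Elasticsearch."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Fallback grok pattern: keep the raw line rather than drop it.
        return {"unparsed_message": line}
    event = m.groupdict()
    for key, raw in KV_RE.findall(event["ngfw_message"]):
        value = raw[1:-1] if raw.startswith('"') else raw  # strip surrounding quotes
        event["ngfw_" + key] = value
    event["@timestamp"] = build_timestamp(
        event["forti_date"], event["forti_time"], event.get("ngfw_tz", "+0530")
    )
    return event


def dns_timeouts_per_source(events, window=timedelta(minutes=5), threshold=3):
    """Sliding-window count of DNS query timeouts per source IP.
    Returns {srcip: peak count in any window} for sources reaching the threshold.
    Window and threshold are illustrative values, not FortiGate or Kibana defaults."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("ngfw_subtype") == "dns" and ev.get("ngfw_error") == "DNS query timeout":
            by_src[ev["ngfw_srcip"]].append(ev["@timestamp"])
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    events = [parse_fortigate(line) for line in SAMPLE_LOGS]
    for ev in events:
        print({k: ev[k] for k in ev if k in ("@timestamp", "ngfw_srcip", "ngfw_qname", "ngfw_error", "unparsed_message")})
    print("sources exceeding DNS timeout threshold:", dns_timeouts_per_source(events))
```

Running the script shows that the quoted msg value survives as a single field despite its spaces, that the unparseable line is kept under unparsed_message exactly as the second grok pattern would keep it, and that only 10.225.11.19 trips the timeout threshold; the same count-per-source-over-a-window logic is what a Kibana threshold alert on ngfw_error and ngfw_srcip would evaluate.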
Conclusion
Parsing FortiGate logs with Logstash transforms raw data into structured, actionable insights. By leveraging the ELK stack, organizations can enhance their security posture, troubleshoot issues efficiently, and meet compliance requirements.
Follow the provided configurations to set up your FortiGate log processing pipeline and unlock the full potential of your network logs.