How To Parse FortiGate Firewall Logs with Logstash


Modern cybersecurity relies on robust tools like FortiGate firewalls to protect network traffic and resources. However, managing and analyzing firewall logs effectively requires the right parsing tools. Logstash, part of the ELK (Elasticsearch, Logstash, Kibana) stack, is an ideal solution for ingesting, parsing, and forwarding logs to a destination like Elasticsearch for analysis and visualization.

In this guide, we’ll explore how to parse FortiGate firewall logs using Logstash, focusing on real-world use cases, configurations, and practical examples.

FortiGate is a leading Next-Generation Firewall (NGFW) offering advanced threat protection, intrusion detection, and Unified Threat Management (UTM). It generates detailed logs for traffic, events, and security actions. These logs help administrators:

– Monitor network activity.
– Identify anomalies.
– Troubleshoot configuration or operational issues.

Example log:

Nov 27 14:12:16 10.228.0.3 date=2024-11-27 time=14:12:16 devname="ABC" devid="FGT1KD3915800262" eventtime=1732696937077741946 tz="+0530" logid="1501054200" type="utm" subtype="dns" eventtype="dns-response" level="error" vd="root" policyid=1 poluuid="d3a4f5ea-dc60-51e5-e201-293489ada8f2" policytype="policy" sessionid=97967410 srcip=10.225.11.19 srcport=62863 srccountry="Reserved" srcintf="port25" srcintfrole="lan" dstip=218.248.114.129 dstport=53 dstcountry="India" dstintf="port9" dstintfrole="wan" proto=17 profile="ORG_DNS_Filter" srcmac="0c:85:25:6b:0f:c4" xid=29624 qname="optimizationguide-pa.googleapis.com" qtype="A" qtypeval=1 qclass="IN" msg="A DNS resolution error occurs" action="pass" error="DNS query timeout" rcode=2

Logstash is a powerful log processing pipeline that collects, parses, and forwards logs to destinations like Elasticsearch. Its flexibility and plugin-based architecture make it a top choice for processing complex logs such as those from FortiGate.

To parse FortiGate logs, Logstash requires the following stages:

1. Input Configuration

Configures how logs are received (e.g., via Syslog server):

input {
  tcp {
    port => 514
    type => "syslog"
  }
  udp {
    port => 514
    type => "syslog"
  }
}

2. Filter Configuration

Uses patterns like Grok and Key-Value (KV) to parse logs.

Example filter for FortiGate logs:

filter {
  # First pattern: syslog header (timestamp, relay host), then the FortiGate
  # date= and time= fields, then the rest of the key=value payload.
  # Second pattern is a catch-all so lines that do not match are kept, not dropped.
  grok {
    match => {
      "message" => [
        "%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:forti_hostname} date=%{DATA:forti_date} time=%{DATA:forti_time} %{GREEDYDATA:ngfw_message}",
        "%{GREEDYDATA:unparsed_message}"
      ]
    }
  }

  if [ngfw_message] {
    # Build the device timestamp from date= and time= and use it as @timestamp
    mutate {
      add_field => {"FORTIDATETIME" => "%{forti_date} %{forti_time}"}
    }
    date {
      match => ["FORTIDATETIME", "YYYY-MM-dd HH:mm:ss"]
      timezone => "Asia/Kolkata"
      target => "@timestamp"
    }
    # Split the remaining key=value pairs into fields; quoted values are handled by kv
    kv {
      source => "ngfw_message"
      prefix => "ngfw_"
    }
    mutate { remove_field => ["FORTIDATETIME"] }
  }
}
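To check what the grok and kv stages above will produce before a line ever reaches Elasticsearch, the following Python script is an added example (not part of this article and not Logstash itself) that mirrors the filter: a regular expression equivalent to the grok pattern, a key=value splitter that handles double-quoted values containing spaces, and a timestamp built from date= and time=. One deliberate difference, noted in the code: instead of the fixed "Asia/Kolkata" zone used by the date filter, it reads the UTC offset from the tz= field that FortiGate writes into every line, falling back to +0530 when the field is absent. The sample line is constructed from the article's example log with some fields omitted for brevity.

```python
import re
from datetime import datetime

# Constructed sample line, shortened from the article's example log
SAMPLE_LINE = (
    'Nov 27 14:12:16 10.228.0.3 date=2024-11-27 time=14:12:16 devname="ABC" '
    'devid="FGT1KD3915800262" tz="+0530" logid="1501054200" type="utm" subtype="dns" '
    'level="error" srcip=10.225.11.19 srcport=62863 dstip=218.248.114.129 dstport=53 '
    'proto=17 qname="optimizationguide-pa.googleapis.com" '
    'msg="A DNS resolution error occurs" action="pass" error="DNS query timeout" rcode=2'
)

# Equivalent of the grok pattern: SYSLOGTIMESTAMP, IPORHOST, date=, time=, GREEDYDATA
SYSLOG_PREFIX = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<forti_hostname>\S+) '
    r'date=(?P<forti_date>\S+) time=(?P<forti_time>\S+) '
    r'(?P<ngfw_message>.*)$'
)

# Equivalent of the kv filter: whitespace-separated key=value pairs where the
# value is either double-quoted (may contain spaces) or a bare token.
KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(text, prefix="ngfw_"):
    """Split key=value pairs into a dict, prefixing keys like the kv filter does."""
    fields = {}
    for key, quoted, bare in KV_PAIR.findall(text):
        fields[prefix + key] = quoted if quoted != "" else bare
    return fields


def parse_fortigate_line(line, default_offset="+0530"):
    """Return the event dict the Logstash filter above would emit for one line.

    Lines that do not match the syslog/FortiGate prefix are returned as
    {"unparsed_message": line}, matching the grok catch-all pattern.
    """
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return {"unparsed_message": line}
    event = {
        "timestamp": m.group("timestamp"),
        "forti_hostname": m.group("forti_hostname"),
        "forti_date": m.group("forti_date"),
        "forti_time": m.group("forti_time"),
    }
    event.update(parse_kv(m.group("ngfw_message")))
    # Design choice (differs from the fixed timezone in the Logstash config):
    # trust the device's own tz= field so devices in other zones are not skewed.
    offset = event.get("ngfw_tz", default_offset)
    event["@timestamp"] = datetime.strptime(
        f'{event["forti_date"]} {event["forti_time"]} {offset}', "%Y-%m-%d %H:%M:%S %z"
    )
    return event


if __name__ == "__main__":
    for name, value in sorted(parse_fortigate_line(SAMPLE_LINE).items()):
        print(f"{name} = {value}")
```

Running the script prints every field the pipeline would index for the sample line; feeding it a few lines captured from your own devices is a quick way to confirm that fields such as msg and error survive as single values rather than being split at the spaces.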

3. Output Configuration

Defines where the parsed logs are sent:

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "fortigate-logs-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}

In the filter section, the grok stage separates the syslog header and the FortiGate date= and time= fields from the rest of the line, and the kv stage then turns the remaining key=value pairs into individual fields (prefixed ngfw_), so each log reaches Elasticsearch as a structured document rather than a single message string.

After parsing and indexing logs in Elasticsearch, administrators can use Kibana to:

  • Visualize DNS errors, traffic flows, and policy matches.
  • Create dashboards for real-time monitoring.
  • Set alerts for anomalies like excessive DNS timeouts.
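The last bullet, alerting on excessive DNS timeouts, is the kind of rule that is usually built in Kibana, but the logic is easy to state in code. The following Python function is an added example (not from the article) that runs over a constructed list of events shaped like the documents the pipeline above indexes (kv-prefixed field names, @timestamp already normalised) and raises one alert when a source IP produces a threshold number of error="DNS query timeout" events inside a sliding time window, suppressing repeat alerts for the same host within that window. The threshold and window values are assumptions chosen for the sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events in the shape produced by the Logstash filter above.
# Host 10.225.11.19 times out four times in two minutes; 10.225.11.20 only twice.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-11-27T14:12:16+05:30", "ngfw_srcip": "10.225.11.19",
     "ngfw_subtype": "dns", "ngfw_error": "DNS query timeout"},
    {"@timestamp": "2024-11-27T14:12:40+05:30", "ngfw_srcip": "10.225.11.19",
     "ngfw_subtype": "dns", "ngfw_error": "DNS query timeout"},
    {"@timestamp": "2024-11-27T14:13:05+05:30", "ngfw_srcip": "10.225.11.20",
     "ngfw_subtype": "dns", "ngfw_error": "DNS query timeout"},
    {"@timestamp": "2024-11-27T14:13:20+05:30", "ngfw_srcip": "10.225.11.19",
     "ngfw_subtype": "forward", "ngfw_action": "accept"},   # traffic log, ignored
    {"@timestamp": "2024-11-27T14:13:30+05:30", "ngfw_srcip": "10.225.11.19",
     "ngfw_subtype": "dns", "ngfw_error": "DNS query timeout"},
    {"@timestamp": "2024-11-27T14:14:00+05:30", "ngfw_srcip": "10.225.11.19",
     "ngfw_subtype": "dns", "ngfw_error": "DNS query timeout"},
    {"@timestamp": "2024-11-27T14:15:00+05:30", "ngfw_srcip": "10.225.11.20",
     "ngfw_subtype": "dns", "ngfw_error": "DNS query timeout"},
    {"@timestamp": "2024-11-27T14:40:00+05:30", "ngfw_srcip": "10.225.11.19",
     "ngfw_subtype": "dns", "ngfw_error": "DNS query timeout"},   # outside the window
]


def dns_timeout_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Return (srcip, iso_timestamp) pairs where srcip reached `threshold`
    DNS query timeouts within `window`; at most one alert per host per window."""
    recent = defaultdict(deque)   # srcip -> timestamps of timeouts still inside the window
    last_alert = {}               # srcip -> time of the most recent alert
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["@timestamp"])):
        if ev.get("ngfw_subtype") != "dns" or ev.get("ngfw_error") != "DNS query timeout":
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        src = ev["ngfw_srcip"]
        q = recent[src]
        q.append(ts)
        # Drop timeouts older than the window so the count is per sliding window
        while q and ts - q[0] > window:
            q.popleft()
        already = src in last_alert and ts - last_alert[src] <= window
        if len(q) >= threshold and not already:
            alerts.append((src, ts.isoformat()))
            last_alert[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in dns_timeout_alerts(SAMPLE_EVENTS):
        print(f"ALERT {src}: DNS timeout threshold reached at {when}")
```

With the defaults, only 10.225.11.19 triggers, at its third timeout (14:13:30); the fourth timeout thirty seconds later is suppressed, and the timeout at 14:40 starts a fresh count because everything earlier has aged out of the window.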

Conclusion

Parsing FortiGate logs with Logstash transforms raw data into structured, actionable insights. By leveraging the ELK stack, organizations can enhance their security posture, troubleshoot issues efficiently, and meet compliance requirements.

Follow the provided configurations to set up your FortiGate log processing pipeline and unlock the full potential of your network logs.
