This Graylog content pack includes a steam and dashboards for Fortinet Fortigate Common Event Format (CEF) logs.
Routes CEF logs from Fortigates to the Fortigate CEF Logs Graylog index set
Analysis of devices and application traffic
Includes IP addresses, MAC addresses, device manufacturers, and application layer network traffic
Details of DNS queries and responses
Includes details of the query, response, action, and category
Intrusion Prevention System (IPS) alert details
Includes signature, action, severity, source, and destination information
An overview of incoming messages from Fortigates
Includes Fortigate hostnames, serial numbers, and full message details
SSL/TLS actions taken by Fortigates
Provides records of when Fortigates intervened (with or without decrypting) in SSL/TLS traffic
Web traffic details
Includes category, action, and more
All Fortigate CEF logs
Edit the Graylog server configuration file at /etc/graylog/server/server.conf. Locate the allow_leading_wildcard_searches and allow_highlighting options, and set both to true. Restart the Graylog server by running sudo systemctl restart graylog-server.service.
Import the Content Pack into Graylog by navigating to System> Content Packs, clicking on the upload button, and uploading the Content Pack JSON file.
In Graylog an Input accepts log traffic from a source an parses it. That data is sent to Streams, which filters and routes log traffic to Index Sets. Index Sets manage the Elasticsearch indexes that Graylog uses as a backend.
The Stream that comes with this content pack is configured to route the logs to a separate Index Set called Fortigate CEF Logs. It does not create the Index Set, so the Index Set needs to be created.
Navigate to System> Indices, and create a new Index Set with a title of Fortigate CEF Logs and an index prefix of fortigate_cef. Then, click on Streams in the main navigation bar. Edit the Fortigate CEF Logs Stream and ensure it is configured to use the Index Set that you just created.
Important: Leave Remove matches from ‘All messages’ stream box checked, or the data will be duplicated over two Index Sets.
Create a CEF UDP or a CEF TCP input by navigating to System> Inputs as a Graylog administrator, and clicking on Launch New Input.
Before creating a CEF TCP input:
Ensure that your certificate and and key are readable by the user running Graylog, or Graylog will create it's own self-signed certificate (which Fortigates will not trust) without informing you in the web UI (this error can be found in server.log.)
It is recommended to use a commercial external Certificate Authority (CA). Documentation contributions for using internal CAs would be appreciated. Documentation for using Let's Encrypt Certificates is in progress.
When creating a CEF TLS Input, be sure to check the Accept encrypted connections checkbox.
Configure your Fortigates to send data to Graylog in CEF format by using the FortiOS Command Line Interface (CLI).
Replace the server address and port with the address and port of your input, of course.
To simplify and unify log management, it is important that every firewall be configured to use the GMT timezone, which for logging purposes is equivalent UTC.
config system global
set timezone 80
end
By default, logs sent to the syslog server are not filtered. To ensure that the Graylog Input gets all logs, ensure all log filter options are at their default settings.
config log syslogd filter
unset severity
unset forward-traffic
unset local-traffic
unset multicast-traffic
unset sniffer-traffic
unset anomaly
unset voip
end
Warning : UDP traffic is unencrypted.
config log syslogd setting
set status enable
set server "graylog.example.com"
set port 5555
set format cef
set mode udp
end
Warning: When using CEF TCP, the 'server' setting must be set the Graylog server's fully-qualified hostname, not the IP address.
config log syslogd setting
set status enable
set server "graylog.example.com"
set port 5555
set format cef
set mode reliable
end