Fortinet traffic logs record the traffic flowing through your FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces. Coralogix provides seamless integration with FortiGate traffic logs, with which you can easily collect all information about sessions processed by your FortiGate unit into Coralogix, analyze it, get automatic insights on top of it, and create meaningful alerts.
This document includes cluster-dependent URLs. Each URL has a variable part (in italics). Match this part with a row in the following table: pick the row whose first column matches the top-level domain of your Coralogix account (.com, .in, etc.) and replace the variable part of the URL with the entry from the corresponding column.
| Top-level domain | Elasticsearch-API | SSL Certificates | Cluster URL |
|---|---|---|---|
| .com | https://coralogix-esapi.coralogix.com:9443 | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt | coralogix.com |
| .us | https://esapi.coralogix.us:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem | coralogix.us |
| .in | https://es-api.app.coralogix.in:9443 | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pem | app.coralogix.in |
| .eu2. | https://es-api.eu2.coralogix.com:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem | app.eu2.coralogix.com |
| sg.com | https://es-api.coralogixsg.com:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem | app.coralogixsg.com |
Private Key – A unique ID that represents your company. The private key can be found under 'Settings' -> 'Send your logs'; it is located in the upper left corner.
Company Id – A unique number that represents your company. You can get your company id from the settings tab in the Coralogix dashboard.
Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter or if they want to debug their test environment they might insert the “SuperData– Test”.
SubSystem Name – Your application probably has multiple subsystems, for example backend servers, middleware, frontend servers, etc. To help you examine the data you need, inserting the subsystem parameter is vital.
If your Coralogix account top-level domain is different from '.com', add these environment variables:
CORALOGIX_LOG_URL=https://api.Cluster URL/api/v1/logs
CORALOGIX_TIME_DELTA_URL=https://api.Cluster URL/sdk/v1/time
Open your Filebeat configuration file and configure it to use Logstash (make sure you disable the Elasticsearch output). For more information about configuring Filebeat to use Logstash, please refer to https://www.elastic.co/guide/en/beats/filebeat/current/config-filebeat-logstash.html
Point your Filebeat output to the Coralogix Logstash server:
logstashserver.Cluster URL:5044
or, if you want to use an encrypted connection (recommended):
logstashserver.Cluster URL:5015
Here is the Filebeat configuration file filebeat.yml:
```yaml
#============================== Filebeat Inputs ===============================
filebeat.inputs:
# Receive the FortiGate syslog stream on UDP 514 (point the FortiGate syslog setting at this host).
- type: udp
  max_message_size: 10KiB
  host: "localhost:514"
  # Coralogix routing fields must sit at the top level of each event.
  fields_under_root: true
  fields:
    PRIVATE_KEY: "YOUR_PRIVATE_KEY"
    COMPANY_ID: YOUR_COMPANY_ID
    APP_NAME: "APP_NAME"
    SUB_SYSTEM: "SUB_NAME"
#----------------------------- Logstash output --------------------------------
output.logstash:
  enabled: true
  # Port 5015 is the TLS endpoint; the CA file verifies the Coralogix server certificate.
  hosts: ["logstashserver.Cluster URL:5015"]
  ssl.certificate_authorities: ["<path to folder with certificates>/ca.crt"]
```
After starting Filebeat you should expect to see your Fortinet traffic logs in Coralogix. For more information on installing and configuring Filebeat, visit here.
Logstash installed. For more information on how to install it, see https://www.elastic.co/guide/en/logstash/current/installing-logstash.html
Private Key – A unique ID that represents your company; this ID will be sent to your mail once you register to Coralogix.
Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter or if they want to debug their test environment they might insert the “SuperData– Test”.
SubSystem Name – Your application probably has multiple subsystems, for example backend servers, middleware, frontend servers, etc. To help you examine the data you need, inserting the subsystem parameter is vital.
If your Coralogix account top-level domain is different from '.com', add these environment variables:
CORALOGIX_LOG_URL=https://api.Cluster URL/api/v1/logs
CORALOGIX_TIME_DELTA_URL=https://api.Cluster URL/sdk/v1/time
Open your Logstash configuration file and add the Coralogix output. Configure the input plugin to be a UDP input.
Here is the Logstash pipeline configuration logstash.conf:
```
input {
  # Receive the FortiGate syslog stream on UDP 514.
  udp {
    port => 514
  }
}
output {
  coralogix {
    # Credentials and routing are read from environment variables rather than hard-coded.
    config_params => {
      "PRIVATE_KEY" => "${CORALOGIX_PRIVATE_KEY}"
      "APP_NAME" => "${CORALOGIX_APP_NAME}"
      "SUB_SYSTEM" => "${CORALOGIX_SUB_SYSTEM}"
    }
    is_json => true
  }
}
```
After starting Logstash you should expect to see your Fortinet traffic logs in Coralogix. For more information on installing and configuring Logstash, visit here.
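Fortinet traffic logs reach the UDP inputs above as syslog lines of key=value pairs, and the Coralogix output is configured with `is_json => true`; the following added example (not Coralogix's or Fortinet's code) shows how such a line parses into JSON and how the denied-session fields an alert would key on are extracted. It assumes the FortiOS key=value format with double-quoted values and an optional syslog `<PRI>` prefix; the sample lines, device ids and addresses are constructed.

```python
import json
import re

# FortiOS traffic logs arrive over syslog as space-separated key=value pairs; values that
# contain spaces are double-quoted. Added parser, not part of the Coralogix integration.
_PRI_RE = re.compile(r"^<\d{1,3}>")                     # optional syslog <PRI> prefix
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
# Fields FortiOS emits as integers in traffic logs (assumption; extend for your firmware).
_INT_FIELDS = {"srcport", "dstport", "proto", "policyid", "sentbyte", "rcvdbyte", "duration"}

def parse_fortigate_line(line: str) -> dict:
    """Turn one FortiGate key=value syslog line into a flat dict of typed fields."""
    body = _PRI_RE.sub("", line.strip(), count=1)
    event = {}
    for key, raw in _KV_RE.findall(body):
        value = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        if key in _INT_FIELDS and value.lstrip("-").isdigit():
            value = int(value)
        event[key] = value
    return event

def to_json_line(line: str) -> str:
    """Serialize the parsed event as one-line JSON (what is_json => true expects)."""
    return json.dumps(parse_fortigate_line(line), separators=(",", ":"))

def denied_sessions(lines) -> list:
    """Return (srcip, dstip, dstport) for every traffic event the firewall denied."""
    hits = []
    for line in lines:
        ev = parse_fortigate_line(line)
        if ev.get("type") == "traffic" and ev.get("action") == "deny":
            hits.append((ev["srcip"], ev["dstip"], ev["dstport"]))
    return hits

# Constructed sample lines; device ids and addresses are placeholders, not real output.
SAMPLE_LINES = [
    '<189>date=2023-05-01 time=12:34:56 devname="FGT-01" devid="FG-PLACEHOLDER" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.5 srcport=51234 '
    'srcintf="port1" dstip=203.0.113.10 dstport=443 dstintf="port2" proto=6 action="deny" '
    'policyid=0 service="HTTPS" msg="Denied by policy" sentbyte=0 rcvdbyte=0',
    '<189>date=2023-05-01 time=12:35:01 devname="FGT-01" devid="FG-PLACEHOLDER" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.7 srcport=40022 '
    'srcintf="port1" dstip=203.0.113.20 dstport=53 dstintf="port2" proto=17 action="accept" '
    'policyid=3 service="DNS" sentbyte=72 rcvdbyte=160 duration=1',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(to_json_line(sample))
```

Running the script prints each sample as one JSON object per line, the shape the Logstash output above forwards when `is_json => true`.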