Title
Adding Fortinet support to SOF-ELK
Author
Flor Hemmeryckx
Date
03/05/2023
-
Download and install the SOF-ELK VM Documentation Download
-
Copy the ansible configuration files to the VM
scp .\SOFELK-Fortinet\* elk_user@{VM_IP}:/home/elk_user/ forensics
-
Run the ansible playbook
ssh elk_user@{VM_IP} forensics sudo ansible-playbook -i hosts.ini ansible-fortinet.yaml -b forensics
-
Add your fortinet logfiles to the logstash folder:
/logstash/fortinet/
-
Wait for logstash to process the new logfiles
http://{VM_IP}:5601/app/management/data/index_management/indices
-
A basic dashboard is already created an has its data loaded (if you waited long enough ;-))
Contains the logstash configuration file that:
-
Read log files from
/logstash/fortinet/
-
Depending on if its a .csv or .log uses another way to process the keyvalue's
-
Makes sure the epoch time format is alway 13 chars long
-
Binds the epoch time to
@timestamp
-
Converts:
-
rcvdbyte
=>integer
-
rcvdpkt
=>integer
-
sentbyte
=>integer
-
sentpkt
=>integer
-
-
Sends all this to an index
fortinet-logs-%{+YYYY.MM.dd}
Contains the ansible playbook configuration that:
-
Creates the logstash config: converts the logs to indices
-
Creates the fortinet directory at:
/logstash/fortinet/
-
Creates a sincedb file for the logstash indices at:
/var/log/logstash/sincedb
-
Creates the index-patern: makes it possible to load the logs in discover/dashboard)
-
Creates the index-template: converts strings to ip's
-
Restarts the logstash service after its done
Just a file to specify the hosts the ansible script has to run on (localhost)
Important: If for some reason you want to re-run the ansible playbook. Make sure that you remove the previously created index-template & data view. otherwise you will end up with duplicates (it will still work, but can be confusing)