diff --git a/filebeat/docs/modules/fortinet.asciidoc b/filebeat/docs/modules/fortinet.asciidoc index 13ce2650e5a..6f7a82e02e8 100644 --- a/filebeat/docs/modules/fortinet.asciidoc +++ b/filebeat/docs/modules/fortinet.asciidoc @@ -37,20 +37,26 @@ include::../include/config-option-intro.asciidoc[] ---- - module: fortinet firewall: + enabled: true + var.input: udp var.syslog_host: 0.0.0.0 var.syslog_port: 9004 ---- include::../include/var-paths.asciidoc[] +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + *`var.syslog_host`*:: -The interface to listen to UDP based syslog traffic. Defaults to localhost. +The interface to listen to all syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces. *`var.syslog_port`*:: -The UDP port to listen for syslog traffic. Defaults to 9004. +The port to listen for syslog traffic. Defaults to 9004. [float] ==== Fortinet ECS fields diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index a6d5d51116d..106309ff4e0 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -485,14 +485,14 @@ filebeat.modules: firewall: enabled: true - # Set which input to use between syslog (default) or file. - #var.input: syslog + # Set which input to use between tcp, udp (default) or file. + #var.input: udp - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9004. + # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 #----------------------------- Google Cloud Module ----------------------------- diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml index 525156e7590..969d618f808 100644 --- a/x-pack/filebeat/module/fortinet/_meta/config.yml +++ b/x-pack/filebeat/module/fortinet/_meta/config.yml @@ -2,12 +2,12 @@ firewall: enabled: true - # Set which input to use between syslog (default) or file. - #var.input: syslog + # Set which input to use between tcp, udp (default) or file. + #var.input: udp - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9004. + # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc index 0c38c94aa47..bf017d15038 100644 --- a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc @@ -32,20 +32,26 @@ include::../include/config-option-intro.asciidoc[] ---- - module: fortinet firewall: + enabled: true + var.input: udp var.syslog_host: 0.0.0.0 var.syslog_port: 9004 ---- include::../include/var-paths.asciidoc[] +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + *`var.syslog_host`*:: -The interface to listen to UDP based syslog traffic. Defaults to localhost. +The interface to listen to all syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces. *`var.syslog_port`*:: -The UDP port to listen for syslog traffic. Defaults to 9004. +The port to listen for syslog traffic. Defaults to 9004. [float] ==== Fortinet ECS fields diff --git a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml index 32e87abc838..3cf11a126a0 100644 --- a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml @@ -1,8 +1,12 @@ -{{ if eq .input "syslog" }} +{{ if eq .input "tcp" }} -type: syslog -protocol.udp: - host: "{{.syslog_host}}:{{.syslog_port}}" +type: tcp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "udp" }} + +type: udp +host: "{{.syslog_host}}:{{.syslog_port}}" {{ else if eq .input "file" }} @@ -11,6 +15,7 @@ paths: {{ range $i, $path := .paths }} - {{$path}} {{ end }} + exclude_files: [".gz$"] {{ end }} diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml index c08c794af6c..46f3f5c86e3 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml @@ -127,6 +127,9 @@ processors: - remove: field: fortinet.firewall.transip if: "ctx.fortinet?.firewall?.transip == 'N/A'" +- remove: + field: fortinet.firewall.tunnelip + if: "ctx.fortinet?.firewall?.tunnelip == 'N/A'" - remove: field: - _temp diff --git a/x-pack/filebeat/module/fortinet/firewall/manifest.yml b/x-pack/filebeat/module/fortinet/firewall/manifest.yml index 9482a0369b4..84528d504b7 100644 --- a/x-pack/filebeat/module/fortinet/firewall/manifest.yml +++ b/x-pack/filebeat/module/fortinet/firewall/manifest.yml @@ -8,7 +8,7 @@ var: - name: syslog_port default: 9004 - name: input - default: syslog + default: udp ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled index 118f897515d..b892d7dd855 100644 --- a/x-pack/filebeat/modules.d/fortinet.yml.disabled +++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled @@ -5,12 +5,12 @@ firewall: enabled: true - # Set which input to use between syslog (default) or file. - #var.input: syslog + # Set which input to use between tcp, udp (default) or file. + #var.input: udp - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9004. + # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004