topic Re: Splunk Fortigate application in Security

Splunk Fortigate application

jscott4t — Mon, 13 Aug 2012 21:34:44 GMT

Hello,

I am new to Splunk and saw the Splunk for Fortigate application and wanted to use it. I have installed Splunk and have configured a TCP port connection on a specified port. The readme says to use the sourcetype of fortigate. So I have added that in the GUI under Data inputs. Is there anything else I should be doing to get this working? Thanks

Re: Splunk Fortigate application

MHibbin — Mon, 13 Aug 2012 22:04:07 GMT

Are you not seeing the desired results then?

You should check that Splunk is receiving the raw data (events), you can do this by searching for the sourcetype in the "Search" App and then using the flashtimeline/search view... then type the following in the search bar (using the word "search" a lot, haha 🙂 😞

sourcetype=fortigate

You should see your raw data here (assuming you set-up the sourcetype when you set-up the TCP monitor). You should then confirm the results by navigating to the fortigate App.

If you are not receiving the events in Splunk, you can use some troubleshooting tools such as tcpdump on the receiveing NIC and the relevant port. It may be there is a network issue preventing the traffic flow.

Hope this helps, if you need more specific help... please update your question with more detail of the issue.

Regards,

MHibbin

Re: Splunk Fortigate application

Drainy — Tue, 14 Aug 2012 07:09:41 GMT

Have you configured your fortigate appliances to forward the logs to the Splunk server? By default this is via UDP syslog on port 514.

Re: Splunk Fortigate application

jscott4t — Tue, 14 Aug 2012 20:59:03 GMT

@ Drainy In my data inputs section I am using TCP port 1514 I did that because Splunk documentation suggests using TCP for a more reliable connection. I also have source type set to manual and source type set to fortigate. Should I change back to UDP?

@MHibbin will try that and report back.

Re: Splunk Fortigate application

jscott4t — Tue, 14 Aug 2012 21:02:06 GMT

No joy yet search returned empty.

I have not setup any indexing does that matter?

Re: Splunk Fortigate application

rbates20148 — Wed, 29 Aug 2012 19:54:00 GMT

jscott4t;

Here's how I got the app to work using a FortiGate 3040B:

On the FG: Aim your syslogs at the Splunk indexer on a high port - I used 5012
On the Indexer: Configure a UDP Data input with:
"Source name override" = fortigate
"Set sourcetype" = manual
"Source type" = fortigate

I per formed a splunk stop/clean eventdata/start and started immediately seeing FG traffic and the app started to be able to see it also. Our FG is just in a test lab so it's not too chatty, but I am at least seeing data.