topic Re: Fortigate logs are not in CIM data models in All Apps and Add-ons

Fortigate logs are not in CIM data models

test_qweqwe — Thu, 02 Nov 2017 13:35:18 GMT

So, logs from Fortinet successfully come to Splunk, but not to Data Model. When I checked Pivot of SIM, there are 0 events.
What should I do to fix it?

Re: Fortigate logs are not in CIM data models

jerryzhao — Thu, 02 Nov 2017 17:07:03 GMT

do you mean fortigate logs are not in CIM data models?

Re: Fortigate logs are not in CIM data models

test_qweqwe — Thu, 02 Nov 2017 17:37:34 GMT

Yes, you are right!
I fixed the title of the question so now people can understand what I mean, my bad english 🙂

Re: Fortigate logs are not in CIM data models

jerryzhao — Thu, 02 Nov 2017 17:43:12 GMT

what logs are fortigate reporting? any traffic logs? by the way, have you disabled the other fortigate TA that came with Enterprise Security package and then installed our add-on?

Re: Fortigate logs are not in CIM data models

test_qweqwe — Thu, 02 Nov 2017 18:06:28 GMT

Oh, I did not know that Enterprise Security already have fortigate TA. Okay, when I will be able to turn it off on the next working day. I will report there what I will got.

About logs - any traffic logs.

Re: Fortigate logs are not in CIM data models

test_qweqwe — Fri, 03 Nov 2017 11:56:46 GMT

Hmmm, maybe I'm blind or not understand something, but there is no default TA fortigate with EE.
http://prntscr.com/h5p7hu (screenshot)

Re: Fortigate logs are not in CIM data models

jerryzhao — Tue, 29 Sep 2020 16:37:43 GMT

that's fine. can you get anything with search sourcetype=fgt_traffic or sourcetype=fgt_event or sourcetype=fgt_utm?
i noticed you installed our app as well. does the app show any data on dashboards?

Re: Fortigate logs are not in CIM data models

test_qweqwe — Tue, 29 Sep 2020 16:34:06 GMT

Sourcetype=fgt_traffic and sourcetype=fgt_event worked in search. They even was in Data Summary in the tab "sourcetype". About sourcetype=fgt_utm: in Data Summary was not, in search not tried and right now I can't test it.
About dashboards, when i tried by this list:

Security Domain->Access->Access Center
Security Domain->Endpoint->Malware Center
Security Domain->Network->Traffic Center
Security Domain->Network->Intrusion Center
Security Domain->Network->Web Center
Security Domain->Network->Network Changes
Security Domain->Network->Port & Protocol Tracker
Security Domain->Identity->Session Center

There was data in few dashboards.

Re: Fortigate logs are not in CIM data models

jerryzhao — Tue, 29 Sep 2020 21:38:37 GMT

sorry i didn't check back. you might have found a solution or given up, but fwiw, please make sure fgt_traffic, fgt_event, or fgt_utm sourcetypes are populated by the add-on as indication that the add-on is actually working. You can do that by search sourcetype= any of the 3 sourcetype listed above. And we can investigate further from there if fortigate logs is still not going into CIM model.

Re: Fortigate logs are not in CIM data models

mikkorh — Fri, 04 Jan 2019 14:21:52 GMT

I have a bit related problem, with CIM 4.12.0, ES 5.2.1 and Splunk 7.2.3 the signature from IPS says "unknown" instead of real signature sent by device. Signatures are however visible in Fortigate App for Splunk in the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?