topic Fortinet FortiGate Add-On for Splunk: How to use only the Fortigate Add-on to parse logs in All Apps and Add-ons

Fortinet FortiGate Add-On for Splunk: How to use only the Fortigate Add-on to parse logs

cesarfabre — Fri, 05 Jul 2019 20:05:56 GMT

Hello,
I have a FortiGate 300e with FortiOS 6.0.4, and would like to index only the security events in Splunk.
Also, I want to use only the Fortigate Add-on for the parse of the logs.
I do not want to use the Fortigate APP because I will build my own dashboard. Is this possible?

Does anyone have experience with this?

Tks

Re: Fortinet FortiGate Add-On for Splunk: How to use only the Fortigate Add-on to parse logs

burakcinar — Sat, 06 Jul 2019 11:25:31 GMT

hi ,

you can deploy related TA to your indexer and heavy forwarder only, you don't need to deploy APP to search head or any splunk role if you don't want their dashboard.

Re: Fortinet FortiGate Add-On for Splunk: How to use only the Fortigate Add-on to parse logs

cesarfabre — Wed, 30 Sep 2020 01:16:29 GMT

Hi Burak,

For the Palo Alto Firewall I was able to do the indexing of the logs via Palo Alto Add-on only. I've used 3 files in the local directory, such as:

Inputs.conf
[udp: // 5514]
sourcetype = pan: log
no_appending_timestamp = true
index = pancompany_logs

Props.conf
[pan: log]
TRANSFORMS-drop = discard-traffic

Transforms.conf
[discard-traffic]
REGEX =, TRAFFIC,
DEST_KEY = queue
FORMAT = nullQueue

Help!!!
How do I configure the inputs, props and transforms in FortiGate Add-on?

I would like to drop traffic logs (ex.: type="traffic") and index only security logs (ex.: type="utm") from FortiGate.

Can you help me?

Tks

Re: Fortinet FortiGate Add-On for Splunk: How to use only the Fortigate Add-on to parse logs

ldunzweiler — Thu, 03 Oct 2019 15:18:57 GMT

Did you get this working? I am working on this myself right now. Only want the utm logs but on top of this only specific fields within those logs.

UTM gets very sizable in our environment and we have a constraining license.