topic Create Splunk Alert for fortinet VPN tunnel status in Deployment Architecture

Create Splunk Alert for fortinet VPN tunnel status

mufthmu — Tue, 04 Aug 2020 03:14:13 GMT

Hi fellow Splunkers,

I want to create alert with these conditions:

alert triggered when any of the VPNs go down.
alert triggered when someone brings down the tunnel.

Thanks in advance

Re: Create Splunk Alert for fortinet VPN tunnel status

richgalloway — Tue, 04 Aug 2020 12:51:14 GMT

Do you have VPN and tunnel states logged in Splunk? If not, there is nothing you can do until that data is available. If you have the data, search the appropriate index(es) for events showing a down VPN or tunnel. Then save the search as an alert.
I'd like to be more specific, but vague questions beget vague answers.

Re: Create Splunk Alert for fortinet VPN tunnel status

mufthmu — Tue, 04 Aug 2020 15:42:42 GMT

@richgalloway yes I do, we have events coming in (assume index=fortinet).

However, I do not know how to write specific search query that can capture an event when the VPN is down. Also if I simply search "index = fortinet", how do you narrow the search to find events that shows a down VPN or tunnel? I could not find those events.

Re: Create Splunk Alert for fortinet VPN tunnel status

richgalloway — Tue, 04 Aug 2020 16:40:04 GMT

This is when it helps to understand your data. If you're not familiar with the Fortinet logs I suggest you reach out to someone in your company who is familiar with them so he or she can tell you what to look for.

Some basic searches to get started include looking for the word "down"

index=fortinet "down"

or the name of a VPN or tunnel

index=fortinet "<VPN or tunnel name>"