topic Re: Trouble getting data into Fortigate app in Getting Data In

Trouble getting data into Fortigate app

rogerv — Mon, 28 Sep 2020 12:33:50 GMT

Running Fortigate 80c with v4.0 MR3. I've downloaded and installed the fortigate splunk app but i'm having trouble getting data into it. I can see data coming into splunk from the fortigate via manager>Apps>search. I seem to have 1 source called fortigate with data labelled in this as
host=machinename, sourcetype=fortigate,source=fortigate etc . This input increases so information is getting in but just doesn't seem to be indexed properly for the splunk fortigate app.

The inputs.conf is as follows:

[udp://514]
connection_host=int ip of fortigate
sourcetype=fortigate
no_appending_timestamp=true

I'm fairly new to splunk so i've probably got something not or misconfigured, can somebody help ?

Re: Trouble getting data into Fortigate app

dart — Mon, 08 Oct 2012 16:24:04 GMT

Hi, do you have an example of what's not working? If you just run a search for sourcetype=fortigate, what fields are displayed on the left hand side?

Re: Trouble getting data into Fortigate app

wesleyveloso — Mon, 07 Jan 2013 14:42:44 GMT

On the fortigate uncheck the box "Enable CSV Format"

Re: Trouble getting data into Fortigate app

maikfischer — Thu, 08 Aug 2013 09:25:34 GMT

Hi,

it seems, that i am having the same trouble than rogerv (by the way: is it solved? how?).

logging from i.e. a fortigate 60c, v4.3, to splunk (i had to work with props.conf and transforms.conf, as there are multiple devices sending log to udp/514).

"search sourcetype=fortigate*" shows events, but only sourcetype=fortigate, no sourcetypes like fortigate_traffic, or something.

on the fortigates, "Enable CSV Format" is unchecked...

any ideas?

regards,

Maik

Re: Trouble getting data into Fortigate app

hojinpk — Thu, 06 Feb 2014 19:14:06 GMT

Hi Maik, Did you solve the problem? I am suffering the same problem. help me, don't let me leave alone. Thank you in advance.

Re: Trouble getting data into Fortigate app

saurabh_tek — Tue, 29 Sep 2020 08:09:35 GMT

Hello Splunkers,

I am facing the same issue. I have the fortinet logs indexed into the single instance of Splunk and can see the events in the search as index=fortinet_data_index, but the fortinet app is not showing the dashboard. sometime it says 'waiting for data...' and on other instance it is showing "fgt_logs" in the dashboard.

I am using 'Fortinet FortiGate Add-On for Splunk' and 'Fortinet FortiGate App for Splunk' on both the machines.

Please suggest me why the logs are not detected in the dashboards of fortinet app when they are visible in search with source=fortinet.

any lead in this direction will be appreciable.

Saurabh

Re: Trouble getting data into Fortigate app

sirajnp — Mon, 20 Mar 2017 14:22:29 GMT

Splunkers,

I faced the same issue, however managed to resolve the issue.