All Apps and Add-ons

Can I use Splunk for Fortigate app to analyze file .log?

pierra56
Explorer

Hi,

I have a .log file from a Fortigate firewall. Can I use it in the "Splunk for Fortigate" application? If yes, how?
Thank you.

0 Karma

sbrant_splunk
Splunk Employee

At what point are you seeing the error: "Your entry was not saved. The following error was reported: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data."?

0 Karma

sbrant_splunk
Splunk Employee

The Fortigate app is rather old and doesn't appear to have been tested with the 6.x version of Splunk. You may want to email the author about that and see if it is still under active development. That being said, I don't see anything in the app that would prevent it from working in Splunk 6.x.

What version of FortiOS are you using? The readme file in the app says that version 4.0MR3 is supported.

Try putting a file called inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_Fortigate/local/ with the following contents:

[monitor://<full path to your log file>]
sourcetype = fortigate

After that file is in there, restart Splunk and your log file should be read in and processed.

0 Karma

pierra56
Explorer

I have FortiOS 4.0MR3.
I created an inputs.conf file, but that doesn't change anything.

0 Karma

sbrant_splunk
Splunk Employee

Can you post the inputs.conf file here and the path where it's located? Also, in your original post, you mentioned something about a JSON.parse error, at what point were you getting that?

0 Karma

pierra56
Explorer

OK.

Example:
date=2014-04-16 time=00:01:38 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.40.13.111 src_port=33214 src_int=\"IN_CECA1022_01\" dst=74.125.132.105 dst_port=80 dst_int=\"OUT_CECA1022_01\" SN=50254608 status=accept policyid=20901 dst_country=\"United States\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=49458 service=HTTP proto=6 duration=10 sent=2344 rcvd=55568 sent_pkt=42 rcvd_pkt=40
date=2014-04-16 time=00:01:39 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.240.10.180 src_port=4463 src_int=\"IN_CECA1022_01\" dst=173.194.40.157 dst_port=443 dst_int=\"OUT_CECA1022_01\" SN=50252208 status=accept policyid=20901 dst_country=\"United States\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=53731 service=HTTPS proto=6 duration=241 sent=3501 rcvd=1580 sent_pkt=19 rcvd_pkt=20
date=2014-04-16 time=00:01:40 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.40.1.33 src_port=3113 src_int=\"IN_CECA1022_01\" dst=217.27.250.189 dst_port=80 dst_int=\"OUT_CECA1022_01\" SN=50254468 status=accept policyid=20901 dst_country=\"United Kingdom\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=36005 service=HTTP proto=6 duration=30 sent=902 rcvd=964 sent_pkt=6 rcvd_pkt=5
date=2014-04-16 time=00:01:40 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.40.13.111 src_port=33220 src_int=\"IN_CECA1022_01\" dst=74.125.132.105 dst_port=80 dst_int=\"OUT_CECA1022_01\" SN=50254615 status=accept policyid=20901 dst_country=\"United States\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=41288 service=HTTP proto=6 duration=10 sent=2344 rcvd=55568 sent_pkt=42 rcvd_pkt=40

It gives me a log file recovered from a Fortigate firewall, and I have to analyze it.
I use the latest version, 6.1.
And I'm new to Splunk.

0 Karma
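The lines posted above are FortiOS traffic logs in key=value form, which is what the app's `fortigate` sourcetype extracts fields from once the monitor input is reading the file. As an added example, not part of this thread and not code from the Splunk for Fortigate app, the following script parses that format directly, so the file can be sanity-checked before it is indexed: it handles both bare values and quoted values containing spaces (`dst_country="United States"`), strips the `\"` backslashes that appear in the pasted sample, converts the numeric fields, and summarises bytes per service, top source addresses and denied sessions. The four sample lines are the ones from the post; the fifth (`status=deny`, destination in the 198.51.100.0/24 documentation range) is constructed here to show how a denied session is counted.

```python
import re
from collections import Counter
from datetime import datetime

# Matches one key=value pair; the value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# FortiOS traffic-log fields that are safe to treat as integers.
INT_FIELDS = {"src_port", "dst_port", "proto", "duration", "sent", "rcvd",
              "sent_pkt", "rcvd_pkt", "policyid"}

# Sample input: lines 1-4 are the ones posted in the thread (devname/id sanitised
# as ### by the poster); line 5 is a constructed deny event for illustration.
SAMPLE_LOG = r'''date=2014-04-16 time=00:01:38 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.40.13.111 src_port=33214 src_int=\"IN_CECA1022_01\" dst=74.125.132.105 dst_port=80 dst_int=\"OUT_CECA1022_01\" SN=50254608 status=accept policyid=20901 dst_country=\"United States\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=49458 service=HTTP proto=6 duration=10 sent=2344 rcvd=55568 sent_pkt=42 rcvd_pkt=40
date=2014-04-16 time=00:01:39 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.240.10.180 src_port=4463 src_int=\"IN_CECA1022_01\" dst=173.194.40.157 dst_port=443 dst_int=\"OUT_CECA1022_01\" SN=50252208 status=accept policyid=20901 dst_country=\"United States\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=53731 service=HTTPS proto=6 duration=241 sent=3501 rcvd=1580 sent_pkt=19 rcvd_pkt=20
date=2014-04-16 time=00:01:40 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.40.1.33 src_port=3113 src_int=\"IN_CECA1022_01\" dst=217.27.250.189 dst_port=80 dst_int=\"OUT_CECA1022_01\" SN=50254468 status=accept policyid=20901 dst_country=\"United Kingdom\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=36005 service=HTTP proto=6 duration=30 sent=902 rcvd=964 sent_pkt=6 rcvd_pkt=5
date=2014-04-16 time=00:01:40 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.40.13.111 src_port=33220 src_int=\"IN_CECA1022_01\" dst=74.125.132.105 dst_port=80 dst_int=\"OUT_CECA1022_01\" SN=50254615 status=accept policyid=20901 dst_country=\"United States\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=41288 service=HTTP proto=6 duration=10 sent=2344 rcvd=55568 sent_pkt=42 rcvd_pkt=40
date=2014-04-16 time=00:01:41 devname=### id=### log_id=### type=traffic subtype=violation pri=warning vd=CECA1022_01 src=10.40.13.111 src_port=33250 src_int="IN_CECA1022_01" dst=198.51.100.23 dst_port=23 dst_int="OUT_CECA1022_01" SN=50254620 status=deny policyid=0 dst_country="Reserved" src_country="Reserved" dir_disp=org tran_disp=noop service=TELNET proto=6 duration=0 sent=0 rcvd=0 sent_pkt=0 rcvd_pkt=0
'''


def parse_fortigate_line(line: str) -> dict:
    """Parse one FortiOS key=value log line into a dict of fields.

    The backslash before each quote in the pasted sample is copy/paste residue
    (real FortiOS output writes "United States"), so it is removed first.
    """
    text = line.strip().replace('\\"', '"')
    fields = {}
    for key, quoted, bare in KV_RE.findall(text):
        value = quoted if quoted else bare
        if key in INT_FIELDS:
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw token if the device emitted something odd
        fields[key] = value
    if "date" in fields and "time" in fields:
        fields["timestamp"] = datetime.strptime(
            f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def parse_fortigate_log(text: str) -> list:
    """Parse every non-empty line of a log file's contents."""
    return [parse_fortigate_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(records: list) -> dict:
    """Aggregate traffic events: total bytes per service, top talkers, denies."""
    bytes_by_service = Counter()
    sources = Counter()
    denied = 0
    for rec in records:
        bytes_by_service[rec.get("service", "unknown")] += (
            rec.get("sent", 0) + rec.get("rcvd", 0))
        sources[rec.get("src", "unknown")] += 1
        if rec.get("status") != "accept":
            denied += 1
    return {
        "events": len(records),
        "denied": denied,
        "bytes_by_service": dict(bytes_by_service),
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    summary = summarize(parse_fortigate_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

To run it over a real file, replace `SAMPLE_LOG` with the file's contents; the field names it produces (`src`, `dst`, `dst_port`, `service`, `status`) are the ones that appear in the log itself, so a mismatch between what this script sees and what Splunk shows after indexing usually points at the monitor stanza or sourcetype rather than at the log.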

sbrant_splunk
Splunk Employee

You will find a LOT of people willing to help you on this forum. You should add a little more detail and context to your question, to get better responses.

  • Posting sanitized samples of the plaintext log can help.
  • Noting your current Splunk configuration can help (version, stand-alone or distributed, OS, etc).
  • How are you collecting the logs? (syslog, Splunk forwarder, API, etc)
  • What is your level of familiarity with Splunk?

pierra56
Explorer

OK, thanks. But I have an error:

"Your entry was not saved. The following error was reported: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data."
Do you know it?

0 Karma

strive
Influencer

Maybe you will find something in the links:

http://answers.splunk.com/apps/51391/related_questions/

0 Karma