I have a bit related problem, with CIM 4.12.0, ES 5.2.1 and Splunk 7.2.3 the signature from IPS says "unknown" instead of real signature sent by device. Signatures are however visible in Fortigate App for Splunk in the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?
sorry i didn't check back. you might have found a solution or given up, but fwiw, please make sure fgt_traffic, fgt_event, or fgt_utm sourcetypes are populated by the add-on as indication that the add-on is actually working. You can do that by search sourcetype= any of the 3 sourcetype listed above. And we can investigate further from there if fortigate logs is still not going into CIM model.
Oh, I did not know that Enterprise Security already have fortigate TA. Okay, when I will be able to turn it off on the next working day. I will report there what I will got.
About logs - any traffic logs.
that's fine. can you get anything with search sourcetype=fgt_traffic or sourcetype=fgt_event or sourcetype=fgt_utm?
i noticed you installed our app as well. does the app show any data on dashboards?
Sourcetype=fgt_traffic and sourcetype=fgt_event worked in search. They even was in Data Summary in the tab "sourcetype". About sourcetype=fgt_utm: in Data Summary was not, in search not tried and right now I can't test it.
About dashboards, when i tried by this list:
Security Domain->Access->Access Center
Security Domain->Endpoint->Malware Center
Security Domain->Network->Traffic Center
Security Domain->Network->Intrusion Center
Security Domain->Network->Web Center
Security Domain->Network->Network Changes
Security Domain->Network->Port & Protocol Tracker
Security Domain->Identity->Session Center
There was data in few dashboards.