What logs is FortiGate reporting? Any traffic logs? By the way, have you disabled the other FortiGate TA that came with the Enterprise Security package and then installed our add-on?
Oh, I did not know that Enterprise Security already has a FortiGate TA. Okay, I will be able to turn it off on the next working day. I will report here what I get.
About the logs: any traffic logs.
That's fine. Can you get anything with a search for sourcetype=fgttraffic or sourcetype=fgtevent or sourcetype=fgt_utm?
I noticed you installed our app as well. Does the app show any data on dashboards?
sourcetype=fgttraffic and sourcetype=fgtevent worked in search. They were even listed in Data Summary under the "sourcetype" tab. About sourcetype=fgt_utm: it was not in Data Summary, I did not try it in search, and right now I can't test it.
About dashboards, I tried the following list:
Security Domain->Access->Access Center
Security Domain->Endpoint->Malware Center
Security Domain->Network->Traffic Center
Security Domain->Network->Intrusion Center
Security Domain->Network->Web Center
Security Domain->Network->Network Changes
Security Domain->Network->Port & Protocol Tracker
Security Domain->Identity->Session Center
There was data in a few dashboards.
Sorry I didn't check back. You might have found a solution or given up, but FWIW, please make sure the fgttraffic, fgtevent, or fgt_utm sourcetypes are populated by the add-on as an indication that the add-on is actually working. You can do that by searching sourcetype= any of the 3 sourcetypes listed above. And we can investigate further from there if FortiGate logs are still not going into the CIM model.
I have a somewhat related problem: with CIM 4.12.0, ES 5.2.1 and Splunk 7.2.3, the signature from IPS says "unknown" instead of the real signature sent by the device. Signatures are, however, visible in the Fortigate App for Splunk on the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?
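The two checks discussed in this thread (confirming the add-on actually populates the three sourcetypes, and finding where an IPS signature is lost on its way into CIM) can be done with a few Splunk searches. The searches below are an added example, not from the add-on or from any poster in the thread. They assume the FortiGate IPS events carry the raw `attack` field and arrive as `sourcetype=fgt_utm` with `subtype=ips`, and that the add-on is expected to map that field to the CIM `signature` field consumed by the `Intrusion_Detection` data model; if your events differ, substitute the field names you see in the raw event.

```spl
| tstats count where index=* sourcetype IN ("fgttraffic", "fgtevent", "fgt_utm") by sourcetype
```

Run the search above first: if one of the three sourcetypes returns no count over a window in which the firewall was definitely sending logs, the add-on is not classifying those events and nothing downstream (CIM or ES dashboards) can work. Next, compare the raw field with the CIM field on the same events (assumed field names, see the lead-in):

```spl
sourcetype=fgt_utm subtype=ips
| stats count by attack, signature
```

If `attack` holds real signature names while `signature` is empty or only appears as "unknown", the break is in the add-on's field extraction or alias for this event shape, not in the data model or ES. If `signature` is populated here, confirm the data model itself sees it:

```spl
| datamodel Intrusion_Detection IDS_Attacks search
| search sourcetype=fgt_utm
| stats count by IDS_Attacks.signature
```

A populated `IDS_Attacks.signature` here but "unknown" in an ES dashboard points at that dashboard's own search (for example a `fillnull` that substitutes "unknown" for a missing field) rather than at the add-on.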