Fortigate logs are not in CIM data models

test_qweqwe
Builder

So, logs from Fortinet successfully come to Splunk, but not to the Data Model. When I checked the Pivot of SIM, there are 0 events.
What should I do to fix it?

0 Karma

mikkorh
Explorer

I have a bit related problem, with CIM 4.12.0, ES 5.2.1 and Splunk 7.2.3 the signature from IPS says "unknown" instead of real signature sent by device. Signatures are however visible in Fortigate App for Splunk in the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?

0 Karma

jerryzhao
Contributor

Sorry, I didn't check back. You might have found a solution or given up, but FWIW, please make sure the fgt_traffic, fgt_event, or fgt_utm sourcetypes are populated by the add-on as an indication that the add-on is actually working. You can do that by searching sourcetype= any of the 3 sourcetypes listed above. And we can investigate further from there if Fortigate logs are still not going into the CIM model.

0 Karma
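As an added example (not from either participant), three SPL searches that carry the sourcetype check above one step further: are the events arriving, do they carry the CIM tags the Network_Traffic data model keys on (tag=network tag=communicate), and does the data model itself see them. They assume the add-on sourcetype names quoted in the thread and the standard CIM Network_Traffic model; `your_index` is a placeholder for the index the Fortigate logs land in.

```spl
| tstats count where index=your_index (sourcetype=fgt_traffic OR sourcetype=fgt_event OR sourcetype=fgt_utm) by sourcetype

index=your_index sourcetype=fgt_traffic earliest=-1h
| stats count by sourcetype eventtype tag

| tstats summariesonly=false count from datamodel=Network_Traffic where nodename=All_Traffic by sourcetype
```

If the first search returns counts but the second shows no `network` / `communicate` tags, the break is in the eventtype and tag definitions (or the add-on is not visible to the app the pivot runs in); if the tags are present but the third search returns nothing, look at the data model's constraints or acceleration settings rather than at the add-on.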

jerryzhao
Contributor

Do you mean Fortigate logs are not in CIM data models?

0 Karma

test_qweqwe
Builder

Yes, you are right!
I fixed the title of the question so now people can understand what I mean, my bad English 🙂

0 Karma

jerryzhao
Contributor

What logs is Fortigate reporting? Any traffic logs? By the way, have you disabled the other Fortigate TA that came with the Enterprise Security package and then installed our add-on?

0 Karma

test_qweqwe
Builder

Oh, I did not know that Enterprise Security already has a Fortigate TA. Okay, I will be able to turn it off on the next working day. I will report here what I get.

About logs: any traffic logs.

0 Karma

test_qweqwe
Builder

Hmmm, maybe I'm blind or don't understand something, but there is no default Fortigate TA with ES.
http://prntscr.com/h5p7hu (screenshot)

0 Karma

jerryzhao
Contributor

That's fine. Can you get anything with search sourcetype=fgt_traffic or sourcetype=fgt_event or sourcetype=fgt_utm?
I noticed you installed our app as well. Does the app show any data on dashboards?

0 Karma

test_qweqwe
Builder

sourcetype=fgt_traffic and sourcetype=fgt_event worked in search. They were even in Data Summary in the "sourcetype" tab. About sourcetype=fgt_utm: it was not in Data Summary, I did not try it in search, and right now I can't test it.
About dashboards, I tried the ones in this list:

Security Domain->Access->Access Center
Security Domain->Endpoint->Malware Center
Security Domain->Network->Traffic Center
Security Domain->Network->Intrusion Center
Security Domain->Network->Web Center
Security Domain->Network->Network Changes
Security Domain->Network->Port & Protocol Tracker
Security Domain->Identity->Session Center

There was data in a few dashboards.

0 Karma