All Apps and Add-ons
Highlighted

Fortigate logs are not in CIM data models

Builder

So, logs from Fortinet successfully come to Splunk, but not to Data Model. When I checked Pivot of SIM, there are 0 events.
What should I do to fix it?

0 Karma
Highlighted

Re: Fortigate logs are not in CIM data models

Contributor

do you mean fortigate logs are not in CIM data models?

0 Karma
Highlighted

Re: Fortigate logs are not in CIM data models

Builder

Yes, you are right!
I fixed the title of the question so now people can understand what I mean, my bad english 🙂

0 Karma
Highlighted

Re: Fortigate logs are not in CIM data models

Contributor

what logs are fortigate reporting? any traffic logs? by the way, have you disabled the other fortigate TA that came with Enterprise Security package and then installed our add-on?

0 Karma
Highlighted

Re: Fortigate logs are not in CIM data models

Builder

Oh, I did not know that Enterprise Security already have fortigate TA. Okay, when I will be able to turn it off on the next working day. I will report there what I will got.

About logs - any traffic logs.

0 Karma
Highlighted

Re: Fortigate logs are not in CIM data models

Builder

Hmmm, maybe I'm blind or not understand something, but there is no default TA fortigate with EE.
http://prntscr.com/h5p7hu (screenshot)

0 Karma
Highlighted

Re: Fortigate logs are not in CIM data models

Contributor

that's fine. can you get anything with search sourcetype=fgttraffic or sourcetype=fgtevent or sourcetype=fgt_utm?
i noticed you installed our app as well. does the app show any data on dashboards?

0 Karma
Highlighted

Re: Fortigate logs are not in CIM data models

Builder

Sourcetype=fgttraffic and sourcetype=fgtevent worked in search. They even was in Data Summary in the tab "sourcetype". About sourcetype=fgt_utm: in Data Summary was not, in search not tried and right now I can't test it.
About dashboards, when i tried by this list:

Security Domain->Access->Access Center
Security Domain->Endpoint->Malware Center
Security Domain->Network->Traffic Center
Security Domain->Network->Intrusion Center
Security Domain->Network->Web Center
Security Domain->Network->Network Changes
Security Domain->Network->Port & Protocol Tracker
Security Domain->Identity->Session Center

There was data in few dashboards.

0 Karma
Highlighted

Re: Fortigate logs are not in CIM data models

Contributor

sorry i didn't check back. you might have found a solution or given up, but fwiw, please make sure fgttraffic, fgtevent, or fgt_utm sourcetypes are populated by the add-on as indication that the add-on is actually working. You can do that by search sourcetype= any of the 3 sourcetype listed above. And we can investigate further from there if fortigate logs is still not going into CIM model.

0 Karma
Highlighted

Re: Fortigate logs are not in CIM data models

Explorer

I have a bit related problem, with CIM 4.12.0, ES 5.2.1 and Splunk 7.2.3 the signature from IPS says "unknown" instead of real signature sent by device. Signatures are however visible in Fortigate App for Splunk in the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?

0 Karma