
Fortinet Fortigate App for Splunk Empty Dashboards

spiced
New Member

I installed the Fortinet FortiGate App 1.5.1 for Splunk as well as the Fortinet FortiGate Add-On 1.6.2 for Splunk and configured the sourcetype in the props.conf file.

After that I restarted the Splunk service. When I open the Fortinet FortiGate App and go to the Fortinet Network Security Overview I have nice dashboards with data.

However, the dashboards such as Traffic and VPN are all empty, even though when I open the corresponding Searches and Reports I have data. Do I need to do something else to get the other dashboards working? I use Splunk 7.3.0.

1 Solution

jerryzhao
Contributor

Did you enable data model acceleration?
5. Enable Data Model Acceleration:
Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. The user has to either enable data model acceleration in the Splunk GUI under Settings -> Data Models -> Fortinet FoS Log,
or, on the Splunk search head where the app is installed, create a "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:

[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon

https://splunkbase.splunk.com/app/2800/#/details


islam
Explorer

I faced the same issue, and I just added index=xxx at the beginning of the search of each dashboard in the app; then all dashboards worked fine.


Suirand1
Explorer

I installed the Add-on and the FortiGate App for Splunk. Enabled data model acceleration. The "Traffic dashboard" is showing results, however the Overview dashboard is empty. Most of the macro searches are not returning any results. I am ingesting FortiGate logs via SC4S; by default they go to index "netfw", source SC4S, sourcetype fgt_traffic.

I also added local/props.conf for Add-on :

[fortinet]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false

Any ideas why macros are failing? 


BrendanCO
Path Finder

Hello all! I also am having this issue. My FoS data model is accelerated. When I go to the traffic dashboard, it's all there. When I go to the Overview dashboard, it is blank. Actually most of the fields are stuck on "waiting for data".

Thoughts?


jerryzhao
Contributor

The Overview dashboard is different from the other dashboards, because the Overview page is for real-time logs. Can you check in Search & Reporting whether the logs are coming in in real time? Are all your servers' times in sync?


BrendanCO
Path Finder

They are indeed coming in in real time. Yes to time sync. It's weird; all of the other dashboards are working.


jerryzhao
Contributor

Can you try running the fgt_logs query for the last 10 minutes in real-time streaming in the Search & Reporting app?
The Overview dashboard runs the same query.


BrendanCO
Path Finder

So do you mean just put 'fgt_logs' in the search field? I don't see anything for that, either in real time or over all time.


jerryzhao
Contributor

Please copy exactly the string `fgt_logs` and paste it into the search. It is not a single quote.

If there is still no result, can you check whether you use a customized index name? Can you check the following:
If a customized index is used for the input, it also needs to be added to the admin user's default list of authorized indexes to search.
In $SPLUNK_HOME/etc/system/local/authorize.conf

[role_admin]
srchIndexesDefault = fgt;main
srchMaxTime = 8640000
In this example, fgt is the index for my fortigate log input.

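The two settings this thread keeps circling back to are the acceleration flag in datamodels.conf (accepted answer above) and the role's default index list in authorize.conf (this post). Below is an added Python check, not part of the Fortinet app or of Splunk, that reads both files the way Splunk layers them (default/ first, local/ overriding per key), reports whether the ftnt_fos data model is accelerated, and tells you whether a given index is searched at all when a query such as the `fgt_logs` macro names no index. The sample .conf contents are constructed from the snippets in this thread; the wildcard rule that `*` does not cover underscore-prefixed internal indexes is Splunk's, and the finding text is my own wording.

```python
"""Check the two Splunk settings that left the FortiGate app dashboards empty.

Added example, not code from the Fortinet app or from Splunk. It parses
datamodels.conf / authorize.conf text and applies Splunk's layering rule
(local/ overrides default/ key by key) before evaluating the settings.
"""
import configparser
import fnmatch

# Constructed sample files modelled on the thread's snippets (not real app files).
DEFAULT_DATAMODELS = """
[ftnt_fos]
acceleration = 0
"""

LOCAL_DATAMODELS = """
[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon
"""

AUTHORIZE = """
[role_admin]
grantableRoles = admin
srchIndexesAllowed = *;_*;fortinet;main;paloalto;fgt
srchIndexesDefault = main
srchMaxTime = 8640000
"""


def parse_conf(text):
    """Parse one Splunk .conf file into {stanza: {key: value}}.

    Keys that appear before any stanza header belong to Splunk's implicit
    [default] stanza, so one is prepended to keep configparser happy.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive, e.g. acceleration.earliest_time
    cp.read_string("[default]\n" + text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge_layers(*layers):
    """Later layers (local/) override earlier ones (default/) per key, per stanza."""
    merged = {}
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def acceleration_enabled(merged, stanza="ftnt_fos"):
    """True when the effective datamodels.conf turns acceleration on for the model."""
    return merged.get(stanza, {}).get("acceleration", "0").strip().lower() in ("1", "true")


def _index_matches(patterns, index):
    """Splunk index list semantics: ';'-separated globs, and '*' does not
    cover internal (underscore-prefixed) indexes; those need '_*'."""
    for pat in (p.strip() for p in patterns.split(";")):
        if not pat:
            continue
        if index.startswith("_") and not pat.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, pat):
            return True
    return False


def index_search_status(authorize, role, index):
    """Return (allowed, searched_by_default) for an index under a role.

    A search or macro that names no index only touches srchIndexesDefault,
    which is why `fgt_logs` can return nothing for an index that is allowed.
    """
    kv = authorize.get(role, {})
    allowed = _index_matches(kv.get("srchIndexesAllowed", ""), index)
    by_default = _index_matches(kv.get("srchIndexesDefault", ""), index)
    return allowed, by_default


def diagnose(datamodel_layers, authorize, role, index):
    """List the misconfigurations from this thread as human-readable findings."""
    findings = []
    if not acceleration_enabled(merge_layers(*datamodel_layers)):
        findings.append("ftnt_fos acceleration is off: dashboards that depend on the "
                        "accelerated data model stay empty")
    allowed, by_default = index_search_status(authorize, role, index)
    if not allowed:
        findings.append(f"index {index} is not in srchIndexesAllowed for {role}")
    elif not by_default:
        findings.append(f"index {index} is not in srchIndexesDefault for {role}: "
                        "searches that name no index (such as `fgt_logs`) skip it")
    return findings


if __name__ == "__main__":
    layers = [parse_conf(DEFAULT_DATAMODELS), parse_conf(LOCAL_DATAMODELS)]
    for line in diagnose(layers, parse_conf(AUTHORIZE), "role_admin", "fortigate"):
        print("FINDING:", line)
```

Run against the constructed samples it reports only the authorize.conf problem, which is exactly BrendanCO's situation: "fortigate" is allowed through `*` but is not in srchIndexesDefault, so the macro finds nothing unless the index is added there or the search names it explicitly. Point the two `parse_conf` calls at the real files under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/{default,local}/datamodels.conf and $SPLUNK_HOME/etc/system/local/authorize.conf to check a live search head.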

BrendanCO
Path Finder

Sorry for the delay in response. I was laid off for a bit. So when I put 'fgt_logs' in the search field, I don't get anything. My index is simply called "fortigate". I updated authorize.conf to the following:

[role_admin]
grantableRoles = admin
srchIndexesAllowed = *;_*;fortinet;main;paloalto;fgt
srchIndexesDefault = main
srchMaxTime = 8640000

Do I need to create a new index called fgt_logs? 


jerryzhao
Contributor

The fgt_logs macro needs to be put in the query field with backticks: `fgt_logs`



spiced
New Member

Thank you @jerryzhao after I enabled the Data Model Acceleration, the dashboards contained the data.
