Hello World,
I am attempting to create a search in Splunk that will provide me with any and all changes an admin made to our firewalls. This is part of a "governance" task and we have logs coming from the FWs. Any pointers will be appreciated.
Best,
AD
Been a while. Learning a lot about Splunk. I found the index and specific event code needed to make this search happen.
index=fgt eventtype=ftnt_fortigate_config_change
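Building on that search, here is an added example (not from any poster in this thread) that turns the matching events into an audit table of who changed what and from where. It assumes the Fortinet add-on extracts the FortiGate event-log fields `user`, `ui`, `devname`, `cfgpath`, `cfgobj`, `cfgattr` and `msg`; the `rex` splits the `ui` value (e.g. `GUI(10.0.0.5)`) into access method and source address, and the field names are an assumption to check against your own extractions.

```spl
index=fgt eventtype=ftnt_fortigate_config_change earliest=-7d@d
| rex field=ui "^(?<ui_method>[^(]+)\((?<ui_src>[^)]+)\)"
| eval ui_method=coalesce(ui_method, ui)
| table _time devname user ui_method ui_src cfgpath cfgobj cfgattr msg
| sort 0 - _time
```

For a governance summary, replace the `table` and `sort` lines with `| stats count values(cfgpath) AS changed_paths BY devname user ui_src` to get one row per admin, firewall and source address.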
What do the events that you have coming in look like? For example, fields you have extracted from the events, or do you need help extracting the fields?
@ITWhisperer I'm sitting down with the people that configured Splunk for this network. I can't even get basic logs to pull up via a simple search. Might be a configuration issue. I will get back to you once I have some logs to work with.