I am configuring Splunk_TA_fortinet_fortigate and no data is indexed.
What might be the issue?
The Splunk_TA_fortinet_fortigate is installed on a Heavy Forwarder.
The input is defined:
[splunk@ilissplfwd09 local]$ cat inputs.conf
[udp://GS-J7-FAZ3K-01-10g.corp.amdocs.com:55555]
connection_host = none
index = test
sourcetype = fortigate_log
[splunk@ilissplfwd09 local]$
From default/props.conf:
[fgt_log]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fortigate
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
From the logs: no data is indexed and no error messages are generated in the internal indexes.
We found the issue:
there was a firewall enabled on the Linux (HF) server.
Hi @rayar,
this TA uses syslog received over UDP; did you enable this on your Fortinet?
Did you check that the route between your Fortinets and the HF is open?
Ciao.
Giuseppe
I see the buckets on my HF:
13:06:29.522625 IP xxx.56255 > yyy.55555: UDP, length 667
13:06:29.522630 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.522634 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.522638 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.522643 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.522647 IP xxx.56255 > yyy.55555: UDP, length 682
13:06:29.523103 IP xxx.56255 > yyy.55555: UDP, length 679
13:06:29.523130 IP xxx.56255 > yyy.55555: UDP, length 648
13:06:29.523137 IP xxx.56255 > yyy.55555: UDP, length 683
13:06:29.523141 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.523146 IP xxx.56255 > yyy.55555: UDP, length 665
13:06:29.523152 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.523157 IP xxx.56255 > yyy.55555: UDP, length 653
12802 packets captured
Hi @rayar,
where did you install the TA?
It should be on the Splunk instances as described at https://splunkbase.splunk.com/app/2846/#/details, especially on the HF.
Ciao.
Giuseppe
I have installed and configured it on the heavy forwarder.
Hi @rayar,
did you insert "sourcetype = fortigate_log" in inputs.conf, or is it there by default in the TA?
Ciao.
Giuseppe
It was defined as a sourcetype in the TA; I configured my input.
Looks like the same.
I see in metrics that all values are 0.000:
_udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000
Does it mean it gets empty values?
There is no data under the index.
I also tested a manual CSV file upload from the HF to this index, and it was successfully indexed.
We found the issue:
there was a firewall enabled on the Linux (HF) server.
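As an added example (not part of this thread or of the TA), a small Python check that correlates a tcpdump capture on the HF with the Splunk metrics.log udpin_connections line for the same port, to tell "no traffic reaches the HF" apart from "traffic reaches the NIC but never splunkd", which is the symptom a host firewall produces as in the resolution above. The sample lines are constructed, and the metrics.log line layout is an assumption here, not something the thread shows.

```python
import re

# Constructed samples modelled on the thread: tcpdump on the HF sees datagrams for
# udp/55555 while metrics.log reports all _udp_* counters as 0 (line layout assumed).
TCPDUMP_SAMPLE = """\
13:06:29.522625 IP 10.0.0.5.56255 > 10.0.0.9.55555: UDP, length 667
13:06:29.522630 IP 10.0.0.5.56255 > 10.0.0.9.55555: UDP, length 684
13:06:29.522634 IP 10.0.0.5.56255 > 10.0.0.9.514: UDP, length 120
"""
METRICS_ZERO = ("INFO  Metrics - group=udpin_connections, 10.0.0.9:55555, "
                "_udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, "
                "_udp_kprocessed=0.000, _udp_eps=0.000")
METRICS_OK = ("INFO  Metrics - group=udpin_connections, 10.0.0.9:55555, "
              "_udp_bps=1340.16, _udp_kbps=1.31, _udp_avg_thruput=1.31, "
              "_udp_kprocessed=0.04, _udp_eps=2.00")

TCPDUMP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")
PORT_RE = re.compile(r"group=udpin_connections, [^,]*:(\d+)")
KV_RE = re.compile(r"(_udp_\w+)=([\d.]+)")

def count_udp_datagrams(tcpdump_text, port):
    """Datagrams and payload bytes tcpdump saw addressed to the given UDP port."""
    count = total = 0
    for line in tcpdump_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m and int(m.group(4)) == port:
            count += 1
            total += int(m.group(5))
    return count, total

def udp_metrics(metrics_text, port):
    """The _udp_* counters Splunk reports for the listener on the given port."""
    for line in metrics_text.splitlines():
        pm = PORT_RE.search(line)
        if pm and int(pm.group(1)) == port:
            return {k: float(v) for k, v in KV_RE.findall(line)}
    return None  # no udpin_connections entry: input not loaded on this instance

def diagnose(tcpdump_text, metrics_text, port):
    """Classify why a UDP input indexes nothing by correlating the two sources."""
    pkts, _ = count_udp_datagrams(tcpdump_text, port)
    metrics = udp_metrics(metrics_text, port)
    if metrics is None:
        return "no-listener"            # check the TA / inputs.conf on this HF
    if any(v > 0 for v in metrics.values()):
        return "ok"                     # splunkd is receiving; look at props/index
    if pkts == 0:
        return "no-traffic"             # check Fortinet syslog config / network path
    return "blocked-before-splunk"      # NIC sees it, splunkd does not: host firewall
```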
Hi @rayar,
good for you, see you next time!
Please accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉