All Apps and Add-ons

How to use Splunk_TA_fortinet_fortigate for data indexed?

rayar
Contributor

I am configuring Splunk_TA_fortinet_fortigate and no data is indexed 

what might be the issue  ?

 

the Splunk_TA_fortinet_fortigate is installed on Heavy Forwarder 

input is defined 

[splunk@ilissplfwd09 local]$ cat inputs.conf
[udp://GS-J7-FAZ3K-01-10g.corp.amdocs.com:55555]
connection_host = none
index = test
sourcetype = fortigate_log
[splunk@ilissplfwd09 local]$

from default/props.conf

[fgt_log]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fortigate
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true

 

from logs

 

06-13-2022 12:44:04.870 +0300 INFO Metrics - group=udpin_connections, xxxxxxxxxx:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000

 

no data is indexed and no error message are generated in internal indexes 

Labels (1)
Tags (4)
0 Karma
1 Solution

rayar
Contributor

we found the issue 

there was firewall enabled on the Linux (HF) server 

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rayar,

this TA uses syslogs received by UDP, did you enabled this on your Fortinet?

Did you checked that the route between your Fortinets and HF are open?

Ciao.

Giuseppe

0 Karma

rayar
Contributor

I see the buckets on me HF 

 

13:06:29.522625 IP xxx.56255 > yyy.55555: UDP, length 667
13:06:29.522630 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.522634 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.522638 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.522643 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.522647 IP xxx.56255 > yyy.55555: UDP, length 682
13:06:29.523103 IP xxx.56255 > yyy.55555: UDP, length 679
13:06:29.523130 IP xxx.56255 > yyy.55555: UDP, length 648
13:06:29.523137 IP xxx.56255 > yyy.55555: UDP, length 683
13:06:29.523141 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.523146 IP xxx.56255 > yyy.55555: UDP, length 665
13:06:29.523152 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.523157 IP xxx.56255 > yyy.55555: UDP, length 65312802 packet

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rayar,

where did you installed the TA?

It should be on the Splunk instanes as described at https://splunkbase.splunk.com/app/2846/#/details especially on HF

Ciao.

Giuseppe

0 Karma

rayar
Contributor

I have installed and configured on the heavy forwarder 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rayar,

did you inserted "sourcetype = fortigate_log" in inputs.conf or it's by default in the TA?

Ciao.

Giuseppe

0 Karma

rayar
Contributor

it was defined as a sourcetype in the TA , I configured my input

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rayar,

try to use in the input

sourcetype = fgt_log

Ciao.

Giuseppe

0 Karma

rayar
Contributor

looks like the same 

I see in metrics all values are 0.000

_udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000

does it mean it gets an empty values ?

 

06-13-2022 13:53:43.168 +0300 INFO Metrics - group=udpin_connections, *:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rayar,

did you checked if you have fortiner logs in the choosen index?

Ciao.

Giuseppe

0 Karma

rayar
Contributor

there is no data under the index 

I also tested a manual csv file  upload from the HF to this index and it was successfully indexed  

0 Karma

rayar
Contributor

we found the issue 

there was firewall enabled on the Linux (HF) server 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rayar,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

[Coming Soon] Splunk Observability Cloud - Enhanced navigation with a modern look and ...

We are excited to introduce our enhanced UI that brings together AppDynamics and Splunk Observability. This is ...

Splunk Smartness with Patrick Tatro | Episode 4

Welcome to another episode of "Splunk Smartness," where we explore how Splunk Education can revolutionize your ...