
How to use Splunk_TA_fortinet_fortigate for data indexed?

rayar
Contributor

I am configuring Splunk_TA_fortinet_fortigate and no data is indexed.

What might be the issue?

 

The Splunk_TA_fortinet_fortigate is installed on a Heavy Forwarder.

The input is defined:

[splunk@ilissplfwd09 local]$ cat inputs.conf
[udp://GS-J7-FAZ3K-01-10g.corp.amdocs.com:55555]
connection_host = none
index = test
sourcetype = fortigate_log
[splunk@ilissplfwd09 local]$

From default/props.conf:

[fgt_log]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fortigate
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true

 

From the logs:

 

06-13-2022 12:44:04.870 +0300 INFO Metrics - group=udpin_connections, xxxxxxxxxx:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000

 

No data is indexed and no error messages are generated in the internal indexes.


gcusello
SplunkTrust

Hi @rayar,

This TA uses syslog received over UDP; did you enable this on your Fortinet?

Did you check that the route between your Fortinets and the HF is open?

Ciao.

Giuseppe


rayar
Contributor

I see the packets on my HF:

 

13:06:29.522625 IP xxx.56255 > yyy.55555: UDP, length 667
13:06:29.522630 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.522634 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.522638 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.522643 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.522647 IP xxx.56255 > yyy.55555: UDP, length 682
13:06:29.523103 IP xxx.56255 > yyy.55555: UDP, length 679
13:06:29.523130 IP xxx.56255 > yyy.55555: UDP, length 648
13:06:29.523137 IP xxx.56255 > yyy.55555: UDP, length 683
13:06:29.523141 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.523146 IP xxx.56255 > yyy.55555: UDP, length 665
13:06:29.523152 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.523157 IP xxx.56255 > yyy.55555: UDP, length 65312802 packet


gcusello
SplunkTrust

Hi @rayar,

Where did you install the TA?

It should be on the Splunk instances as described at https://splunkbase.splunk.com/app/2846/#/details, especially on the HF.

Ciao.

Giuseppe


rayar
Contributor

I have installed and configured it on the heavy forwarder.


gcusello
SplunkTrust

Hi @rayar,

Did you insert "sourcetype = fortigate_log" in inputs.conf yourself, or is it there by default in the TA?

Ciao.

Giuseppe


rayar
Contributor

It was defined as a sourcetype in the TA; I configured my input.


gcusello
SplunkTrust

Hi @rayar,

Try using this in the input:

sourcetype = fgt_log

Ciao.

Giuseppe


rayar
Contributor

Looks like the same.

I see in the metrics that all values are 0.000:

_udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000

Does it mean it gets empty values?

 

06-13-2022 13:53:43.168 +0300 INFO Metrics - group=udpin_connections, *:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000
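The two observations in this thread (tcpdump shows datagrams arriving on port 55555, while the `udpin_connections` line in metrics.log reports `_udp_kprocessed=0.000` and `_udp_eps=0.000`) are exactly the pair a practitioner correlates to tell "nothing is being sent" apart from "packets reach the NIC but never reach splunkd", which is the host-firewall situation the original poster eventually found. The script below is an added example, not code from the thread or from the Fortinet TA; it parses both log formats and classifies the state of one UDP input port. The sample lines are the ones quoted in the thread (with the same redacted hosts), plus one constructed healthy metrics line for contrast; the result labels are this example's own vocabulary.

```python
"""Correlate Splunk 'udpin_connections' metrics with UDP packets seen on the wire.

Diagnostic idea: if tcpdump shows datagrams arriving on the listener port but
metrics.log reports zero processed bytes/events for that port, the datagrams
are being dropped between the NIC and splunkd (host firewall, wrong bind
address) rather than being received and mis-parsed by the TA.
"""
import re
from collections import Counter

# Fields of the udpin_connections line as written in metrics.log.
METRICS_RE = re.compile(
    r"group=udpin_connections,\s*(?P<bind>[^:,\s]+):(?P<port>\d+),"
    r".*?_udp_kprocessed=(?P<kprocessed>[\d.]+)"
    r".*?_udp_eps=(?P<eps>[\d.]+)"
)

# tcpdump summary line: "HH:MM:SS.us IP src.sport > dst.dport: UDP, length N"
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"UDP, length (?P<len>\d+)"
)

# Sample input: lines quoted in the thread (hosts already redacted there),
# plus one constructed line showing what a healthy listener reports.
SAMPLE_METRICS = [
    "06-13-2022 13:53:43.168 +0300 INFO Metrics - group=udpin_connections, "
    "*:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, "
    "_udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000",
]
HEALTHY_METRICS = [  # constructed, not from the thread
    "06-13-2022 13:53:43.168 +0300 INFO Metrics - group=udpin_connections, "
    "*:55555, sourcePort=55555.000, _udp_bps=812.400, _udp_kbps=0.793, "
    "_udp_avg_thruput=0.793, _udp_kprocessed=24.500, _udp_eps=12.500",
]
SAMPLE_TCPDUMP = [
    "13:06:29.522625 IP xxx.56255 > yyy.55555: UDP, length 667",
    "13:06:29.522630 IP xxx.56255 > yyy.55555: UDP, length 684",
    "13:06:29.522634 IP xxx.56255 > yyy.55555: UDP, length 666",
]


def parse_metrics(lines):
    """Return {port: (kprocessed, eps)} for every udpin_connections line."""
    out = {}
    for line in lines:
        m = METRICS_RE.search(line)
        if m:
            out[int(m.group("port"))] = (
                float(m.group("kprocessed")), float(m.group("eps")))
    return out


def count_wire_packets(lines):
    """Return {dst_port: (packet_count, byte_count)} from tcpdump summary lines."""
    pkts, byts = Counter(), Counter()
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            port = int(m.group("dport"))
            pkts[port] += 1
            byts[port] += int(m.group("len"))
    return {p: (pkts[p], byts[p]) for p in pkts}


def diagnose(metrics_lines, tcpdump_lines, port):
    """Classify one UDP input port from the two evidence sources."""
    metrics = parse_metrics(metrics_lines)
    wire = count_wire_packets(tcpdump_lines)
    if port not in metrics:
        # splunkd never reports the port: input stanza not loaded or TA missing on the HF
        return "no-listener"
    kprocessed, eps = metrics[port]
    on_wire = wire.get(port, (0, 0))[0] > 0
    in_splunk = kprocessed > 0 or eps > 0
    if on_wire and not in_splunk:
        # datagrams reach the interface but splunkd counts nothing: dropped locally
        return "dropped-locally"
    if not on_wire:
        # nothing arrives at all: sender config or network path
        return "nothing-sent"
    return "receiving"


if __name__ == "__main__":
    print(count_wire_packets(SAMPLE_TCPDUMP))
    print(diagnose(SAMPLE_METRICS, SAMPLE_TCPDUMP, 55555))
    print(diagnose(HEALTHY_METRICS, SAMPLE_TCPDUMP, 55555))
```

Run it on a capture taken on the HF (tcpdump filtered on the listener port) together with the `udpin_connections` lines from `$SPLUNK_HOME/var/log/splunk/metrics.log`; a "dropped-locally" verdict points at the host itself (firewalld/iptables rules, or the input bound to an address the packets are not sent to), which is what the thread's author found.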

gcusello
SplunkTrust

Hi @rayar,

Did you check whether you have Fortinet logs in the chosen index?

Ciao.

Giuseppe


rayar
Contributor

There is no data under the index.

I also tested a manual CSV file upload from the HF to this index and it was successfully indexed.


rayar
Contributor

We found the issue.

There was a firewall enabled on the Linux (HF) server.


gcusello
SplunkTrust

Hi @rayar,

Good for you, see you next time!

Please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
