
How to use Splunk_TA_fortinet_fortigate for data indexed?

rayar
Contributor

I am configuring Splunk_TA_fortinet_fortigate and no data is indexed.

What might be the issue?

Splunk_TA_fortinet_fortigate is installed on a Heavy Forwarder.

The input is defined:

[splunk@ilissplfwd09 local]$ cat inputs.conf
[udp://GS-J7-FAZ3K-01-10g.corp.amdocs.com:55555]
connection_host = none
index = test
sourcetype = fortigate_log
[splunk@ilissplfwd09 local]$

From default/props.conf:

[fgt_log]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fortigate
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true

From the logs:

06-13-2022 12:44:04.870 +0300 INFO Metrics - group=udpin_connections, xxxxxxxxxx:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000

No data is indexed and no error messages are generated in the internal indexes.
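An added example, not from the thread or from the TA: the metrics line quoted above is the one signal that distinguishes "input bound but nothing arrives" from "data arrives but is not indexed". This script parses udpin_connections lines from metrics.log and flags every UDP input whose _udp_eps and _udp_kprocessed are both zero. The sample lines are constructed to follow the format shown in the question; the second input (514) is invented to give a non-idle comparison.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag UDP inputs that splunkd has bound
# but that show zero throughput in metrics.log, the symptom described above.
# The sample lines below are constructed in the udpin_connections format.

SAMPLE_METRICS='06-13-2022 12:44:04.870 +0300 INFO Metrics - group=udpin_connections, *:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000
06-13-2022 12:44:04.870 +0300 INFO Metrics - group=udpin_connections, *:514, sourcePort=514.000, _udp_bps=1834.200, _udp_kbps=1.791, _udp_avg_thruput=1.791, _udp_kprocessed=55.032, _udp_eps=3.100
06-13-2022 12:44:04.870 +0300 INFO Metrics - group=tcpin_connections, sourceIp=10.0.0.5, destPort=9997, kb=12.500, tcp_eps=2.000'

# udp_input_status: read metrics.log lines on stdin and print one line per
# udpin_connections entry as "<port> <eps> <kprocessed> idle|active".
# An input is idle when both _udp_eps and _udp_kprocessed are zero: the
# socket is bound, but no datagram has reached it since splunkd started.
udp_input_status() {
  awk -F', ' '
    /group=udpin_connections/ {
      port = ""; eps = ""; kproc = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^sourcePort=/)      { port  = substr($i, 12); sub(/\.000$/, "", port) }
        if ($i ~ /^_udp_eps=/)        { eps   = substr($i, 10) }
        if ($i ~ /^_udp_kprocessed=/) { kproc = substr($i, 17) }
      }
      status = (eps + 0 == 0 && kproc + 0 == 0) ? "idle" : "active"
      print port, eps, kproc, status
    }'
}

# idle_udp_ports: only the port numbers of idle inputs, one per line.
idle_udp_ports() {
  udp_input_status | awk '$4 == "idle" { print $1 }'
}

# Run against the constructed sample. On a live HF, use the real file:
#   udp_input_status < "$SPLUNK_HOME/var/log/splunk/metrics.log" | sort -u
printf '%s\n' "$SAMPLE_METRICS" | udp_input_status
```

A port that stays idle while a packet capture on the same host shows datagrams arriving points at something between the NIC and the socket (a host firewall, or splunkd bound to a different address), not at sourcetype or props settings.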


gcusello
SplunkTrust

Hi @rayar,

this TA uses syslogs received by UDP, did you enable this on your Fortinet?

Did you check that the route between your Fortinets and the HF is open?

Ciao.

Giuseppe

rayar
Contributor

I see the buckets on my HF:


13:06:29.522625 IP xxx.56255 > yyy.55555: UDP, length 667
13:06:29.522630 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.522634 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.522638 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.522643 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.522647 IP xxx.56255 > yyy.55555: UDP, length 682
13:06:29.523103 IP xxx.56255 > yyy.55555: UDP, length 679
13:06:29.523130 IP xxx.56255 > yyy.55555: UDP, length 648
13:06:29.523137 IP xxx.56255 > yyy.55555: UDP, length 683
13:06:29.523141 IP xxx.56255 > yyy.55555: UDP, length 666
13:06:29.523146 IP xxx.56255 > yyy.55555: UDP, length 665
13:06:29.523152 IP xxx.56255 > yyy.55555: UDP, length 684
13:06:29.523157 IP xxx.56255 > yyy.55555: UDP, length 653
12802 packet

gcusello
SplunkTrust

Hi @rayar,

where did you install the TA?

It should be on the Splunk instances as described at https://splunkbase.splunk.com/app/2846/#/details, especially on the HF.

Ciao.

Giuseppe

rayar
Contributor

I have installed and configured it on the heavy forwarder.

gcusello
SplunkTrust

Hi @rayar,

did you insert "sourcetype = fortigate_log" in inputs.conf, or is it the default in the TA?

Ciao.

Giuseppe

rayar
Contributor

It was defined as a sourcetype in the TA; I configured my input.

gcusello
SplunkTrust

Hi @rayar,

try to use this in the input:

sourcetype = fgt_log

Ciao.

Giuseppe

rayar
Contributor

Looks like the same.

I see in the metrics that all values are 0.000:

_udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000

Does it mean it gets empty values?

06-13-2022 13:53:43.168 +0300 INFO Metrics - group=udpin_connections, *:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000

gcusello
SplunkTrust

Hi @rayar,

did you check if you have Fortinet logs in the chosen index?

Ciao.

Giuseppe

rayar
Contributor

There is no data under the index.

I also tested a manual CSV file upload from the HF to this index and it was successfully indexed.

rayar
Contributor

We found the issue:

there was a firewall enabled on the Linux (HF) server.

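An added example, not from the thread or from the TA, for the root cause found above: a host firewall on the HF dropping the UDP input port while tcpdump (which sees traffic before netfilter's INPUT chain) still shows the datagrams arriving. The function reads an `iptables -S INPUT` dump and decides whether a fresh inbound UDP datagram to a given port would be accepted, first match wins, falling back to the chain policy. The two rulesets are constructed; the port 55555 rule mirrors the input in the question, the other rules are typical defaults and not from the page. It is a simplified matcher: it honours -p, --dport, --ctstate and -i, and ignores address matches and jumps into user-defined chains.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): evaluate an `iptables -S INPUT` dump
# offline to see whether inbound UDP to a port would be accepted. This is
# the host-firewall condition that caused the zero-throughput input above.
# Both rule dumps are constructed; only the 55555 rule relates to the thread.

RULES_BEFORE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8089 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j ACCEPT'

RULES_AFTER="$RULES_BEFORE
-A INPUT -p udp -m udp --dport 55555 -j ACCEPT"

# udp_port_allowed PORT: read `iptables -S INPUT` output on stdin and print
# "allowed" or "blocked" for a fresh inbound UDP datagram to PORT arriving on
# a non-loopback interface. First matching rule wins, like the kernel; with
# no match the chain policy (-P INPUT ...) decides.
# Simplified matcher: honours -p, --dport, --ctstate and -i; ignores -s/-d
# address matches; a jump to a user-defined chain is skipped as "no decision".
udp_port_allowed() {
  awk -v port="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 == "-A" && $2 == "INPUT" {
      proto = ""; dport = ""; target = ""; state = ""; iface = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-p")        proto  = $(i + 1)
        if ($i == "--dport")   dport  = $(i + 1)
        if ($i == "-j")        target = $(i + 1)
        if ($i == "--ctstate") state  = $(i + 1)
        if ($i == "-i")        iface  = $(i + 1)
      }
      if (iface == "lo") next                  # loopback-only rule
      if (state != "" && state !~ /NEW/) next  # needs an existing flow
      if (proto != "" && proto != "udp") next
      if (dport != "" && dport != port) next
      if (target == "ACCEPT") { verdict = "allowed"; decided = 1; exit }
      if (target == "DROP" || target == "REJECT") { verdict = "blocked"; decided = 1; exit }
    }
    END {
      # exit in a rule still runs END, so only fall back when nothing matched
      if (!decided) verdict = (policy == "ACCEPT") ? "allowed" : "blocked"
      print verdict
    }'
}

# Live check on the HF (reading the ruleset needs root):
#   sudo iptables -S INPUT | udp_port_allowed 55555
# Pair it with `ss -lun` to confirm splunkd has actually bound the port.
printf '%s\n' "$RULES_BEFORE" | udp_port_allowed 55555   # blocked
printf '%s\n' "$RULES_AFTER"  | udp_port_allowed 55555   # allowed
```

On a firewalld host the same question is answered by `firewall-cmd --list-ports` for the active zone; the point is the same either way: a capture that shows packets, combined with an idle udpin_connections entry, means the host is receiving but not delivering them to splunkd.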

gcusello
SplunkTrust

Hi @rayar,

good for you, see next time!

Please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
