All Apps and Add-ons

I am able to search syslog data from Fortigate, but why do I get no results in the Fortinet FortiGate App for Splunk?

New Member

Hi,

I have installed the Fortinet Fortigate App and Add-on for Splunk.
I have a rsyslog configuration to dump the syslog from Fortigate into a folder.
I configured Splunk data input to monitor the above folder with sourcetype="fortigate"
I am able to search the data after they are indexed.
However, I am not able to get after results in the App for Fortigate.
What other configurations do I need to do please?

Thank you

0 Karma

New Member

Try changing the permissions (under App management, search & reporting) to Global. Mine was set to App. Once I changed it I started seeing data.

0 Karma

Contributor

could you try adding a sourcetype stanza header in props.conf of fortigate add-on or TA
the directory is /opt/splunk/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf

[source::*]
[fortigate]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false
0 Karma

New Member

Hi Jerry, thank you for your suggestion.

This is the orginal stanza in my
/opt/splunk/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf:

[source::*]

[source::udp:514]

TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false

I have added [fortigate] as suggested by you, as follows, but it doesnt seem to work. After I edited the file, i restarted splunk and run the app but there is still 0 device and nothing detected on the charts/dashboards.

Mine is a fortigate-60 running fortiOS 5.2, is this (Fortinet app for fortigate) the correct app to use or should i use app for fortiOS5? I have tried both but they have same issue...

[source::*]
[fortigate]

[source::udp:514]

TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false

0 Karma

Contributor

we don't support fortios5 app.

the first dashboard is overall dashboard for real time data, with a look back window of 15 mins, so if there is no data in the past 15 min, you will see nothing.
the rest dashboards are for historical data.

after the modification, could you try searching for fgt_system in search and reporting? if nothing, try searching fortigate and post the screen captured result for me to investigate. just by word description it is hard for me.

0 Karma

Communicator

Could you please check and confirm - If the data is coming from older version of fortiOS than FrotiOS 5.0 then keywords - "fgt_system" & 'fortigate' will not be there in the logs ??

Will appreciate your prompt response.

0 Karma

Contributor

we don't support logs from lower than 5.0. they are not verified.
fgt_system is a source type renamed from your input sourcetype if a regex for system logs matches your input log. fortigate is your source input source type.

0 Karma

Communicator

We are using the logs from fortiOS version 5 built 310 patch 11.

As per Splunkbase the 'Fortinet FortiGate App for Splunk' supports logs from FortiOS 5.0/5.2/5.4, so i hope you can help me in my case. The data is visible in the S&R but the dashboards are not populating.

0 Karma

Communicator

what is the default sourcetype to keep in splunk if we are uploading the fortigate data ?

0 Karma

Contributor

it is all defined by yourself. in the original question it was 'fortigate', but you can define yours and our add-on can transform it to those sourcetypes(fgt_traffic, fgt_event...), which the app can process later.
just add the sourcetype whatever you defined to props.conf to let the add-on know that the original source type for fortigate logs, as i suggested in my answer to the OP.

0 Karma

New Member

I have done 2 screenshots how do i upload here? I m not putting them on-line so i dont have a url.

0 Karma

New Member

One screen shot is the traffic dashboard which I select last 30 days and there is not data at all. No device.
Second screen shot is i search for sourcetype=fortigate for last 7 days with results listed.

0 Karma

New Member

The event entry I see in search result is as what I have posted earlier (info masked):
2015-12-16T09:09:53.109439+08:00 zzz.zzz.zzz.zzz date=2015-12-16 time=09:09:53 devname=Fortigate-60 device_id=FGT-xxxxx log_id=xxxxx type=event subtype=dhcp pri=information vd=root dhcp_msg="Ack" dir=Sent mac=xx:xx:xx:xx ip=xxx.xxx.xxx.xxx lease=1800 hostname="aaaa" msg="Assigns IP address/configuration parameters to the client"

0 Karma

Contributor

do you have fortigate constantly reporting log to splunk or historic log?
since the record you posted is way back in history, could you change the acceleration period from default 1 day to longer days that cover the log's date?

0 Karma

Communicator

I tried this on my Splunk server as well, didn't work for me either.

0 Karma

Communicator

Hey @starbursthub,

I am also facing the same issue and i have tried asking here on Splunk answers but unfortunately no one from dev team is there for support it seems. Our splunk peers are the only help it seems.

@ppablo[Splunk] please see if you can do some help in this regards. Thats will be really helpful.

also see - https://answers.splunk.com/answers/327036/fortinet-fortigate-app-for-splunk-when-i-run-a-sea.html

0 Karma

Community Manager
Community Manager

Hi @saurabh_tek

I edited this post with the the official tags (blue) for the app and add-on so the developers of the app should be notified that this question was posted. Since this isn't a Splunk developed app, Splunk support wouldn't be able to provide help on this unfortunately. If you're not getting any help here on Answers from the developers of this app (in this case, Fortinet Inc), I suggest contacting them directly. You can click "Contact Developer" on the app's page on Splunkbase: https://splunkbase.splunk.com/app/2800/

0 Karma

New Member

By the way I have also tried using Splunk App for FortiOS5 + its Add-On. I re-index my fortigate data with sourcetype="fortios5".
I still don't get any display on the dashboard.
Here's a masked sample of my syslog message
2015-12-16T09:09:53.109439+08:00 zzz.zzz.zzz.zzz date=2015-12-16 time=09:09:53 devname=Fortigate-60 device_id=FGT-xxxxx log_id=xxxxx type=event subtype=dhcp pri=information vd=root dhcp_msg="Ack" dir=Sent mac=xx:xx:xx:xx ip=xxx.xxx.xxx.xxx lease=1800 hostname="aaaa" msg="Assigns IP address/configuration parameters to the client"

0 Karma

New Member

does the index matter? I'm using the default index i.e "main".

0 Karma

Communicator

it should not be a matter of concern as the 'Fortinet FortiGate Add-on for Splunk' is responsible for collecting fortinet logs automatically from indexer/single instance server unless you are mentioning a specific index in the search bar.

I also tried using the 3rd party app for fortigate but no luck.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!