All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Problem on collect of Firewalls failed authentication events

yanisA
Explorer
‎08-18-2021 02:12 AM

Hi,

For security monitoring matters, we are trying to collect authentication logs from Fortigate and Palo Alto devices but we only receive success events. We also need to get failed events.

We don't think the problem is due to devices configuration because other SIEM can read failed authentication events with the same Log forward filters applied.

Same for

index=firewall_fortigate

index=firewall_paloalto

 

Thanks by advance for your feedback

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-18-2021 03:56 AM

Hi @yanisA,

Let me understand:

  • you're receiving Fortigate and Palo Alto logs,
  • the same systems (with the same configuration) are sending all logs (success and failed authentications) to another SIEM,
  • Splunk is receiving only success logs;

is it correct?

one question: are you receiving only success events or can you identificate only success events?

If you receive only success events there are two choices:

  • the source systems are configurated to send only success events and don't trace failed events;
  • all the events arrive in Splunk but all the events except success, are discarded.

In the first case you can work only on the source systems.

In the second case, you have to check the configuration files (on Indexers and Heavy Forwarders) related to the sourcetypes of Fortigate and Palo Alto and verify if there's a filter that discards a part of events.

If instead you aren't able to identify events, you have to analyze the documentation of Fortinet and Palo Alto to find the related messages.

Installing the Technical Add-Ons (TA) of Fortigate and Palo Alto, will help you in this job.

Ciao.

Giuseppe

Reply

yanisA
Explorer
‎08-18-2021 04:30 AM

Hi @gcusello

Thanks for your response 🙂

Exactly, your understanding is good. We are going to check the configuration files related to the sourcetypes, both TA are already installed.

I will come back to you soon

Yanis

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...