
Problem collecting failed authentication events from firewalls

yanisA
Explorer

Hi,

For security monitoring purposes, we are trying to collect authentication logs from Fortigate and Palo Alto devices, but we only receive success events. We also need to get the failed events.

We don't think the problem is due to the devices' configuration, because another SIEM can read failed authentication events with the same log forwarding filters applied.

Same for:

index=firewall_fortigate
index=firewall_paloalto

Thanks in advance for your feedback


gcusello
SplunkTrust

Hi @yanisA,

Let me understand:

  • you're receiving Fortigate and Palo Alto logs,
  • the same systems (with the same configuration) are sending all logs (success and failed authentications) to another SIEM,
  • Splunk is receiving only success logs;

is it correct?

One question: are you receiving only success events, or are you only able to identify success events?

If you receive only success events there are two possibilities:

  • the source systems are configured to send only success events and don't log failed events;
  • all the events arrive in Splunk, but all the events except the success ones are discarded.

In the first case you can work only on the source systems.

In the second case, you have to check the configuration files (on Indexers and Heavy Forwarders) related to the sourcetypes of Fortigate and Palo Alto and verify if there's a filter that discards a part of events.

If instead you aren't able to identify events, you have to analyze the documentation of Fortinet and Palo Alto to find the related messages.

Installing the Technical Add-Ons (TA) for Fortigate and Palo Alto will help you in this job.

Ciao.

Giuseppe
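For the second possibility above (events arrive but are dropped before indexing), the thing to look for on the indexers and heavy forwarders is an index-time routing filter in props.conf/transforms.conf that sends events to nullQueue. The following is an added example, not configuration from this thread or from the Fortinet/Palo Alto add-ons: the first pair of stanzas shows the kind of "keep only what matches" filter that produces exactly the symptom described (only success logins reach the index), and the second pair shows a corrected version. The sourcetype name `fgt_log`, the stanza names, and the FortiGate `status="success"` / `status="failed"` values are assumptions for illustration; confirm the real sourcetype with btool and the real field values in the Fortinet log reference before copying anything.

```ini
# --- props.conf (indexer or heavy forwarder, wherever parsing happens) ---
# ASSUMED sourcetype name; check yours with:
#   splunk btool props list --debug | grep -i fgt
[fgt_log]
# Transforms run in list order and the last one to set DEST_KEY wins.
TRANSFORMS-routing = fgt_setnull, fgt_keep_success

# --- transforms.conf, the filter AS FOUND (produces the symptom) ---
# Step 1: route every event to nullQueue (i.e. discard it)...
[fgt_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: ...then put back only events that match this regex.
# Anything without status="success" (every failed login) is silently dropped.
[fgt_keep_success]
REGEX = status="success"
DEST_KEY = queue
FORMAT = indexQueue

# --- transforms.conf, CORRECTED ---
# Keep both outcomes of an authentication attempt. The "failed" value is an
# ASSUMPTION taken from FortiGate admin-login event logs; verify it against the
# FortiOS log reference for your firmware version.
[fgt_keep_auth]
REGEX = status="(success|failed)"
DEST_KEY = queue
FORMAT = indexQueue

# and in props.conf, reference the corrected stanza instead:
# [fgt_log]
# TRANSFORMS-routing = fgt_setnull, fgt_keep_auth
```

A few practical notes on checking this. Run `splunk btool props list <sourcetype> --debug` and `splunk btool transforms list --debug` on every indexer and heavy forwarder, not just one: btool shows the merged result across all apps and prints which file each setting came from, so a filter hiding in some app's `local/` directory (which overrides `default/`) becomes visible. Index-time filters only apply on the first full Splunk instance that parses the data, so if a heavy forwarder sits in front of the indexers, that is where to look. After editing, restart splunkd (or use the reload endpoint where supported) and confirm with a search such as `index=firewall_fortigate status=* | stats count by status`, which should now show both values. Finally, a whitelist filter like the one above is fragile by design, since any event type you did not think of disappears without a trace; if you must filter at index time, prefer dropping a narrow, well-understood set of noisy events and letting everything else through.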

yanisA
Explorer

Hi @gcusello

Thanks for your response 🙂

Exactly, your understanding is correct. We are going to check the configuration files related to the sourcetypes; both TAs are already installed.

I will come back to you soon

Yanis
