Splunk for Fortigate Config

Andrew_Banman
Explorer

I am trying to get the Splunk Fortigate application running as it would be very useful. When I go into it and give it a device and vdom it just reports no data is found. I have set up the UDP:512 port on Splunk and the sourcetype/IP config per the README file, but I still seem to be unable to get the app to display the data. I am not sure what I have done wrong and I'm not sure even where to begin looking at this point. Can anyone offer some troubleshooting suggestions?

You can see I have log data per my splunk data:

date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=50962,dst=###.###.###.###,dstname=###.###.###.###,dst_port=53,service=53/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V645_ITG_MGMTS",dst_int="V998_MGMTN",SN=582346120,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=162,dst=###.###.###.###,dstname=###.###.###.###,dst_port=162,service=162/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346112,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=162,dst=###.###.###.###,dstname=###.###.###.###,dst_port=162,service=162/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346110,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=58072,dst=###.###.###.###,dstname=###.###.###.###,dst_port=53,service=53/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V645_ITG_MGMTS",dst_int="V998_MGMTN",SN=582346087,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346085,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346084,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346073,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346072,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346071,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"

0 Karma

Andrew_Banman
Explorer

Thanks for your response and help. I don't see these denies in the denied screens but ....

We will have to wait to use your excellent tool until we update, I guess. We are fairly conservative and almost NEVER run the latest release of anything.

0 Karma

femedina
New Member

abelcdo, first, great work on the app. For MR3 patches this app seems to work fine, but there were some bugs that were fixed in version 5.0 of the firmware that were needed, and the app seems to not work with this version. Are there any plans at this time to develop the app for version 5.0 of the firmware? I have a specific use case and would like to work with you to help develop this further.

0 Karma

abelcdo
New Member

Your logs are denied traffic. Nothing appears in the denied reports even if you don't create a filter.
I suggest upgrading, because this App was created around 4.0MR3.
I've done some tests with MR2 and traffic reports have worked, but I cannot confirm it with all MR2 patches.

0 Karma
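A quick way to check what the original poster's sample data actually contains (and to see abelcdo's point that every event is status=deny) is to parse the FortiGate 4.0 key=value syslog format shown in the first post and tally events by type and status. The script below is an added example written for this thread, not code from the Splunk Fortigate app; the sample events are constructed in the same layout as the posted lines, with dummy addresses and device id, and the third event (status=accept, with a quoted msg= field containing a comma) is made up to exercise the parser.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events in the FortiGate 4.0 key=value format seen in the thread.
# Addresses and device_id are dummies. The accept event is invented for the example
# (its log_id, subtype and msg values are not from the original post).
SAMPLE_EVENTS = [
    'date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG000000000000,'
    'log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,'
    'vd="root",src=192.0.2.10,src_port=50962,dst=192.0.2.53,dst_port=53,'
    'service=53/udp,proto=17,sent=0,rcvd=0,src_int="V645_ITG_MGMTS",'
    'dst_int="V998_MGMTN",SN=582346120,app="N/A",user="N/A"',
    'date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG000000000000,'
    'log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,'
    'vd="root",src=192.0.2.20,src_port=48295,dst=192.0.2.14,dst_port=514,'
    'service=514/udp,proto=17,sent=0,rcvd=0,src_int="V998_MGMTN",'
    'dst_int="V999_MGMTS",SN=582346085,app="N/A",user="N/A"',
    'date=2012-07-06,time=13:48:51,devname=FW-NAME,device_id=FG000000000000,'
    'log_id=0021000002,type=traffic,subtype=allowed,pri=notice,status=accept,'
    'vd="root",src=192.0.2.30,src_port=40001,dst=198.51.100.5,dst_port=443,'
    'service=HTTPS,proto=6,sent=1200,rcvd=5400,policyid=7,'
    'msg="session closed, normal",SN=582346080',
]

# key=value pairs separated by commas; a double-quoted value may itself contain commas.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_event(line):
    """Parse one FortiGate event into a dict, stripping quotes and adding a _time datetime."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    if "date" in fields and "time" in fields:
        fields["_time"] = datetime.strptime(
            f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S"
        )
    return fields


def summarize(lines):
    """Count events by (type, status) so it is obvious whether any accepted traffic exists."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        counts[(ev.get("type", "?"), ev.get("status", "?"))] += 1
    return counts


def deny_ratio(lines):
    """Fraction of events with status=deny (1.0 means the traffic reports will have nothing to show)."""
    counts = summarize(lines)
    total = sum(counts.values())
    denied = sum(n for (_, status), n in counts.items() if status == "deny")
    return denied / total if total else 0.0


if __name__ == "__main__":
    for (typ, status), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{typ:8s} {status:8s} {n}")
    print(f"denied share: {deny_ratio(SAMPLE_EVENTS):.0%}")
```

Point it at an export of the real events (for example, one event per line saved from a Splunk search) instead of SAMPLE_EVENTS: if the deny share comes back at 100%, the empty traffic reports are explained by the data rather than by the input or sourcetype configuration.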

abelcdo
New Member

About the index, nothing is described about the index because it isn't specific for this application but global to Splunk.

0 Karma

Andrew_Banman
Explorer

Not sure about the index issue. I didn't do anything intentional with indexes and I didn't see instructions for this in the README.

0 Karma

Andrew_Banman
Explorer

Hi Abel,

Thanks for the speedy response. Here is a version from the status dashboard on the Fortigate:

v4.0,build0328,110718 (MR2 Patch 8)

Cheers,
Andrew

0 Karma

abelcdo
New Member

Hello,

What is the version of your Fortigate firmware?
The App only supports 4.0MR3 and a few logs from the 4.0MR2.

If the version of the firmware is OK, have you created a new index where the Fortigate logs are collected?
If yes, have you given your account the ability to access this index by default?

Regards,
Abel

0 Karma