
Splunk for Fortigate: How do I configure the app to get VDOM logging correctly?

ppater82
New Member

Hi All,

Could anyone help me?
I've successfully installed and configured the Fortigate App.

I see the Fortigate logging in the syslog "Search & Reporting".
I also see some information in the Fortigate app, but I see only logging related to VDOM root.
Can anyone tell me how I get the VDOM logging correct in the app? I see the VDOM information in syslog correctly.

Many thanks,

Best Regards
Patrick

Here is some information on the syslog output:

Splunk Version
6.3.1
Splunk Build
f3e41e4b37b2

Fortigate Firmware Version  
v5.2.5,build701 (GA)

inputs.conf
[udp://xx.xx.xxx.xxx:514]
sourcetype = fortios5
no_appending_timestamp = true

[udp://514]
sourcetype = networking
no_appending_timestamp = true

props.conf
[source::udp:514]
[fortios5]
TRANSFORMS-sourcetype_fortios5 = fortios5_virus, fortios5_ips, fortios5_app-ctrl, fortios5_webfilter, fortios5_traffic, fortios5_sslvpn, fortios5_event_wireless, f$
SHOULD_LINEMERGE = false

Fortigate config
ssc-fwfg-ph-1 # config global 
ssc-fwfg-ph-1 (global) # config log syslogd setting 
ssc-fwfg-ph-1 (setting) # show
config log syslogd setting
    set status enable
    set server "xx.xx.xxx.xx"
end

1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=pov-prod srcip=xx.xx.xxx.xx srcport=62851 srcintf="VLAN3193" dstip=xx.xx.x.xx dstport=161 dstintf="VLAN3192" poluuid=560e4f6a-b3f1-51e5-e898-8f134de431ef sessionid=38302588 proto=17 action=accept policyid=6 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="udp/161" duration=180 sentbyte=71 rcvdbyte=75 sentpkt=1 rcvdpkt=1 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=zwo-prod srcip=xx.xxx.x.x srcport=60759 srcintf="VLAN3168" dstip=xx.xxx.xxx.xx dstport=6343 dstintf="VLAN3169" poluuid=b8f3cf02-ae0a-51e5-4868-7cc8fa2c558a sessionid=38302591 proto=17 action=accept policyid=5 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="udp/6343" duration=180 sentbyte=316 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=pov-prod srcip=xx.xx.xxx.xx srcport=62851 srcintf="VLAN3193" dstip=xx.xx.x.xx dstport=161 dstintf="VLAN3192" poluuid=560e4f6a-b3f1-51e5-e898-8f134de431ef sessionid=38302590 proto=17 action=accept policyid=6 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="udp/161" duration=180 sentbyte=71 rcvdbyte=75 sentpkt=1 rcvdpkt=1 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=zwo-prod srcip=xx.xxx.xxx.xxx srcport=53396 srcintf="VLAN3168" dstip=xx.xxx.x.xxx dstport=443 dstintf="VLAN3169" poluuid=b8f3cf02-ae0a-51e5-4868-7cc8fa2c558a sessionid=38305573 proto=6 action=close policyid=5 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTPS" duration=1 sentbyte=132 rcvdbyte=92 sentpkt=3 rcvdpkt=2 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=pov-prod srcip=xx.xx.xxx.xx srcport=62851 srcintf="VLAN3193" dstip=xx.xx.x.xx dstport=161 dstintf="VLAN3192" poluuid=560e4f6a-b3f1-51e5-e898-8f134de431ef sessionid=38302589 proto=17 action=accept policyid=6 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="udp/161" duration=180 sentbyte=71 rcvdbyte=76 sentpkt=1 rcvdpkt=1 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=zwo-prod srcip=xx.xxx.x.xxx srcport=54894 srcintf="VLAN3169" dstip=xx.xxx.xx.xxx dstport=9100 dstintf="VLAN3168" poluuid=b8f5eb20-ae0a-51e5-5f17-ffeefe4d276b sessionid=38305223 proto=6 action=timeout policyid=6 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="tcp/9100" duration=19 sentbyte=152 rcvdbyte=0 sentpkt=3 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel=low
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=zwo-prod srcip=xx.xxx.xxx.xxx srcport=49980 srcintf="VLAN3168" dstip=xx.xxx.x.xxx dstport=443 dstintf="VLAN3169" poluuid=b8f3cf02-ae0a-51e5-4868-7cc8fa2c558a sessionid=38305527 proto=6 action=close policyid=5 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTPS" duration=5 sentbyte=132 rcvdbyte=92 sentpkt=3 rcvdpkt=2 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic

jerryzhao
Contributor

From the information you provided, props.conf specifically, I suspect you are not using Fortinet's official app+add-on.
https://splunkbase.splunk.com/app/2800/

props.conf
[source::udp:514]
[fortios5]
TRANSFORMS-sourcetype_fortios5 = fortios5_virus, fortios5_ips, fortios5_app-ctrl, fortios5_webfilter, fortios5_traffic, fortios5_sslvpn, fortios5_event_wireless, f$
SHOULD_LINEMERGE = false

Or did you modify those lines yourself?


ppater82
New Member

Hello,

I've changed the inputs.conf without success 😞

inputs.conf
[udp://514]
sourcetype = fortios5
no_appending_timestamp = true
