
Why is Fortinet FortiGate CEF format not matching?

gokayakin
Engager

Hi All,

We collect Fortinet FortiGate logs in Splunk. However, the incoming logs are in CEF format, which does not match the add-on, and there is a prefix "FTNTFGT" at the beginning of the fields.

I am sharing a sample log below with you. Is a configuration change needed on the FortiGate?


<189>Aug 12 13:35:50 xxxx CEF:0|Fortinet|Fortigate|vxxx|00xxx|traffic:forward accept|3|deviceExternalId=xxxIxxxx FTNTFGTeventtime=1660300550574125940 FTNTFGTtz=+0300 FTNTFGTlogid=xxx cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=xxx src=xxx spt=57425 deviceInboundInterface=xxx FTNTFGTsrcintfrole=lan dst=xxx dpt=18 deviceOutboundInterface=xxx FTNTFGTdstintfrole=wan FTNTFGTsrccountry=xxx FTNTFGTdstcountry=xxx externalId=xxx proto=6 act=accept FTNTFGTpolicyid=xxx FTNTFGTpolicytype=policy FTNTFGTpoluuid=xxxxxxx FTNTFGTpolicyname=xxxx duser=xxxxx FTNTFGTgroup=xxxx FTNTFGTauthserver=xxx app=HTTPS FTNTFGTtrandisp=xxx sourceTranslatedAddress=xxx sourceTranslatedPort=xxxx FTNTFGTappid=xxx FTNTFGTapp=xxxx FTNTFGTappcat=xxxx FTNTFGTapprisk=elevated FTNTFGTapplist=xxx FTNTFGTduration=xxx out=4348 in=2983 FTNTFGTsentpkt=38 FTNTFGTrcvdpkt=xx FTNTFGTsentdelta=123 FTNTFGTrcvddelta=104 FTNTFGTdevtype=Router FTNTFGTmastersrcmac=xxxxx FTNTFGTsrcmac=xxxxFTNTFGTsrcserver=0

@jerryzhao

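To see why the add-on's syslog extractions do not line up with events like the one above, here is an added Python example (not from the question, the add-on or Fortinet) that parses a CEF line into its header and extension fields and strips the FTNTFGT vendor prefix so the keys read as the native FortiGate names the device emits in its default key=value syslog format. The sample line, hostname and field values are constructed placeholders.

```python
import re

# Constructed FortiGate CEF line, modelled on the redacted sample in the question.
SAMPLE = ("<189>Aug 12 13:35:50 fgt01 CEF:0|Fortinet|Fortigate|vX.X.X|00013|traffic:forward accept|3|"
          "deviceExternalId=FGTXXXX FTNTFGTeventtime=1660300550574125940 FTNTFGTtz=+0300 "
          "FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice "
          "src=10.0.0.5 spt=57425 dst=203.0.113.7 dpt=443 proto=6 act=accept FTNTFGTpolicyid=12 "
          "app=HTTPS out=4348 in=2983 FTNTFGTsrcmac=00:11:22:33:44:55 FTNTFGTsrcserver=0")

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
VENDOR_PREFIX = "FTNTFGT"   # Fortinet's prefix for its custom CEF extension keys
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # a key token is preceded by start or space

def split_header(line):
    """Return (header dict, extension string) for one CEF line.
    The 7 header fields are pipe-delimited; a literal pipe in a field is escaped as \\|."""
    body = line[line.index("CEF:") + len("CEF:"):]
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)        # split on unescaped pipes only
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    return header, parts[7] if len(parts) > 7 else ""

def parse_extension(ext):
    """Parse the 'key=value key2=value2' extension. Keys contain no spaces, but values may,
    so each value runs until the next ' key=' token; an escaped '\\=' in a value is restored."""
    keys = list(EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return fields

def normalize(fields):
    """Strip the FTNTFGT prefix so keys read as the native FortiGate names (eventtime, logid,
    subtype, ...) that the device emits in its default key=value syslog format."""
    return {k[len(VENDOR_PREFIX):] if k.startswith(VENDOR_PREFIX) else k: v
            for k, v in fields.items()}

def parse_cef(line):
    """Full pipeline: header fields, raw extension keys, and prefix-normalized keys."""
    header, ext = split_header(line)
    raw = parse_extension(ext)
    return header, raw, normalize(raw)

if __name__ == "__main__":
    hdr, raw, norm = parse_cef(SAMPLE)
    print(hdr["name"], hdr["severity"])
    print(sorted(k for k in raw if k.startswith(VENDOR_PREFIX)))   # keys the add-on does not know
    print(norm["logid"], norm["subtype"], norm["srcmac"])
```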
1 Solution

jerryzhao
Contributor

Log in to the FortiGate CLI and run:

config global
config log syslogd setting
set format default
end

However, if CEF format is configured on FortiAnalyzer and then forwarded to Splunk, you need to change the format on FortiAnalyzer to syslog.


gokayakin
Engager

@jerryzhao thanks for helping, the add-on is working 🙂


