
Why is Fortinet FortiGate CEF format not matching?

gokayakin
Engager

Hi All,

We collect Fortinet FortiGate logs into Splunk. However, the incoming logs are in CEF format and do not match the add-on, and there is a prefix "FTNTFGT" at the beginning of the fields.

I am sharing a sample log below with you. Do you need to make a configuration change on the FortiGate?


<189>Aug 12 13:35:50 xxxx CEF:0|Fortinet|Fortigate|vxxx|00xxx|traffic:forward accept|3|deviceExternalId=xxxIxxxx FTNTFGTeventtime=1660300550574125940 FTNTFGTtz=+0300 FTNTFGTlogid=xxx cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=xxx src=xxx spt=57425 deviceInboundInterface=xxx FTNTFGTsrcintfrole=lan dst=xxx dpt=18 deviceOutboundInterface=xxx FTNTFGTdstintfrole=wan FTNTFGTsrccountry=xxx FTNTFGTdstcountry=xxx externalId=xxx proto=6 act=accept FTNTFGTpolicyid=xxx FTNTFGTpolicytype=policy FTNTFGTpoluuid=xxxxxxx FTNTFGTpolicyname=xxxx duser=xxxxx FTNTFGTgroup=xxxx FTNTFGTauthserver=xxx app=HTTPS FTNTFGTtrandisp=xxx sourceTranslatedAddress=xxx sourceTranslatedPort=xxxx FTNTFGTappid=xxx FTNTFGTapp=xxxx FTNTFGTappcat=xxxx FTNTFGTapprisk=elevated FTNTFGTapplist=xxx FTNTFGTduration=xxx out=4348 in=2983 FTNTFGTsentpkt=38 FTNTFGTrcvdpkt=xx FTNTFGTsentdelta=123 FTNTFGTrcvddelta=104 FTNTFGTdevtype=Router FTNTFGTmastersrcmac=xxxxx FTNTFGTsrcmac=xxxxFTNTFGTsrcserver=0

@jerryzhao


jerryzhao
Contributor

Log in to the FortiGate CLI.

config global
config log syslogd setting
set format default
end

However, if CEF format is configured on FortiAnalyzer and then forwarded to Splunk, you need to change the format on FortiAnalyzer to syslog.
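To see concretely why the add-on's field extractions miss these events, here is a small CEF parser (an added example, not code from the original thread, from Fortinet or from the Splunk add-on) that splits the sample line from the question into header and extension fields, lists the keys carrying the vendor-specific FTNTFGT prefix, and strips that prefix into a normalized map, which is roughly what a field alias or transform would have to do if the syslog format could not be switched as the answer above describes. The sample event is the poster's masked line, abridged; the key and value handling follows the public CEF escaping rules.

```python
import re

# Constructed sample: the poster's masked CEF line from the question, abridged to a few fields.
SAMPLE = ("<189>Aug 12 13:35:50 xxxx CEF:0|Fortinet|Fortigate|vxxx|00xxx|traffic:forward accept|3|"
          "deviceExternalId=xxxIxxxx FTNTFGTeventtime=1660300550574125940 FTNTFGTtz=+0300 "
          "cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice src=xxx spt=57425 "
          "dst=xxx dpt=18 proto=6 act=accept FTNTFGTpolicyid=xxx app=HTTPS out=4348 in=2983")

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]
VENDOR_PREFIX = "FTNTFGT"  # prefix FortiGate puts on its non-standard CEF extension keys

# Split the header on unescaped pipes (a literal pipe inside a header field is escaped as "\|").
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# An extension key is a run of key characters immediately followed by "="; a value runs until the next key.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_cef(line: str) -> dict:
    """Return {"header": {...}, "extension": {...}} for one syslog-wrapped CEF event."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    body = line[start + len("CEF:"):]
    parts = _HEADER_SPLIT.split(body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 header fields plus extension")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    extension_text = parts[7]
    extension = {}
    matches = list(_EXT_KEY.finditer(extension_text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension_text)
        value = extension_text[m.end():end]
        # Undo CEF extension escaping: "\=" is a literal "=", "\\" a literal backslash.
        extension[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return {"header": header, "extension": extension}


def vendor_keys(extension: dict) -> list:
    """Keys that only exist because of the FortiGate CEF prefix; these are what the add-on does not expect."""
    return sorted(k for k in extension if k.startswith(VENDOR_PREFIX))


def normalize_vendor_keys(extension: dict) -> dict:
    """Strip the FTNTFGT prefix so keys line up with FortiGate's native syslog field names (e.g. eventtime, tz)."""
    return {(k[len(VENDOR_PREFIX):] if k.startswith(VENDOR_PREFIX) else k): v
            for k, v in extension.items()}


if __name__ == "__main__":
    event = parse_cef(SAMPLE)
    print(event["header"])
    print("prefixed keys:", vendor_keys(event["extension"]))
    print("normalized:", normalize_vendor_keys(event["extension"]))
```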


gokayakin
Engager

@jerryzhao thanks for helping, the add-on is working 🙂


