
Fortinet -Fortigate Data not reflecting In ES Dashboard

anandhalagarasa
Path Finder

Hi Team,

We are using Splunk Cloud in our environment, and we have a dedicated ES search head for Splunk Cloud as well. Currently we have installed the Fortinet Fortigate Add-on for Splunk (1.6.1) (https://splunkbase.splunk.com/app/2846) on our heavy forwarder and also on the ES Splunk Cloud search head. Based on the add-on, we are now getting the logs with the following sourcetypes: fgt_traffic, fgt_event, fgt_utm.

As mentioned in the app, when I checked the Enterprise Security app on the ES Splunk Cloud search head, I was not able to find the Fortinet Fortigate data in the dashboards mentioned below.

Details provided in the Add-On:

"Verify the Add-on in Enterprise Security App
Available dashboards in Enterprise Security App supported by Fortinet Fortigate Add-on for Splunk.

Security Domain->Access->Access Center
Security Domain->Endpoint->Malware Center
Security Domain->Network->Traffic Center
Security Domain->Network->Intrusion Center
Security Domain->Network->Web Center
Security Domain->Network->Network Changes
Security Domain->Network->Port & Protocol Tracker
Security Domain->Identity->Session Center"

As recommended, I have disabled the Splunk Add-on for Fortinet as well, but the Fortinet Fortigate data is still not reflected in the ES dashboards. I also want to know how the data would appear in the dashboards and how to tell whether it is being displayed in the dashboards or not.

Kindly help on this query.


skalliger
SplunkTrust

Hi,

please allow a few days for other people to answer as many of us were at Splunk's conference .conf19 the last few days. 🙂

First of all, please try to understand how ES works before you install anything and then wonder why something doesn't work the way you expect it to.

Disabling your TA won't help as this will just disable all the knowledge objects that come with the app.

Enable the app, restart the SH and look for the following:
1. Is the data coming in the correct sourcetype as per the docs?
2. Do most of the fields get extracted properly?
3. Are tags applied?
4. Is your network traffic data model (just one example) actually finding data? Use the base search provided in the data model to find matching events. Look out for indexes and sourcetypes in there.
5. Is your data model accelerated? Use one of the ES provided tstats searches to see whether you can get any matching events.

The add-on does not bring any visualisations with it. No TA does. TAs help get data ready to be used within ES, for example. If you want custom Fortinet visualisations, you need to get the FortiGate App as well.

Skalli

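The five checks in the reply above, written out as SPL searches. This is an added example, not code from the thread or from the Fortinet add-on; it assumes the add-on maps FortiGate fields to the CIM Network_Traffic field names (src, dest, dest_port, action, transport) and applies the network and communicate tags the data model requires, and it uses index=* where you would normally name the index the FortiGate logs land in. Each search is independent and is labelled with an eval so the step it belongs to is visible in the results.

```spl
| tstats count WHERE index=* sourcetype IN (fgt_traffic, fgt_event, fgt_utm) BY index, sourcetype
| eval check="1 sourcetypes present in the index"

index=* sourcetype=fgt_traffic earliest=-1h
| stats count AS events, count(src) AS src, count(dest) AS dest, count(dest_port) AS dest_port,
        count(action) AS action, count(transport) AS transport
| eval check="2 CIM fields extracted (each count should be close to events)"

index=* sourcetype=fgt_traffic earliest=-1h
| stats count BY tag
| eval check="3 tags applied (Network_Traffic needs both network and communicate)"

| datamodel Network_Traffic All_Traffic search
| search sourcetype=fgt_traffic
| stats count BY sourcetype
| eval check="4 data model base search finds the events"

| tstats summariesonly=true count FROM datamodel=Network_Traffic WHERE sourcetype=fgt_traffic BY All_Traffic.action
| eval check="5 accelerated summaries contain FortiGate events"
```

If check 4 returns events but check 5 returns nothing, acceleration is either disabled or has not yet caught up, and the ES dashboards (which run tstats against the summaries) will stay empty until it does. The same sequence applies to fgt_utm against the Intrusion_Detection, Web and Malware data models that back the Intrusion, Web and Malware Centers.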

anandhalagarasa
Path Finder

Kindly help on the query


anandhalagarasa
Path Finder

Can anyone help on my request?
