
Fortinet -Fortigate Data not reflecting In ES Dashboard

anandhalagarasa
Path Finder

Hi Team,

We are using Splunk Cloud in our environment, and we have a dedicated ES search head for Splunk Cloud as well. Currently we have installed the Fortinet Fortigate Add-on for Splunk (1.6.1) (https://splunkbase.splunk.com/app/2846) on our Heavy Forwarder and also on the ES Splunk Cloud search head. Based on the add-on, we are now getting the logs with the following sourcetypes: fgt_traffic, fgt_event, fgt_utm.

As mentioned in the app, when I checked the Enterprise Security App on the ES Splunk Cloud search head, I was not able to find the Fortinet Fortigate data in the dashboards mentioned below.

Details provided in the Add-On:

"Verify the Add-on in Enterprise Security App
Available dashboards in Enterprise Security App supported by Fortinet Fortigate Add-on for Splunk.

Security Domain->Access->Access Center
Security Domain->Endpoint->Malware Center
Security Domain->Network->Traffic Center
Security Domain->Network->Intrusion Center
Security Domain->Network->Web Center
Security Domain->Network->Network Changes
Security Domain->Network->Port & Protocol Tracker
Security Domain->Identity->Session Center"

As recommended, I have disabled the Splunk Add-on for Fortinet as well, but the Fortinet Fortigate data is still not reflecting in the ES dashboards. Also, I want to know how the data would appear in the dashboard and how to know whether it is being displayed in the dashboard or not.

Kindly help on this query.


skalliger
Motivator

Hi,

Please allow a few days for other people to answer, as many of us were at Splunk's conference .conf19 the last few days. 🙂

First of all, please try to understand how ES works before you install anything and maybe wonder why something doesn't work like you expect it to.

Disabling your TA won't help as this will just disable all the knowledge objects that come with the app.

Enable the app, restart the SH and look for the following:
1. Is the data coming in with the correct sourcetype as per the docs?
2. Do most of the fields get extracted properly?
3. Are tags applied?
4. Is your Network Traffic data model (just one example) actually finding data? Use the base search provided in the data model to find matching events. Look out for indexes and sourcetypes in there.
5. Is your data model accelerated? Use one of the ES-provided tstats searches to see whether you can get any matching events.

The Add-on does not bring any visualisations with it. No TA does. TAs help get data ready to be used within ES, for example. If you want custom FortiNet visualisations, you need to get the FortiGate App as well.

Skalli

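The five checks above, written out as SPL searches. This is an added example, not part of the thread or of the Fortinet add-on; `your_index` is a placeholder for the index the FortiGate events land in, the sourcetypes are the three named in the question, and the tags and data model are the CIM Network Traffic ones the ES Traffic Center dashboard reads from. Run them one at a time, in order; the first one that returns nothing tells you which layer is broken.

```spl
| tstats count WHERE index=your_index sourcetype IN (fgt_traffic, fgt_event, fgt_utm) BY index, sourcetype

index=your_index sourcetype=fgt_traffic earliest=-15m
| stats count AS events, count(src) AS src, count(dest) AS dest, count(action) AS action, count(transport) AS transport

index=your_index sourcetype=fgt_traffic earliest=-15m tag=network tag=communicate
| stats count BY sourcetype

| datamodel Network_Traffic All_Traffic search
| search index=your_index sourcetype=fgt_traffic
| head 5

| tstats summariesonly=true count FROM datamodel=Network_Traffic WHERE index=your_index BY sourcetype
```

Search 1 confirms ingestion under the expected sourcetypes, search 2 confirms the add-on's extractions are populating CIM fields (a column of zeros means the TA is disabled or the props are not on the search head), search 3 confirms the tags that gate the data model constraint, search 4 is the data model's own base search, and search 5 only returns rows once acceleration has built summaries for that index.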

anandhalagarasa
Path Finder

Kindly help on the query


anandhalagarasa
Path Finder

Can anyone help on my request.
