Create Splunk Alert for fortinet VPN tunnel status

mufthmu · ‎08-03-2020

Hi fellow Splunkers,

I want to create alert with these conditions:

alert triggered when any of the VPNs go down.
alert triggered when someone brings down the tunnel.

Thanks in advance

richgalloway · ‎08-04-2020

Do you have VPN and tunnel states logged in Splunk? If not, there is nothing you can do until that data is available. If you have the data, search the appropriate index(es) for events showing a down VPN or tunnel. Then save the search as an alert.
I'd like to be more specific, but vague questions beget vague answers.

---
If this reply helps you, Karma would be appreciated.

mufthmu · ‎08-04-2020

@richgalloway yes I do, we have events coming in (assume index=fortinet).

However, I do not know how to write specific search query that can capture an event when the VPN is down. Also if I simply search "index = fortinet", how do you narrow the search to find events that shows a down VPN or tunnel? I could not find those events.

richgalloway · ‎08-04-2020

This is when it helps to understand your data. If you're not familiar with the Fortinet logs I suggest you reach out to someone in your company who is familiar with them so he or she can tell you what to look for.

Some basic searches to get started include looking for the word "down"

index=fortinet "down"

or the name of a VPN or tunnel

index=fortinet "<VPN or tunnel name>"

---
If this reply helps you, Karma would be appreciated.

Create Splunk Alert for fortinet VPN tunnel status

Other

Data Preparation Made Easy: SPL2 for Edge Processor

Introducing Edge Processor: Next Gen Data Transformation

Tips & Tricks When Using Ingest Actions