Getting Data In

Splunk App Fortinet Fortigate

vinod94
Contributor

I have firewall data coming to my syslog server.The syslog file gets rotated every 24 hours. Ive installed forwarder on the syslog server. I have a monitoring stanza in my Fortinet FortiGate App for Splunk(TA) .

[monitor:///bbbb/aaaaa/xxxxxxx/syslog.log]
index = fortinet
sourcetype = fgt_log

Earlier the logs used to come, now the data has stopped coming. It says:

07-10-2018 14:10:39.143 +0530 WARN  TailReader - Enqueuing a very large file=/bbbb/aaaaa/xxxxxxx/syslog.log in the batch reader, with bytes_to_read=2626817453, reading of other large files could be delayed

07-10-2018 04:56:18.424 +0530 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Jul 10 04:56:02 2018). Context: source::/bbbb/aaaaa/xxxxxxx/syslog.log|host::XXXX|fgt_log|2414. 

tried reinstalling the forwarder, thruput = 0, initcrclength = 1024 but no luck!

Splunk version - 6.5.7
Fortinet FortiGate App for Splunk- 1.4

Any suggestions?

0 Karma
1 Solution

MoniM
Communicator

Hi @ vinod94 ,
can you please check your props.conf file.

View solution in original post

0 Karma

MoniM
Communicator

Hi @ vinod94 ,
can you please check your props.conf file.

0 Karma

vinod94
Contributor

Thank you!

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...