Getting Data In

Splunk App Fortinet Fortigate

vinod94
Contributor

I have firewall data coming to my syslog server.The syslog file gets rotated every 24 hours. Ive installed forwarder on the syslog server. I have a monitoring stanza in my Fortinet FortiGate App for Splunk(TA) .

[monitor:///bbbb/aaaaa/xxxxxxx/syslog.log]
index = fortinet
sourcetype = fgt_log

Earlier the logs used to come, now the data has stopped coming. It says:

07-10-2018 14:10:39.143 +0530 WARN  TailReader - Enqueuing a very large file=/bbbb/aaaaa/xxxxxxx/syslog.log in the batch reader, with bytes_to_read=2626817453, reading of other large files could be delayed

07-10-2018 04:56:18.424 +0530 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Jul 10 04:56:02 2018). Context: source::/bbbb/aaaaa/xxxxxxx/syslog.log|host::XXXX|fgt_log|2414. 

tried reinstalling the forwarder, thruput = 0, initcrclength = 1024 but no luck!

Splunk version - 6.5.7
Fortinet FortiGate App for Splunk- 1.4

Any suggestions?

0 Karma
1 Solution

MoniM
Communicator

Hi @ vinod94 ,
can you please check your props.conf file.

View solution in original post

0 Karma

MoniM
Communicator

Hi @ vinod94 ,
can you please check your props.conf file.

0 Karma

vinod94
Contributor

Thank you!

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...