Solved: Re: Splunk App Fortinet Fortigate

vinod94 · ‎07-10-2018

I have firewall data coming to my syslog server.The syslog file gets rotated every 24 hours. Ive installed forwarder on the syslog server. I have a monitoring stanza in my Fortinet FortiGate App for Splunk(TA) .

[monitor:///bbbb/aaaaa/xxxxxxx/syslog.log]
index = fortinet
sourcetype = fgt_log

Earlier the logs used to come, now the data has stopped coming. It says:

07-10-2018 14:10:39.143 +0530 WARN  TailReader - Enqueuing a very large file=/bbbb/aaaaa/xxxxxxx/syslog.log in the batch reader, with bytes_to_read=2626817453, reading of other large files could be delayed

07-10-2018 04:56:18.424 +0530 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Jul 10 04:56:02 2018). Context: source::/bbbb/aaaaa/xxxxxxx/syslog.log|host::XXXX|fgt_log|2414.

tried reinstalling the forwarder, thruput = 0, initcrclength = 1024 but no luck!

Splunk version - 6.5.7
Fortinet FortiGate App for Splunk- 1.4

Any suggestions?

MoniM · ‎01-29-2019

Hi @ vinod94 ,
can you please check your props.conf file.

View solution in original post

MoniM · ‎01-29-2019

Hi @ vinod94 ,
can you please check your props.conf file.

vinod94 · ‎08-03-2019

Thank you!

Splunk App Fortinet Fortigate

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation