Splunk App Fortinet Fortigate

vinod94
Contributor

I have firewall data coming to my syslog server. The syslog file gets rotated every 24 hours. I've installed a forwarder on the syslog server. I have a monitoring stanza in my Fortinet FortiGate App for Splunk (TA).

[monitor:///bbbb/aaaaa/xxxxxxx/syslog.log]
index = fortinet
sourcetype = fgt_log

Earlier the logs used to come, now the data has stopped coming. It says:

07-10-2018 14:10:39.143 +0530 WARN  TailReader - Enqueuing a very large file=/bbbb/aaaaa/xxxxxxx/syslog.log in the batch reader, with bytes_to_read=2626817453, reading of other large files could be delayed

07-10-2018 04:56:18.424 +0530 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Jul 10 04:56:02 2018). Context: source::/bbbb/aaaaa/xxxxxxx/syslog.log|host::XXXX|fgt_log|2414. 

I tried reinstalling the forwarder, thruput = 0, initcrclength = 1024, but no luck!

Splunk version - 6.5.7
Fortinet FortiGate App for Splunk - 1.4

Any suggestions?


MoniM
Communicator

Hi @vinod94,
can you please check your props.conf file.
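Added example (not from the thread, the FortiGate app or Splunk itself) that models the MAX_TIMESTAMP_LOOKAHEAD check behind the DateParserVerbose warning in the question: it runs constructed FortiGate-style syslog lines through an assumed TIME_PREFIX / TIME_FORMAT and reports which lines would fall back to the previous event's timestamp, so the props.conf settings can be checked before they are deployed.

```python
import re
from datetime import datetime

# The limit named in the DateParserVerbose warning quoted in the question.
MAX_TIMESTAMP_LOOKAHEAD = 128

# Assumed props.conf-style settings for FortiGate key=value syslog; the thread
# does not show the real props.conf, so these are illustrative.
TIME_PREFIX = r"date="
TIME_FORMAT = "%Y-%m-%d time=%H:%M:%S"
# Regex equivalent of TIME_FORMAT, used to locate the text handed to strptime.
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} time=\d{2}:\d{2}:\d{2}")

def find_timestamp(event, time_prefix=TIME_PREFIX, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Search the way Splunk's lookahead does: the window starts right after the
    TIME_PREFIX match (offset 0 when there is no prefix) and is only `lookahead`
    characters long. Returns (datetime or None, reason)."""
    start = 0
    if time_prefix:
        m = re.search(time_prefix, event)
        if not m:
            return None, "TIME_PREFIX not found"
        start = m.end()
    hit = TIME_RE.search(event[start:start + lookahead])
    if not hit:
        return None, f"no timestamp within {lookahead} chars after offset {start}"
    return datetime.strptime(hit.group(0), TIME_FORMAT), "ok"

# Constructed sample lines (not from the page): a plain FortiGate event, the same
# event behind a long relay header, and a line carrying no FortiGate fields.
FGT_FIELDS = ('date=2018-07-10 time=04:56:02 devname="FGT-LAB" devid="FG-PLACEHOLDER" '
              'logid="0000000013" type="traffic" subtype="forward" level="notice"')
SAMPLE_EVENTS = [
    "<189>" + FGT_FIELDS,
    "<189>Jul 10 04:56:02 relay.example.internal fortigate-forwarder[4242]: "
    "relay_note=" + "x" * 90 + " " + FGT_FIELDS,
    "<189>Jul 10 04:56:03 relay.example.internal logrotate: rotating syslog.log",
]

def audit(events, time_prefix=TIME_PREFIX):
    """One (index, parsed_ok, reason) row per event, so lines that would make
    Splunk fall back to the previous event's timestamp are visible up front."""
    return [(i, ts is not None, why)
            for i, (ts, why) in enumerate(find_timestamp(e, time_prefix) for e in events)]

if __name__ == "__main__":
    for row in audit(SAMPLE_EVENTS):
        print("with TIME_PREFIX   ", row)
    for row in audit(SAMPLE_EVENTS, time_prefix=None):
        print("without TIME_PREFIX", row)
```

Without a TIME_PREFIX the relayed line fails because its date= field sits past the 128-character window, which is the situation the warning describes; with the prefix the window is re-anchored and the same line parses.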

vinod94
Contributor

Thank you!
