Splunk Fortigate application

jscott4t
New Member

Hello,

I am new to Splunk and saw the Splunk for Fortigate application and wanted to use it. I have installed Splunk and have configured a TCP port connection on a specified port. The readme says to use the sourcetype of fortigate. So I have added that in the GUI under Data inputs. Is there anything else I should be doing to get this working? Thanks

0 Karma

rbates20148
New Member

jscott4t;

Here's how I got the app to work using a FortiGate 3040B:

On the FG: Aim your syslogs at the Splunk indexer on a high port - I used 5012
On the Indexer: Configure a UDP Data input with:
"Source name override" = fortigate
"Set sourcetype" = manual
"Source type" = fortigate

I performed a splunk stop/clean eventdata/start and started immediately seeing FG traffic, and the app started to be able to see it also. Our FG is just in a test lab so it's not too chatty, but I am at least seeing data.

0 Karma

Drainy
Champion

Have you configured your fortigate appliances to forward the logs to the Splunk server? By default this is via UDP syslog on port 514.

0 Karma

jscott4t
New Member

@Drainy In my data inputs section I am using TCP port 1514. I did that because Splunk documentation suggests using TCP for a more reliable connection. I also have "Set sourcetype" set to manual and source type set to fortigate. Should I change back to UDP?

@MHibbin will try that and report back.

0 Karma

MHibbin
Influencer

Are you not seeing the desired results then?

You should check that Splunk is receiving the raw data (events). You can do this by searching for the sourcetype in the "Search" App, using the flashtimeline/search view... then type the following in the search bar (using the word "search" a lot, haha 🙂):

sourcetype=fortigate

You should see your raw data here (assuming you set-up the sourcetype when you set-up the TCP monitor). You should then confirm the results by navigating to the fortigate App.

If you are not receiving the events in Splunk, you can use some troubleshooting tools such as tcpdump on the receiving NIC and the relevant port. It may be that there is a network issue preventing the traffic flow.

Hope this helps, if you need more specific help... please update your question with more detail of the issue.

Regards,

MHibbin

0 Karma
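One way to test the receiving side independently of the FortiGate, as an added example that is not part of this thread or of the Splunk for Fortigate app: send a synthetic FortiGate-style syslog event to the input port (UDP as in rbates20148's setup, or TCP as in jscott4t's) and confirm it comes back out as key=value fields. The sample event is constructed; its key=value layout follows FortiGate's syslog format but every value is invented. The local receiver only stands in for the Splunk input so the script runs offline; pointing send_event() at the indexer's address and port generates a test event that the sourcetype=fortigate search should then show.

```python
"""Generate a FortiGate-style syslog event and verify the receive path.

Added example. SAMPLE_EVENT is constructed (invented values); the
key=value layout mirrors FortiGate traffic logs. The loopback receiver
is a stand-in for the Splunk UDP/TCP data input.
"""
import re
import socket

# Constructed FortiGate-style traffic log; values are invented.
SAMPLE_EVENT = (
    'date=2013-01-15 time=10:20:30 devname=FG3040B-lab devid=FG3K0B0000000001 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=root '
    'srcip=10.1.1.25 srcport=51234 srcintf="port1" dstip=192.0.2.10 dstport=443 '
    'dstintf="port2" proto=6 action=accept policyid=7 sentbyte=1200 rcvdbyte=5400'
)

# key=value pairs; values containing spaces are double-quoted by FortiGate.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line: str) -> dict:
    """Split one FortiGate event into a dict of fields.

    A leading syslog PRI header such as '<189>' and surrounding whitespace
    are dropped; quotes around values are stripped.
    """
    body = re.sub(r"^<\d{1,3}>", "", line.strip())
    fields = {}
    for key, val in KV_RE.findall(body):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def send_event(host: str, port: int, event: str, tcp: bool = False,
               pri: int = 189) -> int:
    """Send one syslog message to a Splunk-style network input.

    pri=189 is local7.notice (23*8 + 5); local7 is the FortiGate default
    facility. For TCP the event is newline-terminated, which is what a
    Splunk TCP input uses to break the stream into events.
    Returns the number of bytes handed to the socket.
    """
    payload = f"<{pri}>{event}".encode()
    if tcp:
        with socket.create_connection((host, port), timeout=2.0) as s:
            s.sendall(payload + b"\n")
            return len(payload) + 1
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))


def local_roundtrip(event: str = SAMPLE_EVENT, tcp: bool = False) -> dict:
    """Stand-in for the indexer's input: bind an ephemeral loopback port,
    send the event to it, read it back and parse it."""
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        if tcp:
            rx.listen(1)
            send_event("127.0.0.1", port, event, tcp=True)
            conn, _ = rx.accept()
            with conn:
                conn.settimeout(2.0)
                data = conn.recv(65535)
        else:
            send_event("127.0.0.1", port, event)
            data, _ = rx.recvfrom(65535)
    return parse_fortigate(data.decode())


if __name__ == "__main__":
    for proto in (False, True):
        fields = local_roundtrip(tcp=proto)
        print("tcp" if proto else "udp", fields["devname"], fields["action"])
```

If the loopback run works but the sourcetype=fortigate search stays empty after sending to the real indexer, the problem is between the FortiGate and the input (protocol or port mismatch, or the FortiGate not forwarding at all), which is where tcpdump on the indexer's port tells you whether anything arrives.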

jscott4t
New Member

No joy yet, search returned empty.

I have not set up any indexing, does that matter?

0 Karma