Solved: Splunk ES: TA-fortinet field extractions not worki...

hthiel · ‎01-08-2019

I tried to use the TA-fortinet, built-in in ES - for FortiGate logs send via FortiAnalyzer in syslog format.
But the field-extractions are not working, as the field-aliases in the add-on are ie. for the field "src", but in the log it is named "srcip".

Is there any other solution, than creating every field-alias manually?
Or should I use the FortiGate Add-on and not the built-in TA-fortinet?

I am using ES 5.2.2.

lakshman239 · ‎01-09-2019

We use Fortinet Fortigate add-on for Splunk (version 1.6.0) and have uninstalled TA-fortinet shipped with ES. We are on Splunk Core 7.1.3/ES 5.11 and CIM 4.11.0

So, you should be good to uninstall the TA-fortinet and install the appropriate version and validate them against your datamodels. Create alias/update extractions as needed, over and beyond what is needed (from add-ons)

View solution in original post

mikkorh · ‎01-18-2019

Lets spam this thread also, I have a bit related problem, with CIM 4.12.0, ES 5.2.1 and Splunk 7.2.3 and Fortigate add-on 1.6.0 the signature from IPS says "unknown" instead of real signature sent by device. Signatures are however visible in Fortigate App for Splunk in the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?

lakshman239 · ‎01-18-2019

check the data in the index and the field extractions via props.conf/transforms.conf and adjust/update them in your local/ folder to match your data. Its possible that not all data and the format required by the add-on is coming to splunk or an issue with the add-on itself.

asalimkumar · ‎10-30-2019

Did you got this issue resolved ?

malte_schroeder · ‎08-29-2019

The problem is that the field aliases don't seem to work in Splunk_TA_fortinet_fortigate. The original fields are properly extracted ("attack") but the alias doesn't appear ("signature").

maraman_splunk · ‎10-30-2019

have you tried changing the FIELDALIAS to use ASNEW (7.2.5 + needed) ?
see RN about field alias changes from 7.2

mikkorh · ‎02-13-2019

Solution - trash the Fortigate add-on 1.6.0 and go back to ES built-in TA-fortinet add-on. I don't know should I cry or laugh.

hthiel · ‎01-09-2019

Thanks for your answer!

Thats how it worked for me, too! So I am not using the built-in add-ons anymore, even though I am using the Splunk_TA-ForIndexers just for DA- / SA- from ES.

lakshman239 · ‎01-09-2019

We use Fortinet Fortigate add-on for Splunk (version 1.6.0) and have uninstalled TA-fortinet shipped with ES. We are on Splunk Core 7.1.3/ES 5.11 and CIM 4.11.0

So, you should be good to uninstall the TA-fortinet and install the appropriate version and validate them against your datamodels. Create alias/update extractions as needed, over and beyond what is needed (from add-ons)

Splunk ES: TA-fortinet field extractions not working because of wrong fieldnames in TA

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies