Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk ES: TA-fortinet field extractions not working because of wrong fieldnames in TA

hthiel
Explorer
‎01-08-2019 11:26 AM

I tried to use the TA-fortinet, built-in in ES - for FortiGate logs send via FortiAnalyzer in syslog format.
But the field-extractions are not working, as the field-aliases in the add-on are ie. for the field "src", but in the log it is named "srcip".

Is there any other solution, than creating every field-alias manually?
Or should I use the FortiGate Add-on and not the built-in TA-fortinet?

I am using ES 5.2.2.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lakshman239
SplunkTrust
SplunkTrust
‎01-09-2019 05:25 AM

We use Fortinet Fortigate add-on for Splunk (version 1.6.0) and have uninstalled TA-fortinet shipped with ES. We are on Splunk Core 7.1.3/ES 5.11 and CIM 4.11.0

So, you should be good to uninstall the TA-fortinet and install the appropriate version and validate them against your datamodels. Create alias/update extractions as needed, over and beyond what is needed (from add-ons)

View solution in original post

Reply
Solved! Jump to solution

mikkorh
Explorer
‎01-18-2019 02:47 AM

Lets spam this thread also, I have a bit related problem, with CIM 4.12.0, ES 5.2.1 and Splunk 7.2.3 and Fortigate add-on 1.6.0 the signature from IPS says "unknown" instead of real signature sent by device. Signatures are however visible in Fortigate App for Splunk in the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?

0 Karma
Reply
Solved! Jump to solution

lakshman239
SplunkTrust
SplunkTrust
‎01-18-2019 06:09 AM

check the data in the index and the field extractions via props.conf/transforms.conf and adjust/update them in your local/ folder to match your data. Its possible that not all data and the format required by the add-on is coming to splunk or an issue with the add-on itself.

0 Karma
Reply
Solved! Jump to solution

asalimkumar
New Member
‎10-30-2019 08:22 AM

Did you got this issue resolved ?

0 Karma
Reply
Solved! Jump to solution

malte_schroeder
Engager
‎08-29-2019 01:34 AM

The problem is that the field aliases don't seem to work in Splunk_TA_fortinet_fortigate. The original fields are properly extracted ("attack") but the alias doesn't appear ("signature").

0 Karma
Reply
Solved! Jump to solution

maraman_splunk
Splunk Employee
Splunk Employee
‎10-30-2019 08:28 AM

have you tried changing the FIELDALIAS to use ASNEW (7.2.5 + needed) ?
see RN about field alias changes from 7.2

0 Karma
Reply
Solved! Jump to solution

mikkorh
Explorer
‎02-13-2019 05:43 AM

Solution - trash the Fortigate add-on 1.6.0 and go back to ES built-in TA-fortinet add-on. I don't know should I cry or laugh.

0 Karma
Reply
Solved! Jump to solution

hthiel
Explorer
‎01-09-2019 05:28 AM

Thanks for your answer!

Thats how it worked for me, too! So I am not using the built-in add-ons anymore, even though I am using the Splunk_TA-ForIndexers just for DA- / SA- from ES.

0 Karma
Reply
Solved! Jump to solution
Solution

lakshman239
SplunkTrust
SplunkTrust
‎01-09-2019 05:25 AM

We use Fortinet Fortigate add-on for Splunk (version 1.6.0) and have uninstalled TA-fortinet shipped with ES. We are on Splunk Core 7.1.3/ES 5.11 and CIM 4.11.0

So, you should be good to uninstall the TA-fortinet and install the appropriate version and validate them against your datamodels. Create alias/update extractions as needed, over and beyond what is needed (from add-ons)

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...