Splunk Enterprise Security

Splunk ES: TA-fortinet field extractions not working because of wrong field names in TA

Explorer

I tried to use the TA-fortinet built into ES for FortiGate logs sent via FortiAnalyzer in syslog format.
But the field extractions are not working, as the field aliases in the add-on are, e.g., for the field "src", but in the log it is named "srcip".

Is there any other solution than creating every field alias manually?
Or should I use the FortiGate Add-on and not the built-in TA-fortinet?

I am using ES 5.2.2.

0 Karma
1 Solution

SplunkTrust

We use Fortinet Fortigate add-on for Splunk (version 1.6.0) and have uninstalled TA-fortinet shipped with ES. We are on Splunk Core 7.1.3/ES 5.11 and CIM 4.11.0

So, you should be good to uninstall the TA-fortinet, install the appropriate version, and validate it against your data models. Create aliases/update extractions as needed, over and beyond what the add-on provides.


Explorer

Let's spam this thread too; I have a somewhat related problem. With CIM 4.12.0, ES 5.2.1, Splunk 7.2.3 and FortiGate add-on 1.6.0, the signature from IPS says "unknown" instead of the real signature sent by the device. Signatures are, however, visible in the FortiGate App for Splunk on the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?

0 Karma

SplunkTrust

Check the data in the index and the field extractions via props.conf/transforms.conf, and adjust/update them in your local/ folder to match your data. It's possible that not all the data, or not the format required by the add-on, is coming into Splunk, or that it is an issue with the add-on itself.

0 Karma

New Member

Did you get this issue resolved?

0 Karma

The problem is that the field aliases don't seem to work in Splunk_TA_fortinet_fortigate. The original fields are properly extracted ("attack") but the alias doesn't appear ("signature").

0 Karma

Splunk Employee

Have you tried changing the FIELDALIAS to use ASNEW (7.2.5+ needed)?
See the release notes about the field alias changes in 7.2.

0 Karma
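A props.conf fragment that covers both the check suggested a few replies up (adjust the extractions in local/ to match your data) and the ASNEW suggestion just above. This is an added example, not from the original thread and not from either add-on. The sourcetype name fortigate_log, the class names, and the field pairs srcip to src, dstip to dest and attack to signature are assumptions taken from the thread; confirm them against your own events before using any of this.

```ini
# Added example, not part of the thread or of either add-on.
# Assumed location: $SPLUNK_HOME/etc/apps/<add-on>/local/props.conf
# (local/ overrides default/ and survives add-on upgrades; never edit default/).
# The sourcetype name below is an assumption; use the one your FortiAnalyzer
# syslog feed really carries. Check first with a search such as:
#   index=<fortinet_index> | head 5 | table _raw sourcetype srcip dstip attack
[fortigate_log]

# Aliases the thread says are missing: the raw FortiGate key=value fields are
# srcip/dstip/attack, the CIM data models want src/dest/signature. Several
# "<orig> AS <new>" pairs may share one class key, and the original fields
# stay searchable alongside the aliases.
FIELDALIAS-fgt_cim_network = srcip AS src dstip AS dest
FIELDALIAS-fgt_cim_ids = attack AS signature

# Splunk 7.2.5+ alternative from the reply above. ASNEW changes what happens
# when a field named like the target (here "signature") is already present in
# the event; the exact semantics are version-specific, so read the
# props.conf.spec shipped with your release before switching. Use this key
# instead of the plain AS form above if "signature" does not appear on 7.2.x.
# FIELDALIAS-fgt_cim_ids = attack ASNEW signature
```

After saving, confirm that the local/ copy is the one in effect with `$SPLUNK_HOME/bin/splunk btool props list fortigate_log --debug` (the file path is printed next to each key), then verify the alias on raw events with `index=<fortinet_index> sourcetype=fortigate_log attack=* | table attack signature` and at the data model layer with `| datamodel Intrusion_Detection IDS_Attacks search | stats count by signature`; a "signature" column full of "unknown" in the second search but populated in the first points at the model's own constraints or evals rather than at the alias.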

Explorer

Solution: trash the FortiGate add-on 1.6.0 and go back to the ES built-in TA-fortinet add-on. I don't know whether I should cry or laugh.

0 Karma

Explorer

Thanks for your answer!

That's how it worked for me, too! So I am not using the built-in add-ons anymore, even though I am using the Splunk_TA-ForIndexers just for the DA-/SA- apps from ES.

0 Karma

