Splunk Enterprise Security

Splunk ES: TA-fortinet field extractions not working because of wrong fieldnames in TA

hthiel
Explorer

I tried to use the TA-fortinet, built-in in ES, for FortiGate logs sent via FortiAnalyzer in syslog format.
But the field extractions are not working, as the field aliases in the add-on are, e.g., for the field "src", but in the log it is named "srcip".

Is there any other solution, than creating every field-alias manually?
Or should I use the FortiGate Add-on and not the built-in TA-fortinet?

I am using ES 5.2.2.

0 Karma
1 Solution

lakshman239
Influencer

We use Fortinet Fortigate add-on for Splunk (version 1.6.0) and have uninstalled TA-fortinet shipped with ES. We are on Splunk Core 7.1.3/ES 5.11 and CIM 4.11.0

So, you should be good to uninstall the TA-fortinet and install the appropriate version and validate them against your datamodels. Create alias/update extractions as needed, over and beyond what is needed (from add-ons)


mikkorh
Explorer

Let's spam this thread also. I have a somewhat related problem: with CIM 4.12.0, ES 5.2.1, Splunk 7.2.3 and Fortigate add-on 1.6.0, the signature from IPS says "unknown" instead of the real signature sent by the device. Signatures are, however, visible in the Fortigate App for Splunk on the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?

0 Karma

lakshman239
Influencer

Check the data in the index and the field extractions via props.conf/transforms.conf and adjust/update them in your local/ folder to match your data. It's possible that not all the data, in the format required by the add-on, is coming to Splunk, or that there is an issue with the add-on itself.

0 Karma

asalimkumar
New Member

Did you get this issue resolved?

0 Karma

malte_schroeder
Engager

The problem is that the field aliases don't seem to work in Splunk_TA_fortinet_fortigate. The original fields are properly extracted ("attack") but the alias doesn't appear ("signature").

0 Karma

maraman_splunk
Splunk Employee

Have you tried changing the FIELDALIAS to use ASNEW (7.2.5+ needed)?
See the RN about field alias changes from 7.2.

0 Karma
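The alias rewrite suggested above, as a props.conf fragment added here for illustration (not from any post in this thread and not the add-on's own configuration). The file path, the sourcetype stanza name and the alias class names are assumptions; the FortiGate field names (srcip, dstip, attack) and the CIM targets (src, dest, signature) are the ones discussed in the thread.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf
# Overrides in local/ survive add-on upgrades; default/ does not.

# Placeholder stanza name: use the sourcetype your FortiGate syslog data is
# actually indexed as (check with: | metadata type=sourcetypes index=<your_index>).
[fortigate_syslog_sourcetype]

# Pre-7.2 style alias. Since the 7.2 field-alias behaviour change, "AS" does
# not overwrite a target field that already exists in the event, so if
# "signature" is already populated (e.g. with "unknown") the alias is skipped.
# FIELDALIAS-fgt_signature = attack AS signature

# 7.2.5+ style: ASNEW makes the alias overwrite an existing target field.
FIELDALIAS-fgt_signature = attack ASNEW signature

# CIM Network_Traffic fields that the thread's logs carry under FortiGate names.
FIELDALIAS-fgt_src  = srcip ASNEW src
FIELDALIAS-fgt_dest = dstip ASNEW dest
```

After restarting (or reloading props via the debug refresh endpoint), validate with a search such as `sourcetype=<your_sourcetype> | stats count by src dest signature` and then check the relevant CIM data model for coverage.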

mikkorh
Explorer

Solution: trash the Fortigate add-on 1.6.0 and go back to the ES built-in TA-fortinet add-on. I don't know whether I should cry or laugh.

0 Karma

hthiel
Explorer

Thanks for your answer!

That's how it worked for me, too! So I am not using the built-in add-ons anymore, even though I am using the Splunk_TA-ForIndexers just for the DA- / SA- from ES.

0 Karma
