I tried to use the TA-fortinet built into ES for FortiGate logs sent via FortiAnalyzer in syslog format.
But the field extractions are not working, as the field aliases in the add-on are e.g. for the field "src", but in the log it is named "srcip".
Is there any other solution than creating every field alias manually?
Or should I use the FortiGate Add-on and not the built-in TA-fortinet?
I am using ES 5.2.2.
We use the Fortinet FortiGate add-on for Splunk (version 1.6.0) and have uninstalled the TA-fortinet shipped with ES. We are on Splunk Core 7.1.3/ES 5.11 and CIM 4.11.0.
So you should be good to uninstall the TA-fortinet, install the appropriate version and validate it against your data models. Create aliases/update extractions as needed, over and beyond what comes from the add-ons.
Let's spam this thread too; I have a somewhat related problem. With CIM 4.12.0, ES 5.2.1, Splunk 7.2.3 and FortiGate add-on 1.6.0, the signature from IPS says "unknown" instead of the real signature sent by the device. Signatures are, however, visible in the FortiGate App for Splunk on the same Splunk instance. I can't seem to pinpoint where this gets broken. 😕 Any advice?
Check the data in the index and the field extractions via props.conf/transforms.conf and adjust/update them in your local/ folder to match your data. It's possible that not all data, in the format required by the add-on, is coming to Splunk, or that there is an issue with the add-on itself.
Did you get this issue resolved?
The problem is that the field aliases don't seem to work in Splunk_TA_fortinet_fortigate. The original fields are properly extracted ("attack"), but the alias doesn't appear ("signature").
Have you tried changing the FIELDALIAS to use ASNEW (7.2.5+ needed)?
See the release notes about the field alias changes from 7.2.
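As an added illustration of the ASNEW suggestion above (this is not from the thread or from either add-on), a props.conf stanza placed in an app's local/ directory that aliases the two FortiGate field names discussed in this thread; the sourcetype name is a placeholder and must be replaced with the sourcetype your FortiGate syslog events actually carry:

```conf
# Placeholder stanza name: replace with the real sourcetype of your FortiGate events
[fortigate_sourcetype_placeholder]

# Plain AS: populate "src" from "srcip"; an existing value of the target field is left in place
FIELDALIAS-fgt_src = srcip AS src

# ASNEW (Splunk 7.2+): let the alias overwrite the target field even if it already
# has a value, which is what the reply above suggests trying when "signature" stays empty
FIELDALIAS-fgt_signature = attack ASNEW signature
```

After the change, check that the aliased fields show up in a search over the index and validate them against the CIM data models, as recommended earlier in the thread.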
Solution: trash the FortiGate add-on 1.6.0 and go back to the ES built-in TA-fortinet add-on. I don't know whether I should cry or laugh.
Thanks for your answer!
That's how it worked for me, too! So I am not using the built-in add-ons anymore, even though I am using Splunk_TA-ForIndexers just for the DA-/SA- apps from ES.