- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Using the Fortinet FortiGate App for Splunk on...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using the Fortinet FortiGate App for Splunk on Splunk Cloud with Enterprise Security, how to get the Fortinet Dashboard to show events?
Enterprise Security demands the sourcetype be "fortinet", but the App has all the macros and everything set to look for "fgt_logs".
Being a bit of a Splunk noob, how do I go about getting the Fortinet Dashboard to see the sourcetype as "fortinet" on Splunk Cloud? Can I do it myself, or do I need to put in a ticket? What do I need to ask be done?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you installed the add-on for the app? The app and add-on need to work together
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, both the App and the TA have been installed on the search head.
Fortinet FortiGate App for Splunk v1.4
Fortinet Fortigate Add-on for Splunk v1.4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add-on on indexer too?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Per the ticket "Cloud Ops has confirmed the TA has been installed on Indexers too".
Unfortunately, this being the Cloud Splunk, I don't have access to the Indexers to verify myself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TA is the key to app functionality. It will translate fgt_log to other source types needed by the dashboards. The symptoms you are seeing is usually caused by TA not reading the input source type or not recognized by the regex. Curious devname and devid is chopped off by your self before posted here or was like that from syslog?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Heh, I put bracket - redacted- bracket but It looks like it tried to interpret it as HTML.
Should I ask Cloud Ops to reinstall the TA on the indexers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i see nowhere enterprise security demands sourcetype fortinet. the fortigate add-on , if installed, will translate fortigate indexes to CIM model. You don't need to do anything for Enterprise security youself.
fgt_logs is an intermediate sourcetype for internal use and you don't need to worry about it.
Please notice that you need to set fortigate log input as sourcetype fgt_log, as mentioned in the document here:
https://splunkbase.splunk.com/app/2800/#/details
Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fgt_log'.
If you want to configure it to extract a self-defined sourcetype, copy the props.conf
in $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the source stanza.
replace [fgt_log] with [fortigate], for instance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help. A consultant told me it had to stay as "fortinet" but it sounds like he was mistaken.
I've changed the sourcetype to be the expected "fgt_log" now, and confirmed new events are coming in with that sourcetype, yet still the dashboards are not populating any data. Know where I should go from here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
please refer to the troubleshooting section of the documentation.
first look at the search and reporting to check if the logs are correctly indexed under corresponding sourcetypes: fgt_traffic, fgt_event or fgt_utm. If so, you are good and just need some patience to wait for the datamodel to be accelerated. check FOS datamodel's process under settings->datamodels.
Please let me if it still doesn't work after you followed documentation and troubleshooting section.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help Jerry.
Still no luck.
We're having logs come in via syslog-ng, writing them to disk, and having Splunk monitor the directory for Fortigate logs.
Last night I manually changed the sourcetype from "fortinet" to "fgt_log".
This morning searching for "index=fortigate |stats count by sourcetype" I only get a result of fgt_log.
Here is an example log if it helps:
Oct 20 09:53:36 10.x.x.x date=2016-10-20 time=16:53:36 devname= devid=FG logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=10.y.y.y srcport=53087 srcintf="Voice" dstip=255.255.255.255 dstport=43440 dstintf="root" sessionid=5039602 status=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=43440/udp proto=17 app=43440/udp duration=0 sentbyte=0 rcvdbyte=0
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
