Splunk Enterprise Security

Using the Fortinet FortiGate App for Splunk on Splunk Cloud with Enterprise Security, how to get the Fortinet Dashboard to show events?

joecooper84
Explorer

Enterprise Security demands the sourcetype be "fortinet", but the App has all the macros and everything set to look for "fgt_logs".
Being a bit of a Splunk noob, how do I go about getting the Fortinet Dashboard to see the sourcetype as "fortinet" on Splunk Cloud? Can I do it myself, or do I need to put in a ticket? What do I need to ask be done?

0 Karma

jerryzhao
Contributor

Have you installed the add-on for the app? The app and add-on need to work together

0 Karma

joecooper84
Explorer

Yes, both the App and the TA have been installed on the search head.
Fortinet FortiGate App for Splunk v1.4
Fortinet Fortigate Add-on for Splunk v1.4

0 Karma

jerryzhao
Contributor

Add-on on indexer too?

0 Karma

joecooper84
Explorer

Per the ticket "Cloud Ops has confirmed the TA has been installed on Indexers too".
Unfortunately, this being the Cloud Splunk, I don't have access to the Indexers to verify myself.

0 Karma

jerryzhao
Contributor

TA is the key to app functionality. It will translate fgt_log to other source types needed by the dashboards. The symptoms you are seeing is usually caused by TA not reading the input source type or not recognized by the regex. Curious devname and devid is chopped off by your self before posted here or was like that from syslog?

0 Karma

joecooper84
Explorer

Heh, I put bracket - redacted- bracket but It looks like it tried to interpret it as HTML.

Should I ask Cloud Ops to reinstall the TA on the indexers?

0 Karma

jerryzhao
Contributor

i see nowhere enterprise security demands sourcetype fortinet. the fortigate add-on , if installed, will translate fortigate indexes to CIM model. You don't need to do anything for Enterprise security youself.
fgt_logs is an intermediate sourcetype for internal use and you don't need to worry about it.

Please notice that you need to set fortigate log input as sourcetype fgt_log, as mentioned in the document here:
https://splunkbase.splunk.com/app/2800/#/details
Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fgt_log'.
If you want to configure it to extract a self-defined sourcetype, copy the props.conf
in $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the source stanza.
replace [fgt_log] with [fortigate], for instance.

0 Karma

joecooper84
Explorer

Thank you for your help. A consultant told me it had to stay as "fortinet" but it sounds like he was mistaken.
I've changed the sourcetype to be the expected "fgt_log" now, and confirmed new events are coming in with that sourcetype, yet still the dashboards are not populating any data. Know where I should go from here?

0 Karma

jerryzhao
Contributor

please refer to the troubleshooting section of the documentation.
first look at the search and reporting to check if the logs are correctly indexed under corresponding sourcetypes: fgt_traffic, fgt_event or fgt_utm. If so, you are good and just need some patience to wait for the datamodel to be accelerated. check FOS datamodel's process under settings->datamodels.

Please let me if it still doesn't work after you followed documentation and troubleshooting section.

0 Karma

joecooper84
Explorer

Thanks for your help Jerry.
Still no luck.
We're having logs come in via syslog-ng, writing them to disk, and having Splunk monitor the directory for Fortigate logs.
Last night I manually changed the sourcetype from "fortinet" to "fgt_log".
This morning searching for "index=fortigate |stats count by sourcetype" I only get a result of fgt_log.

Here is an example log if it helps:

Oct 20 09:53:36 10.x.x.x date=2016-10-20 time=16:53:36 devname= devid=FG logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=10.y.y.y srcport=53087 srcintf="Voice" dstip=255.255.255.255 dstport=43440 dstintf="root" sessionid=5039602 status=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=43440/udp proto=17 app=43440/udp duration=0 sentbyte=0 rcvdbyte=0
0 Karma