Splunk ES includes TA-fortinet 4.7.1.
Fortinet maintains Splunk_TA_fortinet_fortigate, currently at v1.5, whose revision history explicitly references RegEx updates to support FortiOS 5.6 changes.
Has anyone got experience with these two and found a strong reason to use one rather than the other?
Thanks for the quick response Jerry.
We're syslogging the data then using a forwarder to monitor the logs. Do we just tell Splunk to use the single fgt_log sourcetype for the logs?
When I uploaded some sample data and told Splunk it was fgt_log it magically seemed to classify most of the events as fgt_traffic, some as fgt_utm etc.
Hey Jerry. We've now got this TA installed and are sending our FortiGate data - via syslog-ng - to Splunk. We're telling the forwarder the sourcetype is fgt_log - and all the events are treated as such, and thus not getting tagged as firewall, attack.
Should we blindly use fgt_traffic for all the stuff syslogged from a FortiGate appliance, or is there something more clever we should be doing?
You can do that, but it's not advised, unless graphs by fgt_traffic are all you care about.
They should be tagged with fgt_traffic, fgt_utm, fgt_event... once the regexes match them to those categories. You said that when you uploaded a sample log they were correctly tagged, but not with your FortiGate logs? Can you send me one FortiGate log entry to show me the format?
I noticed that the release notes for the TA state that 'From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data', that fgt_log is used by default - and that it's up to the customer if they want to use props/transforms in the /local folder to split the sourcetypes.
I can see that the /default/transforms.conf has some [force_sourcetype*] stanzas that aren't referenced in props.conf - presumably corresponding to the change mentioned above?
My customer's data shows that they have events of 'type' traffic (98%), utm (1.5%) and event, and the data looks like it would match the regexes in transforms if they were active.
If I export one event of each type as raw, then re-import it by uploading a file and specifying fgt_log as the sourcetype, the sourcetype transformations apply.
This is the same data that - when forwarded to Splunk with sourcetype fgt_log, by an inputs.conf monitoring a syslog-ng folder - just ends up with sourcetype fgt_log.
Sample data, redacted, here: https://pastebin.com/GhxL4UnF
All very confusing!
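For reference, this is what a /local override that splits fgt_log by the type field would look like. It is an added example, not the TA's own default config; the stanza names are hypothetical, and the regexes assume the key-value form type=traffic / type=utm / type=event seen in the data above.

```ini
# local/props.conf (example; not the TA's own default stanza)
# Run the three sourcetype-rewriting transforms against everything
# the forwarder sends in as fgt_log.
[fgt_log]
TRANSFORMS-split_fgt = fgt_split_traffic, fgt_split_utm, fgt_split_event

# local/transforms.conf (example; stanza names are hypothetical)
# Each stanza matches the type=... key-value pair at a field boundary
# (start of line or whitespace) and rewrites the event's sourcetype.
[fgt_split_traffic]
REGEX = (?:^|\s)type="?traffic"?(?:\s|$)
FORMAT = sourcetype::fgt_traffic
DEST_KEY = MetaData:Sourcetype

[fgt_split_utm]
REGEX = (?:^|\s)type="?utm"?(?:\s|$)
FORMAT = sourcetype::fgt_utm
DEST_KEY = MetaData:Sourcetype

[fgt_split_event]
REGEX = (?:^|\s)type="?event"?(?:\s|$)
FORMAT = sourcetype::fgt_event
DEST_KEY = MetaData:Sourcetype
```

These are index-time transforms, so they only take effect on the instance that parses the data (an indexer or heavy forwarder), not on a universal forwarder or on a search head alone; a file uploaded through the web UI is parsed on that instance, which is one way the upload path and the forwarder path can behave differently.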
Another question Jerry, do you know why the ftnt_fgt_virus event type tags events with the 'operations' tag? It means they get picked up by the ES malware operations lookup gen and written to the malware operations tracker, for no good reason - as far as I can tell, and they therefore contribute to some of the Key Indicator searches relating to # malware clients, # clients updating signatures etc.
That event type looks for sourcetype=fgt_utm subtype=virus vendor_action!=analytics.
I think that was intended for the CIM model so our data can be shown in ES dashboards. As to whether it is relevant or not, could you show me what the specific problem is? Maybe a screenshot will help me identify the issue.
There's a saved search in ES that populates the malware_operations_tracker lookup based on those events matching the malware and operations tags - which includes some of the FortiGate events, based on your TA.
That tracker is used to populate key indicators like 'Malware - Old Malware Definitions' i.e. clients that haven't checked in and updated in a while.
To be honest, I've forgotten why this seemed like a problem - maybe it seemed more significant because our AV solution (Sophos Central) wasn't populating the malware ops tracker but the FortiGates were.
Ignore this one for now!