Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search commands to monitor Forinet Firewalls ?

TheWiszard
Engager
4 weeks ago

Hi Guys,

 

Has anyone done a search were you can monitor the CPU on the Fortinet Firewalls? Its on the App but doesn't seem to work?

 

Cheers

Ahmed

Labels (1)
Labels
0 Karma
Reply

TheWiszard
Engager
4 weeks ago

Hi Picklerick, 

So the Forti app has a n event dashboard to view the CPU and Memory:

TheWiszard_0-1725372511315.png

But when you open the search you get no results:

|tstats summariesonly=true last(log.system_event.system.cpu) AS cpus FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" log.devname="*" log.vendor_action=perf-stats groupby _time log.devname | timechart values(cpus) by log.devname

 

New to Splunk so just wondering if there is something here i need to mod...

 

cheers

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
4 weeks ago

OK. This is a search from a particular accelerated datamodel. So for this to work three things must be configured properly.

1) You must be getting proper logs from the firewall.

2) You must have the datamodel configured properly (I suppose you either have to ingest firewall data to a specific index or have to reconfigure the datamodel to cover the index you're ingesting your fw events into).

3) And finally you must have datamodel acceleration enabled for that datamodel.

So these are three things that must happen before that dashboard can be populated with results.

BTW, you pointed to a SOAR app as relevant products for this thread. I suppose you meant the Fortinet FortiGate App - https://splunkbase.splunk.com/app/2800 - it does have a description section which seems to tell how to configure it (but I'd be cautious about the instructions for both this app and an accompanying add-on because it's a third-party add-on and vendors don't always know Splunk well and some of their ideas can be far from the best practice).

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
4 weeks ago

1. You don't "monitor the CPU" with Splunk as in "use search to interactively connect to the device and check its parameters". You can search the data that has been ingested prior to search. So...

2. Do you have any data fron your firewall ingested? Do you know where it is? Can you search it at all? Do you know _what_ data is ingested from the firewall?

3. What does "doesn't seem to work" mean? What are you doing (especially - what search are you running) and what are the results?

Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...