The TA is the key to app functionality. It will translate fgt_log to the other sourcetypes needed by the dashboards. The symptoms you are seeing are usually caused by the TA not reading the input sourcetype, or by the logs not being recognized by the regex. Curious whether devname and devid were chopped off by yourself before posting here, or were like that from syslog?
Please refer to the troubleshooting section of the documentation.
First, look in Search & Reporting to check whether the logs are correctly indexed under the corresponding sourcetypes: fgt_traffic, fgt_event or fgt_utm. If so, you are good and just need some patience while the data model is accelerated. Check the FOS data model's progress under Settings -> Data Models.
Please let me know if it still doesn't work after you have followed the documentation and the troubleshooting section.
I see nowhere that Enterprise Security demands sourcetype fortinet. The FortiGate add-on, if installed, will translate FortiGate indexes to the CIM model. You don't need to do anything for Enterprise Security yourself.
fgt_logs is an intermediate sourcetype for internal use, and you don't need to worry about it.
Please note that you need to set the FortiGate log input as sourcetype fgt_log, as mentioned in the document here:
https://splunkbase.splunk.com/app/2800/#/details
Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fgt_log'.
If you want to configure it to extract a self-defined sourcetype, copy the props.conf
in $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the source stanza.
replace [fgt_log] with [fortigate], for instance.
We are optimizing the data model to make acceleration faster and will update it in a future release. If you have something worth sharing and would like to share, please do. Thanks.
Several hours' delay would be normal, depending on the log volume per second and your hardware resources.
The UTM dashboard, as well as the other dashboards except the overview dashboard, is not intended for real time; its graphs depend on the data model acceleration to show up.
They should be under type=event and subtype=user.
Can you do a search in the Search & Reporting app with the query string fgt_auth and see if there is any result about logon?
It may not show up immediately on the UTM dashboard as the log enters. Can you check the status of the data model acceleration? If it is 100%, you should be able to see data on the dashboard. Also remember to set the time range to include the time when the UTM log was generated.
We also used EICAR test files to test UTM logs, so I am sure it will be reflected on the threat dashboard.
What is the progress of the data model acceleration? There are also certain criteria that need to be met to display a UTM event as a threat. Have you tried increasing the time range?
Sessions transferred over time is a real-time chart, so the time on the FortiGate needs to be in sync; otherwise, the reported logs won't fall in the watch window. Then, there need to be logs with sourcetype=fgt_traffic for that device.
Could you elaborate on which panel you stopped seeing data in?
Can you search the latest data in the Search & Reporting app with the query string sourcetype=fgt_traffic, sourcetype=fgt_event, or sourcetype=fgt_utm?
Hi Guilhem,
I have confirmed the issue and we are looking for a solution. It is more of a Splunk bug, because local is supposed to override default.
In the meantime, could you tell us how the add-on will conflict with your other data, since the add-on uses a regex to filter out the FortiGate logs to process?
Thanks!
If we are in the context of the Fortinet official app and add-on, then read on:
You should be able to see logs in the Search & Reporting app at least, if you created the input for port 515 correctly.
How did you search in Search & Reporting? With host="$fortigate_ip_address"? What index did you use for the input on 515, or none? If none, it should default to main, which can be monitored by the admin user. If another index is used, you need to add it for admin to see by default:
http://$splunk_ip:8000/en-US/manager/search/authorization/roles/admin?action=edit&uri=%2FservicesNS%2F-%2Fsearch%2Fauthorization%2Froles%2Fadmin
Also make sure iptables is not in the way of Splunk receiving UDP traffic on port 515.
For UDP input, you don't really need much more configuration for it to work besides those covered in the documentation.
Hi flgrh,
Because you are using syslog-ng's log file as input and tag the logs with sourcetype fgt_logs or fortigate, please add [fgt_logs] or [fortigate] in between:
[source::*]
#[source::udp:514]
[fgt_logs]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
Root causes are case by case, although the effect might look the same. In your case, mshumate, it is because of a bug in the REGEX, as you mentioned: it should have allowed for both FG and FW so that FortiWiFi products can be processed as well.
As for the dependency on the add-on, it has been stated in STEP 1 of this documentation, so maybe you missed that. https://splunkbase.splunk.com/app/2800/#/documentation
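The routing the thread keeps coming back to (a raw input sourcetype such as fgt_log or fortigate being forced to fgt_traffic, fgt_utm or fgt_event by a regex, and the FG-only device-ID bug described in the post above) is easier to reason about as a small classifier. The following Python is an added illustration, not code from the add-on or from the poster; the add-on's real transforms.conf regexes are not on this page, so the two devid patterns and the constructed sample log lines below are assumptions modelled on the behaviour the thread describes.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample lines in FortiGate key=value syslog form (not taken from the page).
SAMPLE_LOGS = [
    'date=2020-01-01 time=12:00:00 devname="fgt-edge" devid="FGT60E0000000001" '
    'type="traffic" subtype="forward" srcip=10.0.0.5 dstip=93.184.216.34 action="accept"',
    'date=2020-01-01 time=12:00:01 devname="fgt-edge" devid="FGT60E0000000001" '
    'type="utm" subtype="virus" action="blocked" virus="EICAR_TEST_FILE"',
    'date=2020-01-01 time=12:00:02 devname="fgt-edge" devid="FGT60E0000000001" '
    'type="event" subtype="user" action="login" user="admin" status="success"',
    # FortiWiFi unit: serial starts with FW, not FG.
    'date=2020-01-01 time=12:00:03 devname="fwf-branch" devid="FWF60E0000000002" '
    'type="traffic" subtype="forward" action="deny"',
    # devname/devid stripped upstream (the symptom asked about in the first reply).
    'date=2020-01-01 time=12:00:04 type="traffic" subtype="forward" action="accept"',
]

# Target sourcetypes named in the thread, keyed by the FortiGate "type" field.
TARGET_SOURCETYPE = {"traffic": "fgt_traffic", "utm": "fgt_utm", "event": "fgt_event"}

# Assumed device check as the buggy release would have had it: only FG... serials pass.
DEVID_FG_ONLY = re.compile(r'devid="?(FG[A-Z0-9]+)"?')
# Assumed fixed check: both FortiGate (FG) and FortiWiFi (FW) serials pass.
DEVID_FG_OR_FW = re.compile(r'devid="?(F[GW][A-Z0-9]+)"?')
# \b keeps this from matching inside "subtype=".
TYPE_FIELD = re.compile(r'\btype="?([a-z]+)"?')


def classify(line: str, devid_re: re.Pattern = DEVID_FG_OR_FW) -> Optional[str]:
    """Return the sourcetype the line would be forced to, or None if no rule matches.

    None means the event keeps its input sourcetype (fgt_log, fortigate, ...), which is
    exactly the case where the dashboards stay empty even though the data is indexed.
    """
    if not devid_re.search(line):
        return None
    m = TYPE_FIELD.search(line)
    if not m:
        return None
    return TARGET_SOURCETYPE.get(m.group(1))


def route(lines: Iterable[str], devid_re: re.Pattern = DEVID_FG_OR_FW) -> Dict[str, int]:
    """Tally where each line would land; 'unmatched' lines never reach the data model."""
    counts: Dict[str, int] = {}
    for line in lines:
        key = classify(line, devid_re) or "unmatched"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print("FG-only regex :", route(SAMPLE_LOGS, DEVID_FG_ONLY))
    print("FG|FW regex   :", route(SAMPLE_LOGS, DEVID_FG_OR_FW))
```

Run against the constructed lines, the FG-only pattern leaves two events unmatched (the FortiWiFi line and the line with no devid), while the widened pattern still cannot rescue the line whose devid was stripped upstream; that is the distinction between a TA regex bug and a log-forwarding problem that the replies in this thread keep asking posters to check in Search & Reporting before looking at the data model.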
From the information you provided, props.conf specifically, I suspect you are not using Fortinet's official app + add-on.
https://splunkbase.splunk.com/app/2800/
props.conf
[source::udp:514]
[fortios5]
TRANSFORMS-sourcetype_fortios5 = fortios5_virus, fortios5_ips, fortios5_app-ctrl, fortios5_webfilter, fortios5_traffic, fortios5_sslvpn, fortios5_event_wireless, f$
SHOULD_LINEMERGE = false
Or did you modify those lines yourself?
Do you have the FortiGate constantly reporting logs to Splunk, or historic logs?
Since the record you posted is way back in history, could you change the acceleration period from the default 1 day to a longer period that covers the log's date?
It is all defined by yourself. In the original question it was 'fortigate', but you can define yours and our add-on can transform it to those sourcetypes (fgt_traffic, fgt_event, ...), which the app can process later.
Just add whatever sourcetype you defined to props.conf to let the add-on know the original sourcetype for FortiGate logs, as I suggested in my answer to the OP.
We don't support logs from versions lower than 5.0; they are not verified.
fgt_system is a sourcetype renamed from your input sourcetype if a regex for system logs matches your input log. fortigate is your source input sourcetype.
We don't support the fortios5 app.
The first dashboard is the overall dashboard for real-time data, with a look-back window of 15 minutes, so if there is no data in the past 15 minutes, you will see nothing.
The rest of the dashboards are for historical data.
After the modification, could you try searching for fgt_system in Search and Reporting? If nothing, try searching for fortigate and post a screen capture of the result for me to investigate. Just by word description it is hard for me.
Could you try adding a sourcetype stanza header in props.conf of the FortiGate add-on or TA?
The directory is /opt/splunk/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf
[source::*]
[fortigate]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false
Did you install the add-on?
Could you show me what your input config looks like, and a screenshot of the logs you are seeing in search?
What FortiGate app and add-on versions are you using?