Currently, we are testing our FortiGate for sending UTM logs and they are being distributed with their corresponding sourcetype (fgt_utm) and everything, but the issue is that they are not being reflected on the Fortinet FortiGate App for Splunk. We tried downloading infected test files from eicar.org and other websites; they are reaching Splunk (we can search the events), but there is no sign of them in the app.
For troubleshooting, I ran the "diagnose log test" cmd on the FortiGate, and these are the only logs that I can see in the app; the ones generated by this cmd. Also, I checked on the version (for compatibility) and the visibility, on Splunk, of the Fortinet FortiGate Add-on for Splunk, and everything is how it is supposed to be.
Any ideas on why this is happening? Thanks!