Hi,
As this add-on does the data preprocessing for the Fortigate App, I think the problem is found here.
My setup:
Syslog-ng takes everything from syslog port and writes the logs into separate files on disk (per device). Splunk is configured to read them.
The problem is that I have no data in the app. If I change the sourcetype to "fgt_traffic" it works, but then I'll miss UTM and normal events as everything is interpreted as traffic. If I set sourcetype to "fgt_logs" or "fortigate" I have no data again.
I added a SOURCE_KEY statement to the transform entries (I read about them somewhere here) but it didn't change anything. I checked the regex with regex101 and my logs and they match correctly.
Any ideas what I'm doing wrong?
Many thanks,
Ronald
part of props.conf
[source::*]
#[source::udp:514]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false
part of transforms.conf
##sourcetype
[force_sourcetype_fgt_traffic]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = date=.+time=.+devid=FG.+type=traffic
FORMAT = sourcetype::fgt_traffic
[force_sourcetype_fgt_utm]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = date=.+time=.+devid=FG.+type=utm
FORMAT = sourcetype::fgt_utm
[force_sourcetype_fgt_event]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = date=.+time=.+devid=FG.+type=event
FORMAT = sourcetype::fgt_event
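Added example, not part of the original post: a small simulation of how Splunk evaluates a TRANSFORMS class whose DEST_KEY is MetaData:Sourcetype. Splunk runs each transform's REGEX against the field named by SOURCE_KEY, which defaults to _raw (the event text) when the setting is omitted. Setting SOURCE_KEY = MetaData:Sourcetype, as in the transforms above, makes the regex run against the current sourcetype string instead of the log line, so none of the three patterns can ever match. The sample log lines, device id and the simplified matching model are constructed assumptions for illustration.

```python
import re

# Constructed sample FortiGate-style lines (not taken from the original post).
SAMPLE_EVENTS = [
    'date=2024-01-01 time=12:00:00 devname="fw1" devid=FG100ETESTDEVID type=traffic subtype=forward action=accept',
    'date=2024-01-01 time=12:00:01 devname="fw1" devid=FG100ETESTDEVID type=utm subtype=virus action=blocked',
    'date=2024-01-01 time=12:00:02 devname="fw1" devid=FG100ETESTDEVID type=event subtype=system action=login',
]

# The SOURCE_KEY used in the posted transforms.conf, and Splunk's default.
POSTED_SOURCE_KEY = "MetaData:Sourcetype"
DEFAULT_SOURCE_KEY = "_raw"


def build_transforms(source_key):
    """The three transforms from the post, parameterised only by SOURCE_KEY."""
    return [
        {"name": "force_sourcetype_fgt_traffic", "SOURCE_KEY": source_key,
         "REGEX": r"date=.+time=.+devid=FG.+type=traffic", "FORMAT": "sourcetype::fgt_traffic"},
        {"name": "force_sourcetype_fgt_utm", "SOURCE_KEY": source_key,
         "REGEX": r"date=.+time=.+devid=FG.+type=utm", "FORMAT": "sourcetype::fgt_utm"},
        {"name": "force_sourcetype_fgt_event", "SOURCE_KEY": source_key,
         "REGEX": r"date=.+time=.+devid=FG.+type=event", "FORMAT": "sourcetype::fgt_event"},
    ]


def apply_transforms(event, initial_sourcetype, transforms):
    """Simplified model of Splunk's per-event TRANSFORMS evaluation.

    Transforms run in the order listed; each one whose REGEX matches the
    field named by its SOURCE_KEY overwrites the sourcetype with the value
    after 'sourcetype::' in FORMAT. Non-matching transforms change nothing.
    """
    meta = {"_raw": event, "MetaData:Sourcetype": initial_sourcetype}
    for t in transforms:
        subject = meta[t["SOURCE_KEY"]]          # what the regex is actually run against
        if re.search(t["REGEX"], subject):
            meta["MetaData:Sourcetype"] = t["FORMAT"].split("::", 1)[1]
    return meta["MetaData:Sourcetype"]


def classify_all(events, initial_sourcetype, source_key):
    """Return the resulting sourcetype for every event under a given SOURCE_KEY."""
    transforms = build_transforms(source_key)
    return [apply_transforms(e, initial_sourcetype, transforms) for e in events]


if __name__ == "__main__":
    # Inputs arrive with the sourcetype set in inputs.conf, e.g. "fortigate".
    print("SOURCE_KEY = MetaData:Sourcetype ->", classify_all(SAMPLE_EVENTS, "fortigate", POSTED_SOURCE_KEY))
    print("SOURCE_KEY = _raw (default)      ->", classify_all(SAMPLE_EVENTS, "fortigate", DEFAULT_SOURCE_KEY))
```

Run against the constructed lines, the posted setting leaves every event at its initial sourcetype because the regex is matched against the string "fortigate", while the default SOURCE_KEY routes the three lines to fgt_traffic, fgt_utm and fgt_event. One further point worth checking when the regexes are fixed: `.+type=` is unanchored, so it would also accept a `subtype=` key whose value happened to match; anchoring on a preceding space (` type=`) keeps the match on the intended field.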