Splunk Enterprise Security

Which TA should I use for FortiGate?

gf13579
Communicator

Splunk ES includes TA-fortinet 4.7.1.

Fortinet maintains Splunk_TA_fortinet_fortigate, currently at v1.5, whose revision history explicitly references RegEx updates to support FortiOS 5.6 changes.

Has anyone got experience with these two and found a strong reason to use one rather than the other?

1 Solution

jerryzhao
Contributor

I advise you to use Splunk_TA_fortinet_fortigate, whether you use ES or our app.
If you use our app, the TA is a must.


gf13579
Communicator

Thanks for the quick response Jerry.

We're syslogging the data then using a forwarder to monitor the logs. Do we just tell Splunk to use the single fgt_log sourcetype for the logs?

When I uploaded some sample data and told Splunk it was fgt_log it magically seemed to classify most of the events as fgt_traffic, some as fgt_utm etc.

0 Karma

jerryzhao
Contributor

Yes. That's what our TA does.

0 Karma

gf13579
Communicator

Hey Jerry. We've now got this TA installed and are sending our FortiGate data - via syslog-ng - to Splunk. We're telling the forwarder the sourcetype is fgt_log - and all the events are treated as such, and thus not getting tagged as firewall,attack.

Should we blindly use fgt_traffic for all the stuff syslogged from a FortiGate appliance, or is there something more clever we should be doing?

0 Karma

jerryzhao
Contributor

You can do that, but it's not advised, unless graphs by fgt_traffic are all you care about.
They should be tagged with fgt_traffic, fgt_utm, fgt_event... once the regexes match them to those categories. You said that when you uploaded sample logs they were correctly tagged, but not with your FortiGate logs? Can you send me one piece of FortiGate log to show me the format?

0 Karma

gf13579
Communicator

Hi Jerry.

I noticed that the release notes for the TA state that 'From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data', that fgt_log is used by default - and that it's up to the customer if they want to use props/transforms in the /local folder to split the sourcetypes.

I can see that the /default/transforms.conf has some [force_sourcetype*] stanzas that aren't referenced in props.conf - presumably corresponding to the change mentioned above?

My customer's data shows that they have events of 'type' traffic (98%), utm (1.5%) and event and the data looks like it would match the regex in transforms, if they were active.

If I export one event of each type as raw, then re-import it by uploading a file and specifying fgt_log, the sourcetype transformations apply.

This is the same data that - when forwarded to Splunk with sourcetype fgt_log, by an inputs.conf monitoring a syslog-ng folder - just ends up with sourcetype fgt_log.

Sample data, redacted, here: https://pastebin.com/GhxL4UnF

All very confusing!

0 Karma
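As an added illustration of the /local override the release notes leave to the customer (this is not the TA's own configuration, and the stanza names and regexes below are my assumptions, not the TA's [force_sourcetype*] stanzas), here is a props.conf/transforms.conf pair that re-sourcetypes fgt_log events by their type= field:

```ini
# local/props.conf  (assumed example, not the TA's own stanzas)
[fgt_log]
# Run the three transforms against every event arriving as fgt_log.
# Index-time transforms execute on the first parsing tier (heavy
# forwarder or indexer), so this must be deployed there, not only on
# a universal forwarder, which does not parse.
TRANSFORMS-fgt_split = fgt_set_traffic, fgt_set_utm, fgt_set_event

# local/transforms.conf  (assumed example)
[fgt_set_traffic]
# FortiGate logs are key=value pairs; the value may or may not be quoted,
# so type=traffic and type="traffic" both match.
REGEX = (?:^|\s)type="?traffic"?(?:\s|$)
FORMAT = sourcetype::fgt_traffic
DEST_KEY = MetaData:Sourcetype

[fgt_set_utm]
REGEX = (?:^|\s)type="?utm"?(?:\s|$)
FORMAT = sourcetype::fgt_utm
DEST_KEY = MetaData:Sourcetype

[fgt_set_event]
REGEX = (?:^|\s)type="?event"?(?:\s|$)
FORMAT = sourcetype::fgt_event
DEST_KEY = MetaData:Sourcetype
```

Events whose type= value matches none of the regexes keep the sourcetype fgt_log, so a search for sourcetype=fgt_log after deployment is a quick check for log lines the split is missing.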

jerryzhao
Contributor

Can you show me your inputs.conf that monitors the syslog-ng folder?

0 Karma

gf13579
Communicator

That was the problem - thanks again Jerry. All working now.

0 Karma

gf13579
Communicator

Another question Jerry, do you know why the ftnt_fgt_virus event type tags events with the 'operations' tag? It means they get picked up by the ES malware operations lookup gen and written to the malware operations tracker, for no good reason - as far as I can tell, and they therefore contribute to some of the Key Indicator searches relating to # malware clients, # clients updating signatures etc.

That event type looks for sourcetype=fgt_utm subtype=virus vendor_action!=analytics.

0 Karma

jerryzhao
Contributor

I think that was intended for the CIM model so our data can be shown in ES dashboards. As to whether it is relevant or not, could you show me what the specific problem is? Maybe a screenshot will help me identify the issue.
Thanks!

0 Karma

gf13579
Communicator

Not easily.

There's a saved search in ES that populates the malware_operations_tracker lookup based on those events matching the malware and operations tags - which includes some of the Fortigate events, based on your TA.

That tracker is used to populate key indicators like 'Malware - Old Malware Definitions' i.e. clients that haven't checked in and updated in a while.

To be honest, I've forgotten why this seemed like a problem - maybe it seemed more significant because our AV solution (Sophos Central) wasn't populating the malware ops tracker but Fortigates were.

Ignore this one for now!

0 Karma

jerryzhao
Contributor

BTW, did you install the TA on the forwarder?

gf13579
Communicator

Ah-ha - I think this is where we're going wrong! I'll sort this out and re-test.

0 Karma