Splunk Search

Search commands to monitor Forinet Firewalls ?

TheWiszard
Engager

Hi Guys,

 

Has anyone done a search were you can monitor the CPU on the Fortinet Firewalls? Its on the App but doesn't seem to work?

 

Cheers

Ahmed

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

OK. This is a search from a particular accelerated datamodel. So for this to work three things must be configured properly.

1) You must be getting proper logs from the firewall.

2) You must have the datamodel configured properly (I suppose you either have to ingest firewall data to a specific index or have to reconfigure the datamodel to cover the index you're ingesting your fw events into).

3) And finally you must have datamodel acceleration enabled for that datamodel.

So these are three things that must happen before that dashboard can be populated with results.

BTW, you pointed to a SOAR app as relevant products for this thread. I suppose you meant the Fortinet FortiGate App - https://splunkbase.splunk.com/app/2800 - it does have a description section which seems to tell how to configure it (but I'd be cautious about the instructions for both this app and an accompanying add-on because it's a third-party add-on and vendors don't always know Splunk well and some of their ideas can be far from the best practice).

View solution in original post

0 Karma

TheWiszard
Engager

Hi Picklerick, 

So the Forti app has a n event dashboard to view the CPU and Memory:

TheWiszard_0-1725372511315.png

But when you open the search you get no results:

|tstats summariesonly=true last(log.system_event.system.cpu) AS cpus FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" log.devname="*" log.vendor_action=perf-stats groupby _time log.devname | timechart values(cpus) by log.devname

 

New to Splunk so just wondering if there is something here i need to mod...

 

cheers

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

OK. This is a search from a particular accelerated datamodel. So for this to work three things must be configured properly.

1) You must be getting proper logs from the firewall.

2) You must have the datamodel configured properly (I suppose you either have to ingest firewall data to a specific index or have to reconfigure the datamodel to cover the index you're ingesting your fw events into).

3) And finally you must have datamodel acceleration enabled for that datamodel.

So these are three things that must happen before that dashboard can be populated with results.

BTW, you pointed to a SOAR app as relevant products for this thread. I suppose you meant the Fortinet FortiGate App - https://splunkbase.splunk.com/app/2800 - it does have a description section which seems to tell how to configure it (but I'd be cautious about the instructions for both this app and an accompanying add-on because it's a third-party add-on and vendors don't always know Splunk well and some of their ideas can be far from the best practice).

0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. You don't "monitor the CPU" with Splunk as in "use search to interactively connect to the device and check its parameters". You can search the data that has been ingested prior to search. So...

2. Do you have any data fron your firewall ingested? Do you know where it is? Can you search it at all? Do you know _what_ data is ingested from the firewall?

3. What does "doesn't seem to work" mean? What are you doing (especially - what search are you running) and what are the results?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...