Splunk Search

Search commands to monitor Fortinet Firewalls?

TheWiszard
Engager

Hi Guys,

Has anyone done a search where you can monitor the CPU on the Fortinet Firewalls? It's on the App but doesn't seem to work?

Cheers

Ahmed

0 Karma
1 Solution

PickleRick
SplunkTrust

OK. This is a search from a particular accelerated datamodel. So for this to work three things must be configured properly.

1) You must be getting proper logs from the firewall.

2) You must have the datamodel configured properly (I suppose you either have to ingest firewall data to a specific index or have to reconfigure the datamodel to cover the index you're ingesting your fw events into).

3) And finally you must have datamodel acceleration enabled for that datamodel.

So these are three things that must happen before that dashboard can be populated with results.

BTW, you pointed to a SOAR app as relevant products for this thread. I suppose you meant the Fortinet FortiGate App - https://splunkbase.splunk.com/app/2800 - it does have a description section which seems to tell how to configure it (but I'd be cautious about the instructions for both this app and an accompanying add-on because it's a third-party add-on and vendors don't always know Splunk well and some of their ideas can be far from the best practice).


0 Karma

TheWiszard
Engager

Hi PickleRick,

So the Forti app has an event dashboard to view the CPU and Memory:

[screenshot: TheWiszard_0-1725372511315.png]

But when you open the search you get no results:

| tstats summariesonly=true last(log.system_event.system.cpu) AS cpus
    FROM datamodel=ftnt_fos
    WHERE nodename="log.system_event.system" log.devname="*" log.vendor_action=perf-stats
    groupby _time log.devname
| timechart values(cpus) by log.devname

New to Splunk so just wondering if there is something here I need to mod...

cheers

0 Karma
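The dashboard search above returns nothing whenever any of the three conditions in the accepted answer fails. The following SPL, added here as an example and not taken from the thread or from the FortiGate app, checks them one at a time; run each search separately in the search bar, and the `check` field is only a label for which step you are on. Assumptions not stated on the page: the FortiGate add-on's sourcetypes start with `fgt_` (adjust if you use your own), the data model's root dataset constraint lives at `objects{}.constraints{}.search` in the REST response, and the accelerated summary id contains the model name `ftnt_fos`.

```spl
| tstats count latest(_time) AS last_seen WHERE index=* sourcetype=fgt_* BY index sourcetype
| eval last_seen=strftime(last_seen, "%F %T"), check="1: FortiGate events are arriving; note the index they land in"

| rest /servicesNS/-/-/datamodel/model count=0
| search title=ftnt_fos
| rename eai:data AS model_json, eai:acl.app AS app
| spath input=model_json path=objects{}.constraints{}.search output=constraint
| spath input=acceleration path=enabled output=accel_enabled
| table title app constraint accel_enabled
| eval check="2+3: constraint must cover the index from check 1; accel_enabled must be true"

| rest /services/admin/summarization by_tstats=t count=0
| search summary.id=*ftnt_fos*
| table summary.id summary.complete summary.is_inprogress
| eval check="3: an acceleration summary exists for the model and is complete or still building"

| tstats summariesonly=false count latest(_time) AS last_seen
    FROM datamodel=ftnt_fos
    WHERE nodename="log.system_event.system" log.vendor_action=perf-stats
    BY log.devname
| eval last_seen=strftime(last_seen, "%F %T"), check="4: same data read without the summary"
```

Reading the results: if check 4 returns rows but the dashboard's `summariesonly=true` search returns none, acceleration is either disabled or the summary has not finished building yet (check 3 shows which). If check 4 also returns nothing while check 1 shows FortiGate events, the data model's constraint does not cover the index your events are in, or the firewall is not sending `perf-stats` system events at all, which is a FortiGate-side logging setting rather than a Splunk one.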


PickleRick
SplunkTrust

1. You don't "monitor the CPU" with Splunk as in "use search to interactively connect to the device and check its parameters". You can search the data that has been ingested prior to search. So...

2. Do you have any data from your firewall ingested? Do you know where it is? Can you search it at all? Do you know _what_ data is ingested from the firewall?

3. What does "doesn't seem to work" mean? What are you doing (especially - what search are you running) and what are the results?
