
Splunk for Fortigate: How do I configure the app to get VDOM logging correctly?

ppater82
New Member

Hi All,

Could anyone help me?
I've successfully installed and configured the Fortigate App.

I see the Fortigate logging in syslog under "Search & Reporting".
I also see some information in the Fortigate app, but I see only logging related to VDOM root.
Can anyone tell me how I get the VDOM logging correct in the app? I see the VDOM information in syslog correctly.

Many thanks,

Best Regards
Patrick

Here is some information on the syslog output:

Splunk Version
6.3.1
Splunk Build
f3e41e4b37b2

Fortigate Firmware Version  
v5.2.5,build701 (GA)

inputs.conf
[udp://xx.xx.xxx.xxx:514]
sourcetype = fortios5
no_appending_timestamp = true

[udp://514]
sourcetype = networking
no_appending_timestamp = true

props.conf
[source::udp:514]
[fortios5]
TRANSFORMS-sourcetype_fortios5 = fortios5_virus, fortios5_ips, fortios5_app-ctrl, fortios5_webfilter, fortios5_traffic, fortios5_sslvpn, fortios5_event_wireless, f$
SHOULD_LINEMERGE = false

Fortigate config
ssc-fwfg-ph-1 # config global 
ssc-fwfg-ph-1 (global) # config log syslogd setting 
ssc-fwfg-ph-1 (setting) # show
config log syslogd setting
    set status enable
    set server "xx.xx.xxx.xx"
end

1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=pov-prod srcip=xx.xx.xxx.xx srcport=62851 srcintf="VLAN3193" dstip=xx.xx.x.xx dstport=161 dstintf="VLAN3192" poluuid=560e4f6a-b3f1-51e5-e898-8f134de431ef sessionid=38302588 proto=17 action=accept policyid=6 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="udp/161" duration=180 sentbyte=71 rcvdbyte=75 sentpkt=1 rcvdpkt=1 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=zwo-prod srcip=xx.xxx.x.x srcport=60759 srcintf="VLAN3168" dstip=xx.xxx.xxx.xx dstport=6343 dstintf="VLAN3169" poluuid=b8f3cf02-ae0a-51e5-4868-7cc8fa2c558a sessionid=38302591 proto=17 action=accept policyid=5 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="udp/6343" duration=180 sentbyte=316 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=pov-prod srcip=xx.xx.xxx.xx srcport=62851 srcintf="VLAN3193" dstip=xx.xx.x.xx dstport=161 dstintf="VLAN3192" poluuid=560e4f6a-b3f1-51e5-e898-8f134de431ef sessionid=38302590 proto=17 action=accept policyid=6 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="udp/161" duration=180 sentbyte=71 rcvdbyte=75 sentpkt=1 rcvdpkt=1 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=zwo-prod srcip=xx.xxx.xxx.xxx srcport=53396 srcintf="VLAN3168" dstip=xx.xxx.x.xxx dstport=443 dstintf="VLAN3169" poluuid=b8f3cf02-ae0a-51e5-4868-7cc8fa2c558a sessionid=38305573 proto=6 action=close policyid=5 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTPS" duration=1 sentbyte=132 rcvdbyte=92 sentpkt=3 rcvdpkt=2 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=pov-prod srcip=xx.xx.xxx.xx srcport=62851 srcintf="VLAN3193" dstip=xx.xx.x.xx dstport=161 dstintf="VLAN3192" poluuid=560e4f6a-b3f1-51e5-e898-8f134de431ef sessionid=38302589 proto=17 action=accept policyid=6 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="udp/161" duration=180 sentbyte=71 rcvdbyte=76 sentpkt=1 rcvdpkt=1 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=zwo-prod srcip=xx.xxx.x.xxx srcport=54894 srcintf="VLAN3169" dstip=xx.xxx.xx.xxx dstport=9100 dstintf="VLAN3168" poluuid=b8f5eb20-ae0a-51e5-5f17-ffeefe4d276b sessionid=38305223 proto=6 action=timeout policyid=6 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="tcp/9100" duration=19 sentbyte=152 rcvdbyte=0 sentpkt=3 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel=low
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
1/7/16
8:38:47.000 PM  
date=2016-01-07 time=20:38:47 devname=ssc-fwfg-ph-1 devid=FG1K2D3I15800495 logid=0000000013 type=traffic subtype=forward level=notice vd=zwo-prod srcip=xx.xxx.xxx.xxx srcport=49980 srcintf="VLAN3168" dstip=xx.xxx.x.xxx dstport=443 dstintf="VLAN3169" poluuid=b8f3cf02-ae0a-51e5-4868-7cc8fa2c558a sessionid=38305527 proto=6 action=close policyid=5 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTPS" duration=5 sentbyte=132 rcvdbyte=92 sentpkt=3 rcvdpkt=2 appcat="unscanned"
host = xx.xx.xxx.xxx source = udp:514 sourcetype = fortios5_traffic
0 Karma
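Before looking at the app's dashboards, it helps to confirm what the syslog feed itself carries. The script below is an added example (not part of this post and not code from the Fortinet app) that parses the FortiOS key=value format shown in the search results above and counts events per `vd`, so an ingestion problem (non-root VDOM events never arriving, or arriving without a `vd` field) can be separated from a dashboard or search problem. The sample events are constructed to mirror the lines in the question; the IP addresses, device name and device ID are placeholders, and the `parse_fortios_event` / `summarize_by_vdom` names are my own.

```python
"""Parse FortiOS 5.x key=value syslog events and summarize them per VDOM (vd field)."""
import re
from collections import Counter, defaultdict

# Constructed sample events modelled on the fortios5_traffic lines in the post;
# IP addresses, devname and devid are placeholders, not values from the page.
SAMPLE_EVENTS = [
    'date=2016-01-07 time=20:38:47 devname=fw-example devid=FGXXXXXXXXXXXXXX logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=pov-prod srcip=10.0.1.10 srcport=62851 '
    'srcintf="VLAN3193" dstip=10.0.2.20 dstport=161 dstintf="VLAN3192" proto=17 action=accept '
    'policyid=6 service="udp/161" sentbyte=71 rcvdbyte=75 appcat="unscanned"',
    'date=2016-01-07 time=20:38:47 devname=fw-example devid=FGXXXXXXXXXXXXXX logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=zwo-prod srcip=10.0.3.30 srcport=60759 '
    'srcintf="VLAN3168" dstip=10.0.4.40 dstport=443 dstintf="VLAN3169" proto=6 action=close '
    'policyid=5 service="HTTPS" sentbyte=132 rcvdbyte=92 appcat="unscanned"',
    'date=2016-01-07 time=20:38:47 devname=fw-example devid=FGXXXXXXXXXXXXXX logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=root srcip=10.0.5.50 srcport=54894 '
    'srcintf="port1" dstip=10.0.6.60 dstport=9100 dstintf="port2" proto=6 action=timeout '
    'policyid=6 service="tcp/9100" sentbyte=152 rcvdbyte=0 appcat="unscanned" crscore=5 crlevel=low',
    # A constructed event with no vd= field at all, to show how the summary flags it.
    'date=2016-01-07 time=20:38:48 devname=fw-example logid=0100032001 type=event subtype=system '
    'level=information logdesc="Admin login successful" user="admin" action=login status=success',
]

# key=value pairs: the value is either a double-quoted string (may contain spaces)
# or a bare token without whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_event(line):
    """Return the key=value fields of one FortiOS syslog line as a dict, quotes stripped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_by_vdom(lines):
    """Group events by vd. Events with no vd= field are counted under '(no vd)'.

    Returns {vdom: {"events": n, "actions": Counter, "types": Counter}}.
    """
    summary = defaultdict(lambda: {"events": 0, "actions": Counter(), "types": Counter()})
    for line in lines:
        f = parse_fortios_event(line)
        entry = summary[f.get("vd", "(no vd)")]
        entry["events"] += 1
        entry["actions"][f.get("action", "?")] += 1
        entry["types"][f.get("type", "?")] += 1
    return dict(summary)


def vdoms_seen(lines):
    """Sorted list of VDOM names that actually appear in the feed (events without vd excluded)."""
    return sorted(vd for vd in summarize_by_vdom(lines) if vd != "(no vd)")


if __name__ == "__main__":
    # Replace SAMPLE_EVENTS with lines exported from a Splunk search over sourcetype=fortios5*
    for vd, entry in sorted(summarize_by_vdom(SAMPLE_EVENTS).items()):
        print(f"{vd:10} events={entry['events']} actions={dict(entry['actions'])} "
              f"types={dict(entry['types'])}")
```

Running it over lines exported from a search such as the one in the question lists every VDOM that the firewall is actually sending (here pov-prod, root and zwo-prod); if a VDOM is missing from that list the problem is on the FortiGate or input side, and if it is present but absent from the app's views the next place to look is the app's searches and field extractions for `vd`.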

jerryzhao
Contributor

From the information you provided, props.conf specifically, I suspect you are not using Fortinet's official app+add-on.
https://splunkbase.splunk.com/app/2800/

props.conf
[source::udp:514]
[fortios5]
TRANSFORMS-sourcetype_fortios5 = fortios5_virus, fortios5_ips, fortios5_app-ctrl, fortios5_webfilter, fortios5_traffic, fortios5_sslvpn, fortios5_event_wireless, f$
SHOULD_LINEMERGE = false

Or did you modify those lines yourself?

0 Karma

ppater82
New Member

Hello,

I've changed the inputs.conf without success 😞

inputs.conf
[udp://514]
sourcetype = fortios5
no_appending_timestamp = true

0 Karma