All Apps and Add-ons

Fortinet Fortigate App and Add-on for Splunk: Why are dashboards not showing any data from our UDP:515 input?

josefa
Path Finder

Hello,

I'm having some problems while configuring the app.
I've configured it according to the documentation in Splunkbase (both Add-on and App). I'm sending the logs through udp:515 (I have udp:514 as Data Input with syslog sourcetype for other devices), created the relevant Data Input (with default parameters, so no sourcetype nor index). I know data is coming to the Splunk server, as I can see the traffic with a tcpdump, but I can't see any info in the dashboard (or even from the Search & Reporting App, which is odd).

I have installed the other Fortinet App before (I don't have the add-on, just the app) and receiving the data through udp:513 and I can see some info.

Could somebody advise what could be happening, why am I not seeing any data from udp:515?

Any help will be much appreciated

0 Karma
1 Solution

jerryzhao
Contributor

If we are in the context of fortinet official app and add-on, then read on:

you should be able to see logs in Search & Reporting App at least if you created the input for 515 port correctly.
how did you search in Search & Reporting? with the host="$fortigate_ip_address"? what index did you use for input 515, or none, if none it should be default to main, which can be monitored by admin user. if other index is used, you need to add it for admin to see by default:
http://$splunk_ip:8000/en-US/manager/search/authorization/roles/admin?action=edit&uri=%2FservicesNS%2F-%2Fsearch%2Fauthorization%2Froles%2Fadmin

also make sure iptable is not in the way of splunk from receiving udp traffic from port 515.

For UDP input, you don't really need much more configuration for it to work besides those covered in the documentation.

View solution in original post

0 Karma

wellmore
Explorer

Our input in 1514/UDP and the sourcetype= Fortinet

We have the Fortinet Addon and TA addon installed, but we see no data in Fortinet app. We do have data in search though.

Can someone help us get this working?

0 Karma

jerryzhao
Contributor

after changing the sourcetype to Fortinet, you have to modify it in props.conf of add-on as well.
Quote from the documentation of add-on:
https://splunkbase.splunk.com/app/2846/#/details
Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fgt_log'.
If you want to configure it to extract a self-defined sourcetype, copy the props.conf
in $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the source stanza.

replace [fgt_log] with [fortigate], for instance.

Restart Splunk service for the change to take effect.

BTW, what do you mean by "We have the Fortinet Addon and TA addon installed", the app and add-on you need to install are:
https://splunkbase.splunk.com/app/2800/
https://splunkbase.splunk.com/app/2846/

jerryzhao
Contributor

If we are in the context of fortinet official app and add-on, then read on:

you should be able to see logs in Search & Reporting App at least if you created the input for 515 port correctly.
how did you search in Search & Reporting? with the host="$fortigate_ip_address"? what index did you use for input 515, or none, if none it should be default to main, which can be monitored by admin user. if other index is used, you need to add it for admin to see by default:
http://$splunk_ip:8000/en-US/manager/search/authorization/roles/admin?action=edit&uri=%2FservicesNS%2F-%2Fsearch%2Fauthorization%2Froles%2Fadmin

also make sure iptable is not in the way of splunk from receiving udp traffic from port 515.

For UDP input, you don't really need much more configuration for it to work besides those covered in the documentation.

0 Karma

josefa
Path Finder

iptables fault -.-' As I was seeing incoming traffic on the server assumed it was receiving it without problems.
Added the needed rules, everything's working ok. Thanks for your reply

0 Karma

gtriSplunk
Path Finder

You do need to install the TA and make sure your data is sourcetyped properly to ensure the field extractions are correct. If you need more help just let us know! Make sure you install this TA on both the indexers and/or heavy forwarders and search heads. The TA will mark all udp:514 traffic with the fortigate sourcetype (if you are sending more than just fortigate syslog to port 514 let us know and we can advise on what to do).

https://splunkbase.splunk.com/app/2846/

GTRI Splunk Team!

jawaharas
Motivator

Hi GTRI,

As per https://splunkbase.splunk.com/app/2800/#/details,

Configuration Steps
1. Install Fortinet FortiGate Add-on for Splunk on search head, indexer,
forwarder or single instance Splunk server:

The developer mentioned that the TA Add-on can be installed either in Search Head or Indexer (Correct me if I understood it wrong). I have installed the add-on on 'Search Head'. Ideally, the searchtime extraction should work. But it's not. Do we really have to install the addon in 'Indexer' as well?

Thanks, Jawahar.

0 Karma

jerryzhao
Contributor

not can be installed but must be installed. so yes, you need to install add-on on searchhead, indexer and forwarder.

0 Karma

jawaharas
Motivator

Thanks @jerryzhao . The events are visible after the add-on is installed on indexers.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...