
Why am I not seeing UTM logs on Fortinet FortiGate App for Splunk?

Yaichael
Communicator

Currently, we are testing our FortiGate for sending UTM logs and they are being distributed with their corresponding sourcetype (fgt_utm) and everything, but the issue is that they are not being reflected on the Fortinet FortiGate App for Splunk. We tried downloading infected test files from eicar.org and other websites; they are reaching Splunk (we can search the events), but there is no sign of them in the app.

For troubleshooting, I ran the "diagnose log test" cmd on the FortiGate, and these are the only logs that I can see in the app: the ones generated by this cmd. Also, I checked the version (for compatibility) and the visibility, on Splunk, of the Fortinet FortiGate Add-on for Splunk, and everything is how it is supposed to be.

Any ideas on why this is happening? Thanks!

0 Karma
1 Solution

jerryzhao
Contributor

It may not show up immediately on the UTM dashboard as the log enters. Can you check the status of the data model acceleration? If it is 100%, you should be able to see data on the dashboard. And also remember to set the time range to include the time when the UTM log was generated.
We also used test files from eicar to test UTM logs, so I am sure it will be reflected on the threat dashboard.


0 Karma
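A set of searches that works through this answer step by step, added here as an example and not part of the original post or of the Fortinet app. The first confirms the UTM events exist in the raw index over a wide enough time window (widen `earliest` to cover when the eicar test file was downloaded). The second reads the acceleration completion figure that Settings > Data Models displays, via the `admin/summarization` REST endpoint that the Monitoring Console's data model acceleration panel is built on; the `summary.*` field names are taken from that panel. The third queries only the accelerated summary, so a gap between its hourly counts and the raw counts from the first search shows that the dashboards (which read the summary, not the raw events) simply have not caught up yet. `FORTIGATE_DATAMODEL_PLACEHOLDER` is a placeholder: substitute the app's data model name as listed under Settings > Data Models.

```spl
sourcetype=fgt_utm type=utm earliest=-24h latest=now
| stats count min(_time) AS first_seen max(_time) AS last_seen BY subtype action
| convert ctime(first_seen) ctime(last_seen)

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| search summary.id=DM_*
| eval complete_pct=round('summary.complete'*100,1)
| table summary.id complete_pct summary.size summary.is_inprogress summary.last_error summary.mod_time

| tstats summariesonly=true count FROM datamodel=FORTIGATE_DATAMODEL_PLACEHOLDER
    WHERE sourcetype=fgt_utm earliest=-24h latest=now
    BY _time span=1h
```

Run each search on its own. If the first returns events but the second shows `complete_pct` well below 100 or `summary.is_inprogress=1`, the summary is still being built and the dashboards will fill in as it completes; if the summary is at 100% and the third search still returns nothing for hours in which the raw search has events, the events are not being mapped into the data model at all, which points at the add-on's field extractions rather than at acceleration lag.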


ryoka
New Member

I am having the same issue with version 1.3 of the app and add-on. The logs are definitely indexed properly but dashboards are several hours delayed at best. Seems to be an issue with the data model acceleration. Is there something that we should be doing to optimize the acceleration or the indexing for the FortiGate logs?

0 Karma

jerryzhao
Contributor

Several hours' delay would be normal, depending on the log volume per second and your hardware resources.
The UTM dashboard, as well as the other dashboards except the overview dashboard, is not intended for real time, and its graphs depend on the data model acceleration to show up.

0 Karma

ryoka
New Member

We do about 350-400 logs/sec but our hardware is more than capable of keeping up with the acceleration. I ended up spending a morning making my own dashboards that are loosely based on the FortiGate's dashboard and the Splunk app. Much more useful overall, so no need for the Splunk app.

0 Karma

jerryzhao
Contributor

We are optimizing the data model to make acceleration faster. Will update in a future release. If you have something worth sharing and would like to share, please do. Thanks.

0 Karma

gfreitas
Builder

Are you able to see any events if you search for "sourcetype=fgt_utm type=utm"? If yes what is your FortiOS version?
If you cannot see any UTM events in the Splunk search, on your FortiGate type "config log syslogd filter" and "show full-configuration" and post the results.

0 Karma

Yaichael
Communicator

Thanks for the reply, gfreitas.

Yes, I'm able to see events with the sourcetype=fgt_utm. The FortiOS version is 5.4.0.

0 Karma

gfreitas
Builder

But can you see "type=utm" as well?

0 Karma

gfreitas
Builder

So, you are not seeing just virus logs, or any UTM logs? If you search, for example, "sourcetype=fgt_utm subtype=virus", are you able to see any results? If not, the app is correct and we can find something on the FortiGate to enable the logs.

0 Karma

Yaichael
Communicator

Yes, I can see logs if I do a search for "sourcetype=fgt_utm subtype=virus".

0 Karma

Yaichael
Communicator

Yes, I can see type=utm as well.

0 Karma

gfreitas
Builder

Have you installed the add-on: https://splunkbase.splunk.com/app/2846/ ?

0 Karma

Yaichael
Communicator

Yes, it is already installed.

0 Karma