
Fortinet Fortigate App for Splunk Not Showing Data

wellmore
Explorer

Greetings!

I have searched the other related posts on this and still couldn't find a solution to our problem, which is the Fortinet Fortigate App for Splunk is not showing any data.

I have one data input on port 1514/UDP and the sourcetype name is 'Fortinet'. Our regular search/reporting is working fine with the incoming syslog.

I installed the 'Fortinet FortiGate App for Splunk' ver. 1.4 and 'Fortinet Fortigate Add-on for Splunk' ver. 1.4. The only other change I made was to the first section of this file: 'C:\Program Files\Splunk\etc\apps\Splunk_TA_fortinet_fortigate\default\props.conf'

[Fortinet]
    TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
    SHOULD_LINEMERGE = false

Currently I see no data in the Fortigate app, it shows 0 for device|virtual domain|session.

If I click on search within the device block, it brings me to a search with no results using string: fgt_logs | stats dc(devid)

Can someone help us get this working?

Thank you in advance,
Lee

0 Karma

wellmore
Explorer

We have upgraded to Fortinet 5.2.9 and I am still not seeing any data in the Splunk App Fortinet FortiGate App for Splunk. However, we do see the syslogs under Splunk Search & Reporting.

We only have one props.conf file under: C:\Program Files\Splunk\etc\apps\SplunkAppForFortinet\local

Here are the first 4 lines of the props.conf file; the remaining lines are untouched/default:

[source::*]
[fortigate]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false

Can someone help us get this working?

Thank you,
Lee

0 Karma

jerryzhao
Contributor

the first dashboard is real time, so do you have fortigate logs reported in the past 10 minutes? are the splunk server and fortigate time in sync?
when you do the search in search and reporting, what sourcetype is your result? Fortinet or something that starts with fgt_?
what index are you using for the input?

0 Karma

wellmore
Explorer

@jerryzhao,

Thank you for all your time. I apologize that I overlooked the Fortigate version 5.0+ requirement for this app. We are upgrading from 4.3 to 5.2 in the next two months.

0 Karma

wellmore
Explorer

My search log results are working both real-time and historically. From what I can tell the time is synced. My data input and search results sourcetype is 'Fortinet'. Not sure what index...?

0 Karma

jerryzhao
Contributor

index is the one you may specify when adding the input. if left unspecified, it goes to the main index. you can show it in GUI settings->data input->UDP

if your search results only have the Fortinet sourcetype, the add-on is not transforming the logs. the add-on should categorize fortigate logs into fgt_event, fgt_traffic or fgt_utm sourcetypes.
do you happen to have a copy of props.conf in the local folder in addition to default? after the change on props.conf did you restart splunk?

0 Karma
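The behaviour jerryzhao describes, as an added example that is not part of the thread and not the add-on's own code: the forced-sourcetype transform only fires for events whose props.conf stanza name equals the input sourcetype, and when it fires it rewrites the sourcetype from the FortiGate `type=` field. The mapping of `type=traffic|utm|event` to `fgt_traffic|fgt_utm|fgt_event` is assumed from the sourcetype names in the thread, not taken from the add-on's transforms.conf; the log lines are constructed samples with placeholder device ids. The stanza check treats the name as an exact, case-sensitive match, which is why a `[fortigate]` stanza leaves every event as `Fortinet`.

```python
import configparser
import re

# Assumed mapping from the FortiGate 'type' field to the sourcetypes named in the thread.
# The add-on's real transforms.conf is not on this page; this mirrors the stated intent.
TYPE_TO_SOURCETYPE = {
    "traffic": "fgt_traffic",
    "utm": "fgt_utm",
    "event": "fgt_event",
}

# Constructed FortiGate-style key=value syslog lines (not from the thread);
# device names/ids are placeholders.
SAMPLE_LOGS = [
    "date=2016-05-10 time=10:15:01 devname=FGT-EXAMPLE devid=FGT-PLACEHOLDER-1 "
    "type=traffic subtype=forward level=notice srcip=10.0.0.5 dstip=192.0.2.10 action=accept",
    "date=2016-05-10 time=10:15:02 devname=FGT-EXAMPLE devid=FGT-PLACEHOLDER-1 "
    'type=utm subtype=ips level=alert attack="Example.Signature" action=dropped',
    "date=2016-05-10 time=10:15:03 devname=FGT-EXAMPLE devid=FGT-PLACEHOLDER-1 "
    'type=event subtype=system level=information msg="Admin login successful"',
    "not a fortigate line at all",
]

# The two props.conf variants that appear in the thread, reduced to the relevant stanza.
PROPS_MISMATCHED = """
[source::*]
[fortigate]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false
"""

PROPS_MATCHING = """
[Fortinet]
    TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
    SHOULD_LINEMERGE = false
"""

# key=value, where the value is either a double-quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse a FortiGate key=value line into a dict, unquoting quoted values."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if bare == "" else bare
    return fields


def force_sourcetype(line, input_sourcetype="Fortinet"):
    """Sourcetype an event carries after the assumed type-based transform.
    Lines with no recognised 'type' keep the input sourcetype."""
    fields = parse_kv(line)
    return TYPE_TO_SOURCETYPE.get(fields.get("type"), input_sourcetype)


def props_stanza_for_sourcetype(props_text, input_sourcetype):
    """Return (stanza, [TRANSFORMS-* values]) for the stanza whose name equals the
    input sourcetype, or None when there is no such stanza. Exact, case-sensitive
    match. Leading whitespace is stripped so indented keys (as in the thread's
    pasted config) are not misread as continuation lines."""
    cleaned = "\n".join(l.strip() for l in props_text.splitlines())
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str  # keep the TRANSFORMS-... key case
    cp.read_string(cleaned)
    if not cp.has_section(input_sourcetype):
        return None
    transforms = [v for k, v in cp.items(input_sourcetype) if k.startswith("TRANSFORMS-")]
    return (input_sourcetype, transforms)


def expected_sourcetypes(props_text, input_sourcetype, lines):
    """Predict the sourcetype each event ends up with. If no stanza matches the input
    sourcetype (or it carries no TRANSFORMS- key), nothing is rewritten and every
    event stays on the input sourcetype, which is the symptom in the thread."""
    match = props_stanza_for_sourcetype(props_text, input_sourcetype)
    if match is None or not match[1]:
        return [input_sourcetype for _ in lines]
    return [force_sourcetype(line, input_sourcetype) for line in lines]


if __name__ == "__main__":
    for label, props in (("[fortigate] stanza", PROPS_MISMATCHED),
                         ("[Fortinet] stanza", PROPS_MATCHING)):
        print(label, "->", expected_sourcetypes(props, "Fortinet", SAMPLE_LOGS))
```

Running it shows the mismatched stanza yielding `Fortinet` for all four sample lines and the matching stanza yielding `fgt_traffic`, `fgt_utm`, `fgt_event` and, for the non-FortiGate line, `Fortinet`; the same stanza-name comparison is the first thing to check against the sourcetype configured on the UDP input.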

wellmore
Explorer

@jerryzhao,

My data input for UDP on port 1514 sourcetype= Fortinet

I don't see an index value in the data input properties section. I was only able to find a props.conf file in path noted in orig. post above, which was:
'C:\Program Files\Splunk\etc\apps\Splunk_TA_fortinet_fortigate\default\props.conf'

I left the file intact and just changed the [fgt_logs] to [Fortinet]. Yes I restarted Splunk after making this change. See below:

 [Fortinet]
     TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
     SHOULD_LINEMERGE = false

Thank you for all your help, I really hope we can get this working today.

0 Karma

wellmore
Explorer

@jerryzhao do you have a free moment to further trouble-shoot this with me?

Or anyone else that can help me get this working?

Thank you in advance,

0 Karma

jerryzhao
Contributor

please shoot an email to splunk_app@fortinet.com and we will go from there.

0 Karma

wellmore
Explorer

Can we not resolve it here? Is Fortinet support going to help with this Splunk issue?

I sent the email as you requested.

0 Karma

jerryzhao
Contributor

i myself am the maintainer of the app so i am pretty sure they will. because we may need some one-on-one support with email or gotomeeting, it is not a good idea to flood the comment section here.

0 Karma

wellmore
Explorer

Thank you; understood and I look forward to your help.

0 Karma

jerryzhao
Contributor

i just tested on windows with same sourcetype Fortinet. no problem as far as i can see. i am not sure of the props.conf format after your modification. unix, windows thing, you know. it would be more efficient if you can send me your props.conf or online chat. you know my email.

0 Karma

wellmore
Explorer

@jerryzhao,
I just emailed you the props.conf file. I look forward to hearing back. I'd like to ultimately put the resolution here when it is found for other Splunkers to benefit. Thanks again!

0 Karma