
Splunk for Fortigate Config

Andrew_Banman
Explorer

I am trying to get the Splunk Fortigate application running as it would be very useful. When I go into it and give it a device and vdom it just reports no data is found. I have setup the UDP:512 port on Splunk and the sourcetype/IP config per the README file but I still seem to be unable to get the app to display the data. I am not sure what I have done wrong and I'm not sure even where to begin looking at this point. Can anyone offer some troubleshooting suggestions?

You can see I have log data per my splunk data:

date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=50962,dst=###.###.###.###,dstname=###.###.###.###,dst_port=53,service=53/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V645_ITG_MGMTS",dst_int="V998_MGMTN",SN=582346120,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=162,dst=###.###.###.###,dstname=###.###.###.###,dst_port=162,service=162/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346112,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=162,dst=###.###.###.###,dstname=###.###.###.###,dst_port=162,service=162/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346110,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=58072,dst=###.###.###.###,dstname=###.###.###.###,dst_port=53,service=53/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V645_ITG_MGMTS",dst_int="V998_MGMTN",SN=582346087,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346085,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346084,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346073,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346072,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346071,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"

0 Karma
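A parser for the FortiGate key=value layout shown in the post above, added here as an example (it is not part of the Fortigate app or of this thread). It extracts the fields, lists the devname/vd pairs that the app's device and vdom selectors would have to match, and counts status=deny traffic events by destination port. The sample lines are constructed from the layout above with placeholder addresses and a made-up accept event.

```python
import re
from collections import Counter

# Constructed sample in the same key=value layout as the posted logs (placeholder
# addresses; the last line is an invented status=accept event for contrast).
SAMPLE_LOGS = """\
date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG0000000000000,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=10.0.0.1,src_port=50962,dst=10.0.0.2,dst_port=53,service=53/udp,proto=17,src_int="V645_ITG_MGMTS",dst_int="V998_MGMTN",SN=582346120,app="N/A",user="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG0000000000000,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=10.0.0.3,src_port=48295,dst=10.0.0.4,dst_port=514,service=514/udp,proto=17,src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346085,app="N/A",user="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG0000000000000,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=10.0.0.3,src_port=48295,dst=10.0.0.4,dst_port=514,service=514/udp,proto=17,src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346084,app="N/A",user="N/A"
date=2012-07-06,time=13:48:50,devname=FW-NAME,device_id=FG0000000000000,log_id=0000000000,type=traffic,subtype=allowed,pri=notice,status=accept,vd="root",src=10.0.0.5,src_port=40000,dst=10.0.0.6,dst_port=443,service=443/tcp,proto=6,src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346050,app="N/A",user="N/A"
"""

# key=value pairs separated by commas; a quoted value may itself contain commas,
# so quoted values are matched as a unit before falling back to "up to the next comma".
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_fortigate_line(line):
    """Return the line's fields as a dict, with surrounding quotes stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line.strip()):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def devices_and_vdoms(text):
    """Set of (devname, vd) pairs seen, i.e. the device/vdom values to select in the app."""
    pairs = set()
    for line in text.splitlines():
        if line.strip():
            ev = parse_fortigate_line(line)
            pairs.add((ev.get("devname"), ev.get("vd")))
    return pairs


def summarize_denies(text):
    """Count traffic events with status=deny by dst_port: (total, denied, Counter)."""
    total = denied = 0
    by_port = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_fortigate_line(line)
        total += 1
        if ev.get("type") == "traffic" and ev.get("status") == "deny":
            denied += 1
            by_port[ev.get("dst_port", "?")] += 1
    return total, denied, by_port


if __name__ == "__main__":
    print(devices_and_vdoms(SAMPLE_LOGS))
    print(summarize_denies(SAMPLE_LOGS))
```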

Andrew_Banman
Explorer

Thanks for your response and help. I don't see these denies in the denied screens but ....

We will have to wait to use your excellent tool until we update I guess. We are fairly conservative and almost NEVER run the latest release of anything.

0 Karma

femedina
New Member

abelcdo, first, great work on the app. For MR3 patches this app seems to work fine, but there were some bugs that were fixed in version 5.0 of the firmware that were needed, and the app seems to not work with this version. Are there any plans at this time to develop the app for version 5.0 of the firmware? I have a specific use case and would like to work with you to help develop this further.

0 Karma

abelcdo
New Member

Your logs are denied traffic. Nothing appears in the denied reports even if you don't create a filter.
I suggest upgrading because this App was created around the 4.0MR3.
I've done some tests with MR2 and traffic reports have worked, but I cannot confirm it with all MR2 patches.

0 Karma

abelcdo
New Member

About the index, nothing is described about the index because it isn't specific for this application but global to Splunk.

0 Karma

Andrew_Banman
Explorer

Not sure about the index issue. I didn't do anything intentional with indexes and I didn't see instructions for this in the README.

0 Karma

Andrew_Banman
Explorer

Hi Abel,

Thanks for the speedy response. Here is the version from the status dashboard on the Fortigate:

v4.0,build0328,110718 (MR2 Patch 8)

Cheers,
Andrew

0 Karma

abelcdo
New Member

Hello,

What is the version of your Fortigate firmware?
The App only supports 4.0MR3 and a few logs from the 4.0MR2.

If the version of the firmware is OK, have you created a new index where the Fortigate logs are collected?
If yes, have you given your account the ability to access this index by default?

Regards,
Abel

0 Karma