Solved: Splunk App Fortinet Fortigate

vinod94 · ‎07-10-2018

I have firewall data coming to my syslog server.The syslog file gets rotated every 24 hours. Ive installed forwarder on the syslog server. I have a monitoring stanza in my Fortinet FortiGate App for Splunk(TA) .

[monitor:///bbbb/aaaaa/xxxxxxx/syslog.log]
index = fortinet
sourcetype = fgt_log

Earlier the logs used to come, now the data has stopped coming. It says:

07-10-2018 14:10:39.143 +0530 WARN  TailReader - Enqueuing a very large file=/bbbb/aaaaa/xxxxxxx/syslog.log in the batch reader, with bytes_to_read=2626817453, reading of other large files could be delayed

07-10-2018 04:56:18.424 +0530 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Jul 10 04:56:02 2018). Context: source::/bbbb/aaaaa/xxxxxxx/syslog.log|host::XXXX|fgt_log|2414.

tried reinstalling the forwarder, thruput = 0, initcrclength = 1024 but no luck!

Splunk version - 6.5.7
Fortinet FortiGate App for Splunk- 1.4

Any suggestions?

MoniM · ‎01-29-2019

Hi @ vinod94 ,
can you please check your props.conf file.

View solution in original post

MoniM · ‎01-29-2019

Hi @ vinod94 ,
can you please check your props.conf file.

vinod94 · ‎08-03-2019

Thank you!

Splunk App Fortinet Fortigate

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio