Hi all,
still learning Splunk here and we just started ingesting Fortigate firewall logs. After a recent FortiGate update the logs are coming in all with a timestamp of 5am. The logs are coming in via syslog to a HF. I have tried using
TIME_FORMAT = date=%Y-%m-%d time=%H:%M:%S
TIME_PREFIX = ^\s*<\d{3}>
which was suggested in another fortigate ticket without any luck. Any help is appreciated.
11/6/20 5:00:00.000 AM | <189>logver=602055878 timestamp=1604673601 tz="UTC-5:00" devname="RNHN-FW1800F" devid="FG181FTK20900192" vd="CORP" date=2020-11-06 time=09:40:01 logid="0001000014" type="traffic" subtype="local" level="notice" eventtime=1604673601539310045 tz="-0500" srcip=87.251.80.10 srcport=53887 srcintf="FairPoint_WAN_B" srcintfrole="wan" dstip=71.181.10.217 dstport=2256 dstintf="unknown0" dstintfrole="undefined" sessionid=45763314 proto=6 action="deny" policyid=0 policytype="local-in-policy" service="tcp/2256" dstcountry="United States" srccountry="Russian Federation" trandisp="noop" app="tcp/2256" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" mastersrcmac="02:00:40:05:26:15" srcmac="02:00:40:05:26:15" srcserver=1 |
The TIME_PREFIX value does not match the example data. Try these settings
TIME_FORMAT = %Y-%m-%d time=%H:%M:%S
TIME_PREFIX = date=